The Impact of Cues and User Interaction on the Memorability of System-Assigned Passwords
The goal of this project is to design a secure and memorable password scheme for online user authentication. Traditional user-chosen passwords are vulnerable to online guessing attacks. System-assigned random passwords are more secure but suffer from poor memorability. To address this usability-security tension, we propose a novel cued-recognition authentication scheme, which provides users with memory cues to learn system-assigned keywords. In our studies, we examine the impact of different types of memory cues (e.g., graphical, verbal, and spatial cues) and of user interaction during learning. The results show that verbal cues (i.e., real-life facts corresponding to the assigned keywords) and user interaction play a significant role in achieving high memorability for system-assigned random passwords.
A Comprehensive Study of the GeoPass User Authentication Scheme
Password schemes based on selecting locations in an online map are an emerging topic in user authentication research. GeoPass is the most promising such scheme, as it provides satisfactory resilience against online guessing and showed high memorability in the preliminary lab study. In this project, we performed three separate user studies, namely a real-world field study and two multiple-password interference studies, to understand the potential of GeoPass. The single-password field study showed promise for GeoPass in a real-life scenario; however, the memorability of GeoPass was not satisfactory in the first multiple-password study. To overcome this issue, we design and evaluate a novel mental-story-based approach, which yields a significant improvement in memorability in the second multiple-password study on GeoPass.
Designing Secure and Memorable Two-factor
Traditional textual passwords alone are not adequate to provide security guarantees for online authentication, because of attacks such as online guessing, phishing, shoulder surfing, and keylogger malware. Thus, it is now widely held that two-factor authentication should be implemented to provide a higher level of security. The Federal Financial Institutions Examination Council (FFIEC) has recommended two-factor authentication for consumer online banking services. In this project, we leverage users' autobiographical memory and different types of memory cues to design two-factor authentication schemes that offer resilience to online guessing, shoulder surfing, phishing, and keylogger malware with minimal cost in terms of memory burden, additional communication channels, and hardware requirements.
Mahdi Nasrullah Al-Ameen and Matthew Wright. Exploring the Potential of GeoPass: A Geographic Location-Password Scheme. In Interacting with Computers, Vol. 29, No. 4, pp. 605-627. 2017.
Mahdi Nasrullah Al-Ameen, S M Taiabul Haque, and Matthew Wright. Leveraging Autobiographical Memory for Two-factor Online Authentication. In Information & Computer Security, Vol. 24, No. 4, pp. 386-399. 2016.
S M Taiabul Haque, Mahdi Nasrullah Al-Ameen, Matthew Wright, and Shannon Scielzo. Learning System-assigned Passwords (up to 56 Bits) in a Single Registration Session with the Methods of Cognitive Psychology. In USEC. February 2017.
Mahdi Nasrullah Al-Ameen, Kanis Fatema, Matthew Wright, and Shannon Scielzo. Leveraging Real-Life Facts to Make Random Passwords More Memorable. In European Symposium on Research in Computer Security (ESORICS). September 2015.
Mahdi Nasrullah Al-Ameen, Kanis Fatema, Matthew Wright, and Shannon Scielzo. The Impact of Cues and User Interaction on the Memorability of System Assigned Recognition-Based Graphical Passwords. In Symposium on Usable Privacy and Security (SOUPS). July 2015.
Mahdi Nasrullah Al-Ameen, Matthew Wright, and Shannon Scielzo. Towards Making Random Passwords Memorable: Leveraging Users' Cognitive Ability Through Multiple Cues. In 33rd ACM Conference on Human Factors in Computing Systems (CHI). April 2015.
Mahdi Nasrullah Al-Ameen and Matthew Wright. Multiple-Password Interference in the GeoPass User Authentication Scheme. In NDSS Workshop on Usable Security. February 2015.