TMGMap: Designing Touch Movement-Based Geographical Password Authentication on Smartphones

  • Weizhi Meng
  • Zhe LiuEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11125)


Although textual passwords are the most widely adopted authentication method, they are vulnerable to many known limitations. Graphical password is considered as one alternative to complement the existing authentication systems, based on the observation that humans can remember images better than textual information. In order to obtain a large password space, geographical passwords have received much attention, which enable users to select one or more places on a map for authentication. For example, PassMap requires users to choose two places on a world map as their credentials, and GeoPass enables users to click only one place for authentication. However, we identify that users are able to perform more particular gestures like touch movement on mobile devices as compared to a common computer. Motivated by the observation, in this work, we develop TMGMap, a touch movement-based geographical password scheme on smartphones, which allows users to draw their secrets on a world map via touch movement events. We conducted a user study with a total of 60 participants, and found that users could achieve better results with our scheme in the aspects of both security and usability, as compared to similar schemes.


Graphical password Smartphone security User authentication Touch dynamics Biometric authentication 



We would like to thank all participants for their hard work in the user study.


  1. 1.
    Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy, pp. 538–552 (2012)Google Scholar
  2. 2.
    Chiasson, S., van Oorschot, P.C., Biddle, R.: Graphical password authentication using cued click points. In: Biskup, J., López, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 359–374. Springer, Heidelberg (2007). Scholar
  3. 3.
    Chiasson, S., Biddle, R., van Oorschot, P.C.: A second look at the usability of click-based graphical passwords. In: Proceedings of the 3rd Symposium on Usable Privacy and Security, SOUPS, pp. 1–12. ACM, New York (2007)Google Scholar
  4. 4.
    Chiasson, S., Stobert, E., Forget, A., Biddle, R.: Persuasive cued click-points: design, implementation, and evaluation of a knowledge-based authentication mechanism. IEEE Trans. Dependable Secur. Comput. 9(2), 222–235 (2012)CrossRefGoogle Scholar
  5. 5.
    Davis, D., Monrose, F., Reiter, M.K.: On user choice in graphical password schemes. In: Proceedings of the 13th Conference on USENIX Security Symposium, SSYM, pp. 151–164. USENIX Association, Berkeley (2004)Google Scholar
  6. 6.
    Dirik, A.E., Memon, N., Birget, J.C.: Modeling user choice in the PassPoints graphical password scheme. In: Proceedings of the 3rd Symposium on Usable Privacy and Security, SOUPS, pp. 20–28. ACM, New York (2007)Google Scholar
  7. 7.
    Dunphy, P., Yan, J.: Do background images improve “draw a secret” graphical passwords? In: Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS, pp. 36–47 (2007)Google Scholar
  8. 8.
    Fox, S.: Future Online Password Could be a Map (2010).
  9. 9.
    Georgakakis, E., Komninos, N., Douligeris, C.: NAVI: novel authentication with visual information. In: Proceedings of the 2012 IEEE Symposium on Computers and Communications, ISCC, pp. 588–595 (2012)Google Scholar
  10. 10.
    Gołofit, K.: Click passwords under investigation. In: Biskup, J., López, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 343–358. Springer, Heidelberg (2007). Scholar
  11. 11.
    Jermyn, I., Mayer, A., Monrose, F., Reiter, M.K., Rubin, A.D.: The design and analysis of graphical passwords. In: Proceedings of the 8th Conference on USENIX Security Symposium, pp. 1–14. USENIX Association, Berkeley (1999)Google Scholar
  12. 12.
    Karlson, A.K., Brush, A.B., Schechter, S.: Can I borrow your phone?: Understanding concerns when sharing mobile phones. In: Proceedings of the 27th International Conference on Human Factors in Computing Systems, CHI, pp. 1647–1650. ACM, New York (2009)Google Scholar
  13. 13.
    Lin, D., Dunphy, P., Olivier, P., Yan, J.: Graphical passwords & qualitative spatial relations. In: Proceedings of the 3rd Symposium on Usable Privacy and Security, SOUPS, pp. 161–162 (2007)Google Scholar
  14. 14.
    MacRae, B., Salehi-Abari, A., Thorpe, J.: An exploration of geographic authentication schemes. IEEE Trans. Inf. Forensics Secur. 11(9), 1997–2012 (2016)CrossRefGoogle Scholar
  15. 15.
    Meng, Y.: Designing click-draw based graphical password scheme for better authentication. In: Proceedings of the 7th IEEE International Conference on Networking, Architecture, and Storage, NAS, pp. 39–48 (2012)Google Scholar
  16. 16.
    Meng, Y., Li, W.: Evaluating the effect of tolerance on click-draw based graphical password scheme. In: Chim, T.W., Yuen, T.H. (eds.) ICICS 2012. LNCS, vol. 7618, pp. 349–356. Springer, Heidelberg (2012). Scholar
  17. 17.
    Meng, Y., Li, W.: Evaluating the effect of user guidelines on creating click-draw based graphical passwords. In: Proceedings of the 2012 ACM Research in Applied Computation Symposium, RACS, pp. 322–327 (2012)Google Scholar
  18. 18.
    Meng, Y., Li, W., Kwok, L.-F.: Enhancing click-draw based graphical passwords using multi-touch on mobile phones. In: Janczewski, L.J., Wolfe, H.B., Shenoi, S. (eds.) SEC 2013. IAICT, vol. 405, pp. 55–68. Springer, Heidelberg (2013). Scholar
  19. 19.
    Meng, W.: RouteMap: a route and map based graphical password scheme for better multiple password memory. Network and System Security. LNCS, vol. 9408, pp. 147–161. Springer, Cham (2015). Scholar
  20. 20.
    Meng, W.: Evaluating the effect of multi-touch behaviours on android unlock patterns. Inf. Comput. Secur. 24(3), 277–287 (2016)CrossRefGoogle Scholar
  21. 21.
    Meng, W., Li, W., Wong, D.S., Zhou, J.: TMGuard: a touch movement-based security mechanism for screen unlock patterns on smartphones. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 629–647. Springer, Cham (2016). Scholar
  22. 22.
    Meng, W., Li, W., Kwok, L.-F., Choo, K.-K.R.: Towards enhancing click-draw based graphical passwords using multi-touch behaviours on smartphones. Comput. Secur. 65, 213–229 (2017)CrossRefGoogle Scholar
  23. 23.
    Meng, W., Li, W., Lee, W.H., Jiang, L., Zhou, J.: A pilot study of multiple password interference between text and map-based passwords. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) ACNS 2017. LNCS, vol. 10355, pp. 145–162. Springer, Cham (2017). Scholar
  24. 24.
    Meng, W., Lee, W.H., Au, M.H., Liu, Z.: Exploring effect of location number on map-based graphical password authentication. In: Pieprzyk, J., Suriadi, S. (eds.) ACISP 2017. LNCS, vol. 10343, pp. 301–313. Springer, Cham (2017). Scholar
  25. 25.
    Meng, W., Wang, Y., Wong, D.S., Wen, S., Xiang, Y.: TouchWB: touch behavioral user authentication based on web browsing on smartphones. J. Netw. Comput. Appl. 117, 1–9 (2018)CrossRefGoogle Scholar
  26. 26.
    Nelson, D.L., Reed, V.S., Walling, J.R.: Pictorial superiority effect. J. Exp. Psychol.: Hum. Learn. Mem. 2(5), 523–528 (1976)Google Scholar
  27. 27.
  28. 28.
    Shepard, R.N.: Recognition memory for words, sentences, and pictures. J. Verbal Learn. Verbal Behav. 6(1), 156–163 (1967)CrossRefGoogle Scholar
  29. 29.
    Spitzer, J., Singh, C., Schweitzer, D.: A security class project in graphical passwords. J. Comput. Sci. Coll. 26(2), 7–13 (2010)Google Scholar
  30. 30.
    Shin, J., Kancharlapalli, S., Farcasin, M., Chan-Tin, E.: SmartPass: a smarter geolocation-based authentication scheme. Secur. Commun. Netw. 8, 3927–3938 (2015)CrossRefGoogle Scholar
  31. 31.
    Shabtai, A., Fledel, Y., Kanonov, U., Elovici, Y., Dolev, S., Glezer, C.: Google Android: a comprehensive security assessment. IEEE Secur. Priv. 8(2), 35–44 (2010)CrossRefGoogle Scholar
  32. 32.
    Suo, X., Zhu, Y., Owen, G.S.: Graphical passwords: a survey. In: Proceedings of the 21st Annual Computer Security Applications Conference, ACSAC, pp. 463–472. IEEE Computer Society, USA (2005)Google Scholar
  33. 33.
    Sun, H., Chen, Y., Fang, C., Chang, S.: PassMap: a map based graphical-password authentication system. In: Proceedings of ASIACCS, pp. 99–100 (2012)Google Scholar
  34. 34.
    Tao, H., Adams, C.: Pass-Go: a proposal to improve the usability of graphical passwords. Int. J. Netw. Secur. 2(7), 273–292 (2008)Google Scholar
  35. 35.
    Thorpe, J., MacRae, B., Salehi-Abari, A.: Usability and security evaluation of GeoPass: a geographic location-password scheme. In: Proceedings of the 9th Symposium on Usable Privacy and Security, SOUPS, pp. 1–14 (2013)Google Scholar
  36. 36.
    Van Thanh, D.: Security issues in mobile eCommerce. In: Proceedings of the 11th International Workshop on Database and Expert Systems Applications, DEXA, pp. 412–425. IEEE, USA (2000)Google Scholar
  37. 37.
    Wiedenbeck, S., Waters, J., Birget, J.-C., Brodskiy, A., Memon, N.: PassPoints: design and longitudinal evaluation of a graphical password system. Int. J. Hum.-Comput. Stud. 63(1–2), 102–127 (2005)CrossRefGoogle Scholar
  38. 38.
    Weir, M., Aggarwal, S., Collins, M., Stern, H.: Testing metrics for password creation policies by attacking large sets of revealed passwords. In: Proceedings of CCS, pp. 162–175 (2010)Google Scholar
  39. 39.
    Yan, J., Blackwell, A., Anderson, R., Grant, A.: Password memorability and security: empirical results. IEEE Secur. Priv. 2, 25–31 (2004)CrossRefGoogle Scholar
  40. 40.
    Yu, X., Wang, Z., Li, Y., Li, L., Zhu, W.T., Song, L.: EvoPass: evolvable graphical password against shoulder-surfing attacks. Comput. Secur. 70, 179–198 (2017)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.Department of Applied Mathematics and Computer ScienceTechnical University of DenmarkCopenhagenDenmark
  2. 2.Nanjing University of Aeronautics and AstronauticsNanjingChina
  3. 3.Interdisciplinary Centre for Security, Reliability and TrustUniversity of LuxembourgEsch-sur-AlzetteLuxembourg

Personalised recommendations