“Too Taxing on the Mind!” Authentication Grids are not for Everyone

  • Kat Krol
  • Constantinos Papanicolaou
  • Alexei Vernitski
  • M. Angela Sasse
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9190)


The security and usability issues associated with passwords have encouraged the development of a plethora of alternative authentication schemes. These aim to provide stronger and/or more usable authentication, but it is hard for the developers to anticipate how users will perform with and react to such schemes. We present a case study of a one-time password entry method called the Vernitski Authentication Grid (VAG), which requires users to enter their password in pairs of characters by finding where the row and the column containing the characters intersect and entering the character from this intersection. We conducted a laboratory user evaluation (n = 36) and found that authentication took 88.6 s on average, with login times decreasing with practice. Participants were faster authenticating on a tablet than on a PC. Overall, participants found using the grid complex and time-consuming. Their stated willingness to use it depended on the context of use, with most participants considering it suitable for accessing infrequently used and high-stakes accounts and systems. While using the grid, 31 out of 36 participants pointed at the characters, rows and columns with their fingers or mouse, which undermines the shoulder-surfing protection that the VAG is meant to offer. Our results demonstrate there cannot be a one-size-fits-all replacement for passwords – usability and security can only be achieved through schemes designed to fit a specific context of use.
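The pairwise entry rule described in the abstract, as an added sketch that is not the authors' implementation. The 6×6 grid of lowercase letters and digits, the reshuffle on every login, and the choice that the first character of a pair selects the row and the second selects the column are assumptions; the page gives none of these details.

```python
import random
import string

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols (assumed alphabet)
SIZE = 6                                           # assumed 6x6 grid

def new_grid(rng):
    """Fresh random arrangement per login (assumed), so the entered string is one-time."""
    cells = list(ALPHABET)
    rng.shuffle(cells)
    return [cells[i * SIZE:(i + 1) * SIZE] for i in range(SIZE)]

def locate(grid, ch):
    """Return (row, column) of a character in the grid."""
    for r, row in enumerate(grid):
        if ch in row:
            return r, row.index(ch)
    raise ValueError(f"{ch!r} is not in the grid")

def respond(grid, password):
    """Enter the password in pairs: row of the 1st character, column of the 2nd."""
    if len(password) % 2:
        raise ValueError("pairwise entry needs an even-length password")
    out = []
    for a, b in zip(password[0::2], password[1::2]):
        row, _ = locate(grid, a)
        _, col = locate(grid, b)
        out.append(grid[row][col])
    return "".join(out)

def candidate_pairs(grid, entered):
    """Every (first, second) pair consistent with one entered character."""
    r, c = locate(grid, entered)
    return [(a, grid[i][c]) for a in grid[r] for i in range(SIZE)]

if __name__ == "__main__":
    grid = new_grid(random.Random())
    typed = respond(grid, "hq3a")  # constructed sample password
    print(typed, [len(candidate_pairs(grid, ch)) for ch in typed])
```

Under these assumptions each entered character is consistent with 36 different password pairs, which is the ambiguity an onlooker faces; a user who points at the two characters themselves removes it.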


Authentication Scheme; Computer Literacy; Online Banking; Virtual Keyboard; Authentication Time
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We would like to thank Brian Glass, Ingolf Becker and Granville Moore for their help in data analysis. Kat Krol’s research was supported by an EPSRC grant to the UCL Security Science Doctoral Training Centre (SECReT) (grant number: EP/G037264/1).



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Kat Krol (1)
  • Constantinos Papanicolaou (1)
  • Alexei Vernitski (2)
  • M. Angela Sasse (1)

  1. Department of Computer Science, University College London (UCL), London, UK
  2. Department of Mathematical Sciences, University of Essex, Colchester, UK
