
TwoStep: An Authentication Method Combining Text and Graphical Passwords

  • Conference paper

Part of the book series: Lecture Notes in Business Information Processing (LNBIP, volume 26)

Abstract

Text-based passwords alone are subject to dictionary attacks, because users tend to choose weak passwords in favor of memorability, and to phishing attacks. Many recognition-based graphical password schemes alone, in order to offer sufficient security, require a number of rounds of verification, which introduces usability issues. We suggest a hybrid user authentication approach that combines text passwords, recognition-based graphical passwords, and a two-step process, providing increased security with fewer rounds than such graphical passwords alone. A variation of this two-step authentication method, which we have implemented and deployed, is in use in the real world.



© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

van Oorschot, P.C., Wan, T. (2009). TwoStep: An Authentication Method Combining Text and Graphical Passwords. In: Babin, G., Kropf, P., Weiss, M. (eds) E-Technologies: Innovation in an Open World. MCETECH 2009. Lecture Notes in Business Information Processing, vol 26. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-01187-0_19


  • DOI: https://doi.org/10.1007/978-3-642-01187-0_19

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-01186-3

  • Online ISBN: 978-3-642-01187-0

  • eBook Packages: Computer Science (R0)