
NSF Org: |
CNS Division Of Computer and Network Systems |
Recipient: |
|
Initial Amendment Date: | August 15, 2013 |
Latest Amendment Date: | November 4, 2015 |
Award Number: | 1343141 |
Award Instrument: | Standard Grant |
Program Manager: |
Ralph Wachter
rwachter@nsf.gov (703)292-8950 CNS Division Of Computer and Network Systems CSE Directorate for Computer and Information Science and Engineering |
Start Date: | September 1, 2013 |
End Date: | August 31, 2016 (Estimated) |
Total Intended Award Amount: | $202,251.00 |
Total Awarded Amount to Date: | $234,251.00 |
Funds Obligated to Date: |
FY 2014 = $16,000.00 FY 2016 = $16,000.00 |
History of Investigator: |
|
Recipient Sponsored Research Office: |
2121 EUCLID AVE CLEVELAND OH US 44115-2226 (216)687-3630 |
Sponsor Congressional District: |
|
Primary Place of Performance: |
OH US 44115-2214 |
Primary Place of Performance Congressional District: |
|
Unique Entity Identifier (UEI): |
|
Parent UEI: |
|
NSF Program(s): |
Special Projects - CNS, Secure & Trustworthy Cyberspace |
Primary Program Source: |
01001415DB NSF RESEARCH & RELATED ACTIVIT 01001617DB NSF RESEARCH & RELATED ACTIVIT |
Program Reference Code(s): |
|
Program Element Code(s): |
|
Award Agency Code: | 4900 |
Fund Agency Code: | 4900 |
Assistance Listing Number(s): | 47.070 |
ABSTRACT
We are evaluating a new model of password security in which users place pieces on a game board (e.g., chess pieces on a chessboard). The fact that existing systems are either memorable or secure, but not both, motivated our approach. We are testing 14-15 year old high school students, college students 18-30, and older adults 60-80, and we are conducting two types of experiments. First, we are measuring all groups' memories for passwords of two and four game pieces (after a 20-minute filled delay). Second, we are testing college students' memories for five different passwords over a 12-week period in which the game changes after week 10. The results are expected to reveal a dramatically better authentication method compared to existing systems. More specifically, participants are expected to create unique passwords that they can remember. Furthermore, performance is expected to decline during the first 10 weeks, as their passwords begin to interfere with one another, and increase dramatically during the final two weeks, once the game changes and they are able to use a new type of memory. We will present the results at social science and computer security conferences, and submit for publication to sociology, psychology, and security journals. Our approach offers a radical breakthrough that is mathematically secure and easy to remember. The model is applicable to a wide range of electronic platforms, including smartphones, computers, ATMs, and other high-risk electronic gateways. Consequently, the potential to benefit society with more secure systems should have an enormous impact.
PROJECT OUTCOMES REPORT
Disclaimer
This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.
It has become commonplace to note that computer systems protected by authentication systems are either mathematically robust or user-friendly, but not both.
We propose a Multi-dimensionAl Password Scheme (MAPS) for mobile authentication. MAPS fuses information from multiple dimensions to form a password. Using information from multiple dimensions can enlarge the password space and improve memorability by reducing memory interference. The information fusion in MAPS can greatly increase usability as significantly fewer input gestures are required for passwords of the same security strength in comparison to existing authentication methods. Graphical hints are designed to further improve MAPS’s memorability. Based on the idea of MAPS, we implement a Chess-based MAPS (CMAPS) for Android systems. Only 2 and 6 gestures are required for CMAPS to generate passwords with better security strength than 4-digit PINs and 8-character alphanumeric passwords respectively. Our user studies on CMAPS show that CMAPS, with security strength exceeding the strength of current mobile authentication schemes and exceeding the requirements of banking, can achieve high recall rates respectively.
We propose PassGame, a shoulder-surfing resistant mobile authentication scheme based on board games. The design of PassGame is based on the popular game of chess. PassGame challenges a user with a random formation of chess pieces on a game board. A successful authentication requires a user to respond to the challenge so that a set of predefined rules are satisfied after adjustments made by the user. PassGame can be finished by a user without any chess knowledge. We implement PassGame on the Android operating system. Our user studies with the Android implementation show that PassGame passwords with more password strength than current mobile authentication schemes can achieve 100% recall rates when recalled one week after password setup.
We propose a secondary implicit authentication scheme which monitors typing behavior to detect unauthorized use and lock down the mobile device. We build a basic implementation of our scheme on the Android operating system. Our user studies on the implementation show that we can achieve an accuracy of up to 97% identifying one user out of a set of fifteen, with an FAR of < 3% and an FRR of < .5%.
We developed – and experimentally tested – the Game Changer Password System, a new approach to password security that is both mathematically robust and user-friendly. This approach, informed by cognitive psychology, involves giving up the idea of passwords as alphanumeric strings and replacing such strings with pieces on a game board. The Game Changer Password System emphasizes two new factors: fun and relative usability in different populations. Our work represents a unique combination of theoretical issues in password security from computer engineering and methods of empirical testing from the social sciences.
In Experiment 1, we examined high school student, younger adult, and older adult participants’ memory for game-based passwords, using chess or Monopoly. The results provide evidence that all three groups can remember game-based passwords fairly well. The fact that older adults and high school students do fairly well is important because these age groups are underrepresented in password security research. Future work might consider extending to even younger children.
In Experiment 2, we examined participants’ use of five game-based passwords across 24 sessions over 10 weeks. All five passwords were stored in chess or Monopoly for the initial 20 sessions, and changed (from chess to Monopoly or vice versa) for the remaining sessions. The results provide evidence that participants can remember multiple game-based passwords over 10 weeks fairly well. Moreover, when participants changed games and created new passwords, their performance was significantly better than the first time they entered their passwords.
One limitation of the current study is that the passwords we collected did not protect real user accounts – instead they were hypothetical accounts as part of our experimental testing. Outside the laboratory, the Game Changer Password System could be flexibly implemented depending, for example, on the desired level of security. The system has the potential to replace (or complement) existing password schemes for a wide range of electronic platforms, including smart phones, personal computers, tablets, ATMs, other high-risk electronic gateways, as well as the potential to replace (or complement) the use of keys.
The project offers a radical breakthrough and a permanent solution to password security by designing a system that is mathematically secure and easy to remember over time. Given that the approach is applicable to a wide range of electronic platforms, including smart phones, personal computers, tablets, banking ATMs and other high-risk electronic gateways, the potential to benefit society with more secure systems in a variety of ways would have an enormous impact. A second societal outcome is the engagement of high school students, college students, and older adults with science and technology.
Last Modified: 11/30/2016
Modified by: Ye Zhu