User-Generated Free-Form Gestures for Authentication: Security and Memorability
Citations
979 | Development of a NASA-TLX (Task load index): Results of empirical and theoretical research, Human Mental Workload
- Hart, Staveland
- 1988
Citation Context ...ecure gesture might be. For understanding the generation and recall process, we used a mixed method approach: after generating a gesture, all participants filled a questionnaire on workload (NASA-TLX [18]) after each task and a short survey at the end of the second session. We note that a somewhat similar generate-test-retest design has been used before by Chiasson et al. [9] to compare multiple passw...
350 | Specifying Gestures by Example.
- Rubine
- 1991
Citation Context ...pend on implementing techniques to make the input more difficult to attack (e.g. making the graphical password disappear as it is being drawn [43]). Another team designed an algorithm based on Rubine [29] that told users whether or not their gestures are too similar, although the metric for this is inherently based on the recognizer’s scoring capabilities and not on a measure of the gesture by itself ...
246 | The design and analysis of graphical passwords.
- Jermyn, Mayer, et al.
- 1999
Citation Context ...em. There has been considerable work on cued graphical passwords, a survey is offered by Biddle et al. [2] for the past twelve years. In particular, there has been analysis on how Draw a Secret (DAS) [19] type of graphical passwords measures up to text-based passwords in terms of dictionary attacks [26]. Oorschot et al. [26] go on to describe a set of complexity properties based on DAS passwords and c...
206 | Gestures without libraries, toolkits or training: A $1 recognizer for user interface prototypes
- Wobbrock, Wilson, et al.
- 2007
Citation Context ...ar nearest neighbor approach. Given the gesture templates obtained and the two recall sets, we would like to measure how well the gestures perform. Protractor is an improvement upon the $1 Recognizer [41], having both a lower error rate [21] and an effectively constant computational time per training sample as compared to $1’s growing cost per training sample. Protractor presents itself further as an ...
203 | A large-scale study of web password habits
- Florencio, Herley
- 2007
Citation Context ... graphical passwords (e.g. PassPoints [40]), Thorpe et al. [37] found they could seed attacks based on human choices and find hotspots for dictionary attacks. For text-based passwords Florencio et al. [14] studied people’s web password habits, and found that people’s passwords were generally of poor quality, they are re-used and forgotten a lot. Yan et al. [42] were among the first to study empirically...
160 | PassPoints: Design and longitudinal evaluation of a graphical password system.
- Wiedenbeck, Waters, et al.
- 2005
Citation Context ...alysis is restricted to constructing a model to perform a dictionary attack and show that there are weak password subspaces based on DAS symmetry. For click-based graphical passwords (e.g. PassPoints [40]), Thorpe et al. [37] found they could seed attacks based on human choices and find hotspots for dictionary attacks. For text-based passwords Florencio et al. [14] studied people’s web password habits,...
125 | Password memorability and security: Empirical results.
- Yan, Blackwell, et al.
- 2004
Citation Context ... For text-based passwords Florencio et al. [14] studied people’s web password habits, and found that people’s passwords were generally of poor quality, they are re-used and forgotten a lot. Yan et al. [42] were among the first to study empirically how different password policies affect security and memorability of the text-based passwords. Chiasson et al. [9] conducted laboratory studies on how people ...
88 | The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes.
- Bonneau, Herley, et al.
- 2012
Citation Context ...ree-dimensional gestures can be recognized by measuring the Doppler shifts between transmitted and received Wi-Fi signals. Graphical and text-based passwords security and memorability. Bonneau et al. [5] have studied alternatives to text-based passwords for web authentication and how to comparatively evaluate them. There has been considerable work on cued graphical passwords, a survey is offered by B...
86 | The science of guessing: analyzing an anonymized corpus of 70 million passwords.
- Bonneau
- 2012
Citation Context ...t our novel information-theoretic metric for evaluating the security and memorability of gestures. We briefly discuss why existing entropy-based metrics used to evaluate discrete text-based passwords [4] are not suitable for gestures, and move to present our metric for security and memorability of continuous gestures. We have modified a recent metric on analyzing information capacity of full-body mov...
75 | Smudge Attacks on Smartphone Touch Screens.
- Aviv, Gibson, et al.
- 2010
Citation Context ...ties of touchscreens as input devices, they are limited as an authentication method. For example, a visual pattern drawn on a grid is prone to attacks such as shoulder surfing [43] and smudge attacks [1]. This paper studies free-form multitouch gestures without visual reference, that is, gestures that allow all fingers to draw a trajectory on a blank screen with no grid or other template. An example ...
70 | Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords. USENIX Security Symp.
- Thorpe, Oorschot
- 2007
Citation Context ...to constructing a model to perform a dictionary attack and show that there are weak password subspaces based on DAS symmetry. For click-based graphical passwords (e.g. PassPoints [40]), Thorpe et al. [37] found they could seed attacks based on human choices and find hotspots for dictionary attacks. For text-based passwords Florencio et al. [14] studied people’s web password habits, and found that peopl...
68 | Graphical passwords: Learning from the first generation.
- Biddle, Chiasson, et al.
- 2009
Citation Context ... alternatives to text-based passwords for web authentication and how to comparatively evaluate them. There has been considerable work on cued graphical passwords, a survey is offered by Biddle et al. [2] for the past twelve years. In particular, there has been analysis on how Draw a Secret (DAS) [19] type of graphical passwords measures up to text-based passwords in terms of dictionary attacks [26]. ...
55 | Whole-home gesture recognition using wireless signals.
- Pu, Gupta, et al.
- 2013
47 | Protractor: a fast and accurate gesture recognizer
- Li
- 2010
Citation Context ...nce, for example, is not inherently necessary. The size of a gesture can be a feature of that gesture depending on how the recognizer is implemented. We elected to implement and extend the Protractor [21] recognition algorithm, a popular nearest neighbor approach. Given the gesture templates obtained and the two recall sets, we would like to measure how well the gestures perform. Protractor is an impr...
45 | On predictive models and user-drawn graphical passwords.
- Oorschot, Thorpe
- 2008
Citation Context ...l. [2] for the past twelve years. In particular, there has been analysis on how Draw a Secret (DAS) [19] type of graphical passwords measures up to text-based passwords in terms of dictionary attacks [26]. Oorschot et al. [26] go on to describe a set of complexity properties based on DAS passwords and conclude that symmetry and stroke-count are key in how complicated a DAS-password can be. They do not...
43 | Human hand function
- Jones, Lederman
- 2006
Citation Context ... metrics cannot be directly applied. What is unique to gesturing over discrete aimed movements (physical and virtual buttons) is that every repetition of a trajectory is inherently somewhat different [20]. However, when this variability grows too large, the password is useless, because it is both not repeatable by the user and not discriminable from other passwords. The information metric should captu...
43 | User-defined motion gestures for mobile interaction
- Ruiz, Li, et al.
- 2011
Citation Context ...fic environment such as handwriting motion detected by Kinect-cameras [38], predefined whole-body gestures detected from wireless signals [28], and mobile device movement detected by built-in sensors [30]. Studies of the security of gestures look at either the protection of gestures from specific scenarios [43, 33, 38, 11], or an indirect measurement of security [17, 25]. Further, these works have foc...
34 | A comprehensive study of frequency, interference, and training of multiple graphical passwords
- Everitt, Bragin, et al.
- 2009
Citation Context ...d passwords compared to multiple click-based graphical passwords (PassPoints [40]). They found that the recall rates after two weeks were not statistically significant from each other. Everitt et al. [12] analyzed the memorability of multiple graphical passwords (PassFaces [2]) through a longitudinal study and found that users who authenticate with multiple different graphical passwords per week were ...
34 | HMM-based on-line signature verification: Feature extraction and signature modeling
- Fierrez, Ortega-Garcia, et al.
- 2007
Citation Context ...tractive algorithm for the data under consideration since it has low computational complexity compared to other techniques, for example, Dynamic Time Warping (DTW) [41] and Hidden Markov Models (HMM) [13, 24]. In general, Protractor’s error rate falls with an increasing number of training samples and at 9-10, the error rate is less than 0.5% [21]. Below we describe first the single touch Protractor and we...
32 | Touchalytics: On the applicability of touchscreen input as a behavioral biometric for continuous authentication.
- Frank, Biedert, et al.
- 2013
Citation Context ...rvational attacks may be more difficult. Previous work on gestures as an authentication method has focused on a few directions: one was whether the same gesture can be correctly recognized in general [15, 31] or in a specific environment such as handwriting motion detected by Kinect-cameras [38], predefined whole-body gestures detected from wireless signals [28], and mobile device movement detected by bui...
28 | Biometric-rich gestures: A novel approach to authentication on multi-touch devices. In:
- Sae-Bae, Ahmed, et al.
- 2012
Citation Context ...rvational attacks may be more difficult. Previous work on gestures as an authentication method has focused on a few directions: one was whether the same gesture can be correctly recognized in general [15, 31] or in a specific environment such as handwriting motion detected by Kinect-cameras [38], predefined whole-body gestures detected from wireless signals [28], and mobile device movement detected by bui...
26 | Multiple password interference in text passwords and click-based graphical passwords.
- Chiasson, Forget, et al.
- 2009
Citation Context ...re re-used and forgotten a lot. Yan et al. [42] were among the first to study empirically how different password policies affect security and memorability of the text-based passwords. Chiasson et al. [9] conducted laboratory studies on how people recall multiple text-based passwords compared to multiple click-based graphical passwords (PassPoints [40]). They found that the recall rates after two week...
16 | Back-of-device authentication on smartphones.
- Luca, Zezschwitz, et al.
- 2013
Citation Context ...etected from wireless signals [28], and mobile device movement detected by built-in sensors [30]. Studies of the security of gestures look at either the protection of gestures from specific scenarios [43, 33, 38, 11], or an indirect measurement of security [17, 25]. Further, these works have focused on understanding performance of template gestures repeated by participants, not user-generated free-form gestures a...
15 | Silentsense: silent user identification via touch and movement behavioral biometrics. In: MobiCom.
- Bo, Zhang, et al.
- 2013
Citation Context ...hentication schemes are based on the idea that when a user performs a gesture on a touchscreen they will do this in such a way that features can be extracted that will uniquely identify them later on [15, 31, 45, 3]. Similar ideas have been applied to recognizing motions with Kinect [38]. Specifically, Sae-Bae et al. [31] has shown that there is a uniqueness to the way users perform identical set of template 2D g...
15 | Canonical time warping for alignment of human behavior
- Zhou, Torre
Citation Context ... and y are often not of equal length due to different speed at which the gestures are performed. This can be corrected by temporally aligning the sequences using, for instance, Canonical Time Warping [46]. The result is a pairwise alignment of each of the frames in x and y achieved by duplicating some of the frames in each sequence. These duplicate frames are skipped when computing mutual information ...
13 | Secure unlocking of mobile touch screen devices by simple gestures: you can see it but you can not do it. In: MobiCom.
- Shahzad, Liu, et al.
- 2013
Citation Context ...y an attacker to replicate the original biometric or graphical password – there is no analysis performed as to the security content of the gesture, just its difficulty to be reproduced. Shahzad et al. [35] worked on a template-based touchscreen recognition system on smartphones where they used distinguishing features of a gesture other than the shape to recognize users. To that end, they selected (besi...
12 | Shoulder surfing defence for recall-based graphical passwords
- Zakaria, Griffiths, et al.
Citation Context ...ter utilize the capabilities of touchscreens as input devices, they are limited as an authentication method. For example, a visual pattern drawn on a grid is prone to attacks such as shoulder surfing [43] and smudge attacks [1]. This paper studies free-form multitouch gestures without visual reference, that is, gestures that allow all fingers to draw a trajectory on a blank screen with no grid or othe...
11 | Understanding naturalness and intuitiveness in gesture production: insights for touchless gestural interfaces
- Grandhi, Joue, et al.
Citation Context ...ement detected by built-in sensors [30]. Studies of the security of gestures look at either the protection of gestures from specific scenarios [43, 33, 38, 11], or an indirect measurement of security [17, 25]. Further, these works have focused on understanding performance of template gestures repeated by participants, not user-generated free-form gestures as the present work. Our goal is to understand the...
11 | “Those look similar!” issues in automating gesture design advice
- Long, Landay, et al.
Citation Context ... that told users whether or not their gestures are too similar, although the metric for this is inherently based on the recognizer’s scoring capabilities and not on a measure of the gesture by itself [22]. Schaub et al. [33] suggest that the size of the password space for a gesture is based on three spaces: design features (how the user interacts with the device), smartphone capabilities (screen size,...
11 | Exploring the design space of graphical passwords on smartphones.
- Schaub, Walch, et al.
- 2013
Citation Context ...etected from wireless signals [28], and mobile device movement detected by built-in sensors [30]. Studies of the security of gestures look at either the protection of gestures from specific scenarios [43, 33, 38, 11], or an indirect measurement of security [17, 25]. Further, these works have focused on understanding performance of template gestures repeated by participants, not user-generated free-form gestures a...
10 | An HMM on-line signature verifier incorporating signature trajectories
- Muramatsu, Matsumoto
Citation Context ...tractive algorithm for the data under consideration since it has low computational complexity compared to other techniques, for example, Dynamic Time Warping (DTW) [41] and Hidden Markov Models (HMM) [13, 24]. In general, Protractor’s error rate falls with an increasing number of training samples and at 9-10, the error rate is less than 0.5% [21]. Below we describe first the single touch Protractor and we...
9 | The challenges and potential of end-user gesture customization.
- Oh, Findlater
- 2013
Citation Context ...ement detected by built-in sensors [30]. Studies of the security of gestures look at either the protection of gestures from specific scenarios [43, 33, 38, 11], or an indirect measurement of security [17, 25]. Further, these works have focused on understanding performance of template gestures repeated by participants, not user-generated free-form gestures as the present work. Our goal is to understand the...
9 | When kids’ toys breach mobile phone security. In: CCS.
- Serwadda, Phoha
- 2013
Citation Context ... the security of the gesture drawn, instead it is focused on where a user would target in a picture-based authentication schema – it does not address free-form gesture authentication. Serwadda et al. [34] showed that authentication schema based on biometric analysis (including one by Frank et al. [15]) can be cracked using a robot to brute force the inputs using an algorithm that is supplied swipe inp...
9 | KinWrite: Handwriting-Based Authentication Using Kinect. NDSS
- Tian, Qu, et al.
- 2013
Citation Context ...od has focused on a few directions: one was whether the same gesture can be correctly recognized in general [15, 31] or in a specific environment such as handwriting motion detected by Kinect-cameras [38], predefined whole-body gestures detected from wireless signals [28], and mobile device movement detected by built-in sensors [30]. Studies of the security of gestures look at either the protection of...
8 | On the security of picture gesture authentication.
- Zhao, Ahn, et al.
- 2013
Citation Context ...y, usability, etc). Security in this context refers to a measured resistance to shoulder surfing. Continuing with security analysis, brute force attacks on gestures have been examined in some studies [38, 44, 2]. Zhao et al. [44] have examined the security of 2D gestures against brute force attacks (assisted or otherwise) when using an authentication system where a user will draw a gesture on a picture. A me...
5 | You are how you touch: User verification on smartphones via tapping behaviors
- Zheng, Bai, et al.
- 2006
Citation Context ...hentication schemes are based on the idea that when a user performs a gesture on a touchscreen they will do this in such a way that features can be extracted that will uniquely identify them later on [15, 31, 45, 3]. Similar ideas have been applied to recognizing motions with Kinect [38]. Specifically, Sae-Bae et al. [31] has shown that there is a uniqueness to the way users perform identical set of template 2D g...
3 | Entropies, guessing, and cryptography
- BOZTAS
- 1999
Citation Context ...empts before the guessed gesture is identified as the correct one. Each bit of mutual information will double the effort by the attacker. Thus, the mutual information defines the effective key-length [6, 4] of gesture passwords, so that their security becomes directly comparable to the security of text-based passwords. In practice, it can be questioned whether users will typically choose gesture passwor...
3 | Mobile authentication through touch-behavior features
- Cai, Shen, et al.
- 2013
Citation Context ... the phone – the features extracted included acceleration, pressure, size, and time. Bo et al. [3] performed recognition by mining coordinates, duration, pressure, vibration, and rotation. Cai et al. [8] examined six different features (e.g. sliding) and compared data such as the speed, sliding offset, and variance between finger pressures. De Luca et al. [11] developed a system for authentication by...
3 | azure multi-factor authentication. www.windowsazure.com/en-us/documentation/services/multi-factor-authentication
- Windows
Citation Context ...res; security; mutual information; memorability 1. INTRODUCTION Smartphones and tablets today are important for secure daily transactions. They are part of multi-factor authentication for enterprises [23], allow us to access our email, make one-click payments on Amazon, allow mobile payments [36] and even access to Permission to make digital or hard copies of all or part of this work for personal or c...
3 | Information capacity of full-body movements
- Oulasvirta, Roos, et al.
Citation Context ... in repeated multifinger trajectories. We base our metric on a recent one that was used for a very different purpose, specifically the estimation of throughput (bits/s) in continuous full-body motion [27], and it has not been used previously for authentication. Because multitouch gestures are continuous by nature the standard information metrics cannot be directly applied. What is unique to gesturing ...
3 | Helping users create better passwords. ;login
- Ur, Kelley, et al.
- 2012
Citation Context ...nsistency in participants’ perception and the actual security could be advised against in the password generation user interface. We also learned that, unlike with the length of a text-based password [39], the duration of a gesture does not play an important role in Î . Intuitively speaking, complex gestures with high Î should take longer time to perform. However, we learned that even brief gestures...
2 | Lomb (lomb-scargle) periodogram, 2008. http://www.mathworks.com/matlabcentral/fileexchange/20004-lomb-lomb-scargle-periodogram. Ref Dec 9
- Savransky
- 2013
Citation Context ...equency jitter introduced by the touchscreen hardware, but preserving the low frequency content of the gesture data. To deal with the uneven sample rate in the non-interpolated data, the Lomb-Scargle [32] method was used. At this stage, artifacts in the raw data were detected and corrected as well. The primary such artifact is when a participant fails to place their fingers on the touchscreen in the s...