User Authentication

Sylized sample CSA graphical password containing nine image elements that need to be recognized during authentication.

Passwords are one of the main authentication systems in modern digital technologies. We use them to access our email, protect our smart phones, use them to access ATMs in conjunction with our debit cards, and control access to our financial information and online banking. Passwords, PINs, and access codes are ubiquitous.

It has been clear for quite a while that passwords and the security needs of modern technology are at odds with each other - the so called password problem. If left to their own devices, users will chose simple passwords that are easy to remember, they reuse their passwords for multiple sites and uses, and they share their passwords with others. Passwords are often easy to crack for malicious attackers, and most secure passwords are hard to remember, which leads to insecure practices like writing the passwords down.

In our lab we have looked at ways to create new password systems that optimize both the security and the memorability of passwords. In cooperation with Sergio Caltagirone, a graduate student in computer science, we created a successful graphical password system that takes advantage of superior recognition memory for visual material. Our system (which we call "Composite Scene Authentication" or CSA for short) shows great promise to be used as an alternative for traditional, alphanumeric password systems. Users remember a randomly generated CSA password well (>90% of users are able to authenticate) after long retention intervals (we tested up to six weeks) and after only seeing the password image once for 90 seconds. Korey Johnson and Kylie Pfeifer have worked on important aspects of the system (see below).

Currently Connor Hoover is looking into a similar approach of randomly combining different elements into a password by using short stories (e.g., randomized flash fiction). His research looks at the potential of these "narrative passwords" to replace infrequently used passwords or even security questions that are often used when resetting an account.

Alternative cognitive authentication systems, in conjunction with biometric and token based authentication, are gaining traction in modern technology - especially in mobile devices that benefit from non-textual entry methods like pointing, gesturing, and swiping. There are many interesting application domains that will benefit from a fresh look at authentication!


Papers / Proceedings

Werner, S. & Hoover, C. (2014). The Potential of Narrative Passwords for Cognitive Authentication Systems. Poster presented at the Annual Meeting of the Psychonomic Society, November 20-23, 2014, Long Beach, CA.

Hoover, C., Werner, S., & Cohen, R. (2014, Oct.). Cognitive Authentication and Narrative Passwords. Proceedings of the the 58th Annual Meeting of the Human Factors and Ergonomics Society, Oct 27-31 2014, Chicago, IL, USA.

Werner, S. & Hoover, C. (2012). Cognitive Approaches to Password Memorability - The Possible Role of Story-based Passwords. Proceedings of the the 56th Annual Meeting of the Human Factors and Ergonomics Society, October 22-26, 2012, Boston, MA, USA.

Johnson, K. & Werner, S. (2008). Graphical User Authentication – A Comparative Evaluation of Composite Scene Authentication (CSA) vs. three Competing Graphical Passcode Systems (Passfaces, VIP, PassPoints). Proceedings of the the 52nd Annual Meeting of the Human Factors and Ergonomics Society, Sept 22-26, New York, NY, USA.

Johnson, K. & Werner, S. (2007). Memorability of Alphanumeric and Composite Scene Authentication (CSA) Passcodes over Extended Retention Intervals. Proceedings of the the 51st Annual Meeting of the Human Factors and Ergonomics Society, October 1-5, 2007, Baltimore, MD, USA.