Purpose: Determine the effects of organised image selection on authentication time in concentric fill based model.

Parameters: authentication time for organised image selection for fill based (colour) model. The conditions are: 1 (Inward painting), 2 (Outward painting), 3 (Fixed painting) and 4 (Random painting).

As in experiment 7, this experiment (experiment 8) was conducted to determine whether statistically significant mean variations exist in login times between the random image selection style and the ‘organised’ image selection styles of the fill based (colour) model. A detailed explanation of the meaning and procedure of organised image selection for a concentric fill based model is presented in appendix 8B. The concept is developed to improve memorability for concentric fill based models.

5.11.1 Main Hypotheses

This experiment is aimed at investigating if statistically significant mean variation will exist in login times between the various organised image selection styles of a concentric fill based model when compared to the random selection (condition 4, random painting). Here, the following hypotheses are made:

H0: That there will be no difference in mean login time between the random painting (condition 4) and any of the organised selection styles (conditions 1, 2 or 3).

H1: That there will be significantly greater mean login time for the random painting (condition 4) than at least one of the organised selection styles (conditions 1, 2 or 3).

5.11.2 Research Participants

Fifteen undergraduate science students were recruited for the within users study of the four authentication styles for the colour based model. All participants were between 22 and 35 years of age and each had at least one email and one bank account. Hence, each participant had at least one online password and one numerical PIN and thus had experience in the use of passwords. All participants claimed to have used computers and the internet for between one and six years and were thus all experienced in the use of computers.

5.11.3 Experimental Design

A within users design was used for the experiment in which fifteen participants were recruited and each asked to log on to the system using each of the various image selection styles (experimental conditions) which were:

1. Inward painting (see section 3.11)

2. Outward painting

3. Fixed painting

4. Random painting

The operational procedures and interface layout of each of the selection styles are identical. The tasks expected of each of the participants are also identical for each of the image selection styles. Each participant is expected to create a password and authenticate using each of the various image selection styles (run all 4 conditions).

5.11.4 Experimental Variables

The independent variables for this experiment are the various image selection styles (conditions 1, 2, 3, and 4), while the dependent variable is the authentication (login) time. Control variables are the number of authentication steps which is fixed at 2 and the grid size, which is fixed at 3 (9 images). No subjective opinion data was generated for this experiment.

5.11.5 Apparatus and Materials

• An ASUS N55s laptop PC running Windows 10, with 6.00 GB RAM and a 15.6” monitor

• An installed copy of the concentric fill (colour) based authentication system on which the experiment to use the four selection styles will be conducted.

• An information sheet that provides the participants with information about the experiment and what they are expected to do.

** No post-experiment questionnaire is issued for this experiment.

5.11.6 Experimental Procedure

As in experiment 7, the participants were recruited by means of a recruitment form. A consent form is also used to confirm the consent of participants before the conduct of the experiment. A participant is expected to adopt each of the selection styles (experimental conditions) provided in turn and to perform each of the two stages: (1) create a password using one of the styles, and (2) log in to the system using the password created in (1).

These two operations are each divided into a number of tasks; however, the experiment, as in experiment 7, is only interested in the login data, i.e., the data collected for the 2nd (authentication) stage. The stages are:

1. The registration (password creation) stage

✓ Click on the “sign up” button

✓ Enter a chosen username in the textbox provided

✓ Select the number of authentication steps to be used in the experiment (which is 2)

✓ Select image properties for step 1 in the image properties window

✓ Select image properties for step 2 in the image properties window

2. The authentication stage

✓ Enter your chosen username in the textbox provided

✓ Click on the “continue” button

✓ Select image for step 1 in the step 1 image grid

✓ Click on the “continue” button

✓ Select image for step 2 in the step 1 image grid

✓ Click on the “continue” button

The system logs timing data for both stages; only the timing data for the authentication stage shall be used in the analysis of the experiment and the evaluation of its findings.

5.11.7 Experimental Results for Experiment 8

A one-way analysis of variance (ANOVA) was conducted on the login time data (experimental results) and the results are presented in appendix 8. ANOVA indicates that statistically significant variation exists between groups [F(3, 56) = 6.183, p = 0.001]. Tukey post hoc analysis (multiple comparisons) indicates statistically significant mean variation between outward painting (condition 2, M = 15270.53, SD = 5450.910) and random painting (condition 4, M = 25634.47, SD = 6598.242), p = 0.003, and between fixed painting (condition 3, M = 15363.13, SD = 8314.870) and random painting (condition 4, M = 25634.47, SD = 6598.242), p = 0.004. The result thus clearly indicates that statistically significant mean variation in login time exists between condition 2 and condition 4 and between condition 3 and condition 4.

5.11.8 Discussion of Results for Experiment 8

Unlike in experiment 7, the results for experiment 8 indicate that statistically significant mean variation does exist between the random selection style (condition 4) and two of the ‘organised’ selection styles (outward painting and fixed painting, conditions 2 and 3). The results contradict the null hypothesis and confirm the hypothesis that the random painting selection style (condition 4) will incur significantly greater mean login time than at least one of the organised selection styles (conditions 1, 2 or 3). Hence the belief that organised image selection for fill based models may greatly reduce a participant’s authentication time is justified.

5.12 Conclusion

This chapter discusses usability issues and the main usability experiments conducted as part of this research project. It also discusses the corresponding results obtained from the experiments and the way the data is analysed. Although not explicitly stated, the chapter is divided into three distinct parts, each providing insight into the concept of usability as it relates to property based systems and the entire concept of graphical authentication.

The first part consists of the first two sections of the chapter that provide a highlight on the concept of usability and its place in the field of human computer interaction. Table 5.1 provides a generalized guideline on the relationship between the various components of usability in the setting of a graphical authentication system, how data is organised within each system, and how it is collected and evaluated to reflect the measures of effectiveness, efficiency and user satisfaction embodied in each authentication system.

The second part consists of sections three to seven (experiments 1 to 4). These sections provide the details of all the experiments conducted on the idea of a novel hybrid property based system for user authentication. Section three discusses some preliminary work conducted to give the researcher some insight into the workability and user experience of the concept of property based authentication. Sections four to seven discuss experiments conducted to provide information on the efficiency, effectiveness and user opinion of the concept of property based authentication. Within these sections, many comparisons have been made between various implementations of the property based paradigm to understand the similarities and differences that exist between the systems in relation to user registration time, authentication time, user satisfaction, login failure rate, and other usability evaluation metrics that form part of the fundamental usability evaluation of all authentication systems.

The third part consists of sections eight to eleven (experiments 5 to 8), which deal specifically with novel concepts related to the design of property based authentication. Section eight evaluates the effect of grid size on authentication time, section nine evaluates the influence of order on authentication time for magnitude based systems, while sections ten and eleven evaluate the idea of organised image selection as it relates to the word based and fill based authentication systems.

Having gone through these sections, one will understand that the chapter has answered all enquiries related to the research question of whether or not the idea of property based authentication is applicable as a novel system of user authentication and whether it can effectively meet the usability and design needs of system users. Property based authentication is indeed a promising concept in user authentication systems, as demonstrated by the numerous experiments, and very much caters to the usability needs of system users.

The next chapter shall discuss the security experiments conducted as part of this research work. Several experiments were conducted to evaluate the vulnerability of these systems to observational attacks, simple guessing attacks, and verbal and written description. These experiments are performed to evaluate the strengths of the systems with respect to security issues that have a direct bearing on the user.

Chapter Six – Security Evaluation of Property Based Models

6.1 Introduction

Security vulnerabilities such as shoulder surfing, susceptibility to guessing attacks and the ease with which passwords can be written down, stolen or communicated to others have been the serious issues that have hindered the effective use of alphanumeric passwords. Graphical passwords were thus suggested as alternatives to text based passwords. Graphical passwords are believed to be far more secure than alphanumeric passwords as they are less likely to be transmitted verbally or in writing, and are less prone to shoulder surfing and guessing attacks. In fact, these have been the motivating factors in the proliferation of graphical passwords as alternatives to text based passwords. Research has, however, discovered that images in some graphical schemes can be effectively described. Whenever descriptions are possible, there is the possibility of both guessing and social engineering attacks. Although considered far better than textual passwords, most recognition based graphical passwords are also prone to shoulder surfing attacks, and this has been studied in numerous publications.

This chapter evaluates and discusses the security vulnerabilities of the property based graphical authentication scheme. In particular, the vulnerabilities of the systems to guessing attacks, shoulder surfing attacks and the ability to describe images in various implementations of the system were investigated. We are particularly interested in these vulnerabilities as they are the ones that present the system user as the weakest link in the security chain [4]. Although investigations into the vulnerabilities of graphical authentication systems to description and guessing attacks have not been explicitly performed in existing literature, a number of studies exist in which verbal and written descriptions are studied as motivations for guessing attacks [16]. The procedure for these experiments takes its cue from these investigations. The aim is to ascertain the strengths and weaknesses of the implementation of property based algorithms in relation to attacks on the user side.