
Chapter 7 Conclusions and Future Work

7.3 Future Research Directions

This thesis has contributed to the field of RBGSs and usable security literature, but has also raised further issues. In this section, a number of potential future research directions are discussed.

7.3.1 PHAS Evaluation

(A) Usability study to assess the performance of multiple art passwords in PHAS

US3 investigated the usability of four PHAS passwords, one of which comprised art images. A lab-based usability study should be conducted in future to assess the performance of n art passwords in PHAS. This will demonstrate whether multiple art passwords in PHAS are usable, i.e. memorable, easy to choose hints for, and efficient in terms of both password creation and authentication time. The field of usable security also lacks comprehensive and conclusive results on text passwords, which makes it difficult to use them as benchmarks. Hence an empirical study should include text passwords as the control group, using the same protocol that is used for examining PHAS passwords. This will help to systematically compare the performance of the two authentication mechanisms.

(B) Field study of PHAS

Despite the field of graphical authentication having existed for over 12 years (Biddle et al., 2009), most usability studies reported in the existing literature are lab-based. However, with the advent of ubiquitous technologies, and specifically the widespread adoption of smartphones, lab-based experiments seem to be less ecologically valid than field studies (Rogers et al., 2011). In this context, the results reported in Chiasson et al. (2007) showed considerable discrepancies in the performance of users in a lab-based usability study compared to a field study. This raises an important question about the combination of studies that is required to assess the viability of a specific authentication mechanism in a given context. However, we believe that lab-based studies could be used as a proof of principle before conducting large-scale field studies.

PHAS has proven successful in terms of memorability of multiple image passwords in a lab-based study. The next logical step is to conduct a field study to examine the performance of PHAS in the real world. Such a study would help to assess the acceptability, suitability and usability of PHAS. However, it remains a challenge how field studies can be conducted to examine the usability of multiple graphical passwords, since most of the existing multiple graphical password studies are either lab-based or web-based, as discussed in Chapter 2.

7.3.2 Improving the Security of PHAS

(C) Varying the configuration of the system to increase the theoretical password space

Charrau et al. (2005) showed that increasing the password space, i.e. the number of target images and the number of challenge sets, would have a negative impact on usability: memorability will decrease and the system will be time-consuming to use. However, it is worth investigating whether PHAS performs equally well when the system parameters are modified to increase the theoretical password space. Such a study would help to assess the limitations of PHAS in the context of security against guessing attacks. The aforementioned proposal was assigned to an MSc Information Security student (2013-14) as the MSc dissertation in the School of Computing Science (University of Glasgow). The student investigated the usability of PHAS when the number of target images is increased to six and a user is required to remember six such passwords.
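As an added worked calculation (not from the thesis), take $s$ images per challenge screen, $k$ challenge sets per password and a lock-out after $a$ failed logins; $s = 16$ (one target plus 15 decoys) and $a = 4$ are the figures used in the false-challenge-set proposal in (D) below, and $k = 6$ is the configuration examined in the MSc study:

$$|\mathcal{P}| = s^{k}, \qquad \Pr[\text{success within } a \text{ uniformly random guesses}] \le \frac{a}{s^{k}}$$

$$k = 4:\; 16^{4} = 2^{16}, \quad \frac{4}{2^{16}} \approx 6.1 \times 10^{-5}; \qquad k = 6:\; 16^{6} = 2^{24}, \quad \frac{4}{2^{24}} \approx 2.4 \times 10^{-7}$$

The bound covers only blind guessing; guessing aided by recorded descriptions (Section 7.3.3) is a different attacker model and is not captured by it.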

(D) Additional features to increase the security of PHAS

We propose some additional features which could be implemented to enhance the security of PHAS as given below.

• Lock-out policy based on login time: PHAS may offer more secure authentication if the lock-out policy is based not only on a definite number of failed login attempts, but also on a threshold value of login time. For example, once a user has used the system α times, a timer, β, could be set for each login session. If the user is unable to complete the login session within the set time interval, this will be recorded. After a definite number of failed attempts due to timer expiration, the account will be locked. However, different aspects, such as how to customise the timer to cater for the needs of a user and the number of attempts allowed before the account is locked, have to be considered before this feature could be implemented in practice. Most importantly, the impact of the proposed security component on the overall usability of the system has to be considered too.

• False challenge sets: Let a user, U, select four images and give one hint for each of them in PHAS (x1-x4). The system selects 15 decoy images for each of the target images (x1-x4), generating four challenge sets (T1-T4). T1-T4 are the true challenge sets for the respective target images x1-x4. The system would now choose four more images with their corresponding hints (F1-F4) which do not belong to the user U; let these target images and their hints belong to four different users. So F1-F4 are the false challenge sets, which do not belong to the user U. In each authentication session for the user U, the system would display m true sets selected from T1-T4 and n false sets selected from F1-F4. The values of m and n can either vary for each authentication session or remain constant for all authentication sessions. Each challenge screen will have 16 images, a hint and a button named “Ignore”. This Ignore button can be used by the legitimate user when a false challenge set is displayed. The lock-out policy may be the same, i.e. four failed login attempts. The approach for choosing the decoy images might be as follows:

(1) the 15 decoy images for each of the four challenge sets will not be a target for another challenge set;

(2) the decoy images for all the challenge sets are fixed;

(3) the sets won’t change, even when the image selected is not a target (different from the configuration used in PHAS, Chapter 8);

(4) the result of the authentication will be shown only once the last step is completed.

If cognitive attacks are carried out to break a PHAS password, we believe that the false challenge sets would make it difficult for the attacker to follow a lead for breaking into the system, and the lock-out policy based on login time will put further pressure on the attacker, making it hard to succeed. However, rigorous usability studies need to be conducted before these features could be adopted in practice.
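As an added illustration (not part of the thesis or of the PHAS implementation), the following Python model captures the false-challenge-set proposal and decoy rules (1)-(4) above: true sets T1-T4 belong to user U, false sets F1-F4 are borrowed from other users, each screen shows 16 images, a hint and an Ignore button, the outcome is revealed only after the last step, and four failed attempts lock the account. All image identifiers, hints, class and function names are constructed for the example.

```python
import random
from dataclasses import dataclass

IMAGES_PER_SCREEN = 16   # 1 target + 15 decoys on every challenge screen
MAX_FAILED_ATTEMPTS = 4  # lock-out policy kept as in PHAS: four failed logins
IGNORE = "Ignore"        # button a legitimate user presses on a false challenge set

@dataclass(frozen=True)
class ChallengeSet:
    target: str      # image the hint points at (user U's, or another user's if false)
    hint: str
    decoys: tuple    # chosen once at enrolment and never re-drawn, rule (2)
    is_true: bool    # True: one of T1-T4; False: one of F1-F4 borrowed from another user

def build_sets(targets, hints, pool, excluded, is_true, rng=random):
    """Rule (1): a decoy is never a target of any challenge set (excluded holds all targets)."""
    candidates = [img for img in pool if img not in excluded]
    return [ChallengeSet(t, h, tuple(rng.sample(candidates, IMAGES_PER_SCREEN - 1)), is_true)
            for t, h in zip(targets, hints)]

def build_session(true_sets, false_sets, m, n, rng=random):
    """One login for user U: m true sets plus n false sets, presented in random order."""
    chosen = rng.sample(true_sets, m) + rng.sample(false_sets, n)
    rng.shuffle(chosen)
    return chosen

def render_screen(cs, rng=random):
    """What the user sees at one step: 16 shuffled images, the hint and the Ignore button."""
    images = list(cs.decoys) + [cs.target]
    rng.shuffle(images)
    return {"hint": cs.hint, "images": images, "buttons": images + [IGNORE]}

def verify(session, answers):
    """Rules (3)/(4): screens never change in reaction to a wrong choice and the result is
    computed over the whole session, so nothing is revealed before the last step is done."""
    return len(answers) == len(session) and all(
        ans == (cs.target if cs.is_true else IGNORE) for cs, ans in zip(session, answers))

class Account:
    def __init__(self):
        self.failed, self.locked = 0, False

    def attempt(self, session, answers):
        """Returns True on success; MAX_FAILED_ATTEMPTS consecutive failures lock the account."""
        if self.locked:
            return False
        if verify(session, answers):
            self.failed = 0
            return True
        self.failed += 1
        self.locked = self.failed >= MAX_FAILED_ATTEMPTS
        return False
```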

7.3.3 Understanding the Topic of Descriptions

The topic of descriptions and password recordability in the case of RBGSs needs to be assessed at many different levels. In GS1 and GS2, the recorded descriptions of the target images forming the password were presented in the same order as they would appear in the authentication steps. However, in real life this may not be an ideal scenario. An account holder may record a prompt in any order, which might decrease the chances of successfully guessing the target images. Hence it would be worth investigating the effectiveness of guessing when the order of the authentication steps is varied and the order of the descriptions is randomised, instead of presenting them sequentially (as in our experiments).

Another possible improvement might be to allow account holders to record their prompts as they wish. Then a study should be conducted to assess the effectiveness of guessing using the recorded prompts. This might help to understand the different approaches to recording RBGS passwords, the vulnerability of each approach, and the feasibility of each approach in a real-life scenario. Moreover, the topic of descriptions in the context of RBGSs needs to be assessed very carefully and at various levels, because it relies on user behaviour, which is not only difficult to control but also varies from one individual to another.

7.3.4 Guidelines for Designing Experiments

In the area of graphical authentication, most published results lack consistency, which makes it difficult to compare them. In the context of graphical authentication systems, Biddle et al. (2009) suggested that user studies should include:

• motivation of the work, context of use and target users;

• a clear description of the methodology used to conduct the usability study;

• a clear description of the system’s design;

• the security parameters and aspects that are being investigated.

However, there is no general set of principles for designing such usability studies in the context of authentication mechanisms. For example, each of the multiple graphical password studies discussed in Chapter 2 has used a different experiment protocol, i.e. duration of the experiment, gap between two sessions in the case of multi-session studies, number of participants, and metrics reported. Such variations in the reported studies make it difficult to systematically examine and compare the characteristics of different authentication mechanisms. Hence, in order to make such studies more comprehensive and comparable, it is necessary to establish a set of common guidelines for conducting usability as well as guessability studies with human subjects in the field of usable authentication. This set of guidelines would need to address issues such as:

• different ways of designing experiments to establish proof of principle;

• protocols to be used in the experiment, i.e. minimum duration of the study, metrics to be reported, interpretation of each metric and statistical tests to be used for each metric;

• the type of training to be given before starting the experiment, the length of the training and the instructions that need to be given to the users;

• consideration of the potential effects of training when interpreting the results of the study;

• establishing benchmarks that could be used to compare the results obtained in a study and demonstrate its viability in a specific context.

Practitioners and experts from both areas, i.e. HCI and security, should come together and establish rules for effective experimental design which could be adopted in the future. By taking such steps, we can edge closer to evaluating usable authentication in a systematic and comprehensive way.