Someone in Your Contact List: Cued Recall-Based Textual Passwords

Journal Article
Alomar, Noura . 2017
Authentication, Passwords, Password Hint, Password Recall, Cued Recall-Based Textual Passwords
Magazine \ Newspaper: 
IEEE Transactions on Information Forensics and Security
Publication Abstract: 

Textual passwords remain the most commonly employed user authentication mechanism, and potentially will continue to be so for years to come. Despite the well-known security and usability issues concerning textual passwords, none of the numerous proposed authentication alternatives appear to have achieved a sufficient level of adoption to dominate in the foreseeable future. Password hints, consisting of a user generated text saved at the account setup stage, are employed in several authentication systems to help users to recall forgotten passwords. However, users are often unable to create hints that jog the memory without revealing too much information regarding the passwords themselves. We propose a rethink of password hints by introducing S`YNTHIMA, a novel cued recall-based textual password method that reveals no information regarding the password, requires no modifications to authentication servers, and requires no additional setup or registration steps. S`YNTHIMA makes use of users’ contact lists, so that mapped password hints extracted from a user’s contacts are automatically generated while the user is typing the password. We create formal models for relevant aspects of the password hint mechanism, define its threat model, and analyze the security and usability of S`YNTHIMA. We also present the results of an in-lab user study of S`YNTHIMA on 30 participants to evaluate its effectiveness and usability. The results demonstrate that S`YNTHIMA minimizes the number of incorrect login attempts and improves long-term password recall, with acceptable login times and positive user feedback. We summarize the lessons learned from the user study, with the hope of provoking further insights regarding the design of effective cued recall-based textual password schemes.

PDF icon tifs2712126_authorversion.pdf1014.17 KB