Gradeigh D. Clark

Video: User-generated free-form gestures for authentication: security and memorability

This paper studies the security and memorability of free-form multitouch gestures for mobile authentication. Towards this end, we collected a dataset with a generate-test-retest paradigm where participants (N=63) generated free-form gestures, repeated them, and were later retested for memory. Half of the participants decided to generate one-finger gestures, and the other half generated multi-finger gestures. Although there has been recent work on template-based gestures, there are yet no metrics to analyze security of either template or free-form gestures. For example, entropy-based metrics used for text-based passwords are not suitable for capturing the security and memorability of free-form gestures. Hence, we modify a recently proposed metric for analyzing information capacity of continuous full-body movements for this purpose. Our metric computed estimated mutual information in repeated sets of gestures. Surprisingly, one-finger gestures had higher average mutual information. Gestures with many hard angles and turns had the highest mutual information. The best-remembered gestures included signatures and simple angular shapes. We also implemented a multitouch recognizer to evaluate the practicality of free-form gestures in a real authentication system and how they perform against shoulder surfing attacks. We discuss strategies for generating secure and memorable free-form gestures. We conclude that free-form gestures present a robust method for mobile authentication.

Engineering Gesture-Based Authentication Systems

Gestures are a topic of increasing interest in authentication, but successfully implementing them as a security layer requires reliable gesture recognition. So far, much work focuses on new ways to recognize gestures, leaving discussion on the viability of recognition in an authentication scheme to the background. Its as yet unclear how gesture recognition should be deployed for practical and robust real-world authentication. In this article, the authors analyze the effectiveness of different approaches to recognizing gestures and the potential for use in secure gesture-based authentication systems. This article is part of a special issue on privacy and security.

Free-Form Gesture Authentication in the Wild

Free-form gesture passwords have been introduced as an alternative mobile authentication method. Text passwords are not very suitable for mobile interaction, and methods such as PINs and grid patterns sacrifice security over usability. However, little is known about how free-form gestures perform in the wild. We present the first field study (N=91) of mobile authentication using free-form gestures, with text passwords as a baseline. Our study leveraged Experience Sampling Methodology to increase ecological validity while maintaining control of the experiment. We found that, with gesture passwords, participants generated new passwords and authenticated faster with comparable memorability while being more willing to retry. Our analysis of the gesture password dataset indicated biases in user-chosen distribution tending towards common shapes. Our findings provide useful insights towards understanding mobile device authentication and gesture-based authentication.

Guessing Attacks on User-Generated Gesture Passwords

Touchscreens, the dominant input type for mobile phones, require unique authentication solutions. Gesture passwords have been proposed as an alternative ubiquitous authentication technique. Prior security analysis has relied on inconsistent measurements such as mutual information or shoulder surfing attacks.We present the first approach for measuring the security of gestures with guessing attacks that model real-world attacker behavior. Our major contributions are: 1) a comprehensive analysis of the weak subspace for gesture passwords, 2) a method for enumerating the size of the full theoretical gesture password space, 3) a design of a novel guessing attack against user-chosen gestures using a dictionary, and 4) a brute-force attack used for benchmarking the performance of the guessing attack. Our dictionary attack, tested on newly collected user data, achieves a cracking rate of 47.71% after two weeks of computation using 109 guesses. This is a difference of 35.78 percentage points compared to the 11.93% cracking rate of the brute-force attack. In conclusion, users are not taking full advantage of the large theoretical password space and instead choose their gesture passwords from weak subspaces. We urge for further work on addressing this challenge.

Of Two Minds, Multiple Addresses, and One Ledger: Characterizing Opinions, Knowledge, and Perceptions of Bitcoin Across Users and Non-Users

Digital currencies represent a new method for exchange -- a payment method with no physical form, made real by the Internet. This new type of currency was created to ease online transactions and to provide greater convenience in making payments. However, a critical component of a monetary system is the people who use it. Acknowledging this, we present results of our interview study (N=20) with two groups of participants (users and non-users) about how they perceive the most popular digital currency, Bitcoin. Our results reveal: non-users mistakenly believe they are incapable of using Bitcoin, users are not well-versed in how the protocol functions, they have misconceptions about the privacy of transactions, and that Bitcoin satisfies properties of ideal payment systems as defined by our participants. Our results illustrate Bitcoins tradeoffs, its uses, and barriers to entry.

Where Usability and Security Go Hand-in-Hand: Robust Gesture-Based Authentication for Mobile Systems

Gestures have recently gained interest as a secure and usable authentication method for mobile devices. Gesture authentication relies on recognition, wherein raw data is collected from user input and preprocessed into a more manageable form before applying recognition algorithms. Preprocessing is done to improve recognition accuracy, but little work has been done in justifying its effects on authentication. We examined the effects of three variables: location, rotation, and scale, on authentication accuracy. We found that an authentication-optimal combination (location invariant, scale variant, and rotation variant) can reduce the error rate by 45.3% on average compared to the recognition-optimal combination (all invariant). We analyzed 13 gesture recognizers and evaluated them with three criteria: authentication accuracy, and resistance against both brute-force and imitation attacks. Our novel multi-expert method (Garda) achieved the lowest error rate (0.015) in authentication accuracy, the lowest error rate (0.040) under imitation attacks, and resisted all brute-force attacks.

Composition policies for gesture passwords: User choice, security, usability and memorability

Research on gesture passwords suggest they are highly usable and secure, leading them to be proposed as a strong alternative authentication method for touchscreen devices. However, studies demonstrate that user-chosen gesture passwords are biased towards familiar symbols, increasing the risk of guessing. Prior work on gesture elicitation focuses on creating sets with high overlap, but gesture passwords require solving an inverse problem: minimal overlap between different users. We present the results of the first study (N = 128) of composition policies for gesture passwords, wherein we compare four policies derived from unique properties of gesture passwords. Our main result is that implementing a policy changes user choice, security, usability, and memorability compared to a control group and that the strength of those changes depend on the policies. We report trade-offs among the instruction policies while showing that simple policies cause users to choose stronger and diverse gesture passwords.

Of Two Minds, Multiple Addresses, and One History: Characterizing Opinions, Knowledge, and Perceptions of Bitcoin Across Groups

Digital currencies represent a new method for exchange and investment that differs strongly from any other fiat money seen throughout history. A digital currency makes it possible to perform all financial transactions without the intervention of a third party to act as an arbiter of verification; payments can be made between two people with degrees of anonymity, across continents, at any denomination, and without any transaction fees going to a central authority. The most successful example of this is Bitcoin, introduced in 2008, which has experienced a recent boom of popularity, media attention, and investment. With this surge of attention, we became interested in finding out how people both inside and outside the Bitcoin community perceive Bitcoin -- what do they think of it, how do they feel, and how knowledgeable they are. Towards this end, we conducted the first interview study (N=20) with participants to discuss Bitcoin and other related financial topics. Some of our major findings include: not understanding how Bitcoin works is not a barrier for entry, although non-user participants claim it would be for them and that user participants are in a state of cognitive dissonance concerning the role of governments in the system. Our findings, overall, contribute to knowledge concerning Bitcoin and attitudes towards digital currencies in general.