Traditional knowledge-based authentication mechanisms, such as Personal Identification Numbers (PINs) and text-based passwords, have a known weakness. While security can be enhanced by choosing a longer password, a longer password is harder to remember. Studies have shown that, as a result, users tend to pick shorter and more predictable passwords.
To address this problem in traditional knowledge-based authentication, graphical password schemes have been proposed. A range of different mechanisms have been suggested to exploit the power of graphical password authentication. The study of graphical passwords is strongly motivated by the assumption that images and/or pictures are easier to recall for humans than traditional text-based passwords. This assumption is supported by several cognitive psychology studies. The studies explore human visual memory space and show that pictures tend to be remembered far better and for longer than words. This is called the picture superiority effect. Researchers have conducted user studies on retention of pictures in graphical passwords and showed that this effect also holds true for graphical passwords even when multiple passwords are to be remembered.
Graphical passwords can be clustered into three categories: “cognometric”, “locimetric”, and “drawmetric”. Cognometric systems are based on the user's visual recognition of target images embedded amongst a set of distracter images. A user is asked to select a sequence of images from a larger set of images. Later, the user is required to identify the pre-selected images in order to be authenticated. The use of artist-drawn images, computer-generated abstract images and photographs has been explored in this approach; photographs have been found to be the most memorable. The major drawback of cognometric systems is that it takes longer to create a password and longer to log in than with text-based passwords.
Locimetric systems are based on the method of loci (a mnemonic) and cued recall. In this scheme, a user is requested to click on pre-selected areas of an image in a predefined order. This approach is considered more convenient than pure recall-based passwords. However, user studies showed that such passwords tend to be predictable, with obvious points in the picture being chosen. Moreover, users find it difficult to click accurately on the intended points of the image. It also takes users longer to learn the password and to enter it than with a text-based password.
Drawmetric systems require users to draw a figure on a canvas. A well-known system in this category is “Draw-a-Secret (DAS)”, in which a user is asked to draw a simple picture on a 2D grid. The grid cells the drawing passes through and the order of the strokes are stored for later comparison. If the user's drawing touches the same cells in the same order, the user is authenticated. However, the approach has not met with success. User studies show that users may be able to remember how their drawings looked, but they tend to be unable to recreate them accurately in the correct cells, or with the correct sequence of strokes.
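As an added illustration of the DAS comparison described above (example code written for this page, not taken from the DAS authors), the following encodes each stroke as the ordered sequence of grid cells it crosses, with a pen-up marker between strokes, and then checks a redrawn figure against the enrolled one. Assumptions: a 5×5 grid on a 100×100 canvas, and that the server stores a salted PBKDF2 digest of the cell sequence rather than the sequence itself (my choice for the example, not something DAS prescribes).

```python
import hashlib
import hmac
from typing import List, Sequence, Tuple

Point = Tuple[float, float]
Cell = Tuple[int, int]
PEN_UP: Cell = (-1, -1)  # marker ending a stroke, so stroke boundaries are part of the secret

def point_to_cell(p: Point, canvas: float = 100.0, grid: int = 5) -> Cell:
    """Map a canvas coordinate to the (column, row) of the grid cell it falls in."""
    x, y = p
    if not (0 <= x < canvas and 0 <= y < canvas):
        raise ValueError(f"point {p} is outside the canvas")
    size = canvas / grid
    return int(x // size), int(y // size)

def encode_strokes(strokes: Sequence[Sequence[Point]], canvas: float = 100.0, grid: int = 5) -> List[Cell]:
    """DAS encoding: the ordered cells each stroke passes through, then PEN_UP.
    Moving within one cell adds nothing, so exact pixel positions do not matter."""
    seq: List[Cell] = []
    for stroke in strokes:
        last = None
        for p in stroke:
            cell = point_to_cell(p, canvas, grid)
            if cell != last:
                seq.append(cell)
                last = cell
        seq.append(PEN_UP)
    return seq

def secret_digest(seq: Sequence[Cell], salt: bytes) -> bytes:
    """Salted slow hash of the cell sequence (assumption: this is what gets stored)."""
    raw = ";".join(f"{c},{r}" for c, r in seq).encode()
    return hashlib.pbkdf2_hmac("sha256", raw, salt, 100_000)

def enrol(strokes: Sequence[Sequence[Point]], salt: bytes) -> bytes:
    return secret_digest(encode_strokes(strokes), salt)

def verify(strokes: Sequence[Sequence[Point]], salt: bytes, stored: bytes) -> bool:
    """Accept only if the redrawn figure crosses the same cells in the same order."""
    try:
        return hmac.compare_digest(secret_digest(encode_strokes(strokes), salt), stored)
    except ValueError:  # a point off the canvas is simply a failed attempt
        return False

# Constructed sample drawings: 100x100 canvas, 5x5 grid, so each cell is 20 units wide.
ENROLLED = [[(5, 5), (25, 5), (45, 5)], [(5, 25), (5, 45)]]         # (0,0)(1,0)(2,0) | (0,1)(0,2)
REDRAWN_OK = [[(12, 10), (30, 3), (50, 18)], [(15, 30), (19, 59)]]  # same cells, different pixels
REDRAWN_BAD = [[(5, 5), (25, 5), (45, 25)], [(5, 25), (5, 45)]]     # first stroke drifts into (2,1)

if __name__ == "__main__":
    salt = b"constructed-demo-salt"
    stored = enrol(ENROLLED, salt)
    print(verify(REDRAWN_OK, salt, stored), verify(REDRAWN_BAD, salt, stored), verify(ENROLLED[::-1], salt, stored))
```

The third check swaps the stroke order, which is the other failure mode the user studies report: the right cells in the wrong sequence are rejected just as a drift into a neighbouring cell is.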
It is thus desirable to explore new authentication schemes to take fuller advantage of graphical password authentication schemes without suffering too many of the existing shortcomings.