Imagine a password that consists of images. A login screen presents you with twelve images and you select your six images.

Recall Based Authentication versus Recognition Based Authentication

Traditional passwords depend on Recall Based Authentication: the user needs to recall in full the password s/he was given. There are other methods, such as Recognition Based Authentication, that use graphic images as selectors.

There are three main techniques for user authentication: knowledge-based systems (what you know), token-based systems (what you have), and biometrics (what you are). NB: there is also what you can do.

Cognitive Science & Image Based Passwords

Cognitive science shows humans can remember images really well. Déjà Vu was a system that used image-based passwords. Its designers' goals:

  1. system should not rely on precise recall (unlike text based)
  2. system should prevent users from choosing weak passwords
  3. make it difficult to write down and share with others

They did this by using two phases:

  1. Picture Selection Phase: in which the user selects her pictures. These are abstract pictures on purpose, but they are also attractive.
  2. Training Phase: teaching the user how to login using the pictures

The Argument For Image Authentication

[Figure not preserved]

Source: Déjà Vu: A User Study Using Images for Authentication

Threats & Counters

  • Brute Force: depends on the number of pictures used. Counter: the more images used, the harder it is to crack.
  • Educated Guess: if you know the person you might guess his/her password. Counter: this is made harder by the enforcement of abstract images.
  • Observer: somebody shoulder surfs. Counter: shoulder surfing can be made difficult by adjusting the method of selection – the selection method can be hidden.
  • Intersection: if the 12 images are randomized each time but the 6 password images always remain among them, the password images are the ones that keep reappearing, so it is possible to eventually guess the password (think about if your lockout value was set to ten). Using the above counters should help with this.
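
To size the brute-force and intersection threats above, here is an added example (not from the Déjà Vu paper or the original post) that counts the guesses for a 6-of-12 screen and measures how many login screens it takes before only the password images remain in common. The pool size of 100 and the fixed-decoy comparison are assumptions introduced here; fixed decoys are a mitigation the post does not mention.

```python
import math
import random

POOL = 100              # assumed size of the server's image pool (not from the post)
SHOWN, CHOSEN = 12, 6   # from the post: twelve images shown, six are the password

def guess_space(shown=SHOWN, chosen=CHOSEN):
    """Selections a brute-force guesser must cover on one screen (order ignored)."""
    return math.comb(shown, chosen)

def screens_until_exposed(fixed_decoys, max_screens=10, seed=1):
    """Intersect successive login screens shown for one account.

    Returns (screens_needed_or_None, candidates_left). max_screens=10 mirrors
    the lockout value of ten the post uses as its illustration.
    """
    rng = random.Random(seed)
    images = list(range(POOL))
    portfolio = set(rng.sample(images, CHOSEN))        # the user's six images
    others = [i for i in images if i not in portfolio]
    decoys = rng.sample(others, SHOWN - CHOSEN)        # kept only if fixed_decoys
    candidates = None
    for n in range(1, max_screens + 1):
        if not fixed_decoys:
            decoys = rng.sample(others, SHOWN - CHOSEN)  # fresh decoys per login
        screen = portfolio | set(decoys)
        candidates = screen if candidates is None else candidates & screen
        if candidates == portfolio:
            return n, len(candidates)   # only the password images are left
    return None, len(candidates)

if __name__ == "__main__":
    print("brute-force space:", guess_space())
    print("re-randomized decoys:", screens_until_exposed(fixed_decoys=False))
    print("fixed decoys:", screens_until_exposed(fixed_decoys=True))
```

With re-randomized decoys the candidate set collapses to the six password images within a handful of screens, well inside a lockout of ten; with a fixed decoy set per account it stays at twelve, leaving the full brute-force space.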

More Reading: 

Déjà Vu: A User Study Using Images for Authentication
Picture Password: A Visual Login Technique for Mobile Devices