9.4. Let's Face It

Given the psychological evidence that humans remember pictures better than text, graphical passwords are an attractive approach to improving both user authentication and key generation. There is already empirical evidence that this approach can yield user authentication schemes with better memorability. The analysis we surveyed here suggests that it is possible to design a graphical authentication scheme that permits user-chosen passwords (e.g., the Story scheme) and still provides adequate user authentication, provided that only a limited number of incorrect guesses are permitted before the account is locked. However, the study also shows that such a scheme must be designed with care; in particular, the Face scheme fails significantly when users select their own passwords, since in that case a limit on incorrect guesses no longer offers adequate protection.
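To make the lockout argument concrete, the following is an added example, not code from the chapter or from the Story and Face studies. It models a Story-like scheme as an ordered choice of 4 distinct images from a 3x3 panel (9·8·7·6 = 3024 passwords), stores a salted PBKDF2 hash of the chosen sequence, and locks the account after 3 wrong attempts. The panel size, password length, lockout threshold and the Zipf-shaped choice distribution are all assumptions for illustration; the skewed distribution stands in for a scheme whose users cluster on a few popular choices and does not reproduce the study's measured data. `guess_success` gives the chance that an attacker who knows the population's choice distribution succeeds within the lockout budget by trying the most popular passwords first.

```python
"""Online guessing against a graphical password protected by a lockout.

Toy model (assumptions, not the chapter's schemes): a Story-like password is an
ordered pick of LEN distinct images from a GRID of images; the verifier stores a
salted PBKDF2 hash of the sequence and locks the account after LOCKOUT_THRESHOLD
wrong attempts. The second half measures how much that lockout buys against an
attacker who knows how users choose, for a uniform distribution versus a
constructed Zipf-skewed one.
"""
import hashlib
import hmac
import os
from math import prod

GRID = 9               # assumption: 3x3 panel of images
LEN = 4                # assumption: password = 4 distinct images, in order
LOCKOUT_THRESHOLD = 3  # assumption: account locks after 3 wrong attempts
PBKDF2_ITERS = 100_000


def password_space(grid=GRID, length=LEN):
    """Number of ordered selections of `length` distinct images out of `grid`."""
    return prod(range(grid, grid - length, -1))


def _encode(seq):
    # Canonical byte encoding of the image sequence before hashing.
    return ",".join(str(i) for i in seq).encode()


def enroll(seq):
    """Store a salted, slow hash of the chosen sequence plus lockout state."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _encode(seq), salt, PBKDF2_ITERS)
    return {"salt": salt, "hash": digest, "failures": 0, "locked": False}


def verify(record, attempt):
    """Check an attempt; count failures and lock after LOCKOUT_THRESHOLD."""
    if record["locked"]:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", _encode(attempt), record["salt"], PBKDF2_ITERS)
    if hmac.compare_digest(digest, record["hash"]):  # constant-time comparison
        record["failures"] = 0
        return True
    record["failures"] += 1
    if record["failures"] >= LOCKOUT_THRESHOLD:
        record["locked"] = True
    return False


def uniform_distribution(n=None):
    """Every password equally likely: the ideal a lockout analysis assumes."""
    n = n or password_space()
    return [1.0 / n] * n


def zipf_distribution(n=None, s=1.0):
    """Constructed skew: the rank-r password has probability proportional to 1/r**s.
    Stands in for a scheme where a few popular choices dominate (assumption)."""
    n = n or password_space()
    weights = [1.0 / (r ** s) for r in range(1, n + 1)]
    total = sum(weights)
    return [w / total for w in weights]


def guess_success(distribution, budget):
    """Probability that an attacker who knows the population's choice
    distribution hits a random user's password within `budget` attempts,
    trying the most popular passwords first."""
    return sum(sorted(distribution, reverse=True)[:budget])


if __name__ == "__main__":
    rec = enroll((4, 1, 7, 2))
    print("correct:", verify(rec, (4, 1, 7, 2)))
    for bad in ((0, 1, 2, 3), (1, 2, 3, 4), (2, 3, 4, 5)):
        print("wrong:", verify(rec, bad), "locked:", rec["locked"])
    print("correct after lockout:", verify(rec, (4, 1, 7, 2)))
    n = password_space()
    print("password space:", n)
    for name, dist in (("uniform", uniform_distribution(n)), ("zipf", zipf_distribution(n))):
        print(f"{name}: P[success within {LOCKOUT_THRESHOLD} guesses] = "
              f"{guess_success(dist, LOCKOUT_THRESHOLD):.4f}")
```

Running the block prints roughly 0.001 for the uniform case (3 of 3024) and about 0.21 for the Zipf case: the same three-guess lockout that makes a uniform 3024-password space adequate against online guessing buys almost nothing once user choices are concentrated on a few favourites. The lockout counter must also live on the server and be tied to the account rather than to the client session, or an attacker simply resets it.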

An issue that is much less clear at this point is the extent to which repeatable key generation can be achieved satisfactorily using graphical passwords. To our knowledge, only two classes of schemes have been proposed for this purpose, and neither has been evaluated empirically.[38], [39] We consider this to be an area warranting significant future research in both design and evaluation.

[38] Jermyn et al.

[39] Stubblefield and Simon.

Our collective understanding of graphical passwords is still in its infancy, and for this reason, we caution users against adopting them (even for user authentication) without careful consideration of alternatives. We do believe that some designs will prove to be more usable than text passwords and adequately secure for user authentication, in terms of the measures that we have discussed here. However, they may fall prey to other attacks that we have not considered here; for example, passwords based on image recognition, tapping, or drawing may be more easily observed by an onlooker ("shoulder surfing") while a user is entering the password. In contrast, text passwords in which the characters are not echoed (or, more typically, echoed with nondescript characters such as asterisks) provide few on-screen cues as to what the password is. So, considering whether to adopt a graphical password scheme requires attention to a range of system factors, as well.



Security and Usability: Designing Secure Systems That People Can Use
ISBN: 0596008279
Year: 2004
Pages: 295