Security and User Interface Usability of Graphical Authentication Systems – A Review

International Journal of Computer Trends and Technology (IJCTT)          
 
© 2019 by IJCTT Journal
Volume-67 Issue-2
Year of Publication : 2019
Authors : Hassan Umar Suru, Pietro Murano
DOI :  10.14445/22312803/IJCTT-V67I2P104

MLA Style: Hassan Umar Suru, Pietro Murano "Security and User Interface Usability of Graphical Authentication Systems – A Review" International Journal of Computer Trends and Technology 67.2 (2019): 17-36.

APA Style: Hassan Umar Suru, Pietro Murano (2019). Security and User Interface Usability of Graphical Authentication Systems – A Review. International Journal of Computer Trends and Technology, 67(2), 17-36.

Abstract
Alphanumeric text and PINs continue to be the dominant authentication methods in spite of the numerous concerns raised by security researchers about their inability to properly address usability and security flaws and to effectively combine usability and security. These flaws have, however, contributed to the growing research interest in the development and use of graphical authentication systems as alternatives to text-based systems. Graphical passwords or graphical authentication systems are password systems that use images rather than characters or numbers in user authentication. In spite of the growing acceptance of graphical passwords, empirical studies have shown that graphical authentication systems have also inherited some of the flaws of text-based passwords. These flaws include predictability, vulnerability to observational attacks and the inability of systems to efficiently combine security with usability. Hence, there is a continued quest to find a "system" that has both strong usability and strong security. This paper is a detailed review of the current state of research into graphical authentication systems. The paper considers in detail some of the mechanisms used in graphical authentication, along with the flaws and strengths of each. The paper also concludes with some suggested ways forward.

Keywords
Graphical Authentication, graphical passwords, security, usability, user interface