Modelling the security of recognition-based graphical password schemes
Abstract
Recognition-based graphical passwords are a suggested alternative authentication mechanism which has received substantial attention in the research literature. The literature often presents new schemes or usability studies, or proposes countermeasures for specific attacks. Whilst this is beneficial, it does not allow for consistent comparison of the security of recognition-based graphical password schemes. This thesis contributes a proposed solution to this problem. Presented in this thesis are models for estimating the number of attacks required before success for four aspects of the security of a recognition-based graphical password scheme. This includes two types of guessing attacks and two types of observation attacks. These models combine to provide an overall metric of the security of recognition-based graphical password schemes. Attacks to be incorporated into the metric were established by reviewing the literature and establishing the scope and context. The literature review allowed extraction of the variables which represent a recognition-based graphical password scheme. The first aspect examined was that of guessing attacks. The first guessing attack considered was random guessing; the model for this aspect was an adaptation of the frequently reported mathematical model. The second guessing attack was a newly proposed attack which prioritised images from more popular semantic categories, e.g. animals. The model for this attack was constructed as a further adaptation of the random guessing model, based on the success rates for the attack, which were established by simulations that incorporated user-selected images. The observability attacks modelled were shoulder surfing and frequency attacks. The observability attack models were constructed by simulating the attacks for a wide range of potential configurations of recognition-based graphical password schemes. A mathematical model was fitted to the resulting data.
The final metric combined these models and was evaluated against a list of metric requirements established from relevant literature. The metric results in a consistent, repeatable, and quantitative method for comparing recognition-based graphical password schemes. It can be directly applied to a subset of schemes, which allows their security levels to be compared in a way not possible previously. Also presented are details on how the metric could be extended to incorporate other recognition-based graphical password schemes. The approach detailed also allows the possibility of extension to incorporate different attack types and authentication contexts. The metric allows appropriate selection of a recognition-based scheme and contributes to a detailed analysis of the security aspects of recognition-based graphical passwords.
Similar resources
Modelling the Security of Recognition-Based Graphical Passwords
Recognition-based graphical passwords have received attention in recent research as an alternative authentication mechanism. The research often presents new schemes, usability studies or proposes countermeasures for specific attacks. Whilst this is beneficial, it does not allow for consistent comparison of the security of recognition-based graphical password schemes. This paper contributes a pr...
Usability and Security of Recognition based Graphical Password Scheme
Authentication is the first line of defense against compromising confidentiality and integrity. People can remember pictures better and for longer periods than alphanumeric passwords. All graphical passwords have two different aspects which are usability and security. Woefully none of these schemes were being able to fulfill both of these aspects at the same time. We analyze the known attack me...
Qualitative Analysis of Recognition-Based Graphical Password Authentication Schemes for Accessing the Cloud
Cloud computing is increasingly becoming popular as many enterprise applications and data are moving into cloud platforms. However, a major barrier for cloud application is real and perceived lack of security. There are many security mechanisms exercised to utilize cloud services. Amongst them the prominent and primitive security mechanism is the Authentication System. Traditional text based p...
A Survey on Recognition Based Graphical User Authentication Algorithms
Nowadays, user authentication is one of the important topics in information security. Strong text-based password schemes could provide with certain degree of security. However, the fact that strong passwords are difficult to memorize often leads their owners to write them down on papers or even save them in a computer file. Graphical authentication has been proposed as a possible alternative so...
TwoStep: An Authentication Method Combining Text and Graphical Passwords
Text-based passwords alone are subject to dictionary attacks as users tend to choose weak passwords in favor of memorability, as well as phishing attacks. Many recognition-based graphical password schemes alone, in order to offer sufficient security, require a number of rounds of verification, introducing usability issues. We suggest a hybrid user authentication approach combining text password...