Multiple-Password Interference in the GeoPass User Authentication Scheme

Author(s): Mahdi Nasrullah Al-Ameen, Matthew Wright

Download: Paper (PDF)

Date: 7 Feb 2015

Document Type: Briefing Papers

Additional Documents: Slides

Associated Event: NDSS Symposium 2015

Abstract:

Password schemes based on selecting locations in an online map are an emerging topic in user authentication research. GeoPass is the most promising such scheme, as it provides satisfactory resilience against online guessing and showed high memorability (97%) for a single location-password. No multiple-password interference study, however, has been conducted to see if GeoPass or any other location-based password scheme is suitable for real-world deployment, where users have to remember multiple passwords. In this paper, we report the results of two separate multiple-password studies on GeoPass, each conducted over the span of three weeks. In the first study, we aim to understand the effects of interference on GeoPass scheme, where we found that users remembered location-passwords in less than 70% of login sessions, with 41.5% of login failures due to interference effects. Through a detailed analysis, we identify why interferences occur for location-passwords, and based on our findings, we propose to leverage mental stories to address the interference issue. We then perform a second interference study on modified GeoPass scheme to test the efficacy of our approach, where we found that the login success rate was greater than 97% and 3.4% of login attempts failed because of interference effects.