Even after years of research in security, authentication schemes based on passwords still have numerous shortcomings [12, 9]. In general, neither simple nor very complex passwords provide the desired security. Shorter, simpler passwords, which are easy to remember, are too easily guessed with a password cracker program and user specific vocabulary. On the other hand, if the password is very complex the user cannot remember it and hence needs to write it on a piece of paper. This again compromises security, since the user might forget, loose, or leave the paper in insecure places. Storing the password in a file might also present a security risk, depending on the computing environment.
Similarly, there is a trade-off related to the number of distinct passwords used. On one hand having many different passwords for different cases of authentication improves the security of a system, but on the other hand users tend to write down the infrequently used passwords, which are usually used for higher security purposes.
Another problem with passwords nowadays is that they are ubiquitous. With the general increase of security awareness, the number of occasions in which a password is required has dramatically increased. Logging onto a computer, accessing a protected spreadsheet file, disabling a secure screen saver, and opening a personalized web site are just a few examples in which a password is required. Since a user can only remember a limited number of passwords, he or she will either write them down, or use similar or even equal passwords for different purposes. Both options have a negative impact on security: writing passwords down increases the chance of compromise, and reusing the same password in different places makes it only as secure as the weakest link.
On the Internet there are sites which offer personalized settings, such as my.yahoo.com. These sites require authentication with passwords but often do not use secure communication links. In this way passwords can be easily sniffed off the network, not to mention that a security breach of a site like ``My Yahoo!'' would compromise a very large number of systems, simply because people use the same passwords on many different systems. Similar considerations apply to PINs, which are frequently used as a method of authentication at ATM's.
The problems presented in this section are common. In the first place, our motive is to draw attention to them, and to stress that even theoretically secure schemes might be insecure in practice because they ignore human factors. Since people cannot remember strong passwords in general, we propose to replace the precise memorization and recall of the password or PIN with a recognition of a previously seen image, with the potential of alleviating some of the problems mentioned above.
Instead of having a user memorize a password, he or she is presented with a small number of images, the image portfolio, which he or she must memorize for recognition. The portfolio is shown to the user in a safe environment where it can be ensured that no other person can see the images.
When the user wants to authenticate, he or she is presented with a set of images. Some of the images are chosen from the user's image portfolio and others are generated randomly. The user must correctly identify all the images from the portfolio.
Suppose the portfolio contains images and that for authentication the system shows images. This gives combinations. A credit card PIN code is usually four digits long, which gives 10,000 possible combinations. To match this, we would have to use and which gives combinations.
A disadvantage of current ATM authentication schemes is that PIN codes can be observed from a distance [3] by various ways of acquiring the typing sequence of the key pad. Since the images in our scheme are presented in random order, an observer would gain no knowledge knowing which keys are typed, assuming that the images can only be seen by the person right in front of the ATM. A problem of displaying random images along with the ones in the portfolio is that a criminal could try to log in once for another person, remembering all the presented images. Later, the criminal would make a second attempt, picking the intersection of the presented images, which would correspond to the portfolio. Such attacks need to be taken into consideration during system design.
A combination of a traditional password scheme and image authentication system might give another opportunity to improve the current problems. The key observation for this approach is that people remember the password approximately, but not exactly. The system could generate an image for the password which is typed in so far, and the user would then recognize the image corresponding to the correct password and pass that string to the password checking function. Another idea is to use a fixed database of real photographs, instead of Random Art, and letting users choose the pictures in their portfolio. This approach can take the advantage that people are extremely good at pointing out which images (or faces) they have seen [1, 6] previously.