Dec 21 2008

Sonia Chiasson, PhD

Published by at 4:05 pm under News

Sonia Chiasson successfully defended her PhD thesis on Wednesday
December 17th: congratulations Sonia! She will be staying at Carleton
University for a little while longer, beginning a post-doctoral
fellowship on January 1st, 2009.

Sonia’s thesis was entitled “Usable Authentication
and Click-Based Graphical Passwords”, and the abstract is as follows:

Security experts often refer to humans as the “weakest link” (Sasse, Brostoff, and
Weirich, 2001) in the security chain, asserting that the problem lies not with the
security systems themselves, but with users who are unable or unwilling to comply
with security protocols. The shift towards usable security and including human factors
in system design is an important one that has a direct impact on system security.
In this thesis, we focus on knowledge-based authentication. We examine the
password problem, where passwords are either weak-and-memorable or
secure-but-difficult-to-remember, despite the need for secure and memorable passwords. We
concentrate on graphical passwords due to the human ability to accurately recognize
and recall images. We began by cataloguing existing graphical passwords, focusing
equally on usability and security characteristics, and identified PassPoints, a
click-based graphical password scheme, as the scheme that appeared most promising and
that we believed warranted closer evaluation. Our overall research question, therefore,
asks: “Can click-based graphical passwords simultaneously support both memorability
and security, while maintaining usability?”

We conducted lab and field studies of PassPoints, and identified areas for usability
and security improvements. We next designed Cued Click-Points and Persuasive
Cued-Click-Points, schemes with several novel design features: one-to-one cueing to
help with the memorability, implicit feedback meaningful only to legitimate users, and
a safe-path-of-least-resistance influencing users to select stronger memorable
passwords. Empirical studies of both schemes provide evidence of increased usability,
memorability, and security. Additionally, we propose a new discretization method for
such systems that improves usability by making the system more predictable from
the user’s perspective and improves security by allowing for smaller tolerance regions
without sacrificing usability. From this empirical work, we identified the underlying
design characteristics of our systems that led to success and generalized our findings
as design strategies that may be applicable to other knowledge-based authentication
schemes.
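The abstract's last contribution, discretization, is the part of a click-based scheme that a security engineer most often gets wrong, so here is an added illustration of the problem it solves. This is example code written for this post, not code from the thesis or from PassPoints, and the particular grid-shifting rule it uses is one common way to obtain a predictable tolerance region; it should not be read as the thesis's own method. A user never reproduces a click to the pixel, yet the server must hash something deterministic, so each click (x, y) has to be mapped to a discrete cell that is identical for every "close enough" click. The example compares a naive fixed grid with a per-point shifted grid whose shift is stored in the clear beside the hash, and shows why the fixed grid is unpredictable (a click one pixel off can fail while one seventeen pixels off succeeds) and why the shifted grid lets the tolerance be exactly R pixels. The tolerance R, the function names and the sample click-points are all chosen for this example.

```python
"""Click-point discretization before hashing (added illustration, not the thesis's code)."""
import hashlib
import hmac
import os
from typing import Callable, Optional, Sequence, Tuple

Point = Tuple[int, int]

R = 9          # accept a re-entered click within R pixels of the original, per axis (example value)
CELL = 2 * R   # cell width: the widest cell that can still guarantee an R-pixel tolerance


def fixed_cell(x: int) -> int:
    """Naive discretization: cell index on a grid anchored at pixel 0."""
    return x // CELL


def centred_offset(x: int) -> int:
    """Grid shift that puts x in the middle of a cell.
    Stored in the clear with the hash; it reveals only x mod CELL, not the cell itself."""
    return (x - R) % CELL


def centred_cell(x: int, offset: int) -> int:
    """Cell index on the grid shifted by `offset` (the shift computed at enrolment)."""
    return (x - offset) // CELL


def accepted_interval(x: int, cell_of: Callable[[int], int]) -> Tuple[int, int]:
    """Inclusive range of re-entered x' that lands in the same cell as x (brute force, for the demo)."""
    lo = hi = x
    while cell_of(lo - 1) == cell_of(x):
        lo -= 1
    while cell_of(hi + 1) == cell_of(x):
        hi += 1
    return lo, hi


def _encode(cells: Sequence[Tuple[int, int]]) -> bytes:
    # Order is significant: the same points clicked in a different order are a different password.
    return ";".join(f"{cx},{cy}" for cx, cy in cells).encode()


def enroll(points: Sequence[Point], salt: Optional[bytes] = None) -> dict:
    """Store the per-point grid shifts in the clear plus a salted hash of the cell indices.
    SHA-256 keeps the example short; a deployment would use a slow password hash here."""
    salt = os.urandom(16) if salt is None else salt
    offsets = [(centred_offset(x), centred_offset(y)) for x, y in points]
    cells = [(centred_cell(x, ox), centred_cell(y, oy))
             for (x, y), (ox, oy) in zip(points, offsets)]
    digest = hashlib.sha256(salt + _encode(cells)).digest()
    return {"salt": salt, "offsets": offsets, "hash": digest}


def verify(record: dict, attempt: Sequence[Point]) -> bool:
    """Accept iff every re-entered click falls in the same shifted cell as the enrolled click."""
    if len(attempt) != len(record["offsets"]):
        return False
    cells = [(centred_cell(x, ox), centred_cell(y, oy))
             for (x, y), (ox, oy) in zip(attempt, record["offsets"])]
    digest = hashlib.sha256(record["salt"] + _encode(cells)).digest()
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    x = 107  # an enrolled x-coordinate near a fixed-grid cell edge (constructed)
    print("fixed grid   accepts x' in", accepted_interval(x, fixed_cell))   # (90, 107): lopsided
    off = centred_offset(x)
    print("centred grid accepts x' in", accepted_interval(x, lambda v: centred_cell(v, off)))  # (98, 115)

    # A constructed five-click password and some re-entry attempts.
    pw = [(107, 42), (300, 210), (18, 19), (250, 99), (400, 300)]
    rec = enroll(pw)
    print("exact re-entry:", verify(rec, pw))
    print("every click a few pixels off:", verify(rec, [(px + 4, py - 3) for px, py in pw]))
    print("same points, reversed order:", verify(rec, pw[::-1]))
```

The stored offsets are not secret, so the security of the scheme rests on how many distinct cell sequences a user is likely to choose, which is exactly why the abstract treats tolerance-region size and user choice (the "safe path of least resistance") together rather than separately.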
