User-Generated Free-Form Gestures for Authentication: Security and Memorability
Michael Sherman, Gradeigh Clark, Yulong Yang, Shridatt Sugrim, Arttu Modig, Janne Lindqvist, Antti Oulasvirta, Teemu Roos

TL;DR
This study evaluates the security and memorability of free-form multitouch gestures for mobile authentication, introducing a new metric for security analysis and testing practical recognition and resistance to shoulder surfing.
Contribution
It introduces a novel information capacity metric for free-form gestures and provides empirical data on their security and memorability in authentication.
Findings
One-finger gestures had higher mutual information than multi-finger gestures.
Gestures with many angles and turns had the highest information capacity.
Signatures and simple angular shapes were most memorable.
Abstract
This paper studies the security and memorability of free-form multitouch gestures for mobile authentication. Towards this end, we collected a dataset with a generate-test-retest paradigm where participants (N=63) generated free-form gestures, repeated them, and were later retested for memory. Half of the participants decided to generate one-finger gestures, and the other half generated multi-finger gestures. Although there has been recent work on template-based gestures, there are yet no metrics to analyze security of either template or free-form gestures. For example, entropy-based metrics used for text-based passwords are not suitable for capturing the security and memorability of free-form gestures. Hence, we modify a recently proposed metric for analyzing information capacity of continuous full-body movements for this purpose. Our metric computed estimated mutual information in…
Taxonomy
Topics: User Authentication and Security Systems · Digital Communication and Language · Advanced Malware Detection Techniques
