You Only Live Twice or "The Years We Wasted Caring about Shoulder-Surfing"

TL;DR

This paper examines the limitations of passwords, explores graphical authentication prototypes, and argues that alternative mechanisms should focus on authentication scenarios rather than password flaws to achieve widespread adoption.

Contribution

It provides a detailed analysis of graphical authentication prototypes and advocates for scenario-focused alternatives to overcome password-related issues.

Findings

Password problems like observation are inherent to passwords.

Graphical authentication prototypes reveal password flaws.

Effective alternatives should target authentication scenarios.

Abstract

Passwords are a good idea, in theory. They have the potential to act as a fairly strong gateway. In practice though, passwords are plagued with problems. They are (1) easily shared, (2) trivial to observe and (3) maddeningly elusive when forgotten. While alternatives to passwords have been proposed, none, as yet, have been adopted widely. There seems to be a reluctance to switch from tried and tested passwords to novel alternatives, even if the most glaring flaws of passwords can be mitigated. One argument is that there is not enough investigation into the feasibility of many password alternatives. Graphical authentication mechanisms are a case in point. Therefore, in this paper, we detail the design of two prototype applications that utilise graphical authentication mechanisms. However, when forced to consider the design of such prototypes, we find that pertinent password problems eg. observation of entry, are just that: password problems. We conclude that effective, alternative authentication mechanisms should target authentication scenarios rather than the well-known problems of passwords. This is the only route to wide-spread adoption of alternatives.