The Security of Picture Gesture Authentication
Computing devices with touch-screens have experienced unprecedented growth in recent years. Such an evolutionary advance has been facilitated by various applications that are heavily relying on multi-touch gestures. In addition, picture gesture authentication has been recently introduced as an alternative login experience to text-based password on such devices. In particular, the new Microsoft Windows 8 operating system adopts such an alternative authentication to complement traditional text-based authentication. In this paper, we present an empirical analysis of picture gesture authentication on more than 10,000 picture passwords collected from over 800 subjects through online user studies. Based on the findings of our user studies, we also propose a novel attack framework that is capable of cracking passwords on previously unseen pictures in a picture gesture authentication system. Our approach is based on the concept of selection function that models users' password selection processes. Our evaluation results show the proposed approach could crack a considerable portion of collected picture passwords under different settings.
We will present a paper that describes this project at USENIX Security Symposium, 2013.
Due to the confidentiality agreement with the subjects, we are not able to share pictures that are marked having personally identifiable information in Dataset-1. For the pictures in Dataset-2, please refer to the PASCAL Visual Object Classes Challenge 2007. Here is the link to download both datasets.