Strengthening knowledge-based authentication with graphical passwords
(Last updated on September 26, 2019)
User authentication is a necessary component in any digital security process. Whether it’s entering a password for an online account or answering a security question when the password fails, we are all familiar with the verification process carried out via knowledge-based authentication (KBA).
The success of KBA is contingent on the user actually memorizing the secret (i.e. a password or PIN). When we inevitably fail to recall a password, the usability of KBA suffers, even more so if the password recovery process is cumbersome. In scenarios where KBA is the sole authentication factor, its appeal deteriorates further in the face of user impersonation and data breaches.
Despite its aforementioned shortcomings, KBA remains a contender in the authentication process thanks to its familiarity and minimal investment requirements. With that being said, is there an opportunity to improve the user authentication process while still leveraging KBA?
Graphic passwords solve the KBA usability issue
Graphical passwords are a potential alternative to the traditional text-based approach. Classic cognitive science experiments indicate humans have an almost limitless memory for pictures. Simply put, it’s easier to recognize a previously seen image than a random string of characters. If graphical passwords solve the usability issue, they might also improve the security story. If the authentication secret is easier to remember, users are less likely to partake in poor security practices such as reusing it across multiple applications or writing it down.
Graphical passwords fall into two categories: recognition-based and recall-based. In a recognition-based authentication scheme, the user must identify an image they have previously seen. In a recall-based authentication scheme, the user must reproduce something they have created. Take for example the Android unlock screen, where the user must reproduce a drawing on the screen grid.
In comparison to text-based passwords, graphical passwords are less vulnerable to dictionary and brute force attacks. However, their memorability makes them weak against shoulder surfers. In a recent online experiment, 1,173 participants watched videos of people unlocking their phone. Mimicking the shoulder surfing technique, the participants attempted to determine the authentication input. The participants were able to correctly copy the Android password 64% of the time. The six-number PIN was deemed most resistant against shoulder surfing attacks.
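As an added example (not part of the original article), the script below enumerates the valid key space of the 3x3 Android unlock pattern mentioned above, applying the platform's drawing rules (4 to 9 distinct dots, and a stroke that passes over an unvisited dot visits that dot first), and sets the total beside the 10^6 combinations of a six-digit PIN so a defender can compare the brute-force cost of the two schemes. The rule encoding and the comparison helper are this example's own assumptions.

```python
import math

GRID = 3  # dots are indexed 0..8, row-major

def midpoint(a, b):
    """Return the dot lying exactly between a and b, or None if none does."""
    ra, ca = divmod(a, GRID)
    rb, cb = divmod(b, GRID)
    if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return ((ra + rb) // 2) * GRID + (ca + cb) // 2
    return None  # adjacent or knight-style move, nothing is skipped over

def count_patterns(min_len=4, max_len=9):
    """Count valid unlock patterns, keyed by number of dots used."""
    counts = {}

    def dfs(path, visited):
        n = len(path)
        if n >= min_len:
            counts[n] = counts.get(n, 0) + 1
        if n == max_len:
            return
        for nxt in range(GRID * GRID):
            if visited[nxt]:
                continue
            mid = midpoint(path[-1], nxt)
            # A stroke may only jump over a dot that is already part of the pattern.
            if mid is not None and not visited[mid]:
                continue
            visited[nxt] = True
            dfs(path + [nxt], visited)
            visited[nxt] = False

    for start in range(GRID * GRID):
        visited = [False] * (GRID * GRID)
        visited[start] = True
        dfs([start], visited)
    return counts

def keyspace_comparison(pin_digits=6):
    """Compare the pattern key space with an n-digit PIN, in raw size and bits."""
    patterns = sum(count_patterns().values())
    pins = 10 ** pin_digits
    return {
        "pattern_space": patterns,
        "pattern_bits": round(math.log2(patterns), 2),
        "pin_space": pins,
        "pin_bits": round(math.log2(pins), 2),
    }

if __name__ == "__main__":
    print(count_patterns())
    print(keyspace_comparison())
```

Because the pattern space is smaller than a six-digit PIN's, any brute-force resistance in practice comes from rate limiting and lockout policy rather than from the size of the secret itself.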
Multi-factor authentication is the answer to KBA security
In user authentication scenarios with multi-factor authentication (MFA), KBA secrets can satisfy the “something you know” requirement. As we learned above, KBA doesn’t have to be limited to text-based passwords or security questions (in fact, you’re probably better off getting rid of security questions altogether). Combining graphical passwords with something you are (a fingerprint) or something you have (a smart card) strengthens both usability and authentication security.