Main Article Content
Abstract
BYOP is a new graphical password scheme for public terminals that replaces the static digital images typically used in graphical password systems with personalized physical tokens, herein in the form of digital pictures displayed on a physical userowned device such as a mobile phone. Users present these images to a system camera and then enter their password as a sequence of selections on live video of the token. Highly distinctive optical features are extracted from these selections and used as the password. We present three feasibility studies of BYOP examining its reliability, usability, and security against observation. The reliability study shows that imagefeature based passwords are viable and suggests appropriate system thresholds—password items should contain a minimum of seven features, 40% of which must geometrically match originals stored on an authentication server in order to be judged equivalent. The usability study measures task completion times and error rates, revealing these to be 7.5 s and 9%, broadly comparable with prior graphical password systems that use static digital images. Finally, the security study highlights BYOP’s resistance to observation attack— three attackers are unable to compromise a password using shoulder surfing, camera based observation, or malware. These results indicate that pass-BYOP shows promise for security while maintaining the usability of current graphical password schemes.