PassBYOP is a new graphical password scheme for public terminals that replaces the static digital images typically used in graphical password systems with personalized physical tokens, herein in the form of digital pictures displayed on a physical user-owned device such as a mobile phone. Users present these images to a system camera and then enter their password as a sequence of selections on live video of the token. Highly distinctive optical features are extracted from these selections and used as the password. We present three feasibility studies of PassBYOP examining its reliability, usability, and security against observation. The reliability study shows that image-feature based passwords are viable and suggests appropriate system thresholds - password items should contain a minimum of seven features, 40% of which must geometrically match originals stored on an authentication server in order to be judged equivalent. The usability study measures task completion times and error rates, revealing these to be 7.5 s and 9%, broadly comparable with prior graphical password systems that use static digital images. Finally, the security study highlights PassBYOP’s resistance to observation attack - three attackers are unable to compromise a password using shoulder surfing, camera-based observation, or malware. These results indicate that PassBYOP shows promise for security while maintaining the usability of current graphical password schemes.
Andrea Bianchi, Ian Oakley and Hyoungshick Kim. 2016. PassBYOP: Bring Your Own Picture for Securing Graphical Passwords. In IEEE Transactions on Human-Machine Systems, vol. 46, no. 3, pp. 380-389, June 2016.