Simulating and modelling the effectiveness of graphical password intersection attacks

English, R. (2015) Simulating and modelling the effectiveness of graphical password intersection attacks. Concurrency and Computation: Practice and Experience, 27(12), pp. 3089-3107. (doi: 10.1002/cpe.3196)

Full text not currently available from Enlighten.

Abstract

Recognition-based graphical passwords (RBGPs) are often proposed as an alternative user authentication mechanism. However, discussion of attack resistance often lacks quantitative examination. Establishing the efficacy of countermeasures could allow selection of an appropriate countermeasure for the level of security required by a given system. Furthermore, this information could be used to construct a model to estimate the number of intersection attacks required before success. This research contributes to these goals by establishing effective countermeasures and a model for intersection attacks. The approach involves creating a simulation of intersection attacks using five possible countermeasures and performing analysis to determine efficacy. Results show that using dummy screens does not increase the number of attacks required. It is also shown that increasing the number of challenge screens can increase and reduce the number of attacks required. Also presented is a model for RBGP schemes that can be used to estimate the number of intersection attacks required for a RBGP scheme when configuration values such as the number of challenge screens are known. This allows a quantitative choice of countermeasure for intersection attacks and a calculation that can provide a basis of comparison with other RBGP schemes, which was previously not possible.

Item Type: Articles
Additional Information: Special Issue: Frontier technologies of trust computing and network security (TrustCom 2012).
Status: Published
Refereed: Yes
Glasgow Author(s) Enlighten ID: English, Dr Rosanne
Authors: English, R.
College/School: College of Science and Engineering > School of Computing Science
Journal Name: Concurrency and Computation: Practice and Experience
Publisher: Wiley
ISSN: 1532-0626
ISSN (Online): 1532-0634
Published Online: 18 December 2013
