A. Saravanos1, M. Curinga2, K. Auchter1

1New York University (UNITED STATES)
2Adelphi University (UNITED STATES)
In this work we focus on the role of user training in the effective realization of cyber-security as it applies to authentication. Authentication is considered to be one of the key activities in the area of cyber-security and has become one of the most common processes carried out by users of modern information systems. Despite this ubiquity, authentication mechanisms are still understood to be vulnerable to exploitation by malicious users, with the primary weakness recognized to be the people using the mechanism. This is often attributed to three reasons. The first is that security is not a user's foremost reason for using a system but rather an additional step that must be completed before performing a primary task. The second is that a user may not know how to use the security solution effectively. The third is that the user may not physically be able to use the security solution in a way that is effective. In other words, the desire to minimize the effort involved in the authentication process, together with users' limited memory, leads to existing schemes being used in an ineffective manner. Consequently, if system security is to be improved, we need to train the human user to interact with an authentication mechanism in a way that makes it effective. We examine the role of training on a specific form of graphical authentication, Microsoft's Picture Password, found on all machines running the popular Windows 8 and 10 operating systems. This mechanism allows users to authenticate with a graphical password that blends the locimetric and/or drawmetric techniques. Users are required to create three gestures in sequence on an image of their choosing. A gesture is defined to be the selection of a point (locimetric) or the drawing of a line or shape (drawmetric). We specifically focus on locimetric (click-based) passwords. These passwords have been found to have the weakness of being predictable.
In other words, there are certain points on an image that users are more likely to select as part of their locimetric passwords. These points are referred to in the literature as hot-spots. To test the effect of training on the effective use of the locimetric authentication scheme, an implementation of the training and setup phases of a locimetric authentication mechanism was designed and developed. We then examined whether the training offered as part of the Picture Password solution influences the quality of the passwords created. Through this work we propose and demonstrate how training can be used to partly overcome the weaknesses inherent in the locimetric scheme and in Microsoft's Picture Password solution. We conclude by discussing the importance of training in realizing effective cyber-security.
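The hot-spot weakness described above can be made concrete with a small analysis of collected click points. The following Python is an added illustration and is not the authors' implementation of the training and setup phases; it assumes a 20-pixel grid cell as a stand-in for the tolerance a scheme such as Picture Password allows around each selected point, a 5% share of all clicks as the hot-spot threshold, and a constructed sample of 100 click points on a 640x480 image in place of real user-study data. It identifies hot-spot cells, measures how concentrated the click distribution is, and scores a candidate three-point password by how many guesses an attacker who orders point sequences by observed likelihood would need, which is the kind of feedback a setup phase could give a user before accepting a password.

```python
"""Hot-spot analysis for click-based (locimetric) graphical passwords.

Added illustration, not code from the paper. Click points gathered from
many users are bucketed into a coarse grid; cells that attract a
disproportionate share of clicks are hot-spots, and a candidate password
is scored by how cheaply an attacker who knows the click distribution
could guess it.
"""
from collections import Counter
from itertools import product
from math import log2, prod

GRID = 20          # assumed cell size in pixels; approximates gesture tolerance
MIN_SHARE = 0.05   # assumed threshold: a cell with >= 5% of all clicks is a hot-spot


def cell(point, grid=GRID):
    """Map a pixel coordinate to its grid cell."""
    x, y = point
    return (x // grid, y // grid)


def click_counts(click_points, grid=GRID):
    """Count observed clicks per grid cell."""
    return Counter(cell(p, grid) for p in click_points)


def hotspots(click_points, grid=GRID, min_share=MIN_SHARE):
    """Cells whose share of all observed clicks reaches min_share."""
    counts = click_counts(click_points, grid)
    total = sum(counts.values())
    return {c: n / total for c, n in counts.items() if n / total >= min_share}


def click_entropy_bits(click_points, grid=GRID):
    """Shannon entropy of the per-cell click distribution, in bits per click.
    The lower it is relative to log2(number of cells), the more predictable
    the population's point choices are."""
    counts = click_counts(click_points, grid)
    total = sum(counts.values())
    return -sum(n / total * log2(n / total) for n in counts.values())


def guesses_needed(password, click_points, grid=GRID):
    """Worst-case number of guesses for an attacker who tries point sequences
    in order of decreasing likelihood under the observed click distribution.
    Only cells seen in the collected data are enumerated; integer click counts
    are multiplied so that tied likelihoods compare exactly. Returns None when
    a point lies in a cell the attacker never observed."""
    counts = click_counts(click_points, grid)
    target = prod(counts.get(cell(p, grid), 0) for p in password)
    if target == 0:
        return None
    return sum(1 for seq in product(counts, repeat=len(password))
               if prod(counts[c] for c in seq) >= target)


def setup_feedback(password, click_points, grid=GRID, max_hits=1):
    """Feedback a setup phase could give: which chosen points fall on
    hot-spots, whether the password passes the (assumed) policy of at most
    max_hits hot-spot points, and the attacker's worst-case guess count."""
    hot = hotspots(click_points, grid)
    hits = [i for i, p in enumerate(password) if cell(p, grid) in hot]
    return {"hotspot_points": hits,
            "accept": len(hits) <= max_hits,
            "guesses": guesses_needed(password, click_points, grid)}


# Constructed sample (not real study data): 100 clicks on a 640x480 image.
# 40 land on one salient feature, 30 on another, 30 are scattered elsewhere.
SAMPLE_CLICKS = (
    [(120 + i % 5, 80 + i // 5) for i in range(40)]
    + [(300 + i % 5, 200 + i // 5) for i in range(30)]
    + [(i * 19 % 640, i * 37 % 480) for i in range(30)]
)

WEAK_PASSWORD = [(121, 83), (302, 201), (123, 86)]     # every point on a hot-spot
STRONG_PASSWORD = [(65, 145), (390, 270), (530, 70)]   # observed but rarely chosen cells
OFFGRID_PASSWORD = [(40, 75), (500, 410), (250, 333)]  # cells never seen in the sample

if __name__ == "__main__":
    print("hot-spots:", hotspots(SAMPLE_CLICKS))
    print("entropy (bits/click): %.2f" % click_entropy_bits(SAMPLE_CLICKS))
    for name, pw in [("weak", WEAK_PASSWORD), ("strong", STRONG_PASSWORD),
                     ("off-grid", OFFGRID_PASSWORD)]:
        print(name, setup_feedback(pw, SAMPLE_CLICKS))
```

On this constructed sample two cells account for 70% of all clicks, so a password built entirely from them falls within the attacker's first four guesses, whereas a password on rarely chosen cells forces the attacker through the full 32^3 enumeration of observed cells. The grid and threshold are assumptions; a real deployment would calibrate them to the scheme's actual gesture tolerance and to click data collected on the specific image.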