Research Article

Improving memorability using Emojis in a shoulder surfing resistant authentication method

[version 1; peer review: 1 approved with reservations, 1 not approved]
PUBLISHED 29 Mar 2022

This article is included in the Research Synergy Foundation gateway.

Abstract

Background: Emojis are icons that are familiar and fun to add pizzazz and colour to communication. They have also been used in authentication where the emojis form memorable pictogram story-like passwords. Emojis, which are graphical, are in general vulnerable to shoulder surfing attacks (SSAs). This paper studies whether graphics such as emojis offer better memorability than numerics when implemented in a shoulder-surfing resistant authentication method. Thus, the proposed method aims to meet both needs of being shoulder-surfing resistant as well as being memorable.
Methods: In this paper, an SSA-resistant method (DragPIN) is used as a reference system on which to implement emojis in place of numerics. Additionally, a new feature, cue questions, was implemented for added security. In the proposed method, users composed emoji-based stories using personalised cue questions that served as memory aids. Moreover, these self-chosen cue questions were less comprehensible to shoulder-surfing observers. There were two variants of the DragPIN method, manual and automatic-sliding. To compare the differences, both the reference configuration and modified versions based on the proposed method were implemented. Thirty people participated in user testing. A pre- and post-survey appraised user experience. User testing and surveys were performed on both methods and their variants for performance, memorability, and usability.
Results: All implementations successfully resisted shoulder surfing. The time taken for login in the manual variant using the proposed methodology was shorter than using the reference method. After four to six weeks, login performance taking into account intermediate failures was better for the proposed method (86.7-91.7%) than the reference method (76.7-78.3%). Hypothesis testing also showed significance in the results. This could point to higher memorability in the proposed method.
Conclusion: The study tests an emoji-based implementation against a PIN-based implementation in authentication. Emoji-based stories may form memorable passwords while personalised cue questions may aid memorability.

Keywords

Graphical Authentication System, PIN, Password, Emoji, Shoulder Surfing

Introduction

In general, graphical passwords are more memorable than text passwords because of the picture superiority effect [1–3]. Graphical authentication has been a widely researched topic. At the time of writing this paper, 1,090 articles were retrieved by Google Scholar with the search terms “shoulder-surfing” and “graphical authentication”.

There was an uptrend of publications from 2012 to 2017 which plateaued until 2020 [4] (Figure 1), with mean citations of 15.18 per paper. In dimensions.ai [4], the search phrase involving combinations of “emoji”, “picture”, “password” and “authentication” retrieved 587 publications.

Figure 1. Trend of picture/emoji-based authentication [4].

Literature review

Table 1 shows a comparison of previous works. Emojis have been used in authentication [5] but are in general more vulnerable to shoulder surfing attacks (SSAs). DragPIN [6] and the methods in [7,8] are resistant to SSA. The automatic sliding variant implemented by DragPIN has the advantage of the display not being static, so the displayed state may not necessarily correspond to the password, which makes it shoulder surfing resistant. However, methods [7,8] are vulnerable to intersection attacks after multiple recorded observations. DragPIN is resistant to SSAs but uses numbers, which are less memorable than pictures. EmojiAuth [5] is not SSA resistant but uses emojis, which are more memorable.

Table 1. Comparison of related works.

| Reference | Resistance to SSA |
|---|---|
| Srinivasan [6] | Yes (auto-sliding variant) |
| Salman Wang, & Li [7] | Vulnerable to intersection attack |
| Kasat & Bhadade [8] | Vulnerable to intersection attack |
| Golla, Detering, & Dürmuth [5] | No |

Both methods have strengths and disadvantages. Therefore, a modified DragPIN that uses emojis instead of digits addresses both systems’ drawbacks while maintaining their respective advantages.

Methods

DragPIN and EmojiAuth

A DragPIN prototype was constructed for testing. A signup screen, as shown in Figure 2, allows a user to create a login and register a 4-digit PIN. Users could sign in by choosing either the manual or automatic tabs (Figure 3). Conceptually, the implementation (shown in Figure 3) is similar to the original DragPIN [6].

Figure 2. DragPIN prototype signup page.

Figure 3. DragPIN implementation.

Figure 3 shows the DragPIN interface implementation. A prototype for EmojiAuth was also made: the signup page and login screen with an emoji keyboard are shown in Figures 4 and 5, respectively. Unlike the implementation in the original DragPIN, which had only a choice of 20 emojis, the prototype allowed users to make use of a wider set of emojis.

Figure 4. EmojiAuth prototype sign in.

Figure 5. Emoji Keyboard.

Proposed method – EmojiSlide

Operation

In this section, we describe how the software works. We implemented EmojiSlide (the proposed method) and DragPIN (the reference method) as a web application built with the Django framework. All the dependencies required to run the source code are managed by Pipenv version 2020.11.15. The software is provided in the repository mentioned under the Software availability section. Installation instructions are included in the README.md file archived in release v0.1-beta in the repository. The minimum system requirements are 512 MB of memory (RAM) and one CPU core. Figure 6 describes the flow of the web application that was used to evaluate the differences between DragPIN and the proposed method (EmojiSlide).

Figure 6. Flow diagram.

At the start of the program, the user is prompted to select the desired authentication method, either EmojiSlide or DragPIN. Thereafter, users have two options: log in or sign up. If the user navigates to the signup page in DragPIN or Emoji-Auth, an empty form is generated and passed to the frontend. The form data received by the backend via an HTTP POST request is validated and the user profile is saved in the database, following which users may use their credentials to log in via the earlier chosen method.

The proposed method uses emojis instead of numerics in the reference method, DragPIN. The user registers two 4-emoji passwords. For each 4-emoji password, the system generates six other random emojis, for a total of ten emojis. The set of these ten emojis is the challenge set. The challenge set forms the table (column) indexes used in authentication (shown in Figure 10). The challenge set is fixed per user. This ensures that a user's password cannot be deduced from observing the emojis displayed upon subsequent reloading of the challenge webpage.
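The fixed-per-user rule described above can be checked with a short simulation. This is an added example, not code from the EmojiSlide repository; the emoji pool, the `ChallengeStore` class, the function names and the handling of repeated password emojis are assumptions made for illustration.

```python
import secrets

# Constructed emoji pool; the page does not list the pool EmojiSlide draws from.
EMOJI_POOL = ["😀", "🐶", "🍕", "🚗", "🏠", "⚽", "🎸", "📚", "🌙", "🌵",
              "🐱", "🍎", "🎁", "🔑", "🎈", "🐟", "🌈", "🧩", "🍩", "🚀"]
CHALLENGE_SIZE = 10  # four password emojis plus six decoys, as described above


def build_challenge_set(password, pool=EMOJI_POOL, rng=None):
    """Return the password emojis plus random decoys, shuffled, ten in total."""
    rng = rng or secrets.SystemRandom()
    # Assumption: a repeated password emoji occupies one column, so extra
    # decoys are drawn to keep ten distinct columns.
    distinct = list(dict.fromkeys(password))
    if not distinct or len(distinct) > CHALLENGE_SIZE:
        raise ValueError("password length not supported")
    if any(emoji not in pool for emoji in distinct):
        raise ValueError("password emoji outside the pool")
    candidates = [emoji for emoji in pool if emoji not in distinct]
    decoys = rng.sample(candidates, CHALLENGE_SIZE - len(distinct))
    challenge = distinct + decoys
    rng.shuffle(challenge)  # column position must not mark the real emojis
    return challenge


class ChallengeStore:
    """One challenge set per (user, password slot); a dict stands in for the database."""

    def __init__(self):
        self._sets = {}

    def challenge_for(self, user, slot, password):
        key = (user, slot)
        if key not in self._sets:  # generated once, at registration
            self._sets[key] = build_challenge_set(password)
        return list(self._sets[key])


def common_emojis(displays):
    """Emojis present in every display an observer has recorded."""
    common = set(displays[0])
    for shown in displays[1:]:
        common &= set(shown)
    return common


def observe_reloads(password, reloads, fixed_per_user):
    """Reload the challenge page `reloads` times and return what stays constant."""
    store = ChallengeStore()
    displays = []
    for _ in range(reloads):
        if fixed_per_user:
            displays.append(store.challenge_for("alice", 0, password))
        else:
            # Weak variant: fresh decoys on every page load.
            displays.append(build_challenge_set(password))
    return common_emojis(displays)


if __name__ == "__main__":
    pw = ["🍕", "🌙", "🐶", "🔑"]  # constructed password
    print("fixed set     :", len(observe_reloads(pw, 40, True)), "emojis stay constant")
    print("fresh per load:", sorted(observe_reloads(pw, 40, False)))
```

With a stored set, all ten emojis stay constant across reloads, so the display alone says nothing about which four are real; with fresh decoys per load, only the password emojis survive the comparison.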

To increase memorability and security, cue questions were introduced (Figure 7), which were not present in DragPIN. Users wrote a cue question for each emoji password which also served as the password prompt. Resistance to SSA is increased by having randomly chosen cue questions. Each user must register two cue questions and two passwords, each of which consists of four emojis.

Figure 7. Cue question registration.

The proposed method was designed as a web application called EmojiSlide [9].

The username entry page is shown in Figure 8.

Figure 8. Sign-in page of the proposed method.

Figure 9 shows that a security measure to prevent Cross Site Request Forgery (CSRF) has been implemented. A CSRF token is a private, unique, and unpredictable value generated by a server-side application to protect CSRF-vulnerable resources. When a subsequent request is made, the server-side application checks that it contains the expected token and rejects the request if the token is absent or incorrect.

Figure 9. Sign-in page with a Cross Site Request Forgery (CSRF) token.

After the username is entered, the authentication screen is shown. During authentication (Figure 10), a user chooses either the manual or automatic sliding scheme. The procedure is similar to DragPIN, except that the digits have been replaced with emojis. Figure 10 shows the manual scheme. As an example, the user's emoji password is the four-emoji sequence shown as inline images in the original (graphic1.gif, graphic2.gif, graphic3.gif, graphic4.gif). The login process is started by the user mentally choosing a letter from the available letters. Let the chosen letter be ‘D’. One of the D’s in each row is aligned with the password emojis in the correct sequence. The icons look slightly different in Figure 10 due to emojis being customized on different platforms.

Figure 10. Proposed manual implementation.
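A simplified model of the manual scheme described above, written as an added example and not taken from the EmojiSlide source: the server accepts a login when one and the same letter sits under every password emoji, without ever learning which letter the user picked. The ten-cell cyclic letter strip `ABCDEABCDE`, the sample challenge set and all function names are assumptions; the real row layout is only visible in Figure 10.

```python
import itertools
import secrets

# Constructed challenge set: the ten column headers fixed for one user.
CHALLENGE = ["🐶", "🍕", "🚗", "🏠", "🎸", "📚", "🌙", "🌵", "🍎", "🔑"]
# Assumed letter strip in every row: five letters, each appearing twice.
STRIP = "ABCDEABCDE"


def letter_under(column, shift):
    """Letter under `column` once the row has been slid `shift` cells right (cyclic)."""
    return STRIP[(column - shift) % len(STRIP)]


def align(password, letter, challenge=CHALLENGE):
    """User side: slide row i until one copy of `letter` sits under password emoji i."""
    positions = [i for i, ch in enumerate(STRIP) if ch == letter]
    shifts = []
    for emoji in password:
        start = secrets.choice(positions)  # either copy of the letter works
        shifts.append((challenge.index(emoji) - start) % len(STRIP))
    return shifts


def verify(password, shifts, challenge=CHALLENGE):
    """Server side: accept when the same letter sits under every password emoji."""
    if len(shifts) != len(password):
        return False
    if not all(isinstance(s, int) for s in shifts):
        return False
    try:
        columns = [challenge.index(emoji) for emoji in password]
    except ValueError:  # emoji not in this user's challenge set
        return False
    aligned = {letter_under(col, s) for col, s in zip(columns, shifts)}
    return len(aligned) == 1


def consistent_passwords(shifts, challenge=CHALLENGE):
    """Count the emoji sequences that the observed final grid would also authenticate."""
    return sum(
        verify(list(seq), shifts, challenge)
        for seq in itertools.product(challenge, repeat=len(shifts))
    )


if __name__ == "__main__":
    pw = ["🍕", "🌙", "🐶", "🔑"]  # constructed password
    shifts = align(pw, "D")
    print("accepted:", verify(pw, shifts))
    print("sequences matching this grid:", consistent_passwords(shifts))
```

Under the assumed strip, 80 of the 10,000 possible sequences match any single final grid, which is what leaves an observer of one login without a unique answer. The same ratio is the acceptance rate for a random grid, so the number of distinct letters per row is a design parameter to choose deliberately.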

Figure 11 shows the automatic sliding variant. The same emoji password example is used. The space bar was used to capture the moment the sliding marker ‘B’ aligned with the password emoji. The “enter” key commenced the sliding of the next row. In this instance, the user pressed the spacebar during alignment and pressed the “enter” key after the marker had slid beyond the password emoji. As a result, the letter ‘B’ was no longer aligned with the password emoji. This misalignment resists SSA.

Figure 11. Proposed automatic implementation.

User test study

Ethical considerations

Ethics approval was obtained from the ethics committee of the Multimedia University for the research (approval number EA04420201). The demographic chosen was university students and adults (>18 years old). These would likely be using authentication daily in their lives and have experience with different methods of authentication. An invitation message was sent to potential participants who were acquaintances of the authors. The participants were mostly students in MMU, with a few working adults. The invitation included a website link to a presurvey. Consent was implicit as participants would answer this survey and submit their email if they chose to participate in further testing. No monetary reward was given for participation.

Between 30 and 100 participants is considered a medium-sized sample (Bošnjak & Brumen, 2020). In a review of authentication methods (Binbeshr et al, 2021), most of the user studies (51 out of 55 articles) had between 10 and 50 participants, with 30 being the most common. Thus, in the experiments conducted, the chosen number of participants was 30 or more.

Presurvey

Several questions were chosen in the presurvey to gain insight into the users’ willingness to use emojis as password characters. The survey consisted of six questions (Box 1).

Box 1. Pre-survey questions.

1. On a scale of 0 to 5, 5 being strong and 0 being weak, how strong do you think your password is?

2. How would you rate your ability to recall this password?

3. Would you consider using emojis as your password?

4. Use 6 to 10 emojis only to tell a story about yourself. Mine would be: “[emoji story, shown as an image in the original: graphic5.gif]”

5. How would you rate your ability to recall this emoji story?

6. Would you still consider emojis as a password?

User testing of EmojiSlide

User testing was done in two phases. Phase 1 tested for login accuracy and time taken, as well as SSA resistance. Phase 2 tested for memorability by measuring login accuracy. Participants in phase 2 were the same as those in phase 1 to achieve reliable memorability statistics.

Phase 1

In phase 1, participants with ages ranging from 18 to 40 were invited to a Google meeting, which was recorded for further evaluation of the scheme’s capability to resist SSA. EmojiSlide’s motivations were briefly described. Then a test user was created. The participant (user) then learned how to log in, using each of the variants in both the proposed and reference methods (EmojiSlide Manual, EmojiSlide Auto-sliding, DragPIN Manual, and DragPIN Auto-sliding). After familiarisation, users then registered and attempted to authenticate in each variant. Participants were given three attempts to log in. The time taken for a successful authentication attempt was recorded. A usability survey on the proposed method was given after completion. Shoulder surfing was performed on video recordings of user logins. Four “shoulder surfers” went through the familiarisation procedure as described before attempting SSA.

A survey was provided to the participants (the questions can be found in Box 2). Questions 3 to 6 used a Likert scale. The first three questions were for gathering demographic information. The remaining questions were used to ascertain users’ experience with the proposed method.

Box 2. Post-survey questions.

1. What is your age group?

2. What is your occupation?

3. How computer savvy are you?

4. How would you rate your overall experience?

5. How hard was it to recall your emoji password compared to a textual password?

6. Would you trust this system to prevent a shoulder surfer?

System usability survey

At the end of the phase 1 experiment, the participants were given a System Usability Survey (SUS), which uses a Likert scale (shown in Box 3). Each question’s response was converted to points and the result was graded according to Ref. [10].

Box 3. System usability survey.

1. I think that I would like to use this system frequently.

2. I found the system unnecessarily complex.

3. I thought the system was easy to use.

4. I think that I would need the support of a technical person to be able to use this system.

5. I found the various functions in this system were well integrated.

6. I thought there was too much inconsistency in this system.

7. I would imagine that most people would learn to use this system very quickly.

8. I found the system very cumbersome to use.

9. I felt very confident using the system.

10. I needed to learn a lot of things before I could get going with this system.

Phase 2

In phase 2, held 4-6 weeks later, the same users from phase 1 were invited to re-login to test for password memorability.

Significance testing

Hypothesis testing was performed to compare the differences between EmojiSlide (E) and DragPIN (DP) in both manual (m) and auto (a) variants. The software used was Microsoft Excel version 2011. The factors for comparison are the time taken for login, t, and the mean number of intermediate failures, f. The null hypotheses are that there are no differences. The method’s name and variant form the subscript in Table 4, e.g. the time taken for EmojiSlide manual is tEm. For statistical analysis of results, we applied paired t-tests. A p value of p < 0.05 was considered statistically significant.

Results and discussion

The datasets for the user results are available as Underlying data [11–13].

Presurvey

A total of 50 participants took part in the presurvey. Answering the questions was not compulsory, so not all questions had 50 responses. In the presurvey, participants were asked to create an emoji story about themselves using six to ten emojis. For question no. 3, ‘Would you consider using emojis as your password?’ (n = 50), about 72% answered “Yes” or “I am not sure”, one person (2%) gave a comment about the possibility of emoji passwords being guessed, and 26% answered “No” (Figure 12). To ascertain their answer with practical experience, those who did not answer “No” went on to create their emoji stories in question 5. After creating their emoji stories, respondents (n = 37) answered the repeated question ‘Would you still consider using emojis as your password?’ (question 6). Only 1 person answered “No”, indicating that there was a willingness to try using emoji passwords.

Figure 12. Initial feedback on emoji password acceptance.

The respondents who created their emoji stories (n = 37) also rated their ability to recall the emoji story they created on a scale of 0 = weak and 5 = strong (Figure 13). Option ‘5’ had the highest number of responses, indicating that most respondents felt confident of their ability to remember their emoji password.

Figure 13. Initial feedback on the memorability of Emojis.

User testing of EmojiSlide

A total of 30 participants took part in user testing. Figure 14 shows the age groups: most participants were aged 20-30 years old (76.7%). Table 2 shows the demographics of the participants.

Figure 14. Participants’ age groups.

Table 2. Participant demographics of the user testing study.

| Categories | Percentage (%) |
|---|---|
| Males | 66.66 |
| Females | 33.33 |
| Graduates/Employed | 26.67 |
| Undergraduates | 73.33 |
| Computer savvy users | 26.66 |
| Average computer users | 53.33 |
| Non-frequent computer users | 20 |

Table 3 shows the average time taken to login for successful attempts. Users logged in slightly faster using EmojiSlide (proposed method) compared to DragPIN. Results also showed that login to auto-sliding variants took longer than the manual variants.

Table 3. Time taken for login.

| Parameters | Average login time of successful attempts, seconds (s) |
|---|---|
| DragPIN Manual | 19.3 |
| DragPIN Automatic | 30.1 |
| EmojiSlide Manual | 16.7 |
| EmojiSlide Automatic | 29.5 |

Post experiment, users were requested to state whether they would trust the system to resist SSA. Figure 15 shows that 76.7% answered yes, 23.3% were unsure and none answered no, showing that the system was judged capable by most participants.

Figure 15. Users’ perception of the proposed method’s ability to resist SSA.

None of the shoulder surfers were able to get any full PIN or emoji password. They commented that slowing or reversing the recorded videos availed little, especially for the automatic variants. They were only able to obtain two emojis, from three users, which was due to those users pointing their mouse cursor at their desired emoji. All participants logged in successfully within three attempts (100% login accuracy). Most of the mistakes occurred during phase 1, for the DragPIN auto variant, where three participants used three login attempts to log in.

Figure 16 shows the average successful login rates when the number of intermediate failures before succeeding is taken into account. If a successful login takes one attempt (0 failures), the success rate = 100%, if it takes two attempts (1 failure), the success rate = ½ or 50% and if three attempts (2 failures), success rate = 1/3 or 33.33%. This is calculated per user. The average success rate is shown in Figure 16.

Figure 16. Phase 1 and phase 2 average success rate (including intermediate failures).

After 4-6 weeks, the login accuracy for both the auto sliding and manual variants ranged between 76.7-78.3% for the reference method and 86.7-91.7% for the proposed method.

Significance testing

Referring to Table 4, the null hypothesis for (1) is that there are no differences in the mean login time between the manual EmojiSlide (E) & DragPIN (DP). The t-test gives t(29) = 2.13, p = 0.04, which shows that the mean login time differs. The mean login time is shorter for the EmojiSlide. However, for (2), the time differences between the autosliding versions of E & DP were not significant.

Table 4. Sets of hypotheses.

| Set | H0 | H1 | Number of tails |
|---|---|---|---|
| 1. Login time manual | tEm = tDPm | tEm ≠ tDPm | 2 |
| 2. Login time auto | tEa = tDPa | tEa ≠ tDPa | 2 |
| 3. Number of failures manual | fEm = fDPm | fEm < fDPm | 1 |
| 4. Number of failures auto | fEa = fDPa | fEa < fDPa | 1 |

The null hypotheses for (3) and (4) are that there are no differences in the number of intermediate failures (during Phase 1) in the manual and auto EmojiSlide and DragPIN versions respectively, while the alternative hypotheses are that the EmojiSlide versions have fewer failures. The one tailed t-test for manual variants (3) gave t(29) = 1.99, p = 0.028. The auto versions (4) had t(29) = 2.25, p = 0.016. In Phase 2, hypothesis set (3) gave t(29) = 2.11, p = 0.02 but in hypothesis set (4), the null hypothesis was not rejected. Thus, in Phase 1, EmojiSlide (manual and auto) had a lower number of failures compared to DragPIN, and this trend continued in Phase 2 for the manual variant.

This suggests higher memorability in the proposed method. The login accuracy was higher even though the users had two sets of emoji passwords to remember versus one PIN.

System usability survey

The SUS showed that the average score per user was 88.5% (Excellent). The score distribution is shown in Figure 17.

Figure 17. System usability testing results.

Limitations and future improvement

As the emoji-based implementation was based on one method, whether the memorability gains will extend to other authentication methods is not yet known. Also, the sample comprised mostly young people, so the effect on older adults was not tested. Larger scale testing with a higher number and variety of participants can provide more insight. One of the system’s future upgrades is the use of the most recent version of emojis.

Conclusion

In this paper, a graphical authentication method was proposed where emojis were used in place of numerics and cue questions were added. Results indicate the proposed method and reference method resisted SSA where no passwords were compromised. Passwords remained memorable after 4-6 weeks where the proposed method had a login accuracy of 86.7-91.7% compared to 76.7-78.3% for the reference method. The results indicate that the use of emoji-based stories may have higher memorability than numbers. Personalized cue questions may also aid memorability.

Data availability

Underlying data

Figshare: Using Emojis in a Shoulder-surfing Resistant Authentication Method, Pre-survey.csv (Pre-survey results). https://doi.org/10.6084/m9.figshare.14872062.v1 [11]

Figshare: Using Emojis in a Shoulder-surfing Resistant Authentication Method, Phase1&2.csv (User testing results). https://doi.org/10.6084/m9.figshare.17163470.v1 [12]

Figshare: Using Emojis in a Shoulder-surfing Resistant Authentication Method, SUS.csv (System Usability Survey results). https://doi.org/10.6084/m9.figshare.14872059.v1 [13]

Data are available under the terms of the Creative Commons Attribution 4.0 International license (CC-BY 4.0).

Software availability

Source code for EmojiSlide available from: https://github.com/mahrous-amer/FYP/tree/v0.1-beta

Archived source code at the time of publication: https://doi.org/10.5281/zenodo.5574387 [9]

Licence: MIT

Grant information

This work was supported by the IRFund grant [grant number MMUI/210071], Multimedia University, Malaysia.

How to cite this article
Amer MMM, Kam YHS and Elkhedrawi AH. Improving memorability using Emojis in a shoulder surfing resistant authentication method [version 1; peer review: 1 approved with reservations, 1 not approved]. F1000Research 2022, 11:362 (https://doi.org/10.12688/f1000research.73691.1)

Open Peer Review

Reviewer Report 02 Feb 2023
Nur Haryani Zakaria, School of Computing, Universiti Utara Malaysia, Kedah, Malaysia 
Not Approved
Summary:
The research work proposed an enhancement of the DragPIN scheme using Emojis instead of numerical characters and claimed to be shoulder surfing resistant. The proposed scheme relies on personalized cue questions to aid memorability. The experiment conducted to evaluate ...
Zakaria NH. Reviewer Report For: Improving memorability using Emojis in a shoulder surfing resistant authentication method [version 1; peer review: 1 approved with reservations, 1 not approved]. F1000Research 2022, 11:362 (https://doi.org/10.5256/f1000research.77360.r159005)
Reviewer Report 13 Apr 2022
Gerard Bastiaan Remijn, Faculty of Design, Department of Human Science, Kyushu University, Fukuoka, Japan 
Approved with Reservations
The authors implemented and tested the use of Emojis in a shoulder-surfing resistant authentication method (“DragPIN”). Users were asked to construct a PIN-like password consisting of a series of emojis, and they could use personalized cue questions to aid memorability ...
Remijn GB. Reviewer Report For: Improving memorability using Emojis in a shoulder surfing resistant authentication method [version 1; peer review: 1 approved with reservations, 1 not approved]. F1000Research 2022, 11:362 (https://doi.org/10.5256/f1000research.77360.r129237)
  • Author Response 28 Apr 2022
    Yvonne Kam, MMU Cyberjaya, Cyberjaya, Malaysia
    Thank you to the reviewer for the detailed, insightful comments.

    Regarding the major points raised by reviewer #1,
    1. We will provide more reasons and motivations for this
    ...