Improving memorability using Emojis in a shoulder surfing resistant authentication method

Literature review

Table 1 shows a comparison of previous works. Emojis have been used in authentication⁵ but are in general more vulnerable to shoulder surfing attacks (SSAs). DragPIN⁶ and the methods in^7,8 are resistant to SSA. The automatic sliding variant implemented by DragPIN has the advantage of the display not being static, so the displayed state may not necessarily correspond to the password, which makes it shoulder surfing resistant. However, methods^7,8 are vulnerable to intersection attacks after multiple recorded observations. DragPIN is resistant to SSAs but uses numbers, which are less memorable than pictures. EmojiAuth⁵ is not SSA resistant but uses emojis, which are more memorable.

Both methods have strengths and disadvantages. Therefore, a modified DragPIN that uses emojis instead of digits addresses both systems’ drawbacks as well as maintaining their respective advantages.

DragPIN and EmojiAuth

A DragPIN prototype was constructed for testing. A signup screen, as shown in Figure 2, allows a user to create a login and register a 4-digit pin. Users could sign in by choosing either the manual or automatic tabs (Figure 3). Conceptually, the implementation (shown in Figure 3) is similar to the original DragPIN.⁶

Figure 2. DragPIN prototype signup page.

Figure 3. DragPIN implementation.

Figure 3 shows the DragPIN interface implementation. A prototype for EmojiAuth was also made: the signup page and login screen with an emoji keyboard are shown in Figures 4 and 5, respectively. Unlike the implementation in the original DragPIN, which had only a choice of 20 emojis, the prototype allowed users to make use of a wider set of emojis.

Figure 4. EmojiAuth prototype sign in.

Figure 5. Emoji Keyboard.

Proposed method – EmojiSlide

Operation

In this section, we will describe how the software works. We implemented EmojiSlide (the proposed method) and DragPIN (the reference method) as a web application. All the dependencies required to run the source code are managed by Pipenv version 2020.11.15. The software is provided in the repository as mentioned under the Software availability section. Installation instructions are included in the README.md file archived in release v0.1-beta in the repository. Memory (RAM) 512 MB and 1× CPU cores are the minimum system requirements. Django was the framework used to build this web application. Figure 6 describes the flow of the web application that was used to evaluate the differences between DragPIN and the proposed method (EmojiSlide).

Figure 6. Flow diagram.

At the start of the program, the user will be prompted to select the authentication method desired, either EmojiSlide or DragPin. Thereafter, users will have two options, which are login or sign up. If the user navigates to the signup page in DragPIN or Emoji-Auth, an empty form is generated and passed to the frontend. The form data received by the backend via POST HTTP request is validated and the user profile is saved in the database, following which users may use their credentials to log in via the earlier chosen method.

The proposed method uses emojis instead of numerics in the reference method, DragPIN. The user registers two 4-emoji passwords. For each 4-emoji password, the system generates six other random emojis, for a total of ten emojis. The set of these ten emojis is the challenge set. The challenge set forms the table (column) indexes used in authentication (shown in Figure 10). The challenge set is fixed per user. This ensures that a user's password cannot be deduced from observing the emojis displayed upon subsequent reloading of the challenge webpage.

To increase memorability and security, cue questions were introduced (Figure 7), which were not present in DragPIN. Users wrote a cue question for each emoji password which also served as the password prompt. Resistance to SSA is increased by having randomly chosen cue questions. Each user must register two cue questions and two passwords, each of which consists of four emojis.

Figure 7. Cue question registration.

The proposed method was designed as a web application called EmojiSlide.⁹

The username entry page is shown in Figure 8.

Figure 8. Sign-in page of the proposed method.

Figure 9 shows that a security measure to prevent Cross Site Request Forgery (CSRF) has been implemented. A CSRF Token is a private, unique, and unpredictable value generated by a server-side application to protect CSRF-vulnerable resources. When the later request is made, the server-side application checks that it has the expected token and rejects it if it is absent or incorrect.

Figure 9. Sign-in page with a Cross Site Request Forgery (CSRF) token.

After entering the username, the authentication screen is shown. During authentication (Figure 10), a user chooses either the manual or automatic sliding scheme. The procedure is similar to DragPIN, except that the digits have been replaced with emojis. Figure 10 shows the manual scheme. As an example, the user's emoji password is , , , . The login process is started by the user mentally choosing an alphabet from the available alphabets. Let the chosen alphabet be ‘D’. One of the D’s in each row is aligned with the password emojis in the correct sequence. The icons look slightly different in Figure 10 due to emojis being customized on different platforms.

Figure 10. Proposed manual implementation.

Figure 11 shows the automatic sliding variant. The same emoji password example is used. The space bar was used to capture the moment the sliding marker ‘B’ aligned with the password emoji. The “enter” key commenced the sliding of the next row. In this instance, the user pressed the spacebar during alignment and pressed the “enter” key after the marker had slid beyond the password emoji. As a result, the letter ‘B’ was no longer aligned with the password emoji. This misalignment resists SSA.

Figure 11. Proposed automatic implementation.

User test study

Ethical considerations

Ethics approval was obtained from the ethics committee of the Multimedia University for the research (approval number EA04420201). The demographics chosen was university students and adults (>18 years old). These would likely be using authentication daily in their lives and have experience with different methods of authentication. An invitation message was sent to potential participants who were acquaintances of the authors. The participants were mostly students in MMU, with a few working adults. The invitation included a website link to a presurvey. Consent was implicit as participants would answer this survey and submit their email if they chose to participate in further testing. No monetary reward was given for participation.

Between 30 to 100 participants is considered a medium-sized sample (Bošnjak & Brumen, 2020). In a review of authentication methods (Binbeshr et al, 2021), most of the user studies (51 out of 55 articles) had between 10 to 50 participants, with 30 being the most common. Thus, in the experiments conducted, the chosen number of participants was 30 or more.

Presurvey

Several questions were chosen in the presurvey to gain insight into the users’ willingness to use emojis as password characters. The survey consisted of six questions (Box 1).

User testing of EmojiSlide

User testing was done in two phases. Phase 1 tested for login accuracy and time taken, as well as SSA resistance. Phase 2 tested for memorability by measuring login accuracy. Participants in phase 2 were the same as those in phase 1 to achieve reliable memorability statistics.

Phase 1

In phase 1, participants with ages ranging from 18 to 40 were invited to a Google meeting, which was recorded for further evaluation of the scheme’s capability to resist SSA. EmojiSlide’s motivations were briefly described. Then a test user was created. The participant (user) then learned how to login, using each of the variants in both the proposed and reference methods (EmojiSlide Manual, EmojiSlide Auto-sliding, DragPIN Manual, and DragPIN Auto-sliding). After familiarisation, users then registered and attempted to authenticate in each variant. Participants were given three attempts to login. The time taken for a successful authentication attempt was recorded. A usability survey on the proposed method was given after completion. Shoulder surfing was performed on video recordings of user logins. Four "shoulder surfers” went through the familiarisation procedure as described before attempting SSA.

A survey was provided to the participants (the questions can be found in Box 2). Questions 3 to 6 used a Likert scale. The first three questions were for gathering demographic information. The remaining questions were used to ascertain users’ experience with the proposed method.

System usability survey

At the end of the phase 1 experiment, the participants were given a System Usability Survey (SUS) which is a Likert scale (shown in Box 3). Each question’s response was converted to points and the result was graded according to Ref. 10.

Phase 2

In phase 2, held 4-6 weeks later, the same users from phase 1 were invited to re-login to test for password memorability.

Significance testing

Hypothesis testing was performed to compare the differences between EmojiSlide(E) with DragPIN (DP) in both manual (m) and auto (a) variants. The software used was Microsoft Excel version 2011. The factors for comparison are the time taken for login, t and the mean number of intermediate failures, f. The null hypotheses are that there are no differences. The method’s name and variant form the subscript in Table 4, e.g. the time taken for Emojislide manual is t_Em. For statistical analysis of results, we applied paired t-tests. A p value of p < 0.05 was considered statistically significant.

Presurvey

A total of 50 participants took part in the presurvey. The questions were not compulsory to answer thus not all questions had 50 responses. In the presurvey, participants were asked to create an emoji story about themselves using six to ten emojis. For question no. 3, ‘Would you consider using emojis as your password?’ (n = 50) about 72% answered Yes or “I am not sure”, and one person (2%) gave a comment about the possibility of emoji passwords being guessed, while 26% answered No (Figure 12). To ascertain their answer with practical experience, those who did not answer “No” went on to create their emoji stories in question 5. After creating emojis, (n = 37) answered the repeated question of ‘Would you still consider using emojis as your password?’ (question 6). Only 1 person answered No, indicating that there was a willingness to try using emoji passwords.

Figure 12. Initial feedback on emoji password acceptance.

The respondents who created their emoji stories (n = 37) also rated their ability to recall the emoji story they created on a scale of 0 = weak and 5 = strong (Figure 13). Option ‘5’ had the highest number of responses, indicating that most respondents felt confident of their ability to remember their emoji password.

Figure 13. Initial feedback on the memorability of Emojis.

User testing of EmojiSlide

A total of 30 participants took part in user testing. Figure 14 shows the age groups: most participants were aged 20-30 years old (76.7%). Table 2 shows the demographics of the participants.

Figure 14. Participants age groups.

Table 3 shows the average time taken to login for successful attempts. Users logged in slightly faster using EmojiSlide (proposed method) compared to DragPIN. Results also showed that login to auto-sliding variants took longer than the manual variants.

Post experiment, users were requested to state whether they would trust the system to resist SSA. Figure 15 shows that 76.7% answered yes, 23.3% were unsure and none answered no, showing that the system was judged capable by most participants.

Figure 15. Users’ perception of the proposed method’s ability to resist SSA.

None of the shoulder surfers were able to get any full PIN or emoji password. They commented that slowing or reversing the recorded videos availed little, especially for the automatic variants. They were only able to obtain two emojis, from three users, which was due to those users pointing their mouse cursor at their desired emoji. All participants logged in successfully within three attempts (100% login accuracy). Most of the mistakes occurred during phase 1, for the DragPIN auto variant where three participants used three login attempts to login.

Figure 16 shows the average successful login rates when the number of intermediate failures before succeeding is taken into account. If a successful login takes one attempt (0 failures), the success rate = 100%, if it takes two attempts (1 failure), the success rate = ½ or 50% and if three attempts (2 failures), success rate = 1/3 or 33.33%. This is calculated per user. The average success rate is shown in Figure 16.

Figure 16. Phase 1 and phase 2 average success rate (including intermediate failures).

After 4-6 weeks, the login accuracy for both the auto sliding and manual variants ranged between 76.7-78.3% for the reference method and 86.7-91.7% for the proposed method.

Significance testing

Referring to Table 4, the null hypothesis for (1) is that there are no differences in the mean login time between the manual EmojiSlide (E) & DragPIN (DP). The t-test gives t(29) = 2.13, p = 0.04, which shows that the mean login time differs. The mean login time is shorter for the EmojiSlide. However, for (2), the time differences between the autosliding versions of E & DP were not significant.

The null hypotheses for (3) and (4) are that there are no differences in the number of intermediate failures (during Phase 1) in the manual and auto EmojiSlide and DragPIN versions respectively, while the alternative hypotheses are that the EmojiSlide versions have fewer failures. The one tailed t-test for manual variants (3) gave t(29) = 1.99, p = 0.028. The auto versions (4) had t(29) = 2.25, p = 0.016. In Phase 2, hypothesis set (3) gave t(29) = 2.11, p = 0.02 but in hypothesis set (4), the null hypothesis was not rejected. Thus, in Phase 1, EmojiSlide (manual and auto) had a lower number of failures compared to DragPIN, and this trend continued in Phase 2 for the manual variant.

This suggests higher memorability in the proposed method. The login accuracy was higher even though the users had two sets of emoji passwords to remember versus one PIN.

System usability survey

The SUS showed that the average score per user was 88.5% (Excellent). The score distribution is shown in Figure 17.

Figure 17. System usability testing results.

Limitations and future improvement

As the emoji-based implementation was based on one method, whether the memorability gains will extend to other authentication methods is yet undiscovered. Also, the sample comprised mostly young people thus the effect on older adults was not tested. Larger scale testing with a higher number and variety of participants can provide more insight. One of the system’s future upgrades is the use of the most recent version of emojis.

Underlying data

Figshare: Using Emojis in a Shoulder-surfing Resistant Authentication Method, Pre-survey.csv. (Pre-survey results.). https://doi.org/10.6084/m9.figshare.14872062.v1.¹¹

Figshare: Using Emojis in a Shoulder-surfing Resistant Authentication Method, Phase1&2.csv. (User testing results). https://doi.org/10.6084/m9.figshare.17163470.v1.¹²

Figshare: Using Emojis in a Shoulder-surfing Resistant Authentication Method, SUS.csv (System Usability Survey results.). https://doi.org/10.6084/m9.figshare.14872059.v1.¹³

Data are available under the terms of the Creative Commons Attribution 4.0 International license (CC-BY 4.0).