1 Introduction and Related Work

1.1 Mobile Authentication

Mobile devices present unique challenges for authentication. These devices have especially high usability requirements; an average smartphone user unlocks their phone 48 times a day [11]. A difference of one second between two authentication methods can cost the user hours in the long term. Many users forgo device authentication altogether to avoid hassle [8]. At the same time, mobile devices carry increasingly sensitive information such as banking and stock trading applications. In many cases, an unlocked mobile device capable of receiving text messages can serve as the sole authentication requirement to reset a password, for example to email accounts, which can in turn be used to access even more sensitive information. The lock screen can be the sole defense against an attacker that already has physical possession of the device.

According to a 2016 Pew survey of smartphone owners [17], numeric PIN (25%) and Fingerprint scanner (23%) are currently the most common methods of locking mobile devices, trailed by alphanumeric password (9%) and Google’s Pattern Unlock (9%). While the fingerprint reader and other biometric methods are quickly gaining popularity, neither iOS nor Android allow fingerprint authentication as the sole lock method, with both requiring either a password or a PIN as a fallback measure. Additionally, many low-cost devices are still sold without fingerprint readers or other biometric scanners. At this time, knowledge-based methods are still the primary method of authentication for most users, and even biometric approaches are still backed by knowledge-based authentication.

Alphanumeric text passwords are especially ill-suited to mobile devices [26] because these devices lack a full-sized hardware keyboard to facilitate fast and accurate typing.

The numeric PIN is notoriously insecure; there are only \(10^{4} = 10,000\) possible 4-digit PINs, and PINs are easy to observe in a shoulder-surfing attack. Furthermore, the top 100 most popular PINs are chosen by almost a third of users [14]. Several authors have proposed improvements to the PIN scheme. Roth et al. [22] proposed to extend the PIN’s shoulder-surfing resistance by splitting the digits into two sets: instead of picking a digit, users pick the set, and the PIN is eventually entered by the intersection of the sets. Von Zezschwitz et al. proposed SwiPIN [25], a method that increases the shoulder-surfing resistance of the PIN by using directional touch gestures for input. De Luca et al. propose ColorPIN [7], which increases the number of possible passwords to 531,441 by adding a color dimension. Bianchi et al. [3] proposed several approaches for entering a PIN using haptic or audio cues.

Google’s Pattern Unlock has 389,112 possible passwords on a 3 by 3 grid, but a space of just 300 passwords may capture around 50% of users [24]. Pattern unlocks are also easy to observe in shoulder-surfing attacks and easy to replicate from the smudge left behind by the user’s finger on the screen [1]. Kwon and Na’s TinyLock [15] offers increased resistance against shoulder-surfing and smudge attacks with minimal usability penalty by leveraging a smaller drawing area and a special gesture which obfuscates the resulting smudge pattern.

The low security strength of existing mobile authentication has led to security-conscious people and organizations adopting a number of frustrating developments, for example long lockouts or even a permanent device wipe after several failed attempts, length requirements of 8+ digits for PINs and 6+ digits for passwords, system assigned passwords, and strict limitations on common passwords, repeating patterns, and password reuse. The usability and memorability of long PINs is significantly worse than the 4-digit base [12, 14]. In other words, the poor security strength of existing methods has led to usability woes for many users.

The goal of this work is to create an authentication method that meets the usability standard of existing authentication methods but offers significantly improved security. We propose analog authentication as a framework for developing authentication based on a continuum. We demonstrate that PassHue, an example of analog authentication, can achieve high usability while offering better security strength than existing methods.

2 Authentication Using Continuous Information

Most traditional authentication methods ask users to remember information which is discrete, such as letters, numbers, or an ordered pattern like Pattern Unlock. Users remember a sequence of discrete information and recall that information back exactly. Some methods, such as RealUsers’s PassFaces [21], ask users to remember discrete items such as faces or patterns and recognize them from a larger set of items later.

By discrete, in this paper, we mean that the information being remembered can be divided easily into a whole number of choices: there are 26 letters in the alphabet, 10 digits, and 3–8 possible directions that a user can pick from any given dot in a pattern. In practice, many sets which are treated as continuous may also be considered discrete; for example, 3D space is sometimes argued to be discrete in terms of the Planck length. The discussion of which sets are discrete vs. continuous is outside the scope of this paper; any sufficiently large set which appears to be continuously variable to an average human will be considered continuous.

Analog authentication asks users to remember information from a continuum. That is, given a continuum such as loudness, an analog authentication scheme would ask the user to reproduce a specific volume or volumes. The memory task is effectively extended from recall to estimation, as the user must now not only remember the volume that was previously set but also estimate it accurately. By necessity, a tolerance must be given to the user for error. The password space of an analog authentication scheme is proportional to the size of the continuum divided by the tolerance. Thus, analog authentication has a direct tradeoff between usability (a larger tolerance so the user can authenticate more easily), and security (a smaller tolerance to increase the size of the password space).

We use the term analog authentication to convey that a continuum of information is being used rather than discrete information. The concept is not to be confused with continuous authentication, which refers to authentication that functions by analyzing user behavior in the background while the user is interacting with a device.

Intuitively, it is tempting to assume that humans will perform at vastly varying abilities depending on the estimation task. The well-known “seven, plus or minus two” rule [16] dictates that the average person can distinguish between about 7 pieces of continuous information at a time. When a continuous set is broken into n items, humans start having trouble discerning between items when n is larger than 7. The general rule holds for continuous sets such as pitch, saltiness, loudness, or points in a square. Humans are generally able to discern between no more than 7 unique items before accuracy begins to suffer considerably. Splitting the continuum any more finely leads to errors with rapidly increasing frequency.

Cowan [6] describes the limit as “The Magical Mystery Four” instead, arguing that working memory for the average young adult is limited more closely to 3–5 items.

It follows that an important concern in the design of an analog authentication scheme is to ensure that the user does not have to break the continuum down into more than 7 pieces, and fewer is better. Beyond that, the memorability of a particular continuum must be justified individually; there is no research suggesting that continuous data is always more memorable than discrete data or vice-versa. As Miller [16] demonstrates, even though memorability is similar between various types of continuous information, some are still more memorable than others.

Discrete information like letters is often bundled into higher-order information like words or sentences to improve the number of items a person can remember. Similarly, continuous information like pitch and tone can be bundled into higher order information like notes and songs, though this may also have the effect of making the information discrete.

2.1 Related Work in Analog Authentication

Currently, continuous information is seldom used for authentication. Even when potentially continuous information is used, it is often presented in a discrete manner. For example, if the user is asked to pick a color, for example as a banking security question, they are typically presented with a short list of options or asked to use a standard language-based description such as “blue” or “silver”.

An exception is free-form gesture drawing, such as the work by Sherman et al. [23] and by Clark and Lindqvist [4]. Free-form gesture drawing uses a continuous 2D drawing to authenticate the user, placing it firmly in the realm of analog authentication. While these works have discussed the implications and advantages of utilizing continuous information as opposed to discrete information, none have formalized the concept of using continuous information outside the scope of free-form gesture drawing. Free-form gesture drawing can be considered just one type of analog authentication. Additionally, free-form drawing can be considered an example of analog authentication which bundles low-level continuous information (2D positions) into higher-order information (lines and shapes), while still preserving the analog nature of the method.

On the contrary, Google’s Pattern Unlock, and in fact any touch-based authentication on the mobile platform, can be considered an example of turning analog information (2D positions) into discrete information (connections between points). Buttons that users touch to input a PIN or password can be considered a type of tolerance: any 2D positions that fall inside the button count as the same input. We do not count these methods as analog because the memory task facing the user is discrete; only the input method is continuous.

Bianchi’s works [3] fall into a similar category: continuous information such as vibration, beat, and hold time is ultimately used as a cue for discrete information like numbers. Remembering the cue is part of the memory task, so Bianchi’s approaches can be considered partly analog; however, analog cues such as vibration are broken down into discrete functions like “number of vibrations that have elapsed”, an integer value which is plainly discrete.

We note that in biometrics, analog authentication is the norm, utilizing continuous data such as gait and typing speed. In this paper, when we discuss authentication methods, we refer specifically to knowledge-based methods, not to biometric methods.

In this paper, we introduce the concept of analog authentication, the idea of using continuous data for authentication. We developed PassHue, a mobile authentication scheme that uses a color continuum, to demonstrate the potential advantages of analog authentication. PassHue follows a PIN-like approach similar to the classic numerical PIN, SwiPIN [25], or ColorPIN [7]. It is designed to be immediately familiar to end users and offer login times and memorability on par with existing PIN-based approaches. PassHue improves on existing mechanisms by providing a much larger password space and moderate protection from shoulder-surfing. As an example of analog authentication, PassHue demonstrates that continuous information can be used for authentication just as well as discrete information. Our in-the-wild user study demonstrates that PassHue can achieve high usability and remain memorable over a period of 2 weeks.

3 The Design of PassHue

In this section, we present the design of PassHue, an example of analog authentication that utilizes color. We envision PassHue to be used as an unlock scheme, potentially integrated with the OS, or for in-app authentication in, for example, email or banking applications.

Fig. 1. Tutorial images shown on the store page (Color figure online)

Fig. 2. (left) The password setup screen, (right) The login screen (Color figure online)

PassHue is implemented on Android. Figure 1 shows the tutorial images that are presented on the Play Store listing for PassHue. Users are given no further guidance beyond these images.

PassHue is designed to simultaneously use three continuous sets of color: red, green, and blue, referred to as “RGB” values. The RGB system is the most common method for representing colors in digital applications: a color is made up of one value from each set, R, G, and B. In general, each set has a range of 0–255, so the sets are not actually continuous, but sufficiently large that they appear continuous to a human. The size of RGB color space is quite large; \(256^3\) yields approximately 16.8 million possible colors.

Users set a password by tapping 4 colors in order. The 4 RGB color values are stored as the user’s password. The password setup screen is shown on the left in Fig. 2. Tapping the “View Tutorial button” allows users to see the images in Fig. 1 again. Before finishing password setup, the user must re-enter the same 4 colors an additional 3 times to verify that they remember the password. Until the 3 verification entries are complete, the password is not set. If the user decides that their password is too hard before verifying it 3 times, or wants to pick a different password for any other reason, they can reset it with no penalty using the “Reset Password” button.

Fig. 3. Cone representation of HSV color space. (Hue is the primary color where red is 0\(^{\circ }\), Saturation is the strength or intensity of the color, and Value describes how dark the color is.) (Color figure online)

To authenticate themselves later, users must pick the same 4 colors, within the tolerance, and in the same order. The login screen is shown on the right in Fig. 2. The user has already picked three colors: orange, yellow, and pink – those choices are tracked at the bottom of the screen. The fourth color is still awaiting user input. The “Reset” button can be used to clear the current input if a mistake was made, and the “I Forgot” button clears the user’s password and allows them to set a new one if they wish to continue the experiment. We include this button so users can easily communicate to us that they do not remember their password.

Colors are picked by tapping the standard color wheel shown in Fig. 2. The wheel is identical to the color wheel found in many graphics applications such as Adobe Photoshop and Paint.net. There are three elements in RGB color, and it is difficult to express all three in a single 2D image while maintaining a continuously variable pattern. Ideally there should not be “jumps” in color when the user moves across the image, otherwise two very different colors may end up adjacent, and this can make picking a color accurately difficult. Additionally, the user should be able to locate colors quickly based on location, for example it is expected that orange falls between yellow and red. The color wheel accomplishes these requirements; movement in any direction around the wheel is associated with a gradual change in color, movement towards the center increases the “whiteness” of the color, and colors appear in classic order around the wheel: red, orange, yellow, green, blue (cyan), indigo (dark blue), violet, and purple.

A tradeoff to using a color wheel is that relatively few RGB colors are represented. The color wheel used by PassHue is often called an HSV (Hue, Saturation, Value) wheel, which typically features a Value slider in addition to the wheel. HSV is a simple transformation of RGB. Figure 3 shows how an HSV system addresses colors; the flat area at the top enclosed by the dotted line represents the portion of colors used by PassHue and demonstrates that PassHue uses only Hue and Saturation in the HSV scheme.

PassHue contains only the RGB colors where at least 1 of the 3 RGB values equals 255. This allows PassHue to display a variety of colors with a consistent gradient on a 2D display but sacrifices the ability to display the colors that reside in the rest of the HSV cone.
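As an added illustration (not code from the paper or the PassHue app), the following Python maps a tap on a hue/saturation wheel to an RGB triple and makes the property stated above checkable: every wheel color has at least one channel equal to 255, because Value is fixed at 1.0 on the flat top of the HSV cone. The wheel geometry, the `tap_to_rgb` name and the `rotation_deg` parameter (which models the rotating condition described later in the user study) are assumptions; the paper does not describe the app's actual screen-to-color mapping.

```python
import math
import colorsys


def tap_to_rgb(x, y, cx, cy, radius, rotation_deg=0.0):
    """Map a tap at screen position (x, y) on a hue/saturation wheel centred
    at (cx, cy) with the given radius to an 8-bit RGB triple.

    Angle around the centre gives Hue, distance from the centre gives
    Saturation, and Value is fixed at 1.0 (the top disc of the HSV cone),
    so the largest channel of the result is always 255.

    rotation_deg models a rotated wheel image: the hue under a fixed screen
    position shifts by that angle.  Taps outside the wheel return None.

    Hypothetical helper; the paper does not give the app's mapping code.
    """
    dx = x - cx
    dy = cy - y                      # screen y grows downward; flip it so
    dist = math.hypot(dx, dy)        # angles run counter-clockwise
    if dist > radius:
        return None
    angle = math.degrees(math.atan2(dy, dx)) % 360.0
    hue = ((angle - rotation_deg) % 360.0) / 360.0   # 0..1 for colorsys
    sat = dist / radius                               # centre = white
    r, g, b = colorsys.hsv_to_rgb(hue, sat, 1.0)
    return (round(r * 255), round(g * 255), round(b * 255))


def on_top_disc(rgb):
    """True when the color lies on the disc PassHue uses: some channel is 255."""
    return max(rgb) == 255


if __name__ == "__main__":
    # Constructed sample taps on a wheel of radius 100 centred at (100, 100).
    for tap in [(200, 100), (100, 100), (130, 40), (100, 0)]:
        rgb = tap_to_rgb(*tap, 100, 100, 100)
        print(tap, rgb, on_top_disc(rgb))
    # The same screen position under a wheel rotated by 120 degrees.
    print((200, 100), tap_to_rgb(200, 100, 100, 100, 100, rotation_deg=120))
```

The rotating condition changes only the image under the finger, not the stored password: the same RGB triples must still be reproduced, so the user has to locate the colors afresh rather than repeat a screen position.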

We design PassHue around color because color is a continuum that humans are relatively good at processing. There are at least 2.8 million colors discernible to normal humans [20], and some researchers suggest as many as 10 million [13]. Halsey and Chapanis [9] presented participants with 342 CIE colors, all of equal luminance, and asked them to match given colors exactly to one of the 342 presented colors. Participants could pick out over 11 unique colors – that is, colors with no overlapping matches to other colors, at the 5% error level – and over 15 colors at the 10% level, significantly better than the expected “magic number seven” [16]. Hamwi and Landis [10] found no relationship between time delay and color memory for delays of 15 min, 24 h, and 6 h, indicating that color may be good for long-term memory.

3.1 Comparison of Color Values

PassHue illustrates a potential difficulty in analog authentication: humans are often better at discerning values on one part of the continuum than on another. This can make it difficult to establish an exact estimate for the tolerance t, since t varies depending on which part of the continuum the user picks. In color, for example, humans are worst at discerning shades of green [9, 18], so the tolerance should be greater for green colors. Euclidean distance between colors does not accommodate for different levels of performance with different colors.

PassHue compares colors using the CompuPhase algorithm [5], a commercially used, simple, and efficient method for calculating the distance between two colors in a way that tries to emulate how a human would perceive the distance. A key advantage of the CompuPhase algorithm over an algorithm like CIE2000 is that it has significantly fewer mathematical operations and does not require conversion into another color space, potentially saving valuable overhead. Processing overhead is especially important on mobile devices with limited computing resources and battery life. The algorithm describes the difference between two RGB colors using the following equation:

$$\begin{aligned} \sqrt{\Big(2+\frac{\bar{r}}{256}\Big) \times \varDelta R^{2} + 4 \times \varDelta G^{2} + \Big(2+\frac{255-\bar{r}}{256}\Big) \times \varDelta B^{2}} \end{aligned} \qquad (1)$$

where \(\bar{r}\) is the mean red level, i.e., \((R_{1}+R_{2})/2\), and \(\varDelta R\), \(\varDelta G\), and \(\varDelta B\) are the differences between the respective R, G, and B values of the two colors. The result of Eq. 1 will be referred to from here on as the similarity score – the lower the score, the more similar the colors.

A similarity score of 100 or lower is considered a match. All 4 colors in a user’s password must match for authentication to succeed. That is, the similarity score for all 4 chosen colors vs the stored RGB values for that password must be 100 or less.

A score of 100 was chosen after a brief pilot test with 5 participants. A goal of the user study in this paper is to determine if the score should be raised or lowered for the average person. We hypothesize that for most users, a lower score will be sufficient, while a few may struggle without a higher score. In a full commercial application of PassHue, the similarity score may start high and gradually reduce if the user continuously meets a lower score, allowing users with better color-discerning ability to enjoy increased security.
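The following Python implements Eq. 1 and the four-color match rule exactly as stated above; it is an added example, not the PassHue app's code. `similarity`, `matches` and `adapted_threshold` are names chosen here. `adapted_threshold` is one possible reading of the paragraph above (a threshold that starts high and tightens for users who consistently score well), and its step, floor and streak values are assumed, since the paper only sketches the idea.

```python
import math

MATCH_THRESHOLD = 100   # Sect. 3.1: a score of 100 or lower is a match


def similarity(c1, c2):
    """CompuPhase perceptual distance (Eq. 1) between two 8-bit RGB triples.
    Red and blue are weighted by the mean red level; green has a fixed
    weight of 4.  Lower means more similar."""
    r1, g1, b1 = c1
    r2, g2, b2 = c2
    rmean = (r1 + r2) / 2
    dr, dg, db = r1 - r2, g1 - g2, b1 - b2
    return math.sqrt((2 + rmean / 256) * dr * dr
                     + 4 * dg * dg
                     + (2 + (255 - rmean) / 256) * db * db)


def matches(stored, attempted, threshold=MATCH_THRESHOLD):
    """True only when every attempted color is within `threshold` of the
    stored color at the same position (same colors, same order)."""
    if len(stored) != len(attempted):
        return False
    return all(similarity(s, a) <= threshold for s, a in zip(stored, attempted))


def adapted_threshold(current, recent_worst_scores, step=10, floor=50, streak=5):
    """Tighten the threshold by `step` once the last `streak` successful
    sessions all had a worst-color score at or below current - step,
    never going below `floor`.  step, floor and streak are assumed values."""
    if len(recent_worst_scores) < streak:
        return current
    if all(s <= current - step for s in recent_worst_scores[-streak:]):
        return max(floor, current - step)
    return current


if __name__ == "__main__":
    # Constructed password: orange, yellow, pink, cyan (not from the paper).
    stored = [(255, 128, 0), (255, 255, 0), (255, 105, 180), (0, 255, 255)]
    close = [(250, 140, 10), (255, 245, 20), (255, 110, 170), (10, 255, 250)]
    wrong_order = [stored[1], stored[0], stored[2], stored[3]]
    print([round(similarity(s, a), 1) for s, a in zip(stored, close)])
    print(matches(stored, close), matches(stored, wrong_order))
    # A 50-unit shift in green alone uses up the whole tolerance (4 * 50^2 = 10000).
    print(similarity((0, 255, 0), (0, 205, 0)))
```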

4 Security Strength of PassHue

Current mobile authentication methods are limited in password space. A 4-digit PIN can generate only \(10^4=10,000\) passwords, and pattern unlock offers 389,112 possible passwords on a 3 by 3 grid [24]. In this section, we calculate the password space of PassHue. We will address hotspots and other considerations in password selection in Sect. 5.

The password space of a traditional discrete scheme is \(C^n\), where C is the number of choices per item and n is the number of items chosen. The password space of an analog authentication scheme with one variable is \((C/t)^{n}\), where C is the size of the continuum, t is the tolerance, and n is the number of choices picked from the continuum. We can consider t to be number of items in C which are treated as identical for purposes of satisfying the password. In a traditional discrete scheme, we can say that \(t=1\).

PassHue uses 3 continua: red, green, and blue, but only a single tolerance based on a score generated from all 3 values. For simplicity we can combine the colors and consider C to be a single continuum from (0, 0, 0) to (255, 255, 255). In practice, PassHue uses only the top circle of the HSV color cone, so at least one RGB value must always equal 255. We can choose any of the three colors R, G, or B to set equal to 255. While one color must be 255, there are 256 options for each of the other two colors, leaving \(256 \times 256\) choices. The total size of C is therefore \(3 \times 256 \times 256 = 196,608\) colors, which represents just over 1% of RGB color space. Users pick 4 colors, so n is equal to 4.

It is difficult to calculate a value for the tolerance. The similarity score, generated according to Eq. 1, weighs the values in each continuum differently, so the tolerance varies depending on the values of the colors in question.

To find an accurate estimate for t, we write a short script to process all RGB color pairs where at least one value in both colors is equal to 255 and the similarity score between the colors is between 99 and 100, yielding approximately 40 million pairs. The worst-case product of differences between two colors having a similarity score of 99–100 (i.e., \(\varDelta R \times \varDelta G \times \varDelta B\)) is approximately 39,000, and the average product is approximately 3,400. That is, for any given RGB value, on average, there are 3,400 other RGB values that would be considered a match for purposes of authentication.

Using our average estimate for t, we find that PassHue has a password space of \((196,608/3,400)^4 = 1.1 \times 10^7\) (approx. 23 bits), 1000 times larger than a traditional 4-digit PIN, and 28 times larger than pattern unlock on a 3 by 3 grid.
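As an added check on the password-space calculation (not the script the paper describes), the Python below enumerates the wheel colors, evaluates \((C/t)^{n}\) with the paper's figures, and counts, for a given color, how many wheel colors fall within the score-100 tolerance, i.e. an empirical per-color t that shows how the tolerance varies across the continuum. `similarity` repeats Eq. 1; the function names are mine. Enumerating the set directly yields 195,841 distinct colors rather than \(3 \times 256 \times 256 = 196,608\), because colors with two or three channels equal to 255 are counted more than once by the product; the paper's figure is kept in `PAPER_COUNT` so that the \((C/t)^n\) result matches the text.

```python
import math

PAPER_COUNT = 3 * 256 * 256     # C as counted in Sect. 4: 196,608
PAPER_TOLERANCE = 3400          # average t from the paper's pair script
PASSWORD_LENGTH = 4             # n: colors per password


def similarity(c1, c2):
    """CompuPhase perceptual distance (Eq. 1) between two RGB triples."""
    r1, g1, b1 = c1
    r2, g2, b2 = c2
    rmean = (r1 + r2) / 2
    dr, dg, db = r1 - r2, g1 - g2, b1 - b2
    return math.sqrt((2 + rmean / 256) * dr * dr
                     + 4 * dg * dg
                     + (2 + (255 - rmean) / 256) * db * db)


def wheel_colours():
    """Every 8-bit RGB triple with at least one channel equal to 255, i.e.
    the top disc of the HSV cone that PassHue displays.  A set removes the
    duplicates that the 3 * 256 * 256 product counts more than once."""
    colours = set()
    for a in range(256):
        for b in range(256):
            colours.add((255, a, b))
            colours.add((a, 255, b))
            colours.add((a, b, 255))
    return sorted(colours)


def password_space_bits(continuum_size, tolerance, n):
    """Password space (C / t)^n of a one-tolerance analog scheme, returned
    as (number of passwords, entropy in bits)."""
    size = (continuum_size / tolerance) ** n
    return size, math.log2(size)


def match_count(reference, colours, threshold=100):
    """Number of colours in `colours` that would be accepted in place of
    `reference`: an empirical per-colour tolerance t."""
    return sum(1 for c in colours if similarity(reference, c) <= threshold)


if __name__ == "__main__":
    cols = wheel_colours()
    print("paper count:", PAPER_COUNT, "distinct wheel colours:", len(cols))
    size, bits = password_space_bits(PAPER_COUNT, PAPER_TOLERANCE, PASSWORD_LENGTH)
    print(f"password space ~ {size:.3g} ({bits:.1f} bits)")
    # Constructed sample colours: t is not uniform across the wheel.
    for name, ref in [("red", (255, 0, 0)), ("orange", (255, 128, 0)),
                      ("green", (0, 255, 0)), ("cyan", (0, 255, 255))]:
        print(f"{name:7s} {ref}: {match_count(ref, cols)} matching wheel colours")
```

Because the accepted neighbourhood depends on where the reference color sits (the green weight of 4 and the red-dependent weights on R and B stretch or squeeze it), a single average t is a simplification; the per-color counts make that spread visible.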

5 User Study

The experiment in this paper was approved by the IRB at Cleveland State University. Participation is anonymous.

We design our user study to determine the effectiveness of an analog authentication scheme in the wild. Users download the application on their own device, set a password, then recall that password several times over a period of 14 days to simulate a phone unlock scheme that is used daily. Participants are given little to no guidance about how to use the scheme; the entire tutorial is contained in Fig. 1, and viewing it is optional. To keep the time burden on our participants low, we notify them to authenticate just once per day, though a typical authentication scheme will be used far more frequently by most users.

5.1 Data Collection

Information is transmitted via PHP to a dedicated private server. Participants download the application from the Google Play Store.

After downloading the application, participants must verify they are over 18 and consent to our terms before they can continue. After, participants are asked to provide optional demographic information, such as age, which is encrypted and transmitted to our server. Participants are then taken directly to the password setup screen in Fig. 2 with no further guidance.

Passwords are stored on the device’s local memory and also transmitted to our server upon creation. Information about authentication attempts is transmitted to our server after each attempt, including total entry time, entry time for each individual color, raw RGB values of each attempted color, and the similarity score between the attempted colors and the actual password.

After initializing a password, participants are notified once per day, at approximately the same time of day the password was originally set, to recall the password. Notifications last a total of 14 days. Participants can choose to ignore a notification.

After 14 days, the application notifies the user to complete an exit survey. Users answer basic questions about how they liked the scheme and are given the option to leave written feedback. This information is encrypted and transmitted to our server.

5.2 Participants

Participants were recruited with fliers around our university, social media posts, and word of mouth. We extend a special thank you to the /r/Android community on Reddit for providing a large number of our participants. To be considered as completing the experiment, participants needed to attempt recall on at least 4 different days, or forget their password and have completed at least 2 authentication attempts. A total of 38 participants completed the experiment. The dropout rate, based on participants who set a password but did not meet the above criteria, is 30% (16 participants).

Participation is anonymous, but participants are asked to provide some optional demographic information at the start of the experiment. Some information, such as Android version and country of origin, is collected automatically by Android. Of the 38 participants, 35 chose to provide their age and 37 provided their gender. The average age of participants was 25.5 (median = 21, std = 11) and our population was 22% female. Most of our participants (\({\ge }60\%\)) were using Android 7.0 or higher. Approximately 70% of participants were from the United States, but we also found participants in Canada, Sweden, Russia, Australia, and the UK.

Because our experiment requires ownership of an Android device as well as some rudimentary abilities such as downloading the application from the Play Store, our experiment self-selects towards participants who are already skilled at using their device. Participants self-reported skill with using their device on a scale from 1 (worst) to 5 (best), with an average score of 4.7 (median = 5, std = 0.74). We asked participants what unlock method they currently use to lock their device, with the following options and scores respectively: PIN (1), Dot Pattern (7), Fingerprint (25), Alphanumeric Password (0), Other (2), Don’t Lock Device (1), or Prefer not to Answer (2). We note that our population has an unusually high rate of locking their device, but this is expected in a population of people who were interested in an experiment about device authentication. We also note that the rate of fingerprint is quite high, notably because our experiment appealed to mobile phone enthusiasts who tended to have higher end devices which supported fingerprint authentication. As mentioned in Sect. 1, fingerprint authentication is not currently a replacement for knowledge based authentication, and users of fingerprint authentication are still required to set a separate PIN or password as well.

On the first application startup, participants were randomly assigned into one of the following two conditions for the remainder of the experiment:

Stationary – In this condition, the color wheel appears in the same orientation for every login attempt. The default orientation is shown on the left in Fig. 2.

Rotating – In this condition, the color wheel has a different rotation for every authentication session. Figure 2 demonstrates this condition: the color wheel on the right is oriented differently from the color wheel on the left. The wheel’s rotation is determined only once, at authentication start; the wheel is not rotated again if the user authenticates incorrectly. When initially setting the password, users must confirm the password 3 times before it is set. In the rotating condition, the color wheel is rotated after each successful attempt.

Nineteen participants were assigned to each condition. Participants were not made aware that different conditions existed and received no guidance about rotation or lack thereof. We hypothesize that the rotating condition will perform slightly worse in terms of entry times and failed authentication attempts, but may offer better defense against shoulder-surfing.

5.3 Memorability of PassHue

Three participants forgot their passwords, for an overall memorability of 92%. Two participants belonged to the rotating condition while the third belonged to the stationary condition. We found no significant difference in memorability between the conditions (\(\chi ^{2}=.36, p=.548\)).

All three participants forgot their passwords within the first three days of the experiment. After resetting a new password, all three participants went on to complete the experiment successfully. We conclude that PassHue is highly memorable, even after a period of two weeks, but a small subset of users can have issues with initially memorizing a password.

Fig. 4. Creation time

5.4 Usability of PassHue

Figure 4 shows the amount of time, in seconds, needed to create a password, including the required 3 additional successful entries before a password is officially set. As expected, stationary users on average required less time to set a password, with the exception of three outliers. The data shows that with very little guidance, users are able to figure out how to use PassHue in about one minute.

We recorded entry times for a total of 1192 authentication attempts. To obtain more realistic timing data, we filtered attempts that were likely “pocket dials” or random tapping. We categorized these as attempts where the sum of difference scores for the four colors was greater than 500. Most of these attempts had entry times lower than 1.5 s. We filtered out 112 attempts in this manner. We also filtered out attempts where the total login time was much longer than 60 s, indicating the user accidentally left the application open. Nine attempts were filtered in this manner, leaving a total of 1071 valid authentication attempts.

Fig. 5. Median entry time of PassHue users over time (“Days” represents the number of individual calendar days on which the user has made an attempt at authentication.)

We hypothesize that PassHue users will improve in entry time over the course of two weeks as they practice the scheme, and that participants in the rotating condition will perform slightly worse than those in the stationary condition. Figure 5 shows the median entry time in seconds for PassHue users over a 14 day period. Figure 5 is based on days attempted, though several days may have elapsed for the user. For example, if the user attempted authentication on days 0, 4, 7, and 12, those attempts would be plotted as days 0, 1, 2, and 3. We organize attempts in this manner because the number of elapsed days between authentication attempts is not consistent across users; many users opted to skip days. Participants attempted authentication on an average of 11 separate days.

The overall average time for a single authentication attempt is 2.63 s (median = 2.25, std = 1.99) for rotating PassHue and 1.67 s (median = 1.46, std = .86) for stationary PassHue. As expected, two-tailed Mann-Whitney testing indicates a significant difference between the entry times for the two conditions (\(p<.0001\)).

The data supports our hypotheses that entry times improve over a short practice period, and that the rotating condition is slower. The average entry time of both conditions is close to in-the-wild entry times reported by other research for traditional 4 digit PINs (1.5 s) and Pattern Unlocks (3.1 s) [27]. PassHue’s in-the-wild entry times are superior to average lab entry times for similar PIN-based schemes: ColorPIN – 13.9 s [7], SwiPIN – 3.7 s [25], DOC – 25.7 s [22], and The Phone Lock – 12.2 s [2].

Fig. 6. Authentication sessions with failures

Error Rates. We hypothesize that Rotating users will experience more authentication errors. Figure 6 shows the percentage of authentication sessions that result in critical or uncritical failures. A critical failure is defined as 3 or more consecutive incorrect attempts, as this could traditionally lead to a device lockout. A session is defined as all the authentication attempts in a single instance of using the application. An uncritical failure is 1–2 incorrect attempts in the same session. Users required multiple attempts to authenticate in roughly \(35\%\) of authentication sessions in both conditions, but Stationary users face more critical failures. The average number of incorrect authentication attempts per authentication session is .90 and 1.34 for Rotating and Stationary respectively.

Fig. 7. Authentication sessions with failures (outliers removed)

We noted that most failed attempts originated from a small subset of users, particularly in the Stationary condition. We removed users who made errors more than two standard deviations above the mean error rate as outliers to generate Fig. 7. Even with outliers removed, we find that for most users, the error rate is worse than Pattern Unlock (14.6%, 1.6%) [27]. PassHue would require a high error tolerance before lockout to be viable for most users. With outliers removed, the average number of incorrect authentication attempts per authentication session is .76 and .46 for Rotating and Stationary respectively. The data supports our hypothesis that average Rotating users will make more errors than their Stationary counterparts.

Because PassHue is very fast, the time impact of incorrect authentication attempts is largely insignificant. Using timing results from the previous section, users can expect to spend an average of 1.99 s and .77 s making errors in Rotating and Stationary PassHue respectively. We hypothesize that some users simply preferred to go quickly rather than carefully since there was no punishment for multiple incorrect attempts. PassHue offers a greater chance to trade speed for precision than most discrete authentication methods.

Fig. 8. Failed authentication attempts per session over time (outliers removed)

Figure 8 demonstrates the improvement over time in failed authentication attempts per session. A clear trend emerges in the Stationary condition, demonstrating that PassHue users become significantly less error prone after just 4 days of use, with diminishing gains in accuracy after one week. We hypothesize that Rotating users do not share the training effect because they do not have a chance to build muscle memory due to the color wheel being in a different position each time.

Fig. 9. Colors selected by participants (Colors within \(\varDelta R+\varDelta B+\varDelta G \le 10\) of the true value of that color, e.g., 0, 255, 255 for true cyan, are marked for blue, green, cyan, magenta, red, yellow, and white.) (Color figure online)

5.5 Color Selection and Hotspots

Figure 9 shows all colors selected by our participants, grouped roughly in ascending RGB order. We did not find any impact on color selection by condition or color order. Cyan, violet, and white hues are slightly under-represented, while hues between yellow and red are slightly over-represented. The mean RGB values are (\(\bar{R}=161\), \(stdev=116\); \(\bar{G}=133\), \(stdev=99\); \(\bar{B}=131\), \(stdev=112\)). The expected mean assuming an even distribution is 128, indicating red is slightly over-represented.

A brute force attacker may gain some advantage guessing shades of red, orange, and yellow first. From Fig. 9, we note that roughly \(40\%\) of all color choices fall between true red (255, 0, 0) and true yellow (255, 255, 0), despite this section making up only one sixth (\(17\%\)) of the color wheel. In other words, red-orange-yellow is selected roughly twice as frequently as expected. Only one participant (\(3\%\)) relied on these colors exclusively.

Fig. 10. All PassHues chosen by participants (Color figure online)

Figure 10 shows all the PassHues chosen by participants in our user study; each row represents one participant. Four participants (\(11\%\)) generated a PassHue using the same color 4 times. By same, we mean that all 4 colors had a difference score of less than 10 based on Eq. 1. This is very similar to 4-digit PINs, where roughly 8% of PINs are comprised of 4 duplicated digits [14]. Two more participants (\(5\%\)) generated a PassHue using the same color twice.

Notably absent in the data are repeating patterns such as couplets in the form XYXY, which comprise approximately \(18\%\) of PINs. Number based patterns, such as the years 1951–2000 (accounting for roughly 6% of all PINs [14]) are impossible in PassHue. We conclude that PassHue may have a substantial advantage in encouraging good password choices, simply because there are relatively few commonly occurring patterns based on color. In our future work, we plan to include more participants in order to determine if any patterns emerge in password selection.
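The filtering and color-choice metrics used in Sects. 5.4 and 5.5 (the pocket-dial filter on the summed difference score, the "same color" test against Eq. 1, and the red-to-yellow hotspot fraction) can be reproduced on logged attempts with a short script. The following is an added example, not the authors' analysis code. Eq. 1 is not reproduced on this page; consistent with the Fig. 9 caption, the example assumes the difference score is the Manhattan distance \(|\varDelta R|+|\varDelta G|+|\varDelta B|\), and the "red-to-yellow" arc is taken as HSV hue in \([0^\circ, 60^\circ]\). All attempt and PassHue data below are constructed.

```python
"""Added example (not the paper's code): difference-score analysis of PassHue data.

Assumption: the paper's Eq. 1 difference score is the Manhattan distance between
two RGB triples, which matches the Fig. 9 caption (dR + dG + dB <= 10).
All sample data below is constructed for illustration.
"""
import colorsys

RGB = tuple[int, int, int]

# Thresholds stated in the paper's text.
POCKET_DIAL_THRESHOLD = 500   # summed difference score over the four colours
SAME_COLOR_THRESHOLD = 10     # below this, two colours count as "the same"
TIMEOUT_SECONDS = 60.0        # attempts far longer than this are abandoned sessions


def difference_score(a: RGB, b: RGB) -> int:
    """Assumed Eq. 1: Manhattan distance between two RGB colours."""
    return sum(abs(x - y) for x, y in zip(a, b))


def attempt_score(entered: list[RGB], secret: list[RGB]) -> int:
    """Sum of the per-position difference scores for one attempt."""
    return sum(difference_score(e, s) for e, s in zip(entered, secret))


def is_valid_attempt(entered: list[RGB], secret: list[RGB], seconds: float) -> bool:
    """Apply the paper's two filters: pocket dials and abandoned sessions."""
    if attempt_score(entered, secret) > POCKET_DIAL_THRESHOLD:
        return False          # random tapping, far from every colour
    if seconds > TIMEOUT_SECONDS:
        return False          # user left the application open
    return True


def filter_attempts(attempts: list[tuple[list[RGB], float]], secret: list[RGB]):
    """Keep only the attempts that survive both filters."""
    return [(e, t) for e, t in attempts if is_valid_attempt(e, secret, t)]


def repeated_color_count(passhue: list[RGB]) -> int:
    """Largest number of colours within SAME_COLOR_THRESHOLD of one colour.

    4 means all four colours are 'the same', 2 means one colour is reused
    twice, 1 means every colour is distinct.
    """
    return max(
        sum(1 for other in passhue
            if difference_score(anchor, other) < SAME_COLOR_THRESHOLD)
        for anchor in passhue
    )


def red_yellow_fraction(colors: list[RGB]) -> float:
    """Fraction of colours whose hue lies on the red-to-yellow arc (0 to 60 degrees).

    Greys and white have no hue and are never counted.
    """
    hits = 0
    for r, g, b in colors:
        h, s, _ = colorsys.rgb_to_hsv(r / 255, g / 255, b / 255)
        if s > 0 and h <= 1 / 6 + 1e-9:
            hits += 1
    return hits / len(colors)


# Constructed sample: one participant's secret and four logged attempts.
SECRET: list[RGB] = [(255, 0, 0), (0, 255, 255), (255, 255, 0), (20, 20, 200)]
ATTEMPTS: list[tuple[list[RGB], float]] = [
    (SECRET, 1.8),                                                        # exact
    ([(0, 0, 0)] * 4, 0.9),                                               # pocket dial
    ([(240, 10, 5), (10, 250, 245), (250, 245, 10), (30, 25, 190)], 2.1),  # near miss
    (SECRET, 90.0),                                                       # left open
]

if __name__ == "__main__":
    kept = filter_attempts(ATTEMPTS, SECRET)
    print(f"{len(kept)} of {len(ATTEMPTS)} attempts kept")
    print("repeated colours in secret:", repeated_color_count(SECRET))
    print("red-yellow fraction:", red_yellow_fraction([c for c in SECRET]))
```

Running the script on a real log would replace `ATTEMPTS` with the recorded (entered colors, entry time) pairs per participant; the two thresholds are the only tunables and come straight from the text.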

6 Discussion

6.1 Color Blindness and Tetrachromacy

We hypothesized that some people with minor color blindness would still be able to use PassHue if they avoided colors that were difficult for them, by using some sort of relative position on the wheel, or by using only the most intense colors. In general, these techniques may not reduce the security strength of PassHue, since the attacker is unlikely to know if the user is color blind, and if they do, it is nearly impossible for the attacker to know how color blind the user is. Figure 11 demonstrates what the PassHue wheel would look like to someone with minor green color blindness (Deuteranomaly), the most common form of color blindness. Subjectively, it still appears to be usable, and distinct line patterns are now clearly visible.

Fig. 11. The PassHue wheel seen with minor deuteranomaly (Color figure online)

As part of our demographic information, we asked participants to tell us if they were color blind, and if so, what type of blindness they had. One participant reported that they were red-green color blind. This participant was assigned to the Stationary condition. Password creation time was 50 s, and average entry time was 2.42 s, slightly below average. The average number of incorrect attempts per authentication session was 1.83, again slightly worse than average.

However, we note that entry time for this participant in the first 3 days was 3.62 s, declining to 1.9 s over the latter 11 days. Likewise, we note that the error rate for this participant in the first 3 days was 4.38 incorrect attempts per session, declining to .88 incorrect attempts per session for the latter 11 days of the experiment. We conclude that the participant was able to find a way to use PassHue despite not having perfect color vision.

Fig. 12. Color-blind participant’s PassHue (Color figure online)

Figure 12 shows the PassHue for this participant. Notably, the colors are less saturated and relatively far from true color values for red, blue, yellow, and green. The participant gave the following response on their exit survey:

“Since I know I could never remember the colour I set my password according to a colour sequence which consists of the most obvious colours from each 4 groups namely red, blue, yellow, and green. Since in blue and yellow groups I can see very distinct lines of that colour I use them in the password sequence. The rest is muscle memory.”

From this statement we hypothesize that color blind people in general will tend to pick colors that are very different from each other, since they have a harder time discerning similar colors. We plan to investigate this hypothesis with more color blind participants in our future work.

We conclude that PassHue, despite being based on the color continuum, can actually be used by someone with limited ability to discern parts of the continuum. The user can effectively substitute memorizing color with memorizing x-y location relative to some color or pattern hint.

Although roughly 8% of males and .5% of females suffer from color blindness and may not be able to use PassHue effectively, it is also estimated that 1% of the population has tetrachromatic vision, allowing them to see additional colors. By including more colors from the types that tetrachromats can better discern, a version of PassHue can be developed that is highly secure against anyone that doesn’t have tetrachromatic vision. This system would require a tetrachromatic display, and finding participants with tetrachromatic vision is difficult.

6.2 Gender Bias

Because most kinds of color blindness occur more frequently in men, and because research suggests that on average women remember color more easily and accurately than men [18], PassHue may be slightly biased towards women. We hypothesized that females on average would be faster and more accurate when entering their PassHue.

Surprisingly, we found that women were slightly slower at entering their PassHue, with average entry times of 2.69 and 2.44 s vs male average entry times of 2.53 and 1.68 s for Rotating and Stationary respectively. Mann-Whitney testing found a significant difference in entry times between genders for both conditions (\(p=.006\) and \(p=.016\) for Rotating and Stationary respectively). The difference in entry time may be due to motor proficiency, where studies have found men to have some advantage [19].

However, the data supported our hypothesis that women would be more accurate on average. For Rotating and Stationary respectively, women made an average of 0.5 and 0.24 incorrect authentication attempts per authentication session vs male error rates of 0.87 and 1.55 incorrect attempts per session (\(\chi ^{2}=5.27, p=.022; \chi ^{2}=35.21, p\le .00001\)). Additionally, the lowest performers, discussed in Sect. 5.4, were all male.

The data shows that PassHue is generally suitable for both genders, but the error rate may be quite high for a small subset of males. This may suggest that tolerances for male users should be slightly higher by default.

6.3 Inclusion of Additional Colors

Adding a “Value” slider to PassHue would greatly increase the password space as it would allow use of the entire RGB color space. Alternatively, there are also 2D images containing the entire RGB color space. The size of C would become all of RGB color space, \((256^{3}) = 16.8\) million colors. Even assuming the worst-case tolerance of 39,000, the password space is \((256^{3} / 39000)^{4} = 3.4 * 10^{10}\), about the same as a 6-character case-sensitive alphanumeric password with no symbols (\(62^{6} = 5.8 * 10^{10}\)). We sample 40 million random color pairs and find that the average product of distances is 15,000. Using this value as our tolerance, the password space is \((256^{3} / 15000)^4 = 1.5 * 10^{12}\), roughly on par with a 7-character alphanumeric password (\(62^{7} = 3.5 * 10^{12}\)). In our future work, we plan to see if it is feasible to extend PassHue to the entire RGB color space without impacting usability.
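The keyspace estimate above follows a fixed pattern: the number of distinguishable passwords is \((|C| / \text{tolerance})^{n}\) for \(n\) colors, and its strength is compared to alphanumeric passwords over 62 symbols. The following added example (not from the paper) packages that estimate as reusable functions, generalizing to any color-space size, tolerance and PassHue length, and adds the quantity a lock-screen designer actually cares about: the success probability of an online guessing attacker limited to the attempts allowed before lockout. The tolerance values 39,000 and 15,000 are taken from the text; the lockout budget is a constructed parameter.

```python
"""Added example (not the paper's code): PassHue keyspace arithmetic, generalised.

effective_space() is the paper's (|C| / tolerance)^n estimate; the remaining
functions express that space in bits, as an equivalent alphanumeric password
length, and as the success probability of a lockout-limited online guesser.
"""
import math

RGB_SPACE = 256 ** 3          # 16,777,216 colours (full RGB colour space)
ALNUM_SYMBOLS = 62            # a-z, A-Z, 0-9 (case-sensitive alphanumeric)

# Tolerances from Sect. 6.3 of the paper.
WORST_CASE_TOLERANCE = 39_000
SAMPLED_MEAN_TOLERANCE = 15_000


def effective_space(color_space: int, tolerance: float, length: int = 4) -> float:
    """Number of distinguishable PassHues: (|C| / tolerance) ** length."""
    if tolerance <= 0 or color_space <= 0 or length <= 0:
        raise ValueError("colour space, tolerance and length must be positive")
    return (color_space / tolerance) ** length


def entropy_bits(space: float) -> float:
    """Strength of a uniformly chosen password from `space` possibilities, in bits."""
    return math.log2(space)


def equivalent_alnum_length(space: float) -> float:
    """Length of a 62-symbol password with the same number of possibilities."""
    return math.log(space, ALNUM_SYMBOLS)


def online_guess_success(space: float, guesses_before_lockout: int) -> float:
    """Probability that a uniform-guessing attacker succeeds within the lockout budget.

    This is the metric that links keyspace to the error tolerance discussed in
    Sect. 5.4: every extra attempt allowed before lockout raises this value.
    """
    return min(1.0, guesses_before_lockout / space)


if __name__ == "__main__":
    for tol in (WORST_CASE_TOLERANCE, SAMPLED_MEAN_TOLERANCE):
        space = effective_space(RGB_SPACE, tol)
        print(f"tolerance {tol:>6}: {space:.2e} passwords, "
              f"{entropy_bits(space):.1f} bits, "
              f"~{equivalent_alnum_length(space):.1f} alphanumeric chars, "
              f"P(success in 10 guesses) = {online_guess_success(space, 10):.1e}")
    # Constructed comparison point: a 4-digit PIN with a 10-attempt budget.
    print(f"4-digit PIN, 10 guesses: {online_guess_success(10_000, 10):.1e}")
```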

6.4 Shoulder-Surfing Resistance

We hypothesize that PassHue will be significantly more shoulder-surfing resistant in the Rotating condition because the attacker cannot use position as a cue and must directly memorize the colors. The rotating condition should also be resistant to smudge attacks, since the wheel is not in the same orientation for different attempts, though a smudge can still give the attacker the relative spatial relationship between colors. A formal user study of PassHue’s shoulder-surfing resistance is planned as future work. PassHue is inherently resistant to black-and-white or poor-resolution camera attacks, especially in the rotating condition.

7 Conclusion

In this paper, we introduced the concept of Analog Authentication, using continuous rather than discrete information for authentication purposes. PassHue, a proof-of-concept for analog authentication, is able to achieve a much higher security strength than PIN or Pattern Unlock. Our in-the-wild user study demonstrates that PassHue is highly memorable, PassHue is on-par or faster than existing authentication schemes, and PassHue is not significantly prone to hotspots. We conclude that PassHue, and by extension analog authentication, are viable avenues of exploration in finding a new method for mainstream mobile authentication.