Towards Implicit Visual Memory-Based Authentication.

Selecting and remembering secure passwords puts a high cognitive burdenon the user, which has adverse effects on usability and security.Authentication schemes based on implicit memory can relieve the user ofthe burden of actively remembering a secure password. In this paper, wepropose a new authentication scheme (MooneyAuth) that relies onimplicitly remembering the content of previously seen Mooney images.These images are thresholded two-tone images derived from imagescontaining single objects. Our scheme has two phases: In the enrollmentphase, a user is presented with Mooney images, their correspondingoriginal images, and labels. This creates an implicit link between theMooney image and the object in the useru0027s memory that serves as theauthentication secret. In the authentication phase, the user has tolabel a set of Mooney images, a task that gets performed withsubstantially fewer mistakes if the images have been seen in theenrollment phase. We applied an information-theoretical approach tocompute the eligibility of the user, based on which images were labeledcorrectly. This new dynamic scoring is substantially better thanpreviously proposed static scoring by considering the surprisal of theobserved events. We built a prototype and performed three experimentswith 230 and 70 participants over the course of 264 and 21 days,respectively. We show that MooneyAuth outperforms current implicitmemory-based schemes, and demonstrates a promising new approach forfallback authentication procedures on the Web.