Improving memorability using Emojis in a shoulder surfing resistant authentication method

Abstract

Background: Emojis are icons that are familiar and fun to add pizzazz and colour to communication. They have also been used in authentication where the emojis form memorable pictogram story-like passwords. Emojis, which are graphical, are in general vulnerable to shoulder surfing attacks (SSAs). This paper studies whether graphics such as emojis offer better memorability than numerics when implemented in a shoulder-surfing resistant authentication method. Thus, the proposed method aims to meet both needs of being shoulder-surfing resistant as well as being memorable. Methods: In this paper, a SSA resistant method (DragPIN) is used as a reference system on which to implement emojis in place of numerics. Additionally, a new feature, cue questions was implemented for added security. In the proposed method, users composed emoji-based stories using personalised cue questions that served as memory aids. Moreover, these self-chosen cue questions were less comprehensible to shoulder-surfing observers. There were two variants of the DragPIN method, manual and automatic-sliding. To compare the differences, both the reference configuration and modified versions based on the proposed method were implemented. Thirty people participated in user testing. A pre- and post-survey appraised user experience. User testing and survey on both methods and their variants for performance, memorability, and usability were performed. Results: All implementations successfully resisted shoulder surfing. The time taken for login in the manual variant using the proposed methodology was shorter than using the reference method. After four to six weeks, login performance taking into account intermediate failures was better for the proposed method (86.7-91.7%) than the reference method (76.7-78.3%). Hypothesis testing also showed significance in the results. This could point to higher memorability in the proposed method. Conclusion: The study provides testing of emoji-based compared to PIN-based implementation in authentication. Emoji-based stories may form memorable passwords while personalised cue questions may aid memorability.