Home page logo

educause logo Educause Security Discussion mailing list archives

Image, word, and password login
From: Derek Diget <derek.diget+educause-security () WMICH EDU>
Date: Fri, 6 Dec 2013 14:08:05 -0500

We are thinking about creating a login process where user's pick a picture and/or word before getting a password entry box.[1] The main driver is to prevent phishers from copying our "static" login pages.

The process would go something like....

0) Training, Training, Training...and other carbon based life form user
issues...... :)

1) User gets to our login page
2) User enters login ID
3) login process retrieves user's picture and word choice
4) login process displays user's picture with 8 (or 11) others randomly
5) User selects their picture
6) If correct, login process displays user's word with 8 (or 11) others
7) If correct, login process give user a password text box to finish authenticating.

(Yes, a phisher could duplicate the pictures and words and disregard what the user picks...so the user would always get to the password box, but our current thoughts is that it would take to much "work" for them to duplicate this new login process and there are other easier fish in the sea to phish. :)

I have two questions to the group....

1) Is there an industry term for this type of authentication process? (It kind of is two-factor, but we want to avoid using that term as most people think of two-factor having a physical component...token card, key fob, phone, etc).

2) Does anyone know of any research on a multi-step authentication process like this? Be it usability issues, increased security, etc.

Note 1: We vet the user. As part of the process of setting a password, they also pick a picture out of ~12 (with a library of 100+) choices and store their choice. They then pick a word out of ~12 (with a library of 100 or so words) and store their choice. Then they finish setting a password.

Derek Diget                            Office of Information Technology
Western Michigan University - Kalamazoo  Michigan  USA - www.wmich.edu/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]