We developed a web-based prototype of Déjà Vu that allows users to create image portfolios and to authenticate themselves to the system later by selecting their portfolios from a challenge set. We designed a user study to compare Déjà Vu to standard web authentication using password/PIN dialogues.
We selected twenty participants (11 males and 9 females) to be representative of the general population of computer users. An equal number of novice and expert users were selected, all of whom were familiar with password authentication.
The testing consisted of two sessions. During the first session, participants had to create a four-digit PIN and a password of at least six characters, both of which they believed to be secure and had never used before. Other than the minimum password length, we imposed no restrictions on the type of password or PIN created.
Participants also created two types of image portfolios, one consisting of five Random Art images and the other of five photographs. To see whether different users chose similar images, we presented every user with the same set of one hundred images to choose from, in randomized order.
From user to user, we varied the order in which passwords, PINs, Random Art portfolios and photo portfolios were created to ensure that there was no bias due to task sequence.
Participants next had to authenticate using all four techniques, in the same order in which they had created them. This ensured that several minutes and several tasks elapsed between the creation of each PIN, password and portfolio and the login using that technique. To authenticate with an image portfolio, users had to select their five portfolio images, which were randomly interspersed with twenty decoy images that they had never seen before. (Selecting 5 images from a challenge set of 25 yields C(25,5) = 53,130 possible combinations, which lies between the key spaces of a 4-digit PIN (10,000) and a 5-digit PIN (100,000).) We gave participants an unlimited amount of time and an unlimited number of attempts to log in.
The second session occurred one week later, and participants once again had to log in using all four techniques (i.e., with the PIN, password and portfolios created in the first session). Again, we allowed an unlimited amount of time and an unlimited number of attempts.