TY - JOUR
T1 - Story-based authentication for mobile devices using semantically-linked images
AU - Olade, Ilesanmi
AU - Liang, Hai Ning
AU - Fleming, Charles
N1 - Publisher Copyright: © 2022 Elsevier Ltd
PY - 2023/1
Y1 - 2023/1
N2 - We introduce SemanticLock, a simple, fast, and memorable single-factor graphical authentication approach for mobile devices. SemanticLock uses a set of graphical images as password tokens that allow the construction of a semantically memorable story representing the user's password. Passwords are entered via the familiar and quick action of dragging and positioning user-defined images on the touchscreen. It is well known that for (un)locking mechanisms such as PIN or PATTERN, users tend to pick memorable passwords such as dates or simple (often regular) patterns. This practice by users significantly reduces the effective password space for these mechanisms. The authentication strength of SemanticLock is based on the large number of possible semantic constructs derived from the positioning of the image tokens and the type of images selected. While graphical passwords have been shown in some cases to have lower entropy than other password types, we avoid this problem by (1) performing a series of experiments and analyses to understand which images and image pairs users prefer and then (2) selecting images that avoid any type of explicit or implicit bias, resulting in an effective password space that is essentially the same as the total password space. Results of our study comparing SemanticLock against other authentication systems show that SemanticLock performs similarly to PIN and PATTERN in usability while having significantly increased memorability and security.
KW - Graphical authentication
KW - Graphical passwords
KW - Mobile authentication
KW - Usable authentication
UR - http://www.scopus.com/inward/record.url?scp=85143499389&partnerID=8YFLogxK
U2 - 10.1016/j.ijhcs.2022.102967
DO - 10.1016/j.ijhcs.2022.102967
M3 - Article
AN - SCOPUS:85143499389
SN - 1071-5819
VL - 171
JO - International Journal of Human Computer Studies
JF - International Journal of Human Computer Studies
M1 - 102967
ER -