Text-based passwords alone are subject to dictionary attacks, since users tend to choose weak passwords in favor of memorability, and to phishing attacks. Many recognition-based graphical password schemes, used alone, require a number of rounds of verification in order to offer sufficient security, which introduces usability issues. We suggest a hybrid user authentication approach combining text passwords, recognition-based graphical passwords, and a two-step process, to provide increased security with fewer rounds than such graphical passwords alone. A variation of this two-step authentication method, which we have implemented and deployed, is in use in the real world.

Additional Metadata
Keywords: Graphical Passwords, Phishing, Security, User Authentication
Persistent URL: dx.doi.org/10.1007/978-3-642-01187-0_19
Van Oorschot, P., & Wan, T. (Tao). (2009). TwoStep: An authentication method combining text and graphical passwords. doi:10.1007/978-3-642-01187-0_19