A Wide range Survey on Recall Based Graphical User Authentications Algorithms Based on ISO and Attack Patterns


Nowadays, user authentication is one of the important topics in information security. Strong text-based password schemes can provide a certain degree of security. However, strong passwords are difficult to memorize, which often leads their owners to write them down on paper or even save them in a computer file. Graphical user authentication (GUA) has been proposed as a possible alternative to text-based authentication, motivated in particular by the fact that humans remember images better than text. In recent years, many networks, computer systems and Internet-based environments have tried to use GUA techniques to authenticate their users. All GUA algorithms have two distinct aspects, usability and security. Unfortunately, none of the graphical algorithms has been able to cover both of these aspects at the same time. This paper presents a wide-range survey of the pure and cued recall-based algorithms in GUA, based on ISO standards for usability and attack-pattern standards for security. After explaining the ISO usability standards and the international attack-pattern standards, we collect the major attributes of usability and security in GUA. Finally, we build comparison tables covering all recall-based algorithms, based on the usability attributes and attack patterns we found.


💡 Research Summary

The paper presents a comprehensive survey of recall‑based graphical user authentication (GUA) schemes, focusing on two families: pure‑recall schemes (e.g., Draw‑a‑Secret, where the user reproduces a drawing on a grid with no cue from the system) and cued‑recall schemes (e.g., PassPoints, Cued Click‑Points and PassMap, where a background image or map cues the user's click points). Recognition‑based schemes such as Passfaces fall outside the survey's recall‑based scope. The authors begin by motivating GUA as an alternative to text passwords, citing the well‑known "picture superiority effect": humans remember images better than alphanumeric strings. They then outline the two evaluation criteria that any authentication mechanism must satisfy, usability and security.

For usability, the authors adopt the ISO 9241‑11 definition of usability as effectiveness, efficiency and satisfaction, and supplement it with software quality attributes from ISO/IEC 9126 (since superseded by ISO/IEC 25010). Effectiveness is measured by login success rate and error rate; efficiency by time to authenticate and number of interactions; satisfaction by subjective questionnaires, perceived mental workload and preference scores. The paper reviews existing experimental data (mostly from academic lab studies) and extracts typical values for each algorithm, noting that pure‑recall schemes often require 30–45 seconds per login with error rates of 10–15 %, whereas cued‑recall schemes typically finish within 10–20 seconds with error rates below 5 %. Because these figures come from different studies with different participants, image sets and tolerance settings, they should be read as orders of magnitude rather than as directly comparable measurements.

Security is examined through the lens of internationally recognised attack‑pattern catalogues (the "attack patterns international standards" of the abstract). The authors identify five dominant threat categories: (1) shoulder‑surfing and screen‑capture attacks, (2) brute‑force and dictionary attacks on the coordinate space, (3) hotspot analysis (statistical clustering of the points users tend to choose), (4) malware‑based key‑logging or screen‑recording, and (5) social‑engineering and phishing that exploit users' personal image choices. Categories (2) and (3) are linked: the theoretical password space of a click‑based scheme is the number of tolerance cells raised to the number of clicks, but hotspots concentrate real user choices in a small fraction of those cells, so an attacker who orders guesses by cell popularity searches a far smaller effective space. For each GUA scheme, the paper reports the known resistance level to these threats, usually derived from prior simulation or user‑study results.
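The following is an added example, not code from the surveyed paper or from any of the schemes it covers. It shows, for a PassPoints‑style click scheme, how the theoretical search space is computed from the tolerance grid and how a hotspot analysis over collected click data shrinks the effective space an attacker has to cover. The image size, tolerance, click count and the synthetic user click data are assumptions chosen for illustration.

```python
"""Password space vs. hotspots for a click-point (cued-recall) scheme.

Added example, not code from the surveyed paper. Image size, tolerance,
click count and the synthetic click data are assumptions chosen for illustration.
"""
import math
import random
from collections import Counter

IMG_W, IMG_H = 640, 480   # assumed background-image size in pixels
TOLERANCE = 19            # assumed side of the tolerance square, in pixels
N_CLICKS = 5              # assumed number of click points per password


def cells(width=IMG_W, height=IMG_H, tol=TOLERANCE):
    """Number of distinguishable tolerance cells when clicks are verified on a fixed grid."""
    return math.ceil(width / tol) * math.ceil(height / tol)


def theoretical_space_bits(n_clicks=N_CLICKS):
    """log2 of the search space an attacker faces if every cell were equally likely."""
    return n_clicks * math.log2(cells())


def to_cell(x, y, tol=TOLERANCE):
    """Grid discretization: the cell a click falls in (the cell tuple is what gets hashed and stored)."""
    return (x // tol, y // tol)


def synth_passwords(n_users, hotspots, spread, seed=1):
    """Constructed data: every click lands near one of a few 'attractive' hotspots."""
    rng = random.Random(seed)
    passwords = []
    for _ in range(n_users):
        pw = []
        for _ in range(N_CLICKS):
            hx, hy = rng.choice(hotspots)
            x = min(max(int(rng.gauss(hx, spread)), 0), IMG_W - 1)
            y = min(max(int(rng.gauss(hy, spread)), 0), IMG_H - 1)
            pw.append(to_cell(x, y))
        passwords.append(pw)
    return passwords


def cell_distribution(passwords):
    """Hotspot analysis: relative frequency of each cell across all collected clicks."""
    counts = Counter(c for pw in passwords for c in pw)
    total = sum(counts.values())
    return {c: n / total for c, n in counts.items()}


def per_click_entropy_bits(dist):
    """Shannon entropy of a single click under the observed cell distribution."""
    return -sum(p * math.log2(p) for p in dist.values())


def hotspot_dictionary(dist, top_k):
    """Attack dictionary: the top_k most popular cells; the attacker tries all n-click tuples over them."""
    ranked = sorted(dist, key=lambda c: dist[c], reverse=True)
    return set(ranked[:top_k])


def dictionary_hit_rate(passwords, dictionary):
    """Fraction of passwords whose every click lies in a dictionary cell, i.e. passwords
    an attacker finds within len(dictionary) ** N_CLICKS guesses."""
    hits = sum(all(c in dictionary for c in pw) for pw in passwords)
    return hits / len(passwords)


def summarize(n_users=200, top_k=20):
    """Compare the theoretical space with the observed entropy and a hotspot dictionary."""
    hotspots = [(80, 60), (300, 90), (540, 70), (120, 300),     # assumed hotspot centres
                (330, 250), (560, 320), (200, 420), (450, 430)]
    passwords = synth_passwords(n_users, hotspots, spread=8)
    dist = cell_distribution(passwords)
    dictionary = hotspot_dictionary(dist, top_k)
    return {
        "theoretical_bits": theoretical_space_bits(),
        "observed_bits_per_pw": N_CLICKS * per_click_entropy_bits(dist),
        "dictionary_bits": N_CLICKS * math.log2(top_k),
        "hit_rate": dictionary_hit_rate(passwords, dictionary),
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name:>22}: {value:.2f}")
```

The gap between `theoretical_bits` and `dictionary_bits` is the hotspot weakness the survey ranks click‑based schemes on, and it is why later designs (Cued Click‑Points and its persuasive variant) try to flatten the click distribution rather than enlarge the image. One further caveat for anyone implementing verification this way: the plain grid discretization in `to_cell` fails legitimate users whose click lands near a cell boundary on a later login, which is why deployed schemes use robust or centered discretization instead of a fixed grid.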

A central contribution is a two‑dimensional matrix that places each algorithm according to its usability score (derived from the ISO‑based metrics) on the X‑axis and its security robustness (resistance to the five attack categories) on the Y‑axis. The matrix reveals a clear trade‑off: pure‑recall methods occupy the upper‑left region (high security, low usability), while cued‑recall methods sit in the lower‑right (high usability, lower security). Hybrid approaches, such as PassPoints combined with storytelling or multi‑layer click points, attempt to move toward the centre of the matrix, but the authors note that the lack of standardized evaluation protocols hampers rigorous comparison.

The paper also extracts a set of design recommendations aimed at narrowing the usability‑security gap. First, using user‑supplied or automatically generated images can reduce hotspot formation, because the image space becomes individualized and an attacker can no longer pre‑compute popular points for a shared image. Second, multi‑factor integration (e.g., coupling a recall‑based graphical secret with biometrics or one‑time tokens) limits the impact of any single attack vector. Third, iterative ISO‑based usability testing, conducted both in controlled labs and in real‑world deployments (mobile, IoT), should become a mandatory part of the development lifecycle. Finally, the authors call for a unified evaluation framework that combines the ISO/IEC 25010 software quality model with the graphical‑password attack taxonomy, so that researchers can report comparable metrics across studies.

Acknowledged limitations include the predominance of small‑scale participant pools drawn from university students, the absence of cross‑cultural studies (image perception varies across regions), and the fact that automated attacks, such as hotspot prediction from image saliency or from large collections of user click data, are not fully addressed. The authors propose future work involving large‑scale field trials, real‑time logging of attack attempts, and adaptive security mechanisms that adjust the difficulty of the graphical challenge according to the observed threat level.

In summary, this survey systematically maps recall‑based GUA schemes against both ISO‑derived usability standards and internationally recognised attack patterns. By providing detailed comparison tables, a visual trade‑off matrix and concrete design guidelines, the paper offers a reference point for researchers and system designers seeking graphical authentication mechanisms with a more balanced combination of user friendliness and robust security.

