# Increasing the Security of Weak Passwords: the SPARTAN Interface

Sarah C. Helble, Alexander J. Gartner, Jennifer A. McKneely
Johns Hopkins University Applied Physics Laboratory
firstname.lastname@jhuapl.edu

## I Introduction

Password authentication is in many ways both a blessing and a curse for modern computer systems and applications and their users. Although many researchers and users would enjoy the riddance of password authentication in their daily lives, the relative ease of deployment and usability of password authentication shows that passwords are here to stay for the foreseeable future [1][2]. However, when given the freedom to choose their own passwords, many users will opt to create passwords that are easy for an adversary to guess or easy for a password recovery tool to crack [3]. Users can be trained or given tools and guidelines to aid in the creation of more secure passwords. However, studies have found that most users will actively try to circumvent these requirements in order to create a password they are able to remember [4].

This paper presents SPARse Two-dimensional AuthenticatioN (SPARTAN), a password entry interface that attempts to bridge the gap between security and usability. SPARTAN allows a user to input each character of his password anywhere in a two-dimensional grid instead of a linear textbox. Even with sparsely-populated grids, SPARTAN passwords increase entropy over linear passwords due to the variability of the location of each character. In this way, users can have simpler passwords while achieving a higher overall password security.

As prior work with SPARTAN has been largely theoretical, we conducted a preliminary study to test the usability and security of the SPARTAN interface with unfamiliar users. Our study was especially concerned with the time required for users to create a password using our interface, and the resulting security of the password created both in terms of calculated security (i.e., entropy) and security against a stolen password file attack. The study reached a total of 100 participants, 48 of whom interacted with the SPARTAN prototype. The remaining 52 participants formed a control group and were asked to perform tasks on a linear password interface. We found that while passwords created with the SPARTAN interface were, on average, shorter and comprised fewer character sets than passwords created with the linear interface, SPARTAN users did choose a variety of starting positions and password formations, which resulted in a higher average security for SPARTAN passwords compared to their linear counterparts. Feedback on the SPARTAN prototype mixed excitement and criticism, and the current prototype needs further evaluation and focused usability development before use in an operational environment.

The next section goes into more detail about SPARTAN, while Section III discusses related work in usable password authentication. Section IV explains the methodology of our user study and the functionality of the SPARTAN prototype interface created for this study. Our findings are presented in Sections V and VI, while Section VII gives a more academic discussion of the calculated security of user-created SPARTAN passwords. Finally, Section VIII explains future work that we wish to perform to further evaluate SPARTAN and concludes.

## II SPARTAN

The SPARTAN interface allows the user to input their password anywhere in a two-dimensional grid. The user’s SPARTAN password is then the text of the password itself and the location of each character in the grid. Figure 1 gives examples of various types of SPARTAN passwords users could create. As its name implies, SPARTAN grids are sparsely populated, that is, the whole grid does not need to be filled with characters in order to see a security benefit over linear passwords. Table I compares the password space for 8-character linear passwords and SPARTAN passwords.

To use SPARTAN, the user first selects a starting location. In deployment scenarios, this cell could be randomly chosen or otherwise constrained to help the user select a unique placement. There is no requirement for the characters of a password to be placed in adjacent cells. In fact, SPARTAN passwords are most secure when the user chooses distinct points throughout the grid. However, to aid ease of input, our implementations give the user the option to select a direction for their password. Direction can be changed during password entry; the prototype will automatically place typed characters into adjacent cells in the selected direction. Order of character entry is not collected as part of the password, but SPARTAN does not preclude this.

The grid used for SPARTAN passwords can be as large or as small as necessary to balance desired usability and security. Optimal grid size is an interesting area of future work we wish to pursue in a follow-on user study. In our prototypes, the squares of the SPARTAN grid have been colored in an abstract pattern in an attempt to limit the prevalence of hotspots in the grid, and to help users remember the placement of their passwords. This colorization is merely a visual aid provided by the interface; it is not chosen by the user as part of their password. Colorization would be different across accounts, so it could also aid users in remembering multiple different SPARTAN passwords.

The SPARTAN grid also employs a wrapping mechanism so that the user does not have to estimate spacing before creating his password. In our implementations this mechanism can result in the overwriting of characters. Future implementations could fix this by allowing multiple characters to reside in a single cell. The encoding of the SPARTAN password is an implementation decision, and can be any method which preserves each character of the password and its location. One method could be to encode the password as follows:

          23P24a25s26s36w46o56r57d


Here the initial '23' is the location of the 'P' in the grid, '24' is the location of the 'a', and so forth. The encoded password can then be hashed and stored in the same way as linear passwords.

### II-A Deployment Options

The SPARTAN interface can be used anywhere that linear passwords are used, including as part of a two-factor authentication scheme. We have developed a JavaScript SPARTAN interface, which can be incorporated into any existing web-based login page. We have also created a SPARTAN user script which can be deployed client-side, with no changes made to the authentication server. In this use case, the user installs a SPARTAN user script in their browser. The user can then enter a backslash (’\’) or another user-defined character into any password field and the SPARTAN grid will appear on top of the webpage. The user can then enter his SPARTAN password in the grid, and the hashed version of this password will be automatically placed in the website’s linear password field.

## III Related Work

The topic of usable passwords has been a contentious subject of research for many in the field of privacy and security throughout the years. Among the participants in a study by Mare et al., passwords were the most commonly disliked form of authentication, and had a relatively high failure rate among users [4]. Many other experts and studies find that current password practices are burdensome to users [3]. However, due to the deployability of passwords, among other factors, passwords are here to stay [1][2].

Password managers can help solve the common user problem of having too many passwords to remember; however, a study by Ion et al. found that many users are distrustful of password managers and do not find them to be user-friendly [5]. Furthermore, many organizations do not feel they can trust third-party password managers, and restrict their employees from using them for work accounts [4].

Mnemonic passwords, where users are instructed to make a password by choosing a character for each word of a selected phrase, have also been an interesting point of research. Kuo et al. found that user-created mnemonic passwords are often based on well-known phrases, such as song lyrics, and they could be vulnerable to a specially-crafted dictionary attack [8]. A study by Forget et al. found that these password schemes may be difficult for users to understand and are easy to misuse [9].

Safdar and Hassan suggest the completion of a full two-dimensional grid as passwords in secure environments [17]. In their research, they acknowledge that this method should only be used in extreme situations where security is paramount, because the passwords are too complex and lengthy for normal users to remember.

Perhaps the most similar work to the research described in this paper is Saharkar and Dhopte’s scheme for the combination of graphical and alphanumeric passwords. In their model, they suggest that users should choose points of interest on an image, and have the option of adding a textual password to each point upon password entry [18]. As of this writing, there is no published research evaluating the security or usability of this method.

Our study differs from all previous research in that it evaluates the combination of aspects of graphical and linear passwords. Although SPARTAN uses a two-dimensional grid, it is different from Safdar and Hassan’s work in that its use does not require users to complete the entire grid space. In this way, our study gives unique insight into the creation of passwords and is the first to evaluate the SPARTAN method of authentication.

## IV Method

We conducted an Institutional Review Board (IRB)-approved human factors study with adult employees of our organization in order to evaluate the usability of our SPARTAN prototype and differences between user-created SPARTAN and linear passwords. During the course of this study, we were especially concerned with identifying usability limitations in our SPARTAN prototype, identifying any potential patterns in participants’ use of the prototype, and comparing passwords created with a linear password interface with those created with the SPARTAN interface.

Participants were recruited via email and could participate at their leisure from the comfort of their individual workstations. Figures 2 and 3 show demographic information of participants and their reported computer usage. The study took place over the course of three weeks from late August to early September 2016.

### IV-A Procedure

Participants were randomly assigned to the control group (linear passwords) or the experimental group (SPARTAN passwords). Each group went through four phases: instruction, creation, survey, and recall. The study had to be completed in one session; users were not able to return to complete their participation.

During instruction, the experimental group was given minimal instructions on SPARTAN and an interactive demo of its use. In the creation phase, members of each group created a password. For both SPARTAN and linear participants, the only password requirement was that it comprise at least eight characters. All passwords were masked during creation. In addition to a password hash, we collected a converted version of the passwords created which conveyed the character set used for each character of the password (uppercase, lowercase, numerical, or special character). This data allowed us to determine the password length and number of character sets used as well as the placement of SPARTAN passwords in the grid.

After creating their passwords, all participants completed a survey for demographic information and password practices. SPARTAN participants were asked additional questions about the SPARTAN interface. Participants were then asked to recall the password they created at the beginning of the study, with the opportunity to retry as many times as desired.

Some participants did not complete all phases of the study; user retention is discussed further in Section V-D1. Of the participants that reached the recall phase, the median total time spent on the study for members of the control group was 3.8 minutes, whereas in the experimental group the median time was 13.7 minutes. Figure 4 shows the average time spent in each phase for all participants.

### IV-B SPARTAN Prototype

The SPARTAN prototype used in this study is a 12x12 grid, with the block colorization seeded by the username used. When entering a password, the user was expected to first choose a starting location by clicking on a cell in the grid, then choose a typing direction for their password by clicking on an arrow or pressing an arrow on their keyboard. In order to de-clutter the interface, we opted for arrows superimposed on the grid itself instead of a separate directional pad (d-pad). As a goal of this study was to gather data on where users would independently place their passwords in the SPARTAN grid, we refrained from giving a default grid location and direction.

We also implemented a mobile-inspired masking mechanism, where characters in adjacent cells remain visible to the user until the cursor is moved to a distant cell. Characters in each cell could be unmasked by hovering over the desired cell. A screenshot of the developed prototype displaying these features is shown in Figure 5.

Some of the design decisions made for this study were found to have adverse effects on the usability of the prototype. These concerns are explained further in Section V-B3.

Passwords created with the SPARTAN prototype were collected by filling empty cells with spaces in order to effectively preserve location data and concatenating each row to the preceding rows. The result of the concatenation was then hashed to compare against re-entered passwords.
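The two encodings described in this paper (the location-prefixed form from Section II and the row-concatenation form used by the prototype) can be sketched as follows. This is an added example, not the authors' code; it assumes zero-based row-then-column coordinates zero-padded to two digits, wrap-around within the same row or column, and salted PBKDF2 as the hash, none of which the paper specifies.

```python
import hashlib
import hmac

GRID = 12  # the study prototype used a 12x12 grid

# Direction name -> (row step, column step)
STEPS = {"right": (0, 1), "left": (0, -1), "down": (1, 0), "up": (-1, 0)}


def place(grid, text, row, col, direction):
    """Type `text` into `grid` (a dict keyed by (row, col)), one cell per
    character, starting at (row, col). Assumption: stepping past an edge
    wraps around within the same row or column, so a long run can overwrite
    its own first characters (the overwriting the paper mentions)."""
    d_row, d_col = STEPS[direction]
    for ch in text:
        grid[(row, col)] = ch
        row, col = (row + d_row) % GRID, (col + d_col) % GRID


def encode_locations(grid):
    """Location-prefixed encoding in the spirit of 23P24a25s...
    Cells are emitted in row-major order, so the order in which the user
    typed them does not change the result. Row and column are zero-padded to
    two digits each (assumption): unpadded indices become ambiguous once a
    row or column reaches 10, and digits are legal password characters."""
    return "".join(f"{r:02d}{c:02d}{ch}" for (r, c), ch in sorted(grid.items()))


def encode_rows(grid):
    """Row-concatenation encoding described for the study prototype: empty
    cells become spaces and the rows are joined top to bottom. A typed space
    is indistinguishable from an empty cell in this form."""
    return "".join(grid.get((r, c), " ") for r in range(GRID) for c in range(GRID))


def hash_encoded(encoded, salt, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256 over the encoded password. The KDF choice is
    an assumption; the paper only says the encoding is hashed like a linear
    password."""
    return hashlib.pbkdf2_hmac("sha256", encoded.encode("utf-8"), salt, iterations)


def verify(grid, salt, stored):
    """Constant-time comparison of a re-entered grid against the stored hash."""
    return hmac.compare_digest(hash_encoded(encode_locations(grid), salt), stored)


def paper_layout():
    """The layout behind 23P24a25s26s36w46o56r57d, read as row then column."""
    grid = {}
    place(grid, "Pass", 2, 3, "right")
    place(grid, "wor", 3, 6, "down")
    place(grid, "d", 5, 7, "right")
    return grid


def top_left_layout():
    """Same text typed as a straight line from the top-left corner."""
    grid = {}
    place(grid, "Password", 0, 0, "right")
    return grid


if __name__ == "__main__":
    salt = bytes(16)  # constructed demo salt; use os.urandom(16) per account
    stored = hash_encoded(encode_locations(paper_layout()), salt)
    print(encode_locations(paper_layout()))
    print(repr(encode_rows(paper_layout())[24:36]))  # row 2 of the grid
    print("same layout verifies:", verify(paper_layout(), salt, stored))
    print("same text, other place:", verify(top_left_layout(), salt, stored))
```
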

## V Results

In general, our participants’ responses indicated that they are burdened by password creation, with many sites enforcing disparate complexity requirements. This is in line with other research and expert opinions in the field [3][19][4]. Many participants demonstrated an affinity for longer length requirements in place of complexity requirements. This is also the opinion supported by the NIST Draft Digital Authentication Guideline [20], and is the idea behind the SPARTAN interface, to decrease complexity requirements while increasing security.

### V-B SPARTAN Usability

In this section we evaluate SPARTAN in terms of the time required to use the SPARTAN interface, the rate of recall of SPARTAN passwords, and the reported usability and acceptance of SPARTAN among participants.

#### V-B1 Time Considerations

As shown in Figure 4, the average time for participants to create a SPARTAN password was three times that of their linear counterparts. In addition, experimental group participants took approximately twice as long as their control group counterparts to recall their passwords. Although this is a significant increase in time required for creation and recall, we find these results promising as the factor of increase decreased as participants became more familiar with the SPARTAN interface. Future work should further evaluate the time required for users to login using SPARTAN after they’ve gained familiarity with the interface over time.

#### V-B2 Recall Rate

In total, 31 SPARTAN and 41 linear participants reached the recall phase of the study. Of these SPARTAN participants, three did not attempt to recall their password. Both the control group and the experimental group had one participant who was unable to recall his password after several attempts. Of the participants who did successfully recall their passwords, two in the control group and three in the experimental group required multiple attempts. In both groups, the average number of attempts among all successful participants was 1.1. All participants in the study only had to remember their passwords for a couple of minutes while they completed the survey; however, it is promising that SPARTAN group participants displayed a recall rate similar to their linear counterparts. Future work should evaluate the recall rate of SPARTAN passwords over a longer period of time, and when multiple passwords need to be remembered across different accounts.

#### V-B3 User Reaction

We also asked SPARTAN participants if they would prefer to use SPARTAN or traditional passwords in order to log in to their bank accounts. 37% of users said they would prefer SPARTAN while 63% reported they would prefer linear (N=35). The reasons behind these answers varied. The majority of participants in favor of SPARTAN cited improved security as the reason for their preference. Some even mentioned that they would prefer security over ease-of-use for important credentials. A few also mentioned that they liked that they could create a unique pattern that would be impossible for others to guess. Of those in favor of linear passwords, a majority cited poor prototype usability as the reason behind their preference.

One of the most prevalent problems with usability was caused by our decision to superimpose arrows on the grid instead of featuring a separate d-pad. With this implementation, in order to move around the grid cell by cell, users could either click a cell or use the directional arrows on the keyboard to navigate. However, if a cell contained an arrow, one click would select the arrow, and a second click would select the cell. This was understandably confusing to users unfamiliar with the mechanics. Our decision to eliminate default selections also resulted in poor usability. As noted in Section IV-B, in order to decrease bias, we did not implement a default starting position or direction in the SPARTAN interface. This resulted in a decrease in usability which would not be present in a deployed system. In Section VIII, we propose future work to improve the usability of SPARTAN.

The next most frequent response in favor of linear passwords was a feeling that SPARTAN passwords would be harder to remember. As discussed in Section V-B2, we did not see a significant decrease in recall rate for SPARTAN passwords. However, our study only required a short amount of time between password creation and recall; future work should evaluate the recall rate of SPARTAN passwords over a longer period of time. A few participants indicated their preference was due to password managers not yet supporting SPARTAN passwords.

The increased security of SPARTAN passwords over linear passwords depends on the variability of their placement in the grid. If all users choose the same location or set of locations, the security of SPARTAN passwords would decrease and SPARTAN would not provide any additional security over linear passwords. The data gathered during our study shows that users did choose variable password locations and strategies throughout the grid, and increased the security of their passwords by doing so. Figure 7 shows the distribution of filled cells in the grid for all SPARTAN passwords created by users.

### V-D Limitations

There are a number of factors that could have affected the outcome of our study. Members of the experimental group took much longer to complete their participation than members of the control group. This could have led to fatigue in the experimental group.

As mentioned in Section IV-B, in order to refrain from imposing bias on the location and direction of participants’ SPARTAN passwords, we did not give a default location or direction in the grid. This led to some usability concerns among participants.

Finally, participants may have created stronger passwords than they normally employ because they knew the passwords were being monitored for a study. This is especially true in the control group, as some participants indicated a belief that the results of the study would be used to influence password complexity requirements for our organization as a whole.

#### V-D1 Retention

Although we recruited 100 participants from throughout our organization, not all participants finished all phases of the study. Two participants each from the control and experimental groups quit after failing to create a password due to being unable to meet requirements and/or re-enter the password correctly. Since the same number of participants in each group did this, terminating at this time should not be attributed to difficulty with the SPARTAN interface.

It should also be noted that a number of participants from each group quit before the survey loaded. We found during the study that the survey had difficulty handling a large number of simultaneous participants. A number of experimental group participants also quit during the survey or before attempting to recall their password. This may have been due to fatigue; as noted in Section IV-A, participation in the experimental group took much longer than control group participation did. More information about the number of participants at each phase is shown in Figure 9.

## VII Discussion

### VII-A Predicting the Next Cell

Password security is commonly measured in terms of entropy. Previous work in the field has tested the validity of this and other measures in relation to actual password security against realistic attacks [21][22][23]. We find the calculation of entropy added by the use of SPARTAN to be an interesting point of discussion for this research. Shannon’s work in which he estimated the entropy of a string of English text has been used in password security research for decades [24]. The 2013 NIST Electronic Authentication Guideline builds on Shannon’s work and offers similar metrics for the entropy of passwords [25]. In their analysis, the first character of a password is worth 4 bits of entropy. The following seven characters are worth 2 bits each, while characters 9 through 20 are each worth 1.5 bits. Each character after the twentieth is worth 1 bit each. Using these metrics, the median-length linear password created during this study was worth 23 bits of entropy and the median SPARTAN password text was worth 20 bits of entropy.

### VII-B Dictionary Size

It is difficult to quantify exactly how bits of entropy correlate to increased security. Entropy can also be described as a function of the dictionary size, or space (S) and the likelihood (L) that a given password will be in the stated space, as in Equation 1 below [26].

$$\text{Entropy} = \log_2\left(\frac{S}{2L}\right) \tag{1}$$

Looking at the problem from this angle, one can consider the number of passwords that an attacker might recover using a given dictionary, as described in Section VI. An attacker will try to go after the weakest passwords first when constructing his dictionary. Assume the adversary has created a dictionary of 5000 possible passwords and assume he is able to crack all linear passwords comprising a maximum of 10 characters with this dictionary. Under these assumptions, he would recover 43% of the linear passwords created in our study.

Using the same dictionary, but adapting it to look for SPARTAN passwords that are up to 10 characters and that start at the top left corner of the grid and continue horizontally, the dictionary would have the same number of entries, but the adversary would only recover 5% of the passwords created with SPARTAN. Although a greater number of SPARTAN passwords were 10 characters or fewer, only 5% of the SPARTAN passwords created were both 10 characters or fewer and placed horizontally in the top left corner. Thus, with the same size dictionary (therefore the same number of comparisons to perform, the same amount of time spent cracking), the attacker would only recover 5% of the SPARTAN passwords created in this study compared to 43% of the linear passwords.

The attacker could increase his dictionary to include all Straight Line horizontal passwords of 10 characters or fewer placed anywhere in the grid. By doing so, his dictionary would now be able to recover 29% of the SPARTAN passwords created in this study, but his dictionary would necessarily increase by a factor of 288 for a 12x12 grid (passwords could start anywhere in the grid, traveling left or right). This trend continues for other common SPARTAN password placements. The attacker could alter his dictionary to target a certain subset of SPARTAN passwords, but this comes with the tradeoff of a larger dictionary, thus more memory and time required. Figure 12 displays the calculated tradeoff between dictionary size for the more common variations of SPARTAN passwords and the percent of passwords recovered.
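The arithmetic in Sections VII-A and VII-B can be carried through in a few lines. This is an added example, not part of the paper: it implements the NIST per-character schedule quoted above and the factor of 288, and, as an assumption of this example, plugs the study's recovery percentages into Equation 1 as the likelihood L (the paper does not report these bit values).

```python
import math


def nist_text_entropy_bits(length):
    """Per-character schedule quoted in Section VII-A: 4 bits for the first
    character, 2 bits each for characters 2-8, 1.5 bits each for characters
    9-20, and 1 bit for each character after the twentieth."""
    bits = 0.0
    for position in range(1, length + 1):
        if position == 1:
            bits += 4.0
        elif position <= 8:
            bits += 2.0
        elif position <= 20:
            bits += 1.5
        else:
            bits += 1.0
    return bits


def horizontal_anywhere_multiplier(grid_side):
    """Dictionary growth for straight horizontal passwords placed anywhere:
    every cell is a possible start and the text can run left or right."""
    return grid_side * grid_side * 2


def equation1_bits(space, likelihood):
    """Equation 1: log2(S / (2L)) for dictionary size S and likelihood L."""
    if space <= 0 or not 0 < likelihood <= 1:
        raise ValueError("need S > 0 and 0 < L <= 1")
    return math.log2(space / (2 * likelihood))


def section_scenarios(base_dictionary=5000, grid_side=12):
    """The three attacker dictionaries from Section VII-B with the recovery
    rates reported there. Using those rates as L is this example's
    assumption. Returns (name, dictionary size, rate, bits) tuples."""
    wide = base_dictionary * horizontal_anywhere_multiplier(grid_side)
    rows = [
        ("linear, up to 10 characters", base_dictionary, 0.43),
        ("SPARTAN, top-left horizontal", base_dictionary, 0.05),
        ("SPARTAN, horizontal anywhere", wide, 0.29),
    ]
    return [(name, size, rate, equation1_bits(size, rate))
            for name, size, rate in rows]


if __name__ == "__main__":
    for length in (8, 10, 12):
        print(f"{length}-character text: {nist_text_entropy_bits(length)} bits")
    for side in (8, 10, 12):  # smaller grids are raised in Section VIII
        print(f"{side}x{side} grid multiplier: {horizontal_anywhere_multiplier(side)}")
    for name, size, rate, bits in section_scenarios():
        print(f"{name:30s} S={size:>9,d} L={rate:.2f} -> {bits:5.2f} bits")
```
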

## VIII Conclusion and Future Work

During this user study, we created a SPARTAN prototype, gathered empirical data on the security and usability of this method, and analyzed SPARTAN password security. The prototype interface, while sufficiently usable for the purposes of this study, would benefit from focused improvement to maximize usability. The usability concerns voiced by users were largely against the particular implementation of SPARTAN created for this study, and participants were open to new methods of authentication. Many users voiced opinions showing that they are overburdened with the current state of password requirements employed in their various online accounts, and they showed that they are interested in trying new forms of authentication.

The user-created SPARTAN passwords in this study, while generally shorter than the linear passwords created by participants, varied in placement throughout the grid and demonstrate that SPARTAN is a promising method for shorter, more secure passwords. In addition, current password cracking tools are not capable of breaking SPARTAN passwords without modification, and SPARTAN would necessitate the use of larger dictionaries than those employed for cracking linear passwords to recover the same number of user-created passwords.

There is still much work that can be done to evaluate the security and usability of SPARTAN passwords. First, we would like to address some of the usability concerns mentioned by participants in this study. In future deployments, we would like to employ a default location and direction in the grid in order to ease usability. In addition, we would like to introduce a simpler d-pad implementation for the directional arrows instead of superimposed arrows on the grid. We would also like to look into mobile adoption, as we can see usability on mobile as an important feature going forward.

We gathered 38 SPARTAN and 44 linear passwords during this study. In the future, we would like to gather more data on user-created SPARTAN passwords to ensure that the trends we saw in this study hold with a larger sample size. In addition, we would like to conduct a study to gain insight into the optimal grid size and layout to balance the tradeoffs among usability, memorability, and security. The decreased security resulting from the use of a smaller grid (10x10 or 8x8, for example) could perhaps be tolerated if increased usability can be demonstrated. Finally, we would like to conduct a study to gather data on the usability of SPARTAN over time, while participants use it to authenticate periodically over the course of a few months. This study would gain data on the memorability of SPARTAN and its usability over time, and could incorporate activities related to SPARTAN password changes and recovery for analysis.

## References

• [1] J. Bonneau, C. Herley, P. C. van Oorschot, and F. Stajano, “The quest to replace passwords: A framework for comparative evaluation of web authentication schemes,” in Symposium on Security and Privacy. IEEE, 2012.
• [2] C. Herley and P. van Oorschot, “A research agenda acknowledging the persistence of passwords,” IEEE Security & Privacy, vol. 10, no. 1, 2012.
• [3] L. F. Cranor, “What’s wrong with your pa$$w0rd? [video file],” March 2014, retrieved from https://www.ted.com/talks/lorrie_faith_cranor_what_s_wrong_with_your_pa_w0rd.
• [4] S. Mare, M. Baker, and J. Gummeson, “A study of authentication in daily life,” in Proceedings of the Twelfth Symposium on Usable Privacy and Security (SOUPS).   USENIX, June 2016, pp. 189–206.
• [5] I. Ion, R. Reeder, and S. Consolvo, “‘…no one can hack my mind’: Comparing expert and non-expert security practices,” in Proceedings of the Symposium on Usable Privacy and Security (SOUPS). USENIX, July 2015, pp. 327–346.
• [6] R. Shay, S. Komanduri, A. L. Durity, P. Huh, M. L. Mazurek, S. M. Segreti, B. Ur, L. Bauer, N. Christin, and L. F. Cranor, “Can long passwords be secure and usable?” in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems.   CHI, April 2014, pp. 2927–2936.
• [7] A. Forget, S. Chiasson, P. van Oorschot, and R. Biddle, “Improving text passwords through persuasion,” in Symposium on Usable Privacy and Security (SOUPS), July 2008.
• [8] C. Kuo, S. Romanosky, and L. F. Cranor, “Human selection of mnemonic phrase-based passwords,” in Symposium on Usable Privacy and Security (SOUPS), July 2006.
• [9] A. Forget, S. Chiasson, and R. Biddle, “Helping users create better passwords: Is this the right approach?” in Symposium on Usable Privacy and Security (SOUPS), July 2007.
• [10] E. Stobert and R. Biddle, “Memory retrieval and graphical passwords,” in Proceedings of the Ninth Symposium on Usable Privacy and Security (SOUPS).   ACM, July 2013, p. 15.
• [11] R. Biddle, S. Chiasson, and P. V. Oorschot, “Graphical passwords: Learning from the first twelve years,” ACM Computing Surveys, vol. 44(4), 2012.
• [12] P. C. van Oorschot and J. Thorpe, “On predictive models and user-drawn graphical passwords,” ACM Transactions on Information and System Security, vol. 10, no. 4, January 2008.
• [13] D. Davis, F. Monrose, and M. K. Reiter, “On user choice in graphical password schemes,” in Proceedings of the 13th conference on USENIX Security Symposium.   USENIX, August 2004.
• [14] H. Tao and C. Adams, “Pass-go: A proposal to improve the usability of graphical passwords,” International Journal of Network Security, vol. 7(2), pp. 273–292, September 2008.
• [15] S. Chiasson, A. Forget, R. Biddle, and P. van Oorschot, “Influencing users toward better passwords: Persuasive cued click-points,” in Proceedings of the 22nd British HCI Group Annual Conference on People and Computers: Culture, Creativity, Interaction, vol. 1, September 2008, pp. 121–130.
• [16] S. Wiedenbeck, J. Waters, J. Birget, A. Brodskiy, and N. Memon, “Authentication using graphical passwords: Effects of tolerance and image choice,” in Symposium on Usable Privacy and Security (SOUPS), July 2005.
• [17] S. Safdar and M. F. Hassan, “Moving towards two dimensional passwords,” in 2010 International Symposium in Information Technology.   IEEE, June 2010.
• [18] C. S. Saharkar and S. V. Dhopte, “Authentication for the system by using graphical region and alphanumeric password,” International Journal on Recent and Innovation Trends in Computing and Communication (IJRITCC), vol. 3, no. 5, May 2015.
• [19] L. F. Cranor, “Time to rethink mandatory password changes,” Tech@FTC, 2016.
• [20] P. A. Grassi, J. L. Fenton, E. M. Newton, R. A. Perlner, A. R. Regenscheid, W. E. Burr, J. P. Richer, N. B. Lefkovitz, J. M. Danker, Y. Choong, K. K. Greene, and M. F. Theofanos, “Digital authentication guideline,” DRAFT NIST Special Publication, vol. 800-63B, 2016.
• [21] S. Komanduri, R. Shay, P. G. Kelley, M. L. Mazurek, L. Bauer, N. Christin, L. F. Cranor, and S. Egelman, “Of passwords and people: Measuring the effect of password-composition policies,” in CHI 2011.   ACM, 2011.
• [22] W. Ma, J. Campbell, D. Tran, and D. Kleeman, “Password entropy and password quality,” in Fourth International Conference on Network and System Security.   IEEE, 2010.
• [23] J. J. Yan, “A note on proactive password checking,” in Proceedings of the 2001 Workshop on New Security Paradigms. ACM, September 2001, pp. 127–135.
• [24] C. E. Shannon, “Prediction and entropy of printed English,” The Bell System Technical Journal, 1951.
• [25] W. E. Burr, D. F. Dodson, E. M. Newton, R. A. Perlner, T. W. Polk, S. Gupta, and E. A. Nabbus, “Electronic authentication guideline,” NIST Special Publication, vol. 800-63-2, 2013.
• [26] R. E. Smith, Authentication: From Passwords to Public Keys, 2nd ed.   Addison Wesley, 2002.