“Too Taxing on the Mind!” Authentication Grids are not for Everyone

The security and usability issues associated with passwords have encouraged the development of a plethora of alternative authentication schemes. These aim to provide stronger and/or more usable authentication, but it is hard for the developers to anticipate how users will perform with and react to such schemes. We present a case study of a one-time password entry method called the Vernitski Authentication Grid (VAG), which requires users to enter their password in pairs of characters by finding where the row and the column containing the characters intersect and entering the character from this intersection. We conducted a laboratory user evaluation (n = 36) and found that authentication took 88.6 s on average, with login times decreasing with practice. Participants were faster authenticating on a tablet than on a PC. Overall, participants found using the grid complex and time-consuming. Their stated willingness to use it depended on the context of use, with most participants considering it suitable for accessing infrequently used and high-stakes accounts and systems. While using the grid, 31 out of 36 participants pointed at the characters, rows and columns with their fingers or mouse, which undermines the shoulder-surfing protection that the VAG is meant to offer. Our results demonstrate there cannot be a one-size-fits-all replacement for passwords – usability and security can only be achieved through schemes designed to fit a specific context of use.