Déjà Vu: Using Images for User Authentication

 

Current security systems suffer because they neglect the importance of human factors in security. With Déjà Vu, we address a fundamental weakness of knowledge-based authentication schemes: the limited human ability to remember secure passwords.

Our approach to improving the security of these systems relies on recognition-based, rather than recall-based, authentication. Déjà Vu authenticates a user through her ability to recognize previously seen images. Déjà Vu is more reliable and easier to use than traditional recall-based schemes, which require the user to precisely recall passwords or PINs. Furthermore, it prevents users from choosing weak passwords and makes it difficult to write down passwords or share them with others.

Shown here is a prototype of the Déjà Vu login screen. Using our prototype, we conducted a user study that compares it to traditional password and PIN authentication. Our user study shows that 90% of all participants succeeded in the authentication tests using Déjà Vu, while only about 70% succeeded using passwords and PINs. Our findings indicate that Déjà Vu has potential applications, especially where text input is hard (e.g., PDAs or ATMs), or in situations where passwords are infrequently used (e.g., web site passwords).


Papers about Déjà Vu

Déjà Vu: A User Study Using Images for Authentication, Rachna Dhamija and Adrian Perrig, 9th Usenix Security Symposium, August 2000. [PDF]

Hash Visualization: a way to improve real world security, Adrian Perrig and Dawn Song, International Workshop on Cryptographic Techniques and E-Commerce, CrypTEC '99.

About the authors:

Adrian Perrig is a Ph.D. student in Computer Science at Carnegie Mellon University (currently finishing his thesis at UC Berkeley).

Dawn Song is a Ph.D. student in Computer Science at UC Berkeley.

Rachna Dhamija is a Ph.D. student in UC Berkeley's School of Information Management and Systems.


Press

Open Sesame: A Picture Worth 1,000 Passwords The New York Times, December 27, 2001, by Jennifer 8. Lee

And the Password Is . . . Waterloo The New York Times, December 27, 2001, by Jennifer 8. Lee

Pictorial Passwords Slashdot discussion, December 28, 2001

A Picture May Be Worth A Thousand Passwords
The Wall Street Journal, November 27, 2000, by H. Asher Bolande
[cached copy] [copy of ZDnet reprint]

Forget your password? Picture this The Independent, London October 9 2000, by Suelette Dreyfus
[cached copy]

The art of passwords in an era of machines The Age newspaper, Melbourne, October 10 2000 by Suelette Dreyfus
[cached copy]

Also see

Andrej Bauer's Gallery of Random Art
Adrian Perrig's Random Art Gallery (16 images and 48 images)


This page: http://www.sims.berkeley.edu/~dejavu/
Last modified: 10.08.2000