the cups blog


SOAPS: Accessibility and Graphical Passwords

Alain Forget, Sonia Chiasson and Robert Biddle

Previous systems:
Click-based graphical passwords

  • PassPoints: security issues, users tend to click on the same points as other users in a given image
  • Cued Click-Points:
    • Click once on each of several images, where you click determines the next image you see.
    • Users still click on the same spots in a given image.
  • Persuasive CCP:
    • Eliminated the hotspots
  • Accessibility of these solutions?
    • Rely on vision and fine motor control

Decouple Content vs Presentation

  • ie, like how CSS does for web sites.
  • In click-based systems:
    • Presentation: Cue (image)
    • Selection: Response (clicks on a specific area)
  • Generalized model:
    • presentation: any cue, any modality (image, text, sound, haptic, video…)
    • (But shouldn’t provide a predictable response across all users)
    • response: any user input, any modality (clicking, typing, verbal, gesture, mouse movement…)
    • Example:
      • PassSounds: music clip, click at appropriate time.
      • Musicians can synthronize at approximately 250ms
      • early conclusions: ~5 clicks, 30sec max, +/-1/2sec accuracy.


  • PassPoints:
    • 451×331, 5 clicks, 19×19 tolerance ~ 43 bits password space
    • Minimize hotspots by using several images, providing selection assistance
  • PassSounds:
    • 30s, 1s tolerance. ~17 bits (about a 5-digit PIN)
    • Minimize hotspots by: using several clips, suggesting clicks, identifying other elements of the clip?


  • Allow any combination of modalities
  • Caution: cue and response cannot be evaluated in isolation


Q:Will there be a bandwidth concern with using these techniques?

A:Images seem modest, most of these techniques aren’t particularly high bandwidth. Perhaps there’s a compromise
Q:Have you done longitudinal studies to test recall?
A:No testing over time yet, but testing interference with other passwords.