Training johnny to authenticate (Safely)

Amir Herzberg, Ronen Margulies

Research output: Contribution to journal › Article › peer-review

3 Scopus citations


The authors present the results of a long-term user study of site-based login mechanisms that train users to log in safely. Interactive site-identifying images achieved 70 percent detection rates, significantly better than the 20 percent achieved by the typical login ceremony. They also found that combining login bookmarks with interactive images and nonworking buttons or links (called negative training functions) achieved the best detection rates (82 percent) and overall resistance rates (93 percent). Because interactive custom images provide effective user training against phishing, the authors extended their use in authentication. The authors present an adaptive authentication mechanism based on recognition of multiple custom images, which can be used for different Web and mobile authentication scenarios. The mechanism relies on memorization of the custom images on each primary login, adaptively increasing the authentication difficulty on detection of impersonation attacks, and recognizing all images for fallback authentication.

Original language: English
Article number: 6025344
Pages (from-to): 37-45
Number of pages: 9
Journal: IEEE Security and Privacy
Issue number: 1
State: Published - Jan 2012

Bibliographical note

Funding Information:
We thank Ben Adida for his feedback and helpful suggestions. This work was supported by Israeli Science Foundation grant ISF1014/07.


  • fallback authentication
  • forcing functions
  • graphical passwords
  • human factors
  • long-term user study
  • memorability
  • password reset
  • phishing
  • training

