A3C: An Image-Association-Based Computing Device Authentication Framework for People with Upper Extremity Impairments
Brittany Lewis, Priyankan Kirupaharan, Tina-Marie Ranalli, Krishna Venkatasubramanian · 2024 · ACM Transactions on Accessible Computing · doi:10.1145/3652522
Summary
This paper presents A3C (Accessible image-Association-based Authentication for Computing devices), a novel authentication framework designed for people with upper extremity impairments (UEI). Over 20 million Americans have conditions—including traumatic injuries, degenerative conditions, amputations, and movement disorders—that affect their ability to use conventional authentication methods like typing passwords, entering PINs, or positioning for biometric scans. A3C is a recognition-based graphical authentication system with a critical design principle: it requires only simple point-and-click selection, making it compatible with any assistive technology users already employ (eye-gaze trackers, voice interfaces, mouth sticks, adaptive mice). During setup, users provide primary images of people they recognize (friends, family, celebrities) and mentally associate each with a secondary image (animals, in the tested implementation). During authentication, users first select their primary images from a grid containing decoy faces, then identify the associated secondary image for a randomly selected primary image. The security comes from the undocumented mental association between primary and secondary images—even if an attacker knows which faces the user selected, they cannot guess the personal associations. The researchers implemented A3C-FA (using faces and animals) in both undistorted and distorted versions, achieving an entropy of 152.4 bits, exceeding the 128-bit standard for AES encryption.
Key findings
Three rigorous studies evaluated A3C-FA. In a shoulder-surfing attack study (N=319), participants watched authentication videos then attempted to break in. A3C-FA achieved only ~30% attacker success rate compared to 88.7% for Passfaces, a well-established graphical authentication control. The close-adversary study (N=268) simulated attackers with personal knowledge of the target user—given 12 face images of people the target knows and 12 animals they like. Even with 15 attempts, 81.7% of adversaries failed to authenticate. The accessibility study with 14 people with UEI (including spinal cord injuries, multiple sclerosis, ALS, and hand-arm vibration syndrome) was conducted over three sessions spanning one month. Thirteen of 14 participants authenticated successfully without errors even after a month without using the system. Qualitative findings revealed participants found A3C-FA easier than passwords ("Typing words is difficult. Selecting images is easy"), more reliable than biometrics (unaffected by lighting or wet hands), and more usable than other graphical authentication requiring precise gestures. Participants developed diverse strategies for creating memorable associations: name-based ("Snoop Dogg, first thing that comes to mind is a dog"), characteristic-based (matching a guitarist to a fast animal), and rank-based (favorite celebrity to favorite animal).
Relevance
This research addresses a significant gap in accessible security, demonstrating that authentication can be both highly secure and accessible to people with motor impairments. The framework works with the full range of assistive technologies people with UEI already use—a critical design consideration often overlooked in security research. For practitioners, the paper offers a validated alternative to password/PIN systems that cause documented frustration and errors for people with motor impairments. The large image selection areas and elimination of precise gestures or typing make A3C suitable for deployment on personal devices. The researchers note potential applications beyond UEI: children who struggle with passwords, people with memory or cognitive impairments who may find visual associations easier to remember, and as a backup authentication method for all users. The study also identifies important limitations and future directions: adapting A3C for people who are blind or have low vision (potentially using voice recognition and audio associations), developing guidelines for creating secure credentials, and testing with people with intellectual and developmental disabilities. The framework represents a model for security research that centers accessibility from the start rather than treating it as an afterthought.
Tags: authentication · upper extremity impairments · graphical authentication · security · assistive technology · motor impairments · accessible design