On designing an unaided authentication service with threat detection and leakage control for defeating opportunistic adversaries
Frontiers of Computer Science (IF 4.2), Pub Date: 2020-10-02, DOI: 10.1007/s11704-019-9134-9
Nilesh Chakraborty, Samrat Mondal

Unaided authentication services provide the flexibility to log in without depending on any additional device. The power of recording-attack-resilient unaided authentication services (RARUAS) is undeniable as, in some aspects, they are even capable of offering better security than biometric-based authentication systems. However, the high login complexity of these RARUAS makes them far from usable in practice. The adopted information leakage control strategies have often been identified as the primary cause of such high login complexities. Though recent proposals have made significant efforts to design a usable RARUAS by reducing its login complexity, most of them have failed to achieve the desired usability standard. In this paper, we introduce a new notion of controlling the information leakage rate. While maintaining a good security standard, the introduced idea helps to reduce the login complexity of our proposed mechanism, named the Textual-Graphical Password-based Mechanism (TGPM), by a significant extent. Along with resisting the recording attack, TGPM also achieves the remarkable property of threat detection. To the best of our knowledge, TGPM is the first RARUAS that can both prevent and detect the activities of opportunistic recording attackers who can record the complete login activity of a genuine user for a few login sessions. Our study reveals that TGPM assures much higher session resiliency than the existing authentication services having the same or even higher login complexities. Moreover, TGPM stores the password information in a distributed way and thus prevents an adversary from learning the complete secret from a single compromised server. A thorough theoretical analysis has been performed to prove the strength of our proposal from both the security and usability perspectives. We have also conducted an experimental study to support the theoretical argument made on the usability standard of TGPM.




Updated: 2020-10-02