Pick and Sort for Graphical Authentication
Pith reviewed 2026-05-09 19:30 UTC · model grok-4.3
The pith
Users authenticate by selecting visual elements and arranging them in a configurable grid.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The central claim is that a pick-and-sort graphical password scheme, with configurable selection size and grid layout, provides an easy-to-learn and deployable alternative to traditional authentication, as evidenced by initial user testing with a prototype.
What carries the argument
The Pick and Sort design, in which users choose visual elements and arrange them within a grid, with configurable parameters for number of elements and grid size.
If this is right
- Users can customize the visual elements for specific demographics such as children.
- The scheme supports variable security levels through adjustable grid sizes and selection counts.
- Login times are longer but acceptable for non-time-critical applications.
- It can serve as a secondary authentication mechanism.
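The "variable security levels" item above invites a back-of-the-envelope check of what the two knobs (selection count and grid size) actually buy. The Python below is an added example, not code from the paper or its prototype. It assumes a secret model the abstract does not spell out, namely that a secret is an ordered placement of k distinct elements, picked from a pool of n candidate images, into k distinct cells of a g-cell grid; every function name and the baseline table are the editor's. It also contrasts uniform-choice entropy with the guesswork metric of Malone and Sullivan [11], because the load-bearing premise that study results transfer to real users rests on how skewed user choice turns out to be.

```python
from math import comb, log2, perm
from typing import Iterable, Optional

# Assumed model (the abstract does not fix one): a secret is an ordered
# placement of `picks` distinct elements, chosen from a pool of `pool`
# candidate images, into `picks` distinct cells of a grid with `grid_cells`
# cells.  Selection contributes C(pool, picks); placement P(grid_cells, picks).


def pick_and_sort_space(pool: int, picks: int, grid_cells: int) -> int:
    """Size of the theoretical secret space for one configuration."""
    if not 1 <= picks <= min(pool, grid_cells):
        raise ValueError("need 1 <= picks <= min(pool, grid_cells)")
    return comb(pool, picks) * perm(grid_cells, picks)


def entropy_bits(space: int) -> float:
    """Entropy in bits when every secret in the space is equally likely."""
    return log2(space)


def min_picks_for_bits(pool: int, grid_cells: int, target_bits: float) -> Optional[int]:
    """Smallest selection count whose uniform space reaches target_bits, or None."""
    for picks in range(1, min(pool, grid_cells) + 1):
        if entropy_bits(pick_and_sort_space(pool, picks, grid_cells)) >= target_bits:
            return picks
    return None


def guesswork(probabilities: Iterable[float]) -> float:
    """Expected number of guesses for an attacker who tries secrets in
    decreasing order of probability (the guesswork metric of Malone and
    Sullivan [11]).  For a uniform space of N secrets this is (N + 1) / 2."""
    p = sorted(probabilities, reverse=True)
    if abs(sum(p) - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    return sum(rank * prob for rank, prob in enumerate(p, start=1))


def shannon_bits(probabilities: Iterable[float]) -> float:
    """Shannon entropy of a choice distribution, for comparison with guesswork."""
    return -sum(prob * log2(prob) for prob in probabilities if prob > 0)


# Uniform-choice baselines; the abstract compares against conventional
# methods only informally, so these are the editor's reference points.
BASELINES = {
    "4-digit PIN": 10 ** 4,
    "6-digit PIN": 10 ** 6,
    "8 random lowercase letters": 26 ** 8,
}


def skewed_distribution(space: int, popular: int, popular_mass: float) -> list:
    """Constructed user-choice model (not measured data): `popular` secrets
    share `popular_mass` of the probability, the rest is spread uniformly."""
    if not 0 < popular < space or not 0 < popular_mass < 1:
        raise ValueError("bad skew parameters")
    rest = space - popular
    return [popular_mass / popular] * popular + [(1 - popular_mass) / rest] * rest


if __name__ == "__main__":
    pool = 16
    for rows, cols in ((2, 2), (3, 3), (4, 4)):
        for picks in (2, 3, 4):
            cells = rows * cols
            n = pick_and_sort_space(pool, picks, cells)
            print(f"pool={pool} picks={picks} grid={rows}x{cols}: "
                  f"{n:>12,d} secrets, {entropy_bits(n):5.1f} bits")
    for name, n in BASELINES.items():
        print(f"{name}: {entropy_bits(n):.1f} bits")
    print("smallest picks for >= 20 bits, pool 16 on 3x3:", min_picks_for_bits(pool, 9, 20))

    # Same 1320-secret space (pool 12, picks 3, 3 cells); 10 "popular"
    # secrets carry half the mass.  Entropy drops a little, guesswork halves.
    space = pick_and_sort_space(12, 3, 3)
    p = skewed_distribution(space, popular=10, popular_mass=0.5)
    print(f"uniform: {entropy_bits(space):.2f} bits, {(space + 1) / 2:.1f} expected guesses")
    print(f"skewed : {shannon_bits(p):.2f} bits, {guesswork(p):.1f} expected guesses")
```

The point of the last two lines is the caveat a reviewer would raise against "variable security levels": grid size and selection count set the ceiling, but an online guessing attacker is bounded by guesswork under the real choice distribution, which only a larger study (or a hot-spot analysis of the kind Dirik et al. did for PassPoints) can estimate.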
Where Pith is reading between the lines
- Such schemes might reduce phishing risks by relying on visual memory rather than text, though a phishing page that mirrors the grid captures the selection as readily as a text field captures a password, so any such benefit would need to be demonstrated rather than assumed.
- Further testing could explore resistance to shoulder-surfing attacks in public settings.
- Integration with mobile devices could leverage touch-based sorting for better usability.
Load-bearing premise
That the longer login times will be tolerated by users in non-urgent situations and that the preliminary study results apply to broader real-world use.
What would settle it
A larger-scale user study demonstrating that login times are too long for practical adoption or that the scheme has low security against observation attacks would falsify the claim of practical usability.
Original abstract
We propose a graphical authentication scheme that follows a simple "Pick and Sort" design in which users choose visual elements and arrange them within a grid. Both the number of selected elements and the grid size are configurable, and the visual elements can be customized for specific user groups, such as children. A preliminary study with a prototype implementation indicated that the scheme is easy to learn and flexible to deploy. Although login times are longer than those of conventional authentication methods, the additional interaction may be acceptable in scenarios that are not time-critical, such as infrequent-access use cases or as a secondary authentication mechanism.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes a configurable graphical authentication scheme called 'Pick and Sort' in which users select visual elements and arrange them within a grid. Both the number of elements and grid size are adjustable, and visuals can be customized (e.g., for children). The central claim is that a preliminary prototype study indicates the scheme is easy to learn and flexible to deploy, with the observation that longer login times may be acceptable in non-time-critical scenarios such as infrequent access or secondary authentication.
Significance. If the usability indications from the preliminary study hold under more rigorous testing, the configurable design could offer a practical, adaptable alternative to existing graphical or text-based authentication methods, particularly for user groups benefiting from visual customization. The absence of complex parameters or fitted models is a strength, as is the explicit caveat regarding login times.
major comments (1)
- [Abstract] Abstract (and any evaluation section describing the study): The central usability claim that the scheme 'is easy to learn and flexible to deploy' rests on a preliminary study whose details are not reported. No participant count, task descriptions, quantitative metrics (e.g., success rates, login times with error bars, or learning curves), baselines, or security analysis appear in the provided text. This is load-bearing for the paper's contribution and prevents assessment of whether the results generalize or support the flexibility assertion.
minor comments (1)
- The manuscript would benefit from a diagram or screenshot of the Pick and Sort interface to illustrate the selection and sorting steps for readers unfamiliar with the scheme.
Simulated Author's Rebuttal
We thank the referee for the detailed and constructive review. We agree that the preliminary study requires more explicit reporting to support the claims made in the abstract and manuscript, and we will revise accordingly.
Point-by-point responses
Referee: [Abstract] Abstract (and any evaluation section describing the study): The central usability claim that the scheme 'is easy to learn and flexible to deploy' rests on a preliminary study whose details are not reported. No participant count, task descriptions, quantitative metrics (e.g., success rates, login times with error bars, or learning curves), baselines, or security analysis appear in the provided text. This is load-bearing for the paper's contribution and prevents assessment of whether the results generalize or support the flexibility assertion.
Authors: We acknowledge that the current manuscript provides only a high-level summary of the preliminary study without sufficient methodological or quantitative detail. In the revised version we will add a dedicated evaluation section that reports the participant count, task descriptions, success rates, login times (including any available variability measures), learning observations, and direct comparisons to baseline methods where data exist. This will allow readers to assess the strength and generalizability of the usability indications. The manuscript does not contain a formal security analysis because its primary contribution is the configurable design and initial usability observations rather than a security evaluation; we will explicitly note this scope limitation and identify security analysis as future work. revision: yes
Circularity Check
No significant circularity
Full rationale
The paper is a purely descriptive proposal for a configurable graphical authentication scheme ('Pick and Sort') with no equations, derivations, fitted parameters, predictions, or mathematical models of any kind. The sole empirical reference is a brief mention of a preliminary prototype study indicating ease of learning; this is presented as an observation rather than a derived or self-referential result. No self-citations, uniqueness theorems, ansatzes, or renamings of known results appear in a load-bearing role. The argument does not reduce any claim to its own inputs by construction and remains self-contained as a design description.
Axiom & Free-Parameter Ledger
invented entities (1)
- Pick and Sort graphical scheme: no independent evidence
Reference graph
Works this paper leans on
- [1] Mahdi Nasrullah Al-Ameen, Kanis Fatema, Matthew Wright, and Shannon Scielzo. 2015. The Impact of Cues and User Interaction on the Memorability of System-Assigned Recognition-Based Graphical Passwords. In Eleventh Symposium On Usable Privacy and Security (SOUPS 2015).
- [2]
- [3] Panagiotis Andriotis, Myles Kirby, and Atsuhiro Takasu. 2023. Bu-Dash: a universal and dynamic graphical password scheme (extended version). International Journal of Information Security 22, 2 (01 Apr 2023), 381–401. doi:10.1007/s10207-022-00642-2
- [4] Hala Assal, Ahsan Imran, and Sonia Chiasson. 2018. An exploration of graphical password authentication for children. International Journal of Child-Computer Interaction 18 (2018), 37–46. doi:10.1016/j.ijcci.2018.06.003
- [5] Gerald Berman and K.D. Fryer. 1972. 3 - The Inclusion–Exclusion Principle. In Introduction to Combinatorics. Academic Press, 60–72. doi:10.1016/B978-0-12-092750-0.50008-9
- [6] Robert Biddle, Sonia Chiasson, and Paul C. Van Oorschot. 2012. Graphical passwords: Learning from the first twelve years. ACM Computing Surveys (CSUR) 44, 4 (2012), 1–41.
- [7] Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano. 2012. The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. In 2012 IEEE Symposium on Security and Privacy. 553–567. doi:10.1109/SP.2012.44
- [8] Ahmet Emir Dirik, Nasir Memon, and Jean-Camille Birget. 2007. Modeling user choice in the PassPoints graphical password scheme. In Proceedings of the 3rd Symposium on Usable Privacy and Security (Pittsburgh, Pennsylvania, USA) (SOUPS ’07). Association for Computing Machinery, New York, NY, USA, 20–28. doi:10.1145/1280680.1280684
- [9] Jeff Kahn, Nathan Linial, and Alex Samorodnitsky. 1996. Inclusion-exclusion: Exact and approximate. Combinatorica 16, 4 (01 Dec 1996), 465–477. doi:10.1007/BF01271266
- [10]
- [11] David Malone and Wayne Sullivan. 2005. Guesswork is not a substitute for entropy. (2005), 1–5. https://mural.maynoothuniversity.ie/id/eprint/6302/
- [12] Weizhi Meng. 2025. Graphical Authentication. Springer Nature Switzerland, Cham, 1028–1031. doi:10.1007/978-3-030-71522-9_1581
- [13] Naheem Noah and Sanchari Das. 2025. From PINs to Gestures: Analyzing Knowledge-Based Authentication Schemes for Augmented and Virtual Reality. IEEE Transactions on Visualization and Computer Graphics 31, 5 (2025), 3172–3182. doi:10.1109/TVCG.2025.3549862
- [14] Argianto Rahartomo, Leonel Merino, and Mohammad Ghafari. 2025. Metaverse security and privacy research: A systematic review. Computers & Security 157 (2025), 104602. doi:10.1016/j.cose.2025.104602