ABSTRACT

Authentication plays a crucial role in information security, and several mechanisms are widely used to protect services from attacks. Graphical passwords are the most popular mechanism and are frequently claimed to have the advantage of being significantly more secure. However, most graphical passwords are susceptible to shoulder surfing attacks. To overcome this problem, this study proposed a hotspot guessing attack resistant graphical password authentication scheme based on a modified PassMatrix method. The modification involves replacing the single discretized image of the PassMatrix method with several independent images and applying a random grid traversal method. The proposed Jumbled PassSteps was evaluated in terms of its usability. Experimental results showed that the users were able to remember their graphical passwords successfully, as the memorability percentage reached 100.00% and 90.90% in the first and second sessions respectively. Further, users achieved an average registration time of 29.96 seconds and carried out two log-in attempts with average times of 46.03 seconds and 63.43 seconds.

Keywords: graphical password, Jumbled PassSteps, PassMatrix, usability.

1. INTRODUCTION

A secure user authentication system is vital nowadays in light of the increasing amount of sensitive information available. Graphical password authentication is now attracting considerable attention from various business organizations. This password authentication scheme offers a good trade-off between security [1], [2] and password memorability. In fact, studies have revealed that graphical passwords are a better choice than text-based passwords from the memorability and usability perspective [3]-[7]. Graphical password authentication schemes utilize pictures as passwords rather than a complex set of characters.
Researchers have found that pictures are more easily remembered than alphanumeric characters because pictures permit a greater depth of cognitive processing [8]-[12]. Moreover, pictures possess more features than individual letters and numbers, which facilitates retrieval as well. This type of authentication scheme is widely used in applications such as social media, online commerce, and banking.

Although graphical schemes offer more memorable passwords, they must also meet other usability needs for widespread adoption, such as the time taken in registration and authentication. Users have to choose an image from a collection of images when registering initially, and they have to scan many images to pick several pass images for authentication purposes. These processes must be quick for a graphical password authentication scheme to be considered efficient.

There have been various studies on the usability assessment of user authentication systems using a graphical password. Reference [13] compared the memorability of an alphanumeric password to four graphical passcodes. All of the graphical schemes were found to be more memorable than the alphanumeric scheme. The same result was found by [14], in which most participants verbally remembered the password. Hence, the performance of the graphical schemes in terms of memorability is satisfactory compared to the alphanumeric scheme, for which no participant was able to enter his or her password correctly or verbally remember it three weeks later. The study of [15] implemented a PassMatrix prototype on Android and carried out real user experiments to evaluate its usability.
The usability perspective was measured by the amount of time users spent in each PassMatrix phase: registration and authentication. From the experimental results, the proposed system showed better resistance to shoulder surfing attacks while maintaining usability. Usability was also investigated in terms of memorability, and efficiency in terms of registration and authentication time, for multiple image passwords in the PHAS [16]. The results demonstrated that the memorability of multiple passwords in PHAS is better than in existing graphical authentication systems (GASs). Although the registration time is high, authentication time for successful attempts is either

Towards Usability Evaluation of Jumbled PassSteps

Jerome P. Songcuan 1, Dr. Ariel M. Sison 2, Dr. Ruji P. Medina 3

1 Technological Institute of the Philippines, Philippines, jerome.songcuan@dmmmsu-sluc.com
2 Emilio Aguinaldo College, Philippines, ariel.sison@eac.edu.ph
3 Technological Institute of the Philippines, Philippines, ruji.medina@tip.edu.ph