raphical based authentication is a type of knowledge based authentication which uses images/picture to assist users in generating a more robust password (Suo, Zhu & Owen, 2005). Due to its picture superiority which according to Paivio in 1991, pictures are dually encoded and this is an advantage over words. While words are merely encoded verbally, pictures produce both a verbal code and an image code because participants are more likely to hold a label for pictures than to imagine words. Having two types of codes tagged to the pictures allow a greater chance of retrieval during a memory task (Paivio 1991). In addition, classic cognitive science experiment conducted have shown that humans have a strong memory ability for images. The experiment showed a recognition performance exceeding 90%, indicating retention of over 2,000 items, even when up to 3 days elapsed between learning and testing (Standing, Conezio, & Haber, 1970).
The challenge of users generating weak guessable passwords in text based authentication has been one of the major reasons numerous research has been conducted on Graphical based authentication (Prakash, Infant & Shobana, 2010). The concept of Graphical based authentication is creating a level of abstraction whereby users do not actually know the set of password characters generated but a pattern used in generating the passwords. However, over the years, Graphical based authentication schemes have been faced with numerous challenges including vulnerability to shoulder surfing attacks, the size of pictures used and browsing through an array of images/objects without assistance (Biddle, Chiasson & Oorschot, 2011;Wiedenbeck, Waters, Birget, Brodskiy & Memon, 2005). The proposed Graphical authentication schemes reviewed in this paper tackles majorly on the abovementioned issues.
The rest of the paper is structured as follows: a brief overview of Graphical based authentication and it techniques; examples of the schemes that utilize the techniques of Graphical based authentication, listing their features, pros and cons; the proposed scheme and its architecture; summary and conclusion.
Graphical based password authentication is a type of knowledge based authentication that uses images or pictures in verifying the identity of a user. It is categorized generally into the following: recognitionbased, recall-based and cued recall techniques (Suo et al, 2005). Based on the various techniques, the steps for both registration and authentication varies. The background of every icon belongs to one of the finite set of colors given. Registration involves choosing a color which then displays all the set of icons whose background color is the same as the chosen color. Users are required to choose 3 icons from the set of icons displayed. During authentication, icons of different background colors including 2 of the user's icons will be randomly displayed on a grid. Users only need to select the row where the pass icon is located (no need to click on the icon itself but any other icon on the same row with it) and after which all the icons on that row will be substituted with a lock icon. A user is authenticated after getting the pass icon in one attempt else the icons will be shuffled for the user to try again. Using of colors and selecting of row improves the security against shoulder surfers. In this authentication, some icons are frequently chosen as pass icons creating so-called hotspots and also searching through an array of icons can become tiring for the user.
This requires the user to reproduce something that was created during registration; example includes: i. Passdoodle Source: Varenhorst, Kleek and Rudolph(2004
)Varenhorst et aldeveloped Pass-doodles in 2004 using recall based technique. It is a hand-written design usually drawn with stylus unto touch sensitive screen. A doodle in this case is an ordered set of points which is drawn (Figure 1.1 is an example of a doodle) and saved during registration. In addition to the doodle drawn, the speed used in drawing the doodle is also calculated and saved. This graphical authentication scheme provides an easy way for users to remember the pass-doodle drawn but it was observed that sometimes the users forget the order in which they were drawn and also it tends to be vulnerable to shoulder surfing.
Cued recall assist the user by providing a cue (a clue or hint) to enable the user recall from memory and reproduce the information that was created during registration. The following ae some examples: if a user's description for a particular inkblot is "butterfly" then "by" is saved or if the description is "standing man" then "sn" is saved). All the displayed inkblots images have to be described and saved for that particular user. Upon authentication, a fraction of randomly chosen inkblot images from the user's set will be displayed for the user to describe. By randomly selecting a fraction of the users set of pictures upon login gives a dynamic password creating a probabilistic situation for dictionary attack and brute force. Nevertheless, in other for the module to be properly secured a large amount of inkblot pictures is required which is a load for the server and can be tiring for the user on registration and authentication.
Over the years, in attempt to provide a more secured graphical authentication system, combinations of these techniques have been implemented. Examples of such systems includes: chosen/identified images. The right OTP will be associated with the correct images and it is also a challenge from the server. On registration, a lock pattern is drawn and a set of four (4) images out of thirty (30) are chosen. During authentication, the user first begins by drawing the lock pattern, next to selecting the right images (two of the previously selected four) from the portfolio of images and finally inputting a random number (i.e. one-time password if the right one is chosen) associated with the selected images. This will be sent as a response to the server. This authentication improves the ability to recall the pattern and identify images more efficiently. Nevertheless, a reasonable amount of pictures need to be stored on the server for improved security which can be a bottle neck for the server.
Graphical One Time PasswordFrom the works reviewed, many of the graphical authentication models developed are susceptible to shoulder attack which has been found to be one of the major challenges. The few which are not susceptible require a search through an array of objects which can be demanding for the user and/or require a reasonable number of pictures (with lots of details) to be made secured which can be demanding in storing such unique images for different users creating a burden for the server. Therefore, there is a need for a shoulder surfing resistant graphical authentication for web applications which should require little number of images and little time to generate the graphical password.
This scheme utilizes set of colored rows and columns which may assist users in identifying their chosen cell. The interface design elaborates on the cued recall graphical technique being utilized. This scheme will involve the following;
i. Rows and Columns: As shown in Figure 1.4, the grid is made of 13 columns and 9 rows. From these rows and columns are 6 columns and 4 rows that are assigned unique colours and values (these are all the even rows and columns; the odd rows and column are not assigned any colour or value). The values are permanently assigned to the rows and columns. The concept of these unique rows, columns and their intersection is gotten from the earth's longitude and latitude whose intersection is unique and are used to provide co-ordinates. (The Editors of Encyclopedia Britannica, 2012). Every intersection of the coloured rows and column is unique and its purpose is to assist in locating a particular cell in the grid. Figure 3.1, shows the intersection between the white row (4) and red column (1); the format of this co-ordinate is written as (4,1). During registration and authentication, these coloured rows and columns are randomly arranged on the grid but still retain the values given to them. This is done by pressing, holding and moving the left mouse button anywhere within the grid. Moving the mouse left or right will affect all the right values in the cell causing them to move from one cell to another either to the left or right position. On the other hand, moving the mouse up or down will affect all the left values in the cell causing them to move from one cell to another either upwards or downwards. For cells located at the edge of the grid, new randomly generated values will be moved into the cell. Here the password created will be (in this order), the value of the chosen row, the value of the chosen column, the position (in value) of the cell relative to the intersection, the chosen value for the first side (left side) and second side (right side) of the chosen cell. The format is written as (R,C,P,Le,Ri) Where: R = the value of the row chosen, 1<=R<=4. C = the value of the column chosen, 1<=C<=6. P = the position of the cell to the intersection of the chosen R and C, 0<=P<=8. Le = the left value of the chosen cell, 0<=Le<=9 and Ri = the right value of the chosen cell, 0<=Ri<=9.
The co-ordinates includes (R,C,P) which identifies the users chosen cell, while (Le,Ri) are the pair of values found in those co-ordinates (chosen cell). The graphical password includes the combination of the coordinates and the pair values which will be stored in the database. The co-ordinates will also be stored in the database to enable the authentication scheme know the users chosen cell in other to retrieve the inputted pair of value. The co-ordinates will be used for authentication.
This section explains the steps for generating a graphical password after creating/setting up a password. In this phase, the co-ordinates stored for the registered user is utilized in other to know the user's chosen cell and acquire the pair of values in that cell.
Every time during this phase, the order/arrangement of the unique rows and columns are randomly placed, only the user knows his/her chosen row, column, position (co-ordinates) and the pair of values to be inserted in to the chosen cell. This phase includes the following: i. By pressing and dragging the left mouse button up or down within the grid, assign the pre-chosen value for the first side (left side) into the chosen cell. ii. By pressing and dragging the left mouse button left or right within the grid, assign the pre-chosen value for the second side (right side) into the chosen. iii. Proceeding to the next phase the authentication scheme only validates the values located at the chosen cell as the scheme already knows the chosen cell.
Selection of appropriate system development tools is required to provide a robust, reliable and effective graphical authentication system. These tools include.
This is a mark-up language that is used to create and design the structure of the scheme. To achieve the grid system made of 117 cells, a table tag is created containing 9 table row tags which in turn contains 13 table definition tags each. Each table definition (a cell) contain a unique identity.
This is used for presentation and in this scheme, provides each selected row and column its unique colour and styling.
3. JavaScript: It plays a major role in this research as it is responsible for interacting with the user. This performs the client side scripting and used for the development of the graphical interface for creating/setting up and generating password. In this project, it will be performed both at the frontend framework and backend framework.
The acronym WAMP stands for Windows Apache MySQL PHP and it is a software suite designed specifically for Windows operating system. This suite creates a sandbox for the development of web based application which provides four key elements: An operating system, database, web server and a scripting software. Apache is the web server used to execute the different codes presented. MySQL is the type of database used during this project. PHP (PHP Hypertext Pre-processor) performs at the backend, this is used to connect to the database and serve as the server scripting language.
PhpMyAdmin: This is a friendly interface used to manage the activities of the database.
The architecture of the scheme provides different features to tackle the issues associated with reviewed existing graphical schemes. These features include. 1. Shoulder surfing resistance: Firstly, during the process of inputting the chosen values into the chosen cells, every other value is affected and move simultaneously according to the movement of the mouse. Secondly, during every authentication, the coloured rows and column are randomly placed making the scheme dynamic. These feature screate a level of resistance to shoulder surfing attacks. 2. Optimization of storage capacity: The use of HTML (Hyper Text Mark-up Language), CSS (Cascading Style Sheet) and JavaScript creates a dynamic table where the coloured rows and columns are rearranged during authentication. This dynamic grid system is used as the image for authentication thereby mitigating the need for picture uploads and/or storage. 3. Assistance in finding objects: The coloured rows and columns provides assistance for users to locate the chosen cell for inputting the chosen pair of objects. Rather than searching through each cell, user focus on their chosen coloured row and column. This streamlines the search.
Using magic triangle evaluation, an evaluation scheme designed by Lashkari, Manaf, Masrom, and Daud in 2011 which shows 3 attributes of security in Graphical authentication. The password space and entropy were shown to be 2.61*10 4 and 14.39 respectively. These results are very low making it susceptible to brute force attacks, therefore, an additional security feature should be added to this scheme against such attacks.
Several researches have been conducted on Graphical based authentication schemes, however, this area is still in its infancy. In this scheme, the security issues tackled were majorly on shoulder surfing; other areas such as usability were not properly addressed.
From the different scheme reviewed, there has not been a perfect Graphical authentication scheme for all scenario. Every graphical authentication has its pros and cons suitable for specific scenario. Before utilizing any graphical scheme, a proper analysis should be conducted to determine the best scheme that will be appropriate.
Color | Value |
Red | 1 |
Blue | 2 |
Green | 3 |
White | 4 |
Yellow | 5 |
Brown | 6 |
Color | Value |
Red | 1 |
Blue | 2 |
Green | 3 |
White | 4 |
Position | Value |
Centre | 0 |
North | 1 |
North East | 2 |
East | 3 |
South | 4 |
South West | 5 |
West | 6 |
North West | 7 |
Security Evaluation for Graphical Password. DICTAP 2011, Proceedings, Part I.166, (Dijion, France; Heidelberg Dordrecht
Dual coding theory: Retrospect and current status. Canadian Journal of Psychology 1991. (45) p. .
Graphical One-Time Password (GOTPass): A usability evaluation. 10.1080/19393555.2016.1179374. Information Security Journal: A Global Perspective 2016.
Design and Analysis of a Graphical Password Scheme. Innovative Computing, Information and Control (ICICIC). 10.1109/ICICIC.2009.158. IEEE Xplore 2009.
Latitude and longitude. https://www.britannica.com/science/latitude The Editors of Encyclopedia Britannica, 2012. July 3. April 5, 2017.
Perception and memory for pictures: Single-trial learning of 2500 visual stimuli. 10.3758/BF03337426. Psychonomic Science 1970. 19 (2) p. .
Eliminating Vulnerable Attacks Using One-Time Password and PassText -Analytical Study of Blended Schema. Universal Journal of Computer Science and Engineering Technology 2010. 1 (2) p. .
Passblot: A Highly Scalable Graphical One Time Password System. International Journal of Network Security & Its Applications (IJNSA) 2012. (2) p. 4.
PassPoints: design and longitudinal evaluation of a graphical password system. Int. J. Hum.-Comput. Stud 2005. 63 p. .