Graphical Password Authentication System in An Implicit Manner
Abstract- Authentication is the process by which a system verifies the identity of a user; it is distinct from authorization, which decides what an authenticated user may do. Text passwords face a well-known tension: users tend to pick passwords that can be easily guessed, while a password that is hard to guess is often hard to remember. To address this problem some researchers have developed authentication methods that use pictures as passwords, known as graphical passwords. We classify these techniques into two categories, recognition-based and recall-based approaches, which are discussed in this paper along with the strengths and limitations of each. We then propose a new authentication technique, a variation of the login/password scheme that uses graphical passwords in an implicit manner. This Graphical Password Authentication System in an Implicit Manner is designed to resist the common attacks suffered by other authentication schemes.
Keywords- Authentication, Graphical Password.
Citation: Suchita Sawla, et al. (2012) Graphical password authentication system in an implicit manner. International Journal of Cryptography and Security, ISSN: 2249-7013 & E-ISSN: 2249-7021, Volume 2, Issue 1, pp. 27-31.
Copyright: Copyright©2012 Suchita Sawla, et al. This is an open-access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Various Graphical Password Techniques
In general, graphical password techniques can be classified into two categories: recognition-based and recall-based graphical techniques [10].

Recognition Based System
Using recognition-based techniques, a user is presented with a set of images and passes authentication by recognizing and identifying the images he or she selected during the registration stage. Many graphical password authentication schemes have been designed using recognition-based techniques; we introduce only two typical schemes. The first is PassFaces, developed by Real User Corporation [10]. The user is asked to choose four or more images of human faces from a face database as their future password. In the authentication stage, the user sees a grid of nine faces, consisting of one face previously chosen by the user and eight decoy faces (figure 1). The user recognizes and clicks anywhere on the known face. This procedure is repeated for several rounds, and the user is authenticated if he/she correctly identifies all four faces. The technique is based on the assumption that people recall human faces more easily than other pictures.

in a particular order in these recognition-based systems. Some examples of recognition-based systems are explained below.

An image password called Awase-E [7] is a system that enables users to use their favourite image instead of a text password for authentication. Even though Awase-E has higher usability, the system cannot tolerate replay attack. In addition, a user may tend to choose a well-known image (or one associated with the user through some relation, such as a son, a wife or a place visited), which may be prone to guessing attacks. Weinshall and Kirkpatrick [14] studied a recognition-based scheme and concluded that users can still remember their graphical password with 90% accuracy even after one or two months. Their study supports the theory that humans remember images better than text.

Although a recognition-based graphical password seems easy to remember, which increases usability, it is not completely secure. Recognition-based systems are vulnerable to replay attack and mouse tracking because a fixed image is used as the password. These drawbacks are addressed in the proposed system, which also overcomes the problems of recall-based schemes.
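The PassFaces challenge described above, as an added example that is not from the paper and not Real User Corporation's code: a simulated enrolment of four faces, one nine-face grid per round, and a replay attacker who screen-recorded a single session. The face ids, the size of the face database and the random seed are constructed for illustration; the point it shows is that because the enrolled faces never change, the faces seen clicked in one recording are enough to pass every later challenge.

```python
"""Added example (not from the paper): a minimal PassFaces-style
recognition challenge, and why a fixed image password is replayable."""
import random

GRID_SIZE = 9   # 3x3 grid per round, as described in the text
ROUNDS = 4      # one round per enrolled face

# Constructed face database: integer ids stand in for face images.
FACE_DB = list(range(100))


def enroll(rng, n_faces=ROUNDS):
    """User picks n distinct faces; this ordered list is the password."""
    return rng.sample(FACE_DB, n_faces)


def make_challenge(rng, password):
    """One grid per enrolled face: that face plus eight decoys drawn from
    faces outside the password, shuffled into a random position."""
    decoy_pool = [f for f in FACE_DB if f not in password]
    grids = []
    for target in password:
        grid = rng.sample(decoy_pool, GRID_SIZE - 1) + [target]
        rng.shuffle(grid)
        grids.append(grid)
    return grids


def verify(password, grids, clicks):
    """clicks[i] is the grid position the user clicked in round i."""
    if len(clicks) != len(grids):
        return False
    return all(grids[i][c] == password[i] for i, c in enumerate(clicks))


def legitimate_user(password, grids):
    """The real user finds the enrolled face in each grid."""
    return [grid.index(target) for grid, target in zip(grids, password)]


def replay_attacker(recorded_faces, grids):
    """A screen recording reveals which *face* was clicked per round, not
    merely where. Since the same faces recur in every session, the set of
    recorded faces is the password: click whichever of them is present."""
    clicks = []
    for grid in grids:
        hits = [i for i, f in enumerate(grid) if f in recorded_faces]
        clicks.append(hits[0] if hits else 0)
    return clicks


def guess_probability(rounds=ROUNDS, grid_size=GRID_SIZE):
    """Chance of passing by clicking at random: (1/9)^4 for the text's
    parameters, i.e. roughly 12.7 bits of guessing entropy."""
    return (1.0 / grid_size) ** rounds


def demo(seed=1):
    rng = random.Random(seed)
    pw = enroll(rng)
    # Session 1: legitimate login, screen-recorded by the attacker.
    grids1 = make_challenge(rng, pw)
    clicks1 = legitimate_user(pw, grids1)
    recorded = {grids1[i][c] for i, c in enumerate(clicks1)}
    # Session 2: fresh grids; the attacker reuses the recorded faces.
    grids2 = make_challenge(rng, pw)
    shifted = [(c + 1) % GRID_SIZE for c in legitimate_user(pw, grids2)]
    return {
        "legit": verify(pw, grids1, clicks1),
        "replay": verify(pw, grids2, replay_attacker(recorded, grids2)),
        "wrong": verify(pw, grids2, shifted),
    }
```

Shuffling the grid defeats an attacker who only recorded cursor coordinates, but not one who recorded the screen; that is the "fixed image as a password" weakness the text refers to, and it is independent of whether the transport is encrypted or time-stamped.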
Recall-based System
In recall-based systems, the user is asked to reproduce some-
thing that he/she created or selected earlier during the registra-
tion phase. Recall based schemes can be broadly classified into
two groups, viz: pure recall-based technique and cued recall-
based technique.
A group of images are displayed to the user and an accepted authentication requires a correct image being clicked or touched

A fine grained grid from which the person selects a drawing grid, a rectangular area to zoom in on, in which they may enter their

seminar address most of the threats, they still suffer from the following attacks: replay, shoulder-surfing and screen recording. One may argue that replay attacks can be prevented using encryption and tamper-proof time stamps, and that physical shoulder-surfing will be noticed by the user because the process is invasive. However, given the high bandwidth available to mobile devices and light-weight, highly efficient video codecs, a rogue program may still capture the screen and publish it remotely. Since all the image-based password schemes known to us use static passwords, the recorded video can be replayed and, with some human interaction, the user's password can be decoded.

Graphical Password Authentication System In An Implicit Manner
The proposed Graphical Password Authentication System in an Implicit Manner is similar to the PassPoints scheme with some finer differences. In every "what you know" authentication scheme, the server asks the user to reproduce the fact given to the server at the time of registration. Here the password is a piece of information known to the server from the time of registration; at the time of authentication the user gives this information in an implicit form that can be understood only by the server. It is explained through a mobile banking example.

Fig. 8-Example of the system

implicit way. Here other images such as a zebra crossing may represent the answer "zebra", images of vegetables might represent the vegetarian food the user likes, an image of milk may represent the colour white, and so on. The answer is thus provided indirectly, i.e. implicitly. The next time the same question is chosen by the server, the same scenario need not be presented: the server may instead show a set of images among which the correct answer is represented by a blue ink pen. The user clicks on the blue ink pen image, correlating it to the answer "blue", to convey the answer implicitly. Since the server uses a different scenario every time and the answers are given implicitly, the proposed system is resistant to screen-capture attack. Also, to anyone except the server and the legitimate user, the answers look ambiguous. For example, if the user clicks "Blue Ink Pen", it may mean the "type of writing tool the user likes the most", or may represent his "favourite colour", and so on.
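A server-side model of the implicit challenge described above, as an added example that is not the paper's code: the user's answers (blue, zebra, vegetarian) are enrolled once; each login presents a scenario whose objects stand for answers; the server remembers which object the user must click and binds it to a one-time challenge id. The profile, the scenario catalogue and the object tags are constructed for illustration, and the use of a random challenge id consumed on first use is my addition, not a mechanism the paper specifies.

```python
"""Added illustration (not the paper's code) of the implicit challenge:
answers are enrolled once, each login shows a different scenario whose
objects stand for those answers, and the server binds the expected object
to a one-time challenge id so a recorded click cannot be replayed."""
import random
import secrets

# Constructed enrolment record for one user, held server-side.
PROFILE = {"favourite_colour": "blue",
           "favourite_animal": "zebra",
           "diet": "vegetarian"}

# Constructed scenario catalogue: scenario -> clickable object -> the
# answers that object can stand for. An object tagged with several
# attributes (the blue ink pen) is what makes an observed click ambiguous.
SCENARIOS = {
    "street": {
        "zebra_crossing": {"favourite_animal": "zebra"},
        "red_car":        {"favourite_colour": "red"},
        "blue_door":      {"favourite_colour": "blue"},
        "butcher_shop":   {"diet": "meat"},
    },
    "desk": {
        "blue_ink_pen":   {"favourite_colour": "blue", "writing_tool": "pen"},
        "green_pencil":   {"favourite_colour": "green", "writing_tool": "pencil"},
        "salad_bowl":     {"diet": "vegetarian"},
        "toy_lion":       {"favourite_animal": "lion"},
    },
    "kitchen": {
        "glass_of_milk":  {"favourite_colour": "white", "diet": "vegetarian"},
        "vegetables":     {"diet": "vegetarian"},
        "steak":          {"diet": "meat"},
        "blue_mug":       {"favourite_colour": "blue"},
    },
}

PENDING = {}   # challenge id -> (scenario, expected object); consumed on use


def objects_matching(scenario, attribute, answer):
    return [name for name, tags in SCENARIOS[scenario].items()
            if tags.get(attribute) == answer]


def usable_scenarios(profile, attribute):
    """Scenarios in which exactly one object implies the user's answer:
    zero matches cannot be answered, two would be ambiguous to the server."""
    return sorted(s for s in SCENARIOS
                  if len(objects_matching(s, attribute, profile[attribute])) == 1)


def issue_challenge(profile, attribute, scenario=None, rng=random):
    """Server side: pick (or accept) a usable scenario and remember which
    object the user must click. The client receives only the scenario and
    a fresh challenge id, never the attribute or the expected object."""
    usable = usable_scenarios(profile, attribute)
    if scenario is None:
        scenario = rng.choice(usable)
    if scenario not in usable:
        raise ValueError(f"{scenario!r} cannot pose {attribute!r}")
    expected = objects_matching(scenario, attribute, profile[attribute])[0]
    cid = secrets.token_hex(8)
    PENDING[cid] = (scenario, expected)
    return cid, scenario, sorted(SCENARIOS[scenario])


def verify_click(cid, clicked_object):
    """One-shot check: the challenge id is consumed whether or not the
    click matches, so a captured (id, click) pair cannot be resubmitted."""
    entry = PENDING.pop(cid, None)
    if entry is None:
        return False
    scenario, expected = entry
    return clicked_object in SCENARIOS[scenario] and clicked_object == expected


def observer_hypotheses(scenario, clicked_object):
    """What an eavesdropper who saw the click learns: every attribute the
    object could stand for, with no way to tell which one was asked."""
    return dict(SCENARIOS[scenario][clicked_object])


def demo():
    # Login 1: favourite colour asked via the desk scene; user clicks the pen.
    cid1, _, _ = issue_challenge(PROFILE, "favourite_colour", "desk")
    legit = verify_click(cid1, "blue_ink_pen")
    # Login 2: same question, different scene; the recorded click is useless.
    cid2, _, _ = issue_challenge(PROFILE, "favourite_colour", "kitchen")
    replayed_click = verify_click(cid2, "blue_ink_pen")
    # A fresh challenge answered with the object that means "blue" here.
    cid3, _, _ = issue_challenge(PROFILE, "favourite_colour", "kitchen")
    legit_again = verify_click(cid3, "blue_mug")
    # Resubmitting the consumed id with the right object also fails.
    reused_id = verify_click(cid1, "blue_ink_pen")
    return legit, replayed_click, legit_again, reused_id
```

Two properties of this model are worth checking before deploying anything like it. A scene of four objects gives a random click a one-in-four chance per round, so security comes from the number of rounds and from lockout after failures, not from per-round entropy; and the catalogue must contain enough usable scenes per attribute (usable_scenarios enforces the "exactly one matching object" rule) that a recent recording does not see the same scene again. Both are observations about this example, not claims taken from the paper.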
References
[1] Birget J.C., Dawei H., et al. (2006) IEEE Transactions on Information Forensics and Security, 1(3), 395-399.
[2] Dirik A.E., Memon N., et al. (2007) 3rd Symposium on Usable Privacy and Security.
[3] Haichang G., Xiyang L., et al. (2009) Fourth International Conference on Graphical Passwords.
[4] Lashkari A.H., Towhidi F., et al. (2009) ICCEE '09, Second International Conference.
[5] Masrom M., Towhidi F., et al. (2009) AICT 2009, International Conference.
[6] Pierce J.D., Wells J.G., Warren M.J. and Mackay D.R. (2003) 1st Australian Information Security Management Conference.
[7] Renaud K. (2009) J. Vis. Lang. Comput., 20(1), 1-15.
[8] Wiedenbeck S., Waters J., Birget J.C., Brodskiy A. and Memon N. (2005) Symposium on Usable Privacy and Security (SOUPS), 6-8.
[9] Wiedenbeck S., Waters J., Birget J.C., Brodskiy A. and Memon N. (2005) International J. of Human-Computer Studies (Special Issue on HCI Research in Privacy and Security), 63, 102-127.
[10] Sabzevar A.P. and Stavrou A. (2008) IEEE International Conference on Signal Image Technology and Internet Based Systems (SITIS).
[11] Takada T. and Koike H. (2003) Human-Computer Interaction with Mobile Devices and Services, 2795, 347-351.
[12] Wei-Chi K. and Maw-Jinn T. (2005) Local Computer Networks.
[13] Wells J., Hutchinson D. and Pierce J. Enhanced Security for Preventing Man-in-the-Middle Attacks in Authentication, Information Security Management Conference, 58.
[14] Xiaoyuan S., Ying Z., et al. (2005) Computer Security Applications Conference.
[15] Almuairfi S., Veeraraghavan P. and Chilamkurti N. (2011) Workshops of International Conference on Advanced Information Networking and Applications.