20-12-2012, 05:56 PM
Authentication Schemes for Session Passwords using Color and Images
Authentication Schemes.pdf (Size: 634.22 KB / Downloads: 56)
Abstract:
Textual passwords are the most common method used for authentication, but they are vulnerable
to eavesdropping, dictionary attacks, social engineering and shoulder surfing. Graphical passwords
were introduced as an alternative to textual passwords, yet most graphical schemes are themselves
vulnerable to shoulder surfing. To address this problem, text can be combined with images or colors
to generate session passwords for authentication. A session password is valid for a single login;
a new one is generated every time the user logs in. In this paper, two techniques are proposed that
generate session passwords from text and colors and are resistant to shoulder surfing. These
methods are suitable for Personal Digital Assistants.
INTRODUCTION
The most common method used for authentication is the textual password. The vulnerabilities of
this method, such as eavesdropping, dictionary attacks, social engineering and shoulder surfing,
are well known. Random, lengthy passwords can make a system secure, but the main problem is the
difficulty of remembering them. Studies have shown that users tend to pick short passwords or
passwords that are easy to remember; unfortunately, such passwords can be easily guessed or
cracked. The alternative techniques are graphical passwords and biometrics, but both have their
own disadvantages. Biometrics such as fingerprints, iris scans or facial recognition have been
introduced but are not yet widely adopted; the major drawback is that such systems can be
expensive and the identification process can be slow. Many graphical password schemes have been
proposed in the last decade, but most of them suffer from shoulder surfing, which is becoming a
serious problem. Graphical password schemes resistant to shoulder surfing have been proposed,
but they have drawbacks of their own, such as usability issues, longer login times or the need
for tolerance levels. Personal Digital Assistants are used by people to store personal and
confidential information such as passwords and PINs, so authentication should be required to
use these devices.
RELATED WORK
Dhamija and Perrig [1] proposed a graphical authentication scheme in which the user has to
identify pre-defined images to prove their authenticity. In this system, the user selects a
certain number of images from a set of random pictures during registration. Later, during login,
the user has to pick the pre-selected images out of a set of images for authentication, as shown
in figure 1. This system is vulnerable to shoulder surfing.
Passface [2] is a technique in which the user sees a grid of nine faces and selects the one face
previously chosen by the user, as shown in figure 2. Here, the user chooses four images of human
faces as their password and, at login, has to pick each pass image from among eight decoy faces.
Since there are four user-selected images, this is repeated four times.
NEW AUTHENTICATION SCHEMES
Each technique consists of three phases: registration, login and verification. During
registration, the user enters a password (first method) or rates colors (second method). During
the login phase, the user enters a password based on the interface displayed on the screen. The
system verifies the entered password by comparing it with the session password it derives from
the registered secret and the displayed interface.
Pair-based Authentication scheme:
During registration the user submits a password, called the secret pass, of at least 8
characters; it must contain an even number of characters. Session passwords are generated from
this secret pass. During the login phase, when the user enters his username, an interface
consisting of a 6 × 6 grid is displayed. The grid contains letters and digits (36 symbols, one
per cell), placed randomly, and the layout changes every time the interface is shown.
Hybrid Textual Authentication Scheme
During registration the user rates colors, as shown in figure 9: each of eight colors is given a
rating from 1 to 8, which the user can remember as a string such as “RLYOBGIP”. The same rating
can be given to different colors. During the login phase, when the user enters his username, an
interface is displayed based on the colors the user rated. The login interface consists of an
8 × 8 grid whose cells contain the digits 1-8 placed randomly. The interface also contains strips
of colors, as shown in figure 10: four pairs of colors, where each pair designates a row and a
column of the grid.
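To make the two login-phase derivations concrete, here is an added worked example in Python (my code, not the paper's or the forum poster's) covering registration, grid generation, session-password derivation and verification for both the pair-based scheme and the hybrid textual scheme above. The page gives the grid shapes and says that each pair (of secret characters, or of colors) selects a row and a column, but it does not spell out the lookup rule; the rule assumed here is that the first element of a pair selects the row, the second the column, and the symbol in that cell is appended to the session password. The one-letter color palette (`RLYOBGIP`), the function names, the fixed random seed and the sample secret pass are likewise assumptions for illustration, and secret passes are taken from the grid's own alphabet (uppercase letters and digits). The last two functions add the check a practitioner would want before accepting the shoulder-surfing claim: under the assumed rule, each observed login confines a secret pair to the 36 combinations of one row and one column, and observing several logins intersects those sets.

```python
import hmac
import random
import string

# Pair-based scheme: the 26 letters and 10 digits fill a 6 x 6 grid, one symbol per cell.
PAIR_GRID_SIZE = 6
PAIR_SYMBOLS = string.ascii_uppercase + string.digits

# Hybrid textual scheme: an 8 x 8 grid of the digits 1..8 and a palette of eight colours.
COLOR_GRID_SIZE = 8
PALETTE = "RLYOBGIP"  # assumed one-letter colour names, matching the page's mnemonic


def make_pair_grid(rng):
    """Login interface for the pair-based scheme: a fresh random 6 x 6 layout."""
    symbols = list(PAIR_SYMBOLS)
    rng.shuffle(symbols)
    n = PAIR_GRID_SIZE
    return [symbols[r * n:(r + 1) * n] for r in range(n)]


def locate(grid, symbol):
    """(row, col) of a symbol; each symbol occurs exactly once in a pair grid."""
    for r, row in enumerate(grid):
        if symbol in row:
            return r, row.index(symbol)
    raise ValueError(f"{symbol!r} is not on the grid")


def pair_session_password(grid, secret):
    """ASSUMED rule: per pair of secret characters, the first one's row and the
    second one's column pick a cell whose symbol becomes one password character."""
    if len(secret) < 8 or len(secret) % 2:
        raise ValueError("secret pass must have an even length of at least 8")
    out = []
    for first, second in zip(secret[0::2], secret[1::2]):
        row, _ = locate(grid, first)
        _, col = locate(grid, second)
        out.append(grid[row][col])
    return "".join(out)


def make_color_grid(rng):
    """Login interface for the hybrid scheme: digits 1-8, eight of each, shuffled."""
    n = COLOR_GRID_SIZE
    digits = [str(d) for d in range(1, n + 1)] * n
    rng.shuffle(digits)
    return [digits[r * n:(r + 1) * n] for r in range(n)]


def make_color_pairs(rng, count=4):
    """Four colour pairs shown as strips; a colour may recur, so draw with replacement."""
    return [(rng.choice(PALETTE), rng.choice(PALETTE)) for _ in range(count)]


def hybrid_session_password(grid, pairs, ratings):
    """ratings maps colour -> 1..8 as rated at registration (equal ratings allowed).
    ASSUMED rule: first colour's rating = row, second's = column, cell digit appended."""
    return "".join(grid[ratings[a] - 1][ratings[b] - 1] for a, b in pairs)


def verify(expected, entered):
    """Verification phase: constant-time comparison of derived and typed passwords."""
    return hmac.compare_digest(expected, entered)


def pair_candidates(grid, typed_symbol):
    """What one observed login reveals under the assumed rule: the typed symbol fixes a
    row and a column, so the secret pair is one of 6 x 6 = 36 (row, column) symbol pairs."""
    row, col = locate(grid, typed_symbol)
    column_symbols = [line[col] for line in grid]
    return {(a, b) for a in grid[row] for b in column_symbols}


def narrow_by_observation(secret_pair, grids):
    """Intersect the candidate sets over several observed logins with the same secret."""
    first, second = secret_pair
    remaining = None
    for grid in grids:
        row, _ = locate(grid, first)
        _, col = locate(grid, second)
        seen = pair_candidates(grid, grid[row][col])
        remaining = seen if remaining is None else remaining & seen
    return remaining


if __name__ == "__main__":
    rng = random.Random(2012)  # fixed seed so the demo is reproducible
    grid = make_pair_grid(rng)
    expected = pair_session_password(grid, "SEMINAR1")  # constructed secret pass
    print("pair-based session password:", expected, "verified:", verify(expected, expected))
    ratings = {c: i + 1 for i, c in enumerate(PALETTE)}  # "RLYOBGIP" rated 1..8 in order
    print("hybrid session password:",
          hybrid_session_password(make_color_grid(rng), make_color_pairs(rng), ratings))
    grids = [make_pair_grid(rng) for _ in range(6)]
    print("candidate pairs left for ('S', 'E') after 6 observed logins:",
          len(narrow_by_observation(("S", "E"), grids)))
```

Running the block prints one login per scheme. The candidate analysis is the caveat: under the assumed lookup rule, an observer who sees both the grid and the typed symbol does not learn the secret outright, but the candidate set for each pair shrinks sharply over a handful of observed logins, so the protection is against a single glance rather than repeated observation. Whether the paper's actual rule differs cannot be determined from this page.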
User Study
We conducted a user study of the proposed techniques with 10 participants for each technique.
As the techniques are new, the participants were first briefed about them and given
demonstrations to aid understanding. Then each user was asked to log in. After that, the
usability study was conducted with the students in two sessions, held one week apart.
Table 1 shows the registration time for each technique. Table 2 shows the login time for each
technique in the first session of the user study, and Table 3 the login time in the second
session, held one week after the first.
CONCLUSION
In this paper, two authentication techniques based on text and colors are proposed for PDAs.
These techniques generate session passwords and are resistant to dictionary attacks, brute-force
attacks and shoulder surfing. Both techniques use a grid to generate session passwords. The
pair-based technique requires no special registration; during login, a session password is
generated from the displayed grid. For the hybrid textual scheme, ratings are given to colors,
and session passwords are generated from these ratings and the grid displayed during login.
However, these schemes are completely new to users, and the proposed authentication techniques
should be verified extensively for usability and effectiveness.