Abstract
Authentication is the process of determining whether a user is legitimate. It relies on a secret field (a password) that only the genuine user knows. Every security system is designed to include at least one authentication technique to safeguard an individual’s identity. Numerous authentication methods are available today, but each has its own advantages and drawbacks that allow attackers to carry out various exploits, including dictionary attacks and shoulder surfing attacks, among others. With some tweaking, graphical password authentication may have fewer drawbacks. A modified version of the graphical password technique is employed in this paper: the user is assigned a unique three-digit number that must be kept private, and each digit is mapped to a value determined by a set of computations and algorithms. This makes it difficult for the attacker to decrypt the password and makes it possible to prevent numerous cyber attacks such as dictionary attacks and shoulder surfing attacks.
1 Introduction
Humans stand at the top among all the species in the world, because people can engage their brains and comprehend things more effectively. Technology is currently experiencing a boom, and its rapid advancement brings a greater need for data security [1, 2]. To safeguard personal information, a variety of password authentication techniques are used, such as graphical or text-based passwords. Password authentication works by comparing a username with its corresponding password; if the two match, the authentication is considered successful. Password- or PIN-based authentication methods are more exposed to various cyber threats such as dictionary attacks.
The text-graphic password entry system [3, 12], which combines text-based and graphical passwords, is one of the solutions developed to date to strengthen the weaknesses of password- or PIN-based authentication. Pictures leave a strong impression on the human mind, so a hybrid password authentication technique based on shape and text [4] has been developed to overcome the weaknesses of text- and graphic-based passwords.
Since someone sitting next to you can see your pattern, graphical passwords are also prone to shoulder surfing attacks. Our method is based on graphical passwords with certain modifications, such as the requirement that the user select a confidential three-digit number, which acquires its own meaning through specific algorithms.
2 Background
Three types of authentication methods are known:
- Token-based authentication
- Knowledge-based authentication
- Biometric-based authentication
Token-based authentication systems use a bank card, ATM card, smart card, etc. for verification. Sometimes a token-based authentication system is combined with a knowledge-based password.
Biometric-based authentication systems use fingerprints, iris scans, face recognition, etc. These systems have some drawbacks, such as unreliability due to the hardware devices. Biometric-based authentication systems are more secure than the others.
Knowledge-based authentication methods are further divided into two sub-methods:
- Text password based authentication system
- Graphical password based authentication system
3 Proposed Scheme
Our technique is based on a hybrid authentication system that employs both text-based and graphical passwords. Here, the textual password is compared against the username to determine whether the user is authenticated, while the graphical password applies some techniques to secure, or authenticate, the textual password.
A. Registration Phase
The user’s email address, username, password, and a three-digit secret number must all be entered during the registration phase. This three-digit secret number must be kept strictly confidential, and the user selects it only once, during the registration procedure. Figure 1 depicts the actual layout of the registration form.
B. Login Phase
The user must re-enter their username and password during the login process in order to be authenticated. In this case, the username stays the same, but the password changes with each entry. This is made possible by the algorithm we employ here together with a 2D matrix containing 3 rows, one for each of the 3 secret digits, each holding the numbers 0–9. The 1st row is for the 1st number, the 2nd row for the 2nd number and the 3rd row for the 3rd number.
0 | 2 | 9 | 1 | 7 | 4 | 6 | 3 | 8 | 5 |
2 | 7 | 5 | 3 | 9 | 4 | 8 | 1 | 6 | 0 |
3 | 9 | 0 | 8 | 1 | 6 | 5 | 2 | 4 | 7 |
Alongside this matrix, a 9 × 10 grid holds the characters together with their block numbers, in the form of a 2D array.
Now suppose the user has entered the username ANKUSH with the password @An%kusH*#, and chooses 356 as the 3-digit secret number. Figure 2 shows the matrix related to the 3-digit number.
To derive a dummy password that carries the same meaning as the actual password, i.e. @An%kusH*#, the algorithm below is used.
4 Algorithm Used
Three rules, which repeat after every three characters of the password, are the foundation of our method. Here, ‘i’ denotes the position (starting from 0) of an element of the new password, which we represent as an array.
1. If i%3 == 0 then row = row + arr[1][3] and actual block = (block no. + arr[1][3]) % 100. Here 3 denotes the 1st number and 1 denotes the 1st row.
2. If i%3 == 1 then column = column + arr[2][5] and actual block = (block no. + 10 * arr[2][5]) % 100. Here 5 denotes the 2nd number and 2 denotes the 2nd row.
3. If i%3 == 2 then row = row − arr[3][6] and actual block = (block no. − arr[3][6]) % 100. Here 6 denotes the 3rd number and 3 denotes the 3rd row.
01 A | 02 v | 03 ! | 04 @ | 05 R | 06 # | 07 Z | 08 s | 09 0 | 10 J |
11 5 | 12 B | 13 w | 14 S | 15 % | 16 T | 17 t | 18 K | 19 ^ | 20 = |
21 1 | 22 + | 23 C | 24 G | 25 ( | 26 u | 27 L | 28 * | 29 & | 30 F |
31 M | 32 ) | 33 a | 34 D | 35 h | 36 6 | 37 - | 38 { | 39 \ | 40 C |
41 } | 42 n | 43 Y | 44 B | 45 E | 46 i | 47 X | 48 ] | 49 | | 50 O |
51 [ | 52 < | 53 o | 54 N | 55 3 | 56 2 | 57 j | 58 > | 59 ? | 60 $ |
61 , | 62 z | 63 4 | 64 P | 65 _ | 66 d | 67 G | 68 k | 69 / | 70 M |
71 | 72 P | 73 y | 74 V | 75 q | 76 W | 77 e | 78 H | 79 l | 80 7 |
81 Q | 82 : | 83 ; | 84 X | 85 U | 86 r | 87 9 | 88 f | 89 I | 90 8 |
91 L | 92 M | 93 4 | 94 7 | 95 ! | 96 | | 97 o | 98 q | 99 e | 100 a |
Now, according to the algorithm, the 1st row is for the 1st number. Our 1st number is 3, and in the 1st row at position 3 (columns counted from 0) we have 1.
CASE 1: So, i = 0
Now 0%3 == 0, i.e., 1st element
Therefore, actual block = (04 + 1) % 100 = 05. So we will write R in place of @.
The 2nd row is for the 2nd number. Our 2nd number is 5, and in the 2nd row at position 5 we have 4.
CASE 2: So, i = 1
Now 1%3 == 1, i.e., 2nd element
Therefore, actual block = (01 + 10 * 4) % 100 = 41. So we will write } in place of A.
The 3rd row is for the 3rd number. Our 3rd number is 6, and in the 3rd row at position 6 we have 5.
CASE 3: So, i = 2
Now 2%3 == 2, i.e., 3rd element
Therefore, actual block = (42 − 5) % 100 = 37. So we will write - in place of n.
Now the cycle repeats after 3 characters. According to the algorithm the 1st row is for the 1st number; our 1st number is 3, and in the 1st row at position 3 (counting from 0) we have 1.
CASE 1: So i = 3
Now 3%3 == 0, i.e. 4th element
Therefore actual block = (15 + 1) % 100 = 16. So we will write T in place of %.
2nd row is for the 2nd number now we have 5 as our 2nd number and in 2nd row in 5th place we have 4.
CASE 2: So i = 4
Now 4%3 == 1 i.e. 5th element
Therefore actual block = (68 + 10 * 4) % 100 = 08. So we will write s in place of k.
3rd row is for the 3rd number now we have 6 as our 3rd number and in 3rd row in 6th place we have 5.
CASE 3: So i = 5
Now 5%3 == 2 i.e. 6th element
Therefore actual block = (26 − 5) % 100 = 21. So we will write 1 in place of u.
Now the cycle will be repeated after 3 characters. Now according to the algorithm 1st row is for the 1st number now we have 3 as our 1st number and in 1st row in 3rd place we have 1.
CASE 1: So i = 6
Now 6%3 == 0 i.e. 7th element
Therefore actual block = (08 + 1) % 100 = 09. So we will write 0 in place of s.
2nd row is for the 2nd number now we have 5 as our 2nd number and in 2nd row in 5th place we have 4.
CASE 2: So i = 7
Now 7%3 == 1 i.e. 8th element
Therefore, actual block = (78 + 10 * 4) % 100 = 18. So we will write K in place of H.
The 3rd row is for the 3rd number. Our 3rd number is 6, and in the 3rd row at position 6 (counting from 0) we have 5.
CASE 3: So i = 8
Now 8%3 == 2, i.e. 9th element
Therefore actual block = (28 − 5) % 100 = 23. So we will write C in place of *.
Now the cycle repeats after 3 characters. According to the algorithm the 1st row is for the 1st number; our 1st number is 3, and in the 1st row at position 3 we have 1.
CASE 1: So i = 9
Now 9%3 == 0, i.e. 10th element
Therefore actual block = (06 + 1) % 100 = 07. So we will write Z in place of #.
Now the new password will be “R}-Ts10KCZ”, which has the same meaning as @An%kusH*#. Both the matrix and the grid are shuffled after every login, so it is impossible for the attacker to guess the real password.
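The three rules and the worked example above, as an added Python implementation that is not code from the paper: the matrix and grid are the paper’s, while the handling of block 100 (the mod-100 result 0), of the blank block 71 and of glyphs that appear more than once in the grid are assumptions, and the server-side check recomputes the dummy from the stored real password instead of inverting the transform.

```python
import hmac
import random
import secrets

# Secret-digit matrix as printed in the paper: row r serves the r-th secret
# digit, and the digit itself selects a 0-indexed column of that row.
MATRIX = [
    [0, 2, 9, 1, 7, 4, 6, 3, 8, 5],
    [2, 7, 5, 3, 9, 4, 8, 1, 6, 0],
    [3, 9, 0, 8, 1, 6, 5, 2, 4, 7],
]

# Character grid from the paper, blocks 1..100 in row-major order.
# Block 71 is blank in the paper and is kept as a space here (assumption).
GRID = list(
    "Av!@R#Zs0J" "5BwS%TtK^=" "1+CG(uL*&F" "M)aDh6-{\\C" "}nYBEiX]|O"
    "[<oN32j>?$" ",z4P_dGk/M" " PyVqWeHl7" "Q:;XUr9fI8" "LM47!|oqea"
)

def offsets(secret, matrix=MATRIX):
    """Block offsets for positions i%3 == 0, 1, 2 (rules 1-3 of the paper)."""
    d1, d2, d3 = (int(c) for c in secret)
    return (matrix[0][d1], 10 * matrix[1][d2], -matrix[2][d3])

def _wrap(block):
    # The paper reduces block numbers mod 100; since blocks run 1..100,
    # a result of 0 is read as block 100 (assumption).
    return block % 100 or 100

def dummy_password(password, secret, grid=GRID, matrix=MATRIX):
    """Transform the real password into the one-time dummy typed at login."""
    off = offsets(secret, matrix)
    out = []
    for i, ch in enumerate(password):
        # The grid repeats some glyphs (C, G, M); the first occurrence
        # is taken as the block number (assumption).
        block = grid.index(ch) + 1
        out.append(grid[_wrap(block + off[i % 3]) - 1])
    return "".join(out)

def verify(dummy, secret, stored_password, grid=GRID, matrix=MATRIX):
    """Server side: recompute the expected dummy and compare in constant time."""
    expected = dummy_password(stored_password, secret, grid, matrix)
    return hmac.compare_digest(expected.encode(), dummy.encode())

def shuffle_tables(seed=None):
    """Fresh tables for the next login; a seed is only for reproducible tests."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    grid = list(GRID)
    rng.shuffle(grid)
    matrix = [list(row) for row in MATRIX]
    for row in matrix:           # each matrix row is shuffled independently (assumption)
        rng.shuffle(row)
    return grid, matrix
```

Because the verifier recomputes the dummy from the real password, the real password must be available in clear on the server side at verification time.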
5 Password Space
Calculating the password space allows us to determine how strong our password is against a brute force attack. The formula for the password space is PS = A^N, where PS is the password space, A is the total number of characters, i.e. 89, and N is the length of the password. In our system we define N as 4 < N < 13. If we calculate the password space for N = 8, it is PS = 2.1 * 10^14.
6 Comparison
Cued Click Point (CCP) [5]: In this system the user must click five points on five distinct photos to create a pattern. The user must redraw the pattern by clicking on the same pixel locations during the login process.
The fundamental drawback of this approach is that shoulder surfing attacks can still be successfully launched against it. In contrast, our system doesn’t employ any pattern methods; instead, it employs a security algorithm that uses dummy passwords and is protected against the shoulder surfing attack.
Graphical System Using ASCII Values [6]: In this system, a graphical password is used in which the user can select a 2D matrix of any size and create a pattern on it. The system adds up the ASCII values corresponding to the characters in the pattern.
However, the disadvantage is that anyone sitting nearby might observe your pattern, making you vulnerable to shoulder surfing attacks. Contrarily, our method does not employ ASCII values or any other pattern; rather, it will just need a secret three-digit number selected by the user during the registration process, after which our algorithm will function and it will be difficult for the attacker to obtain the user’s credentials. The shoulder surfing attack is thus repelled.
Graphical Arrangement of Rows and Columns Using Specific Scale [7]: In this system, the user must define the row and column as well as scale them. The biggest disadvantage of it is that anyone sitting close to you can see your row and column scaling, leaving you vulnerable to shoulder surfing attacks. However, since users might forget the scaling, our solution doesn’t require a row and column structure. Instead, users only need to remember a three-digit number and a simple algorithm that will defend against all types of attacks.
Hopper Blum Method [8]: This approach is based on a cognitive authentication mechanism that is very time consuming. This approach is vulnerable to a shoulder surfing attack because it can be cracked if the attacker somehow manages to observe 2–3 logins. But in our approach, the attacker can never predict the 3-digit number, which prevents them from ever cracking the code. And even if the attacker sees the user’s dummy password, he will never discover the real password.
7 Comparison Based on Password Space
Our system provides a better way, offering advantages over many previously used password authentication schemes:
a. As our system has a large password space, i.e. 10^14, it minimizes the risk of brute force attack to a very good extent.
b. Our system uses a very simple algorithm which is understandable by most users.
c. Our system does not require any complex calculations, so anyone can understand it.
d. Our system provides high security against many attacks such as brute force attack, shoulder surfing attack and dictionary attack.
8 Result
Our approach is essentially a modified version of the graphical password approach. Here, we’ve utilized a dummy password scheme that requires the user to register with a confidential 3-digit number. Based on this three-digit number, we created an algorithm that generates a unique dummy password for each login by the user. This dummy password carries the same meaning as the original password.
The main benefit of this strategy is that even if an onlooker observes the dummy password, he will never be able to figure out the real password: the next time he logs in using the same dummy password, he will receive the message that the password is incorrect, because the matrix and grid are shuffled after each login and the values change according to the three-digit number.
Because of this, we have reduced or even eliminated several forms of attacks, including dictionary attacks [11], brute force attacks [10], and shoulder surfing attacks [9]. Therefore, we may conclude that our strategy offers excellent resistance to significant attacks like shoulder surfing attack.
9 Conclusion
In this paper we have proposed a scheme that is based on a graphical user authentication technique and is secure against shoulder surfing attack, brute force attack, and dictionary attack. This scheme is a combination of knowledge-based authentication and graphic-based matrices. The security analysis proves that this scheme effectively resists shoulder surfing attack because a cryptography-based algorithm is applied that relies on random digits whose positions in the matrix change at each and every login. This feature enhances security without sacrificing the usability aspect. This authentication scheme can be used in public places, ATMs, access control, etc.
References
[1] The Economic Times. The Economic Times, October 2021. https://economictimes.indiatimes.com/definition/authentication
[2] Geeks for geeks, April 2020. https://www.geeksforgeeks.org/graphical-password-authentication/
[3] Johnson Durai, A.R., Vinayan, V.: A novel crave-char based password entry system resistant to shoulder-surfing. Int. J. Comput. Algorithm 3(3), 954–958 (2014). Joseph’s College of Arts and Science (Autonomous), Cuddalore, 273–276
[4] Zheng, Z., Liu, X., Yin, L., Liu, Z.: A hybrid password authentication scheme based on shape and text. J. Comput. 5, 765–772 (2010)
[5] Bhand, A., Desale, V., Shirke, S., Shirke, S.P.: Enhancement of password authentication system using graphical images. In: International Conference on Information Processing (ICIP), pp. 217–219, December 2015 (2015)
[6] Gupta, D.: A new approach of authentication in graphical systems using ASCII submission of values. In: 2017 13th International Wireless Communications and Mobile Computing Conference (IWCMC), pp. 1362–1369 (2017)
[7] Istyaq, S., Umar, M.S.: Novel hybrid authentication by graphical arrangement of rows and columns using specific scale. Int. J. Comput. Math. Sci. 6(7), 2347–8527 (2017)
[8] Joy, J.P., Jyothis, T.S.: Secure authentication. In: 2016 Online International Conference on Green Engineering and Technologies (IC-GET), pp. 1–3 (2016)
[9] Wikipedia, the free encyclopedia: Shoulder surfing (computer security). https://en.wikipedia.org/wiki/Shoulder_surfing_(computer_security)
[10] Fatima, R., Siddiqui, N., Sarosh Umar, M., Khan, M.H.: A novel text-based user authentication scheme using pseudo-dynamic password. In: Fong, S., Akashe, S., Mahalle, P. (eds.) Information and Communication Technology for Competitive Strategies. LNNS, vol. 40, pp. 177–186. Springer, Singapore (2019). https://doi.org/10.1007/978-981-13-0586-3_18
[11] Varshney, S., Umar, M.S., Nazir, A.: A secure shoulder surfing resistant hybrid graphical user authentication scheme. In: Cybernetics, Cognition and Machine Learning Applications. AIS, pp. 79–87. Springer, Singapore (2019). https://doi.org/10.1007/978-981-15-1632-0_9
[12] Varshney, S.: A secure shoulder surfing resistant user password authentication scheme. In: International Conference on Communication, Networks and Computing. Springer, Singapore (2020)
[13] Varshney, S., Kumarl, L.: A secure authentication system for blind users. J. Appl. Sci. Comput. 1–9 (2018). UGC Approved Journal
[14] Dhamija, R., Perrig, A.: Déjà Vu: a user study using images for authentication. In: 9th USENIX Security Symposium (2000)
[15] Brostoff, S., Sasse, M.: Are passfaces more usable than passwords? A field trial investigation. In: McDonald, S., Waern, Y., Cockton, G. (eds.) People and Computers XIV—Usability or Else!, pp. 405–424. Springer, London (2000). https://doi.org/10.1007/978-1-4471-0515-2_27
[16] Zheng, Z., Liu, X., Yin, L., Liu, Z.: A stroke-based textual password authentication scheme. In: First International Workshop on Education Technology and Computer Science, May 2009. IEEE (2009)
[17] Lashkari, A.H., Abdul Manaf, A., Masrom, M., Daud, S.M.: Security evaluation for graphical password. In: Cherifi, H., Zain, J.M., El-Qawasmeh, E. (eds.) DICTAP 2011, Part I, CCIS, vol. 166, pp. 431–444. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21984-9_37
[18] Sobrado, L., Birget, J.-C.: Graphical passwords. Department of Computer Science, Rutgers University, An Electronic Bulletin for Undergraduate Research, vol. 4 (2002)
[19] Wiedenbeck, S., Waters, J., Sobrado, L., Birget, J.C.: Design and evaluation of a shoulder-surfing resistant graphical password scheme. In: Proceedings of Advanced Visual Interface (AVI 2006), May, pp. 23–26 (2006)
[20] Forget, A.: A world with many authentication schemes. A Thesis at Carleton University, November 2012 (2012)
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Varshney, S., Kumari, S., Agarwal, A., Pal, P. (2023). A Robust Graphical Authentication System for the Shoulder Surfing Attack. In: Tomar, R.S., et al. Communication, Networks and Computing. CNC 2022. Communications in Computer and Information Science, vol 1893. Springer, Cham. https://doi.org/10.1007/978-3-031-43140-1_9
DOI: https://doi.org/10.1007/978-3-031-43140-1_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-43139-5
Online ISBN: 978-3-031-43140-1