
1 Introduction

Humans stand above all other species because they can engage their brains and comprehend things more effectively. Technology is currently experiencing a boom, and its rapid advancement brings a growing need for data security [1, 2]. To safeguard personal information, a variety of password authentication techniques are used, such as text-based or graphical passwords. Password authentication works by comparing the supplied password with the one stored for the username; if the two match, the authentication succeeds. Password- or PIN-based authentication is exposed to cyber threats such as dictionary attacks.

The text-graphic password entry system [3, 12], which combines text-based and graphical passwords, is one of the solutions developed so far to strengthen the weaknesses of password- or PIN-based authentication. Pictures leave a strong impression on the human mind, so a hybrid password authentication technique [4] based on shape and text is being developed to overcome the weaknesses of both text- and graphic-based passwords.

Graphical passwords are, however, prone to shoulder surfing attacks, since someone sitting next to you can see your pattern. Our method is based on graphical passwords with certain modifications: the user selects a confidential three-digit number, and a specific algorithm gives that number its meaning at every login.

2 Background

Three types of authentication method are commonly distinguished:

  • Token-based authentication

  • Knowledge-based authentication

  • Biometric-based authentication

Token-based authentication systems use a bank card, ATM card, smart card, etc. for verification. Token-based authentication is sometimes combined with a knowledge-based password.

Biometric-based authentication systems use fingerprints, iris scans, face recognition, etc. Their drawback is a dependence on hardware devices, which can be unreliable; on the other hand, biometric authentication is considered more secure than the other two types.

Knowledge-based authentication methods are further divided into two sub-methods:

  • Text password based Authentication System

  • Graphical password based Authentication System


3 Proposed Scheme

Our technique is a hybrid authentication system that employs both text-based and graphical passwords. The textual password is what is compared against the record stored for the username to decide whether the user is authenticated, while the graphical part (a matrix and a character grid) is used to protect that textual password when it is entered.

Registration Phase

During registration the user must enter an email address, a username, a password and a three-digit secret number. This three-digit secret must be kept strictly confidential, and the user selects it only once, during the registration procedure. Figure 1 depicts the layout of the registration form.

Fig. 1. Registration Page

Login Phase

The user must re-enter their username and password during the login phase in order to be authenticated. The username stays the same, but the password typed differs at every login. This is made possible by the algorithm below together with a 2D matrix of 3 rows, each row a permutation of the digits 0–9, one row per digit of the three-digit secret: the 1st row is indexed by the 1st digit, the 2nd row by the 2nd digit and the 3rd row by the 3rd digit (positions within a row are counted from 0).

    Position:  0  1  2  3  4  5  6  7  8  9
    1st row:   0  2  9  1  7  4  6  3  8  5
    2nd row:   2  7  5  3  9  4  8  1  6  0
    3rd row:   3  9  0  8  1  6  5  2  4  7

Alongside this matrix there is a 10 × 10 grid of 100 numbered blocks (01–100), each holding one character; it is stored as a 2D array of characters together with their block numbers.

Now suppose the user has registered the username ANKUSH with the password @An%kusH*# and has chosen 356 as the three-digit secret number. Figure 2 shows the matrix as it relates to this three-digit number.

Fig. 2. Matrix Example

To derive the login password that stands for the actual password @An%kusH*#, the algorithm below is used.

4 Algorithm Used

Our method rests on three rules, which are applied in turn and repeat after every three characters of the password. Here i denotes the position (counted from 0) of the character in the new password, which we treat as an array, and arr[r][d] denotes the entry at position d of row r of the matrix. For the secret 356 the relevant entries are arr[1][3], arr[2][5] and arr[3][6]: 3 is the 1st digit and selects from the 1st row, 5 is the 2nd digit and selects from the 2nd row, and 6 is the 3rd digit and selects from the 3rd row. "Block no." is the block of the grid that holds the character of the real password, and "actual block" is the block whose character is typed in its place.

  1. If i % 3 == 0 then row = row + arr[1][3], i.e. actual block = (block no. + arr[1][3]) % 100.

  2. If i % 3 == 1 then column = column + arr[2][5], i.e. actual block = (block no. + 10 * arr[2][5]) % 100.

  3. If i % 3 == 2 then row = row - arr[3][6], i.e. actual block = (block no. - arr[3][6]) % 100.

The character grid used in the example, listed as block number followed by the character it holds, ten blocks per row (the character in block 71 is not legible in the source):

    01 A   02 v   03 !   04 @   05 R   06 #   07 Z   08 s   09 0   10 J
    11 5   12 B   13 w   14 S   15 %   16 T   17 t   18 K   19 ^   20 =
    21 1   22 +   23 C   24 G   25 (   26 u   27 L   28 *   29 &   30 F
    31 M   32 )   33 a   34 D   35 h   36 6   37 -   38 {   39 \   40 C
    41 }   42 n   43 Y   44 B   45 E   46 i   47 X   48 ]   49 |   50 O
    51 [   52 <   53 o   54 N   55 3   56 2   57 j   58 >   59 ?   60 $
    61 ,   62 z   63 4   64 P   65 _   66 d   67 G   68 k   69 /   70 M
    71 (illegible)   72 P   73 y   74 V   75 q   76 W   77 e   78 H   79 l   80 7
    81 Q   82 :   83 ;   84 X   85 U   86 r   87 9   88 f   89 I   90 8
    91 L   92 M   93 4   94 7   95 !   96 |   97 o   98 q   99 e   100 a

According to the algorithm, the 1st row of the matrix is indexed by the 1st secret digit: the 1st digit is 3, and position 3 of the 1st row (counting from 0) holds 1, so arr[1][3] = 1. Likewise the 2nd digit is 5 and position 5 of the 2nd row holds 4, so arr[2][5] = 4; and the 3rd digit is 6 and position 6 of the 3rd row holds 5, so arr[3][6] = 5. Each character of @An%kusH*# is then replaced as follows.

CASE 1: i = 0, and 0 % 3 == 0 (1st element). @ is in block 04, so actual block = (04 + 1) % 100 = 05, and R is written in place of @.

CASE 2: i = 1, and 1 % 3 == 1 (2nd element). A is in block 01, so actual block = (01 + 10 * 4) % 100 = 41, and } is written in place of A.

CASE 3: i = 2, and 2 % 3 == 2 (3rd element). n is in block 42, so actual block = (42 - 5) % 100 = 37, and - is written in place of n.

The cycle now repeats after three characters, with the same values arr[1][3] = 1, arr[2][5] = 4 and arr[3][6] = 5.

CASE 1: i = 3, and 3 % 3 == 0 (4th element). % is in block 15, so actual block = (15 + 1) % 100 = 16, and T is written in place of %.

CASE 2: i = 4, and 4 % 3 == 1 (5th element). k is in block 68, so actual block = (68 + 10 * 4) % 100 = 08, and s is written in place of k.

CASE 3: i = 5, and 5 % 3 == 2 (6th element). u is in block 26, so actual block = (26 - 5) % 100 = 21, and 1 is written in place of u.

CASE 1: i = 6, and 6 % 3 == 0 (7th element). s is in block 08, so actual block = (08 + 1) % 100 = 09, and 0 is written in place of s.

CASE 2: i = 7, and 7 % 3 == 1 (8th element). H is in block 78, so actual block = (78 + 10 * 4) % 100 = 18, and K is written in place of H.

CASE 3: i = 8, and 8 % 3 == 2 (9th element). * is in block 28, so actual block = (28 - 5) % 100 = 23, and C is written in place of *.

CASE 1: i = 9, and 9 % 3 == 0 (10th element). # is in block 06, so actual block = (06 + 1) % 100 = 07, and Z is written in place of #.

The new password is therefore "R}-Ts10KCZ", which stands for @An%kusH*#. Both the matrix and the grid are shuffled after every login, so a dummy password observed in one session does not reveal the real password and is not accepted in the next.
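The derivation above, carried through in code. This is an added example written for this page, not code from the paper. The matrix and grid of the worked example are embedded as constructed data; the character in block 71 is illegible in the source and is replaced by a stand-in "~", the page's "% 100" is taken to address block 100 as 0 (the formula otherwise names a block the grid does not have, e.g. for 99 + 1), and a character that occurs in more than one block (such as C in blocks 23 and 40) is assumed to sit in its lowest-numbered block. The example also implements the per-login reshuffle the text prescribes and a verify() routine that recomputes the expected dummy from the stored password instead of inverting the typed one, because the duplicated grid characters make inversion ambiguous.

```python
"""Dummy-password derivation for the scheme described above (added example)."""
import random
import secrets

# Character grid from the page's worked example, ten blocks per row, numbered
# 01-100.  Constructed data; block 71 is illegible in the source and "~" is a
# stand-in (assumption) chosen because it occurs nowhere else in the grid.
GRID_ROWS = [
    "Av!@R#Zs0J",    # blocks 01-10
    "5BwS%TtK^=",    # blocks 11-20
    "1+CG(uL*&F",    # blocks 21-30
    r"M)aDh6-{\C",   # blocks 31-40
    "}nYBEiX]|O",    # blocks 41-50
    "[<oN32j>?$",    # blocks 51-60
    ",z4P_dGk/M",    # blocks 61-70
    "~PyVqWeHl7",    # blocks 71-80 (71 assumed)
    "Q:;XUr9fI8",    # blocks 81-90
    "LM47!|oqea",    # blocks 91-100
]
GRID = {10 * r + c + 1: ch
        for r, row in enumerate(GRID_ROWS) for c, ch in enumerate(row)}

# The 3 x 10 matrix from the page: MATRIX[k][d] is position d (counted from 0)
# of row k, and row k is indexed by the k-th digit of the secret.
MATRIX = [
    [0, 2, 9, 1, 7, 4, 6, 3, 8, 5],
    [2, 7, 5, 3, 9, 4, 8, 1, 6, 0],
    [3, 9, 0, 8, 1, 6, 5, 2, 4, 7],
]


def block_of(grid, ch):
    """Lowest-numbered block holding ch.  Assumption: the page does not say how
    characters present twice (e.g. 'C' in 23 and 40) are resolved."""
    for blk in sorted(grid):
        if grid[blk] == ch:
            return blk
    raise ValueError(f"{ch!r} is not on the grid")


def shift_for(i, matrix, secret):
    """Signed block offset that the three rules apply to the i-th character."""
    if not 0 <= secret <= 999:
        raise ValueError("secret must be a three-digit number")
    d1, d2, d3 = (int(x) for x in f"{secret:03d}")
    k = i % 3
    if k == 0:
        return matrix[0][d1]          # rule 1: block + arr[1][d1]
    if k == 1:
        return 10 * matrix[1][d2]     # rule 2: block + 10 * arr[2][d2]
    return -matrix[2][d3]             # rule 3: block - arr[3][d3]


def wrap(block):
    """The page's '% 100', with 0 read as block 100 (assumption).  Python's %
    is never negative, so rule 3 wraps upward for small block numbers."""
    b = block % 100
    return 100 if b == 0 else b


def make_dummy(real, secret, grid=GRID, matrix=MATRIX):
    """Client side: the string typed at login in place of the real password."""
    return "".join(grid[wrap(block_of(grid, ch) + shift_for(i, matrix, secret))]
                   for i, ch in enumerate(real))


def recover_real(dummy, secret, grid=GRID, matrix=MATRIX):
    """Undo the shifts.  Correct only when no dummy character is duplicated
    on the grid, which is why verify() below does not rely on it."""
    return "".join(grid[wrap(block_of(grid, ch) - shift_for(i, matrix, secret))]
                   for i, ch in enumerate(dummy))


def verify(typed_dummy, stored_real, secret, grid=GRID, matrix=MATRIX):
    """Server side: recompute the expected dummy for this session's tables and
    compare.  The server thus needs the real password and the tables it showed
    the user for this login, not merely a password hash."""
    expected = make_dummy(stored_real, secret, grid, matrix)
    return secrets.compare_digest(typed_dummy, expected)


def shuffle_tables(seed=None):
    """Fresh grid and matrix for the next login, as the page prescribes.
    seed is for reproducible tests only; leave it None so the OS CSPRNG is used."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    matrix = [rng.sample(range(10), 10) for _ in range(3)]
    chars = list(GRID.values())
    rng.shuffle(chars)
    grid = {blk: ch for blk, ch in enumerate(chars, start=1)}
    return grid, matrix


if __name__ == "__main__":
    real, secret = "@An%kusH*#", 356
    dummy = make_dummy(real, secret)
    print(dummy, verify(dummy, real, secret))   # R}-Ts10KCZ True
    grid2, matrix2 = shuffle_tables()
    # A dummy captured by a shoulder surfer is checked against the new tables.
    print("replay accepted:", verify(dummy, real, secret, grid2, matrix2))
```

Because verify() works from the stored real password, the server has to keep that password (or the session's tables plus a way to derive the expected dummy) available at login time; a practitioner deploying this scheme should decide how that secret is protected at rest, since a plain salted hash of the real password is not enough to check a dummy.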

5 Password Space

Calculating the password space lets us estimate how strong a password is against a brute force attack. The formula is PS = A^N, where PS is the password space, A is the size of the character set, i.e. 89, and N is the length of the password. In our system N is restricted to 4 < N < 13, i.e. 5 to 12 characters. For N = 8 and A = 89 this gives PS = 89^8, about 3.9 × 10^15; with an alphanumeric set alone (A = 62) it would be only about 2 × 10^14. Note that the three-digit secret itself has only 1000 possible values; the scheme's resistance to observation rests on the per-login reshuffling of the matrix and grid, not on the size of the secret.

6 Comparison

Cued Click Points (CCP) [5]: the user creates a pattern by clicking one point on each of five distinct images, and must click the same pixel locations again during login.

The fundamental drawback of this approach is that shoulder surfing attacks can still be launched against it successfully. In contrast, our system does not rely on a click pattern; it uses a dummy-password algorithm in which the value typed at login differs every time, so observing one login does not yield the real password.

Graphical system using ASCII values [6]: the user selects a 2D matrix of any size and draws a pattern on it, and the system sums the ASCII values of the characters covered by the pattern.

The disadvantage is again that anyone sitting nearby can observe the pattern, so shoulder surfing is possible. Our method uses neither ASCII sums nor a pattern; it needs only the secret three-digit number chosen at registration, after which the algorithm derives a different dummy password for each login, so an observer does not obtain the user's credentials from what is typed.

Graphical arrangement of rows and columns using a specific scale [7]: the user must define rows and columns and scale them. Its main disadvantage is that anyone sitting close by can see the row and column scaling, which again allows shoulder surfing, and users may also forget the scaling. Our solution needs no row and column structure; users only remember a three-digit number and a simple rule set that counters the observation attacks discussed here.

Hopper Blum method [8]: a cognitive authentication mechanism that is very time consuming for the user and is vulnerable to shoulder surfing, since it can be broken by an attacker who observes two or three logins. In our approach the three-digit number is never typed at login, and even if the attacker sees the user's dummy password he does not learn the real password from it, because the matrix and grid are reshuffled afterwards.

7 Comparison Based on Password Space

Our system provides advantages over many previously used password authentication schemes:

  a. It has a large password space (89^N for an N-character password), which reduces the risk of brute force attack to a very good extent.

  b. It uses a very simple algorithm that most users can understand.

  c. It requires no complex calculations on the user's part.

  d. It provides protection against attacks such as brute force, shoulder surfing and dictionary attacks.

8 Result

Our approach is essentially a modified version of the graphical password approach. We use a dummy password scheme in which the user registers a confidential three-digit number, and from this number an algorithm derives a different dummy password for each login. The dummy password stands for the original password: the server maps it back using the same matrix and grid that were shown to the user.

The main benefit of this strategy is that even if an observer sees the dummy password, he cannot figure out the real password from it, and if he tries to log in with the same dummy password next time, it will be rejected as an incorrect password, because the matrix and grid are reshuffled after each login and the values selected by the three-digit number will have changed.

Because of this, we have reduced or even eliminated several forms of attack, including dictionary attacks [11], brute force attacks [10] and shoulder surfing attacks [9]. We therefore conclude that our strategy offers good resistance to significant attacks, in particular shoulder surfing.

9 Conclusion

In this paper we have proposed a scheme based on a graphical user authentication technique that is secure against shoulder surfing, brute force and dictionary attacks. The scheme combines knowledge-based authentication with graphic-based matrices. The security analysis argues that the scheme resists shoulder surfing because the substitution applied to the password is keyed by a few secret digits whose positions in the matrix change at each and every login. This feature enhances security without sacrificing usability. The scheme can be used in public places, at ATMs, for access control, etc.