Graphical Authentication System To Prevent Shoulder Surfing Attack
Abstract : As technology has evolved, we can perform online purchasing, bank transactions, store data on cloud or drive etc.,
and all these tasks are carried out by an authenticated user. Authentication may take place on mobile devices, computers,
laptops, tablets etc., in a public or a private place. Every authenticated user has felt the discomfort of operating a device such as
a phone in a public place, especially while entering the password, because of the threat of an attacker: in a public place a
stranger may stand close enough to observe and note the password. Traditional authentication systems were built on an
alphanumeric keypad, a pattern or a PIN because of their simplicity, usability and ease of remembering. But these older
authentication systems are vulnerable to shoulder surfing attacks, in which the attacker finds out the password or access code
after several viewings with the naked eye or through surveillance video. It is imperative to implement an application that resists
such "shoulder surfing", whether in person or via a building's video camera. To resist shoulder surfing attacks, this paper proposes
an authentication system, PassMatrix, based on graphical passwords. Once the user has registered with the proposed authentication
system, he is provided with three images and creates a password by selecting a coordinate, i.e. a pass-square, in each image.
Hash codes are generated from the coordinate values of the images, so that the authenticated user can log in by referring to an
OTP that gives a hint about the coordinate value. The PassMatrix authentication system offers attackers no clue for tracing out
the password even when they conduct multiple camera-based attacks. From the experimental point of view, the proposed
authentication system achieves better resistance to shoulder surfing attacks and is easy to use.
Index Terms – Shoulder surfing, Shoulder surfing attack, Security, Authentication system, Shoulder surfing resistance, Password
I. INTRODUCTION
Everyone likes to have a secure environment in which to operate their smart phone or to hide their information. This does not
mean a separate place to operate the smart phone; it means being secure from attackers. The usual way to secure information or a
smart phone is a PIN, an alphanumeric password or a pattern. As technology has evolved, it is no longer very difficult to trace
out all these kinds of authentication systems.
For example, in a PIN based authentication system the PIN is a series of digits between 0 and 9 with a maximum length of 4 to
6 digits. It is relied upon because of its simplicity and ease of memorization. The problem with this technique is that the attacker
can guess the PIN, or can easily trace it out by standing close to the user while he unlocks his mobile phone in a public place.
The attacker can also find out the PIN by observing visual effects on the screen, i.e. the blink of a button when it is pressed, or
even the oily residue that the fingers leave on a touch screen.
In the case of alphanumeric passwords [1], it is difficult to remember the password since different passwords are given for
different accounts. They are not easy to use and remember.
In the case of a pattern based password, when the user draws the pattern the fingers leave an oily residue on the touch screen
that reveals it.
An attacker can easily trace out passwords by observing with the naked eye, through a surveillance camera, or with video
capturing techniques such as Google Glass [2], [3].
All of the above mentioned authentication systems suffer from the shoulder surfing attack. An attack is an effort to gain
unauthorized access to information, or to damage information systems; an attack can be active or passive. The shoulder surfing
attack is an eavesdropping attack in which the attacker is close to the authenticated user and directly observes the password over
the user's shoulder. Shoulder surfing is easy to carry out in a crowded place while users are entering their passwords. It is not only
achieved by observing the user's password with the naked eye; the password can also be obtained from a long distance through
binoculars or other vision-enhancing devices.
Awareness of the threat constituted by the shoulder surfing attack has increased drastically with the emergence of smart
phones. The Conference on Human Factors in Computing Systems reported that 97 percent of those surveyed claimed that in the
majority of cases, victims were unaware that they were being observed.
Many authentication systems have been invented to prevent the shoulder surfing attack. This paper proposes a graphical
authentication system, PassMatrix, to prevent the shoulder surfing attack. The proposed method lets the user use a dynamic pointer
to point out the position of their password rather than clicking on the password object directly, so that the attacker cannot trace
out the password easily.
II. MOTIVATION
As technology has evolved and ease of use has improved, mobile marketing grew compared to the PC in 2011 and the number
of mobile users overtook the number of desktop users [13]. Whether they are mobile users or desktop users, all are vulnerable to
attacks, which may be active or passive. This paper considers the shoulder surfing attack. A secure authentication system should
be able to defend against shoulder surfing attacks and should be applicable to all kinds of devices. Papers [6], [18], [19], [20], [21],
[22], [23], [24], [25] proposed different authentication schemes that are capable of resisting the shoulder surfing attack, but those
methods have both advantages and disadvantages. The disadvantages are difficulty in recollecting the password, delay in login
time, lack of knowledge about the authentication system and a small password space. To overcome the drawbacks of traditional
text based authentication systems, the PassPoint [7] technique was introduced in 2006. With this technique the password space is
increased and the password is easy to remember. Regrettably, this graphical authentication scheme is also vulnerable to shoulder
surfing attacks.
This paper improves on the idea of the existing PassPoints technique by using one-time session passwords, i.e. the PassMatrix
method. The proposed method is resistant to shoulder surfing attacks.
IJRAR19K1941 International Journal of Research and Analytical Reviews (IJRAR)www.ijrar.org 609
© 2019 IJRAR May 2019, Volume 6, Issue 2 www.ijrar.org (E-ISSN 2348-1269, P- ISSN 2349-5138)
Draw A Secret:
Paper [6] proposed a graphical password technique in 1999 for devices that are graphically less capable. It was primarily
implemented for personal digital assistants (PDAs), namely the Palm Pilot. In this technique the user has to re-draw a predefined
picture on the available 2D grid space. If the re-drawing passes through the same grid cells in the same sequence, the user is
authenticated. Since then, the graphical capability of handheld devices has improved.
PassPoint:
Paper [7] proposed the graphical authentication scheme PassPoint in 2005 for improved, high resolution colour picture handheld
devices. The main aim of this method is to overcome the drawback of textual passwords, namely that they are difficult to
remember. In this technique, the user has to click on a set of pre-defined pixels on the predestined photo, in the correct sequence
and within their tolerance squares, during the login stage. The proposed system takes less time to input the graphical password
than to input a textual password, because a long textual password is difficult to recollect. However, this authentication scheme is
still vulnerable to shoulder surfing attacks, as it may reveal the graphical password directly to unknown observers in public.
Fake Pointer
Paper [15] proposed a method called Fake Pointer to overcome the shoulder surfing attack with video capturing. The proposed
method prevents attackers from obtaining the PIN even when the attacker observes the authentication process through a video
camera. The system is specially implemented for bank ATMs. Along with the PIN, the user is provided with an "answer indicator"
for each authentication at the bank ATM. The fakepointer method has two features, i.e. the user has two secrets for authentication:
the PIN is a fixed secret and the answer indicator is a disposable secret. The answer indicator represents different shapes as the
background of the digits. On the provided numeric keypad the user moves the digits circularly, but not the shapes, using the left or
right arrow keys. The user repeats this until the first digit of the PIN overlaps the first shape of the answer indicator on the keypad,
and the same procedure is carried out for all the digits of the PIN. This feature changes the secret input operation in each
authentication, so it is difficult for an attacker to obtain the PIN even if he observes the authentication scene through a video
capturing device. However, the system could be improved in terms of password space for smart phones and tablets.
Color Rings
Paper [17] proposed a visual authentication method for tabletop interfaces called "Color Rings", where the user is provided
with i authentication (key) icons, which are collectively assigned one of four color-rings: red, green, blue, or pink. During login, i
grids of icons are provided, with 72 icons displayed per grid. There is only one key icon presented in each grid. The user must drag
all four rings (ideally with index finger and thumb of two hands) concurrently and place them in the grid. The distinct key icon should
be captured by the correct color ring while the rest of the rings just make decoy selections. The user confirms a selection by dropping
the rings in position. The rings are large enough to include more than one icon and can thus obfuscate the direct observer. Unfortunately,
these passwords can be cracked by intersecting the user's selections across logins, because the color of the assigned ring is fixed
and a ring can include at most seven icons. Thus, the attacker only requires a limited number of trials to guess the user's password.
The objective of the proposed system is to develop an application that resists shoulder surfing attacks in a graphical
authentication system.
V. SYSTEM ARCHITECTURE
To overcome the imperfection of the traditional PIN based authentication system, namely the ease with which an attacker
obtains passwords in public, a graphical authentication system called PassMatrix is proposed. The PassMatrix design is discussed in
this section.
The first step is user registration. The user registers by giving his information such as user id, user name, password, valid e-mail
id, phone number etc.; after this information is given, three images are randomly assigned to the user.
The next step is image discretization. This process divides each image into squares, and the user chooses one square among them
as the pass-square. The image should be discretized in such a way that the squares are spacious enough to select a pass-square.
The following step is to design the login indicator generator, consisting of rows and columns of size 8*6, i.e. 8 rows numbered
from 1 to 8 and 6 columns named from A to F. The login indicator is generated randomly each time. There are two scroll bars, a
horizontal bar and a vertical bar, to shift the row and column values respectively. In the discretized images the user selects the
coordinate squares of the images as the graphical password. The coordinates of all images are stored in the database against the
specific user.
A registered user logs in to the application using his user id and password. If the user id and password are valid, a One Time
Password (OTP) is sent to the user's e-mail, where the OTP contains a random pair of vertical and horizontal slider coordinate
points for each of the three images. After successful login, the three assigned images are displayed to the user with horizontal and
vertical sliders. The user sets the horizontal and vertical sliders for all three images so that the OTP coordinate value lines up with
the coordinates chosen by the user at the time of password setting. For instance, if the user chose the pass-square (4,5) in the first
image, then the login indicator will be (A,2). Authentication is only possible if the pass-square in each pass-image is correctly
aligned with the login indicator.
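The login and verification flow described above, as an added example that is not code from the paper or the PassMatrix project. It assumes columns A to F and rows 1 to 8 are indexed from zero, that each bar is shifted cyclically, that the server stores a hash of each pass-square rather than the raw coordinates (as the abstract describes), and that the (letter, digit) indicator is delivered out of band in the OTP. The last function shows why an observer who sees only the bar positions learns nothing: every pass-square on the grid is consistent with any observed shift.

```python
import hashlib
import hmac
import secrets

COLS = "ABCDEF"    # 6 column labels on the horizontal bar
ROWS = "12345678"  # 8 row labels on the vertical bar


def hash_pass_square(user_id, image_no, col, row):
    """Hash of one pass-square (col, row) so raw coordinates are not stored (assumed scheme)."""
    msg = "{}|{}|{}|{}".format(user_id, image_no, col, row).encode()
    return hashlib.sha256(msg).hexdigest()


def new_login_indicator():
    """Fresh random (letter, digit) indicator for one image; sent to the user in the OTP."""
    return secrets.choice(COLS), secrets.choice(ROWS)


def user_shifts(indicator, pass_square):
    """Cyclic bar shifts a legitimate user applies so the indicator lands on the pass-square."""
    letter, digit = indicator
    col, row = pass_square
    h = (col - COLS.index(letter)) % len(COLS)
    v = (row - ROWS.index(digit)) % len(ROWS)
    return h, v


def aligned_square(indicator, shifts):
    """Square sitting under the indicator after the submitted shifts (what the server checks)."""
    letter, digit = indicator
    h, v = shifts
    return (COLS.index(letter) + h) % len(COLS), (ROWS.index(digit) + v) % len(ROWS)


def verify_login(user_id, stored_hashes, indicators, submitted_shifts):
    """All pass-images must align; hashes are compared in constant time, all of them every time."""
    if not (len(stored_hashes) == len(indicators) == len(submitted_shifts)):
        return False
    ok = True
    for i, (stored, ind, sh) in enumerate(zip(stored_hashes, indicators, submitted_shifts)):
        col, row = aligned_square(ind, sh)
        ok &= hmac.compare_digest(stored, hash_pass_square(user_id, i, col, row))
    return ok


def squares_consistent_with(shifts):
    """Pass-squares an observer who saw only the bar shifts (not the OTP) must still consider."""
    return {aligned_square((l, d), shifts) for l in COLS for d in ROWS}
```

Because the indicator is random per session, the same pass-square produces different slider positions on every login, and squares_consistent_with returns the whole 6*8 grid for any observed shift.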
VI. RESULTS
Screenshots (not reproduced here): Home Page; Image 2; Image 3; User login.
Conclusion
As web services and apps have increased, users can access any application from various devices. While accessing a particular
application the user has to go through security. However, the user may feel uncomfortable authenticating in public because an
attacker may observe the password, i.e. a shoulder surfing attack. In existing systems such as textual passwords or the PIN
method, users tend to prefer weak passwords in order to remember them easily, but this kind of authentication is more vulnerable
to the shoulder surfing attack.
To overcome this problem, a shoulder surfing resistant authentication system based on graphical passwords is proposed. With the
proposed graphical password the user logs in using a one-time login indicator per image; the system is invulnerable to the shoulder
surfing attack because of the design of the horizontal and vertical bars that cover the entire pass-image. With the proposed
system the user can log in even in public, because it offers no clue for attackers to crack the password.
[2] “Google glass snoopers can steal your passcode with a glance,” http://www.wired.com/2014/06/google-glass-snoopers-cansteal-your-passcode-with-aglance/.
[3] “Black hat: Google glass can steal your passcodes,” https://www.technologyreview.com/s/529896/black-hatgoogle-glass-can-steal-your passcodes/.
[4] R. Dhamija and A. Perrig, “Deja vu: A user study using images for authentication,” in Proceedings of the 9th conference on USENIX
Security Symposium-Volume 9. USENIX Association, 2000, pp. 4–4.
[6] I. Jermyn, A. Mayer, F. Monrose, M. Reiter, and A. Rubin, “The design and analysis of graphical passwords,” in Proceedings of the
8th conference on USENIX Security Symposium-Volume 8. USENIX Association, 1999, pp. 1–1.
[7] S. Wiedenbeck, J. Waters, J. Birget, A. Brodskiy, and N. Memon, “Passpoints: Design and longitudinal evaluation of a graphical
password system,” International Journal of Human-Computer Studies, vol. 63, no. 1-2, pp. 102–127, 2005.
[8] A. Paivio, T. Rogers, and P. Smythe, “Why are pictures easier to recall than words?” Psychonomic Science, 1968.
[9] D. Nelson, U. Reed, and J. Walling, “Picture superiority effect,” Journal of Experimental Psychology: Human Learning and Memory,
vol. 3, pp. 485–497, 1977.
[10] S. Brostoff and M. Sasse, “Are passfaces more usable than passwords? a field trial investigation,” PEOPLE AND COMPUTERS, pp.
405–424, 2000.
[11] A. De Angeli, M. Coutts, L. Coventry, G. Johnson, D. Cameron, and M. Fischer, “Vip: a visual approach to user authentication,” in
Proceedings of the Working Conference on Advanced Visual Interfaces. ACM, 2002, pp. 316–323.
[12] B. Ives, K. Walsh, and H. Schneider, “The domino effect of password reuse,” Communications of the ACM, vol. 47, no. 4, pp. 75–
78, 2004.
[14] V. Roth, K. Richter, and R. Freidinger, “A pin-entry method resilient against shoulder surfing,” in Proceedings of the 11th ACM
conference on Computer and communications security, ser. CCS ’04. New York, NY, USA: ACM, 2004, pp. 236–245.
[15] T. Takada, “fakepointer: An authentication scheme for improving security against peeping attacks using video cameras,” in Mobile
Ubiquitous Computing, Systems, Services and Technologies, 2008. UBICOMM’ 08. The Second International Conference on. IEEE,
2008, pp. 395–400.
[16] S. Wiedenbeck, J. Waters, L. Sobrado, and J.-C. Birget, “Design and evaluation of a shoulder-surfing resistant graphical password
scheme,” in Proceedings of the working conference on Advanced visual interfaces, ser. AVI ’06. New York, NY, USA: ACM, 2006, pp.
177– 184.
[17] D. Kim, P. Dunphy, P. Briggs, J. Hook, J. Nicholson, J. Nicholson, and P. Olivier, “Multi-touch authentication on tabletops,” in
Proceedings of the 28th international conference on Human factors in computing systems. ACM, 2010, pp. 1093–1102.