
© 2019 IJRAR May 2019, Volume 6, Issue 2 www.ijrar.org (E-ISSN 2348-1269, P- ISSN 2349-5138)

GRAPHICAL AUTHENTICATION SYSTEM TO PREVENT SHOULDER SURFING ATTACK

1 Kavya P W, 2 Venkatesha N
1 Lecturer, 2 Final Year M.C.A, Kuvempu University
1 Computer Science Department, Adichunchanagiri Polytechnic, Chikkamagaluru, Karnataka, India

Abstract: As technology has evolved, we can perform online purchasing and bank transactions, store data on a cloud drive, and so on, and all these tasks are carried out by an authenticated user. Authentication may be carried out on mobile devices, computers, laptops, tablets etc., in a public or a private place. Every authenticated user has felt the discomfort of operating a device such as a phone in a public place, especially while entering a password, because of the threat of an attacker: in a public place a stranger may stand close enough to observe and potentially note the password. Traditional authentication systems are built on an alphanumeric keypad, a pattern or a PIN because of their simplicity, usability and ease of memorisation. But these old systems are vulnerable to the shoulder surfing attack, in which an attacker can find out the password or access code after several viewings with the naked eye or through surveillance video. It is imperative to implement an application that resists such "shoulder surfing", whether in person or via a building's video camera. To resist the shoulder surfing attack, this paper proposes an authentication system, PassMatrix, based on graphical passwords. Once the user has registered with the proposed system, he is provided with three images and creates his password by selecting a coordinate square in each image, the pass-square. A hash code is generated from the coordinate values of the images. The authenticated user then logs in by referring to an OTP that gives a hint about the coordinate value. The PassMatrix authentication system offers no clue for attackers to trace out the password, even if they conduct multiple camera-based attacks. From the experimental point of view, the proposed authentication system achieves better resistance to shoulder surfing attacks and is easy to use.

Index Terms – Shoulder surfing, Shoulder surfing attack, Security, Authentication system, Shoulder surfing resistance, Password
I. INTRODUCTION
Everyone wants a secure environment in which to operate their smart phone and protect their information. This does not mean a separate place in which to operate the phone; it means being secure from attackers. The usual way to secure information or a smart phone is a PIN, an alphanumeric password or a pattern. As technology has evolved, it is not very difficult to trace out all these kinds of authentication.
For example, in a PIN-based authentication system the password is a series of 4 to 6 digits between 0 and 9. It is popular because of its simplicity and ease of memorisation. The problem with this technique is that an attacker can guess the PIN, or can easily trace it out by standing close to the user while he unlocks his mobile phone in a public place. The attacker can also find out the PIN by observing visual effects on the screen, i.e. the blink of a button when it is pressed, or even the oily residue that the fingers leave on a touch screen.
In the case of alphanumeric passwords [1], it is difficult to remember the password, since different accounts are given different passwords. They are not easy to use and remember.
In the case of pattern-based passwords, when the user draws the pattern, the oily residue that the fingers leave on the touch screen reveals it.
An attacker can easily trace out passwords by observing with the naked eye, through a surveillance camera, or with video-capturing techniques such as Google Glass [2], [3].
All the authentication systems mentioned above suffer from the shoulder surfing attack. An attack is an effort to gain unauthorized access to information or to damage information systems; it can be active or passive. The shoulder surfing attack is an eavesdropping attack in which the attacker is close to the authenticated user and directly observes the password over the user's shoulder. It is easy to carry out in a crowded place while users are entering their passwords. Shoulder surfing is not only achieved by observing the user's password with the naked eye; it can also be done from a long distance through binoculars or other vision-enhancing devices.
Awareness of the threat posed by the shoulder surfing attack has increased drastically with the emergence of smart phones. The Conference on Human Factors in Computing Systems reported that 97 percent of those surveyed claimed that in the majority of cases, victims were unaware that they were being observed.
Many authentication systems have been invented to prevent the shoulder surfing attack. This paper proposes a graphical authentication system, PassMatrix, to prevent it. The proposed method allows the user to use a dynamic pointer to indicate the position of the password rather than clicking on the password object directly, so that an attacker cannot trace out the password easily.
II. MOTIVATION
As technology has evolved and ease of use has improved, mobile marketing grew compared to the PC in 2011, and the number of mobile users has overtaken the number of desktop users [13]. Whether mobile or desktop users, all are vulnerable to attacks, active or passive. This paper considers the shoulder surfing attack. A secure authentication system should be able to defend against shoulder surfing attacks and should be applicable to all kinds of devices. Papers [6], [18], [19], [20], [21], [22], [23], [24], [25] proposed different authentication schemes capable of resisting the shoulder surfing attack, but each method has advantages and disadvantages. The disadvantages are that the password is difficult to recollect, login time is delayed, users lack knowledge of the authentication system, and the password space is small. To overcome the drawbacks of traditional text-based authentication, the PassPoint technique [7] was introduced in 2006. It increased the password space and made the password easier to remember. Regrettably, this graphical authentication scheme is also vulnerable to shoulder surfing attacks.
This paper improves on the existing PassPoints technique by using one-time session passwords, i.e. the PassMatrix method. The proposed method is resistant to shoulder surfing attacks.

III. RELATED WORK

A lot of research has taken place on password authentication systems. This paper discusses graphical authentication systems. Many other techniques, such as those in [27], [28], [29], [30], [31], may have good usability, but their drawback is that they are vulnerable to the shoulder surfing attack, since they are not graphical-based, and they need additional support from extra hardware.
Various graphical password authentication systems [4], [5], [6], [7] were introduced to address the issues with textual passwords. Surveys such as those in [8], [9] state that humans have a better ability to remember images for a long time than textual passwords. Papers [10], [11], [12] state that image-based passwords proved easier to recollect.

Draw A Secret:
Paper [6] proposed a graphical password technique in 1999 for devices that are graphically less capable. It was primarily implemented for personal digital assistants (PDAs), namely the Palm Pilot. In this technique the user has to redraw a predefined picture on the available 2D grid. If the redrawing touches the same grid cells in the same sequence, the user is authenticated. Since then, the graphical capability of handheld devices has improved.

PassPoint:
Paper [7] proposed the graphical authentication scheme PassPoint in 2005 for handheld devices with improved high-resolution colour displays. The main aim of this method is to overcome the drawback of textual passwords, which are difficult to remember. In this technique, the user has to click a set of pre-defined pixels on the predetermined photo, in the correct sequence and within their tolerance squares, during the login stage. The proposed system takes less time to input the graphical password than a textual password, because a long textual password is difficult to recollect. However, this authentication scheme is still vulnerable to shoulder surfing attacks, as it may reveal the graphical password directly to unknown observers in public.

Cognitive Trapdoor Games:

Paper [14] proposed a PIN-entry method to prevent the shoulder surfing attack. The method introduces more noise for the observer so that he cannot easily find out the password. In this approach the original PIN pad layout is retained, but the digits are split into two colour sets: one set is displayed as white on a black background, and the other as black on a white background. The result is a scattered pattern of black and white patches distributed over the pad. The authenticated user's job is to identify the colour of each password digit. From the series of black and white answers, the system can determine the PIN. This black and white combination confuses attackers, but an attacker can easily crack the PIN if he observes through video-capturing devices.

Fake Pointer
Paper [15] proposed a method called Fake Pointer to overcome shoulder surfing with video capture. The method prevents an attacker from determining the PIN even when he observes the authentication process through a video camera. The system was implemented specifically for bank ATMs. Along with the PIN, the user is provided with an "answer indicator" each time for authentication at the ATM. The Fake Pointer method has two features, i.e. the user has two secrets for authentication: the PIN is a fixed secret and the answer indicator is a disposable secret. The answer indicator is represented by different shapes shown as backgrounds for the digits. The user shifts the digits circularly on the provided numeric keypad (the shapes do not move) using the left or right arrow keys, repeating until the first digit of the PIN overlaps the first shape of the answer indicator on the keypad. The same procedure is carried out for all the digits of the PIN. This feature changes the secret input operation in each authentication, so it is difficult for an attacker to determine the PIN even if he observes the authentication scene through a video-capturing device. However, the system could be improved in terms of password space for smart phones and tablets.

Convex Hull Click (CHC) scheme

Paper [16] proposed a graphical password scheme to prevent the shoulder surfing attack using a convex hull method. With this method the user does not need to click directly on the password image; instead the user has to recognise a set of pass-icons on the screen and click inside the convex hull formed by all these pass-icons. The authors concluded that, since observers are unable to determine which pass-objects formed the convex hull, it is difficult to determine the user's password.

Color Rings
Paper [17] proposed a visual authentication method for tabletop interfaces called "Color Rings", where the user is provided with i authentication (key) icons, which are collectively assigned one of four colour rings: red, green, blue or pink. During login, i grids of icons are presented, with 72 icons displayed per grid. Only one key icon is present in each grid. The user must drag all four rings (ideally with the index finger and thumb of both hands) concurrently and place them on the grid. The key icon should be captured by the correct colour ring while the other rings make decoy selections. The user confirms a selection by dropping the rings in position. The rings are large enough to cover more than one icon and can thus obfuscate the direct observer. Unfortunately, these passwords can be cracked by intersecting the user's selections across logins, because the colour of the assigned ring is fixed and a ring can include at most seven icons. Thus, the attacker needs only a limited number of trials to guess the user's password.

IV. PROBLEM STATEMENT

As technology has evolved we can store our documents, photos and personal information on a cloud drive, and can even perform bank transactions with a mobile device without going to the bank; in all these tasks security is critical. All these tasks are vulnerable to the shoulder surfing attack, i.e. an attacker peeping at our authentication process with the naked eye or with video-capturing devices. Once the attacker finds out the password, he can easily perform any task as the authenticated user, which is a big threat to the user's assets. The following lists some of the problems that can be addressed by the proposed method:
• Authentication based on passwords is used largely in applications for computer security and privacy.
• However, human actions such as choosing bad passwords and inputting passwords in an insecure way are regarded as "the weakest link" in the authentication chain.
• Rather than arbitrary alphanumeric strings, users tend to choose passwords that are short or meaningful for easy memorisation.
• With web applications and mobile apps piling up, people can access these applications anytime and anywhere with various devices.
• This evolution brings great convenience but also increases the probability of exposing passwords to shoulder surfing attacks.
• Attackers can observe directly or use external recording devices to collect users' credentials.

The objective of the proposed system is to develop an application that resists shoulder surfing attacks in a graphical authentication system.

V. SYSTEM ARCHITECTURE

To overcome the weakness of the traditional PIN-based authentication system, namely the ease with which an attacker can obtain the password in public, this paper proposes a graphical authentication system called PassMatrix. The PassMatrix design is discussed in this section.
The first step is user registration. The user registers by giving information such as user id, user name, password, valid e-mail id, phone number etc.; after this, three images are randomly assigned to the user.
The next step is image discretization. This process divides each image into squares; the user chooses one square in each image as the pass-square. The image should be discretized so that the squares are spacious enough to select a pass-square.
The next step is the login indicator generator, consisting of rows and columns of size 8*6, i.e. 8 rows numbered 1 to 8 and 6 columns named A to F. A new login indicator is generated randomly at each login. There are two scroll bars, a horizontal bar and a vertical bar, to shift the row and column values respectively. In the discretized images the user selects the coordinate squares as the graphical password. The coordinates of all images are stored in the database for the specific user.
A registered user logs in to the application with his user id and password. If they are valid, a One Time Password (OTP) is sent to the user's e-mail; the OTP contains a random pair of vertical and horizontal slider coordinate points for each of the three images. After this login step, the three assigned images are displayed to the user with horizontal and vertical sliders. The user sets the horizontal and vertical sliders for all three images so that the OTP coordinate value aligns with the coordinates chosen at the time of password setting. For instance, if the user chose the pass-square (4,5) in the first image, then the login indicator will be (A,2). Authentication is only possible if the pass-square in each pass-image is correctly aligned with the login indicator.
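As an added example (not code from the paper or its implementation), the following Python sketch models the PassMatrix login flow described above: discretizing a click into a pass-square on the 8-row, A-F-column grid, a keyed hash of the pass-squares standing in for the paper's hash code, a random per-login indicator delivered out of band, the bar shifts the legitimate user makes, and server-side verification, plus a check of what an observer who saw only the shifts can conclude. The use of HMAC, which bar carries letters versus numbers, and all sample values are assumptions.

```python
import hashlib
import hmac
import secrets

# Grid geometry from the paper: 8 rows numbered 1..8 and 6 columns named A..F.
COLUMNS = "ABCDEF"
N_ROWS = 8
N_IMAGES = 3

def discretize(x, y, width, height):
    """Map a click at pixel (x, y) of a width*height image to its pass-square."""
    col = min(x * len(COLUMNS) // width, len(COLUMNS) - 1)
    row = min(y * N_ROWS // height, N_ROWS - 1)
    return (COLUMNS[col], row + 1)

def enroll(pass_squares, key):
    """Keyed hash of the pass-squares (stands in for the paper's 'hashcode');
    the server stores this rather than the raw coordinates. Key is assumed."""
    msg = ",".join(f"{c}{r}" for c, r in pass_squares).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def new_login_indicator():
    """One random (letter, number) pair per image, delivered out of band
    (the e-mail OTP in the paper) so it never appears on the screen."""
    return [(secrets.choice(COLUMNS), secrets.randbelow(N_ROWS) + 1)
            for _ in range(N_IMAGES)]

def user_shifts(pass_squares, indicator):
    """What the legitimate user does: slide the bars until the indicator's letter
    sits over the pass-square's column and its number over its row (bar/axis
    pairing is assumed). Returns (column shift, row shift) per image."""
    shifts = []
    for (pc, pr), (ic, ir) in zip(pass_squares, indicator):
        h = (COLUMNS.index(pc) - COLUMNS.index(ic)) % len(COLUMNS)
        v = (pr - ir) % N_ROWS
        shifts.append((h, v))
    return shifts

def implied_squares(indicator, shifts):
    """Server side: apply the submitted bar shifts to the indicator it issued."""
    squares = []
    for (ic, ir), (h, v) in zip(indicator, shifts):
        col = COLUMNS[(COLUMNS.index(ic) + h) % len(COLUMNS)]
        row = (ir - 1 + v) % N_ROWS + 1
        squares.append((col, row))
    return squares

def verify(stored_hash, key, indicator, shifts):
    """Accept only if the shifted indicator lands on the enrolled pass-squares."""
    got = enroll(implied_squares(indicator, shifts), key)
    return hmac.compare_digest(stored_hash, got)

def squares_consistent_with(h, v):
    """Pass-squares an observer cannot rule out after seeing one image's bar
    shifts but not the indicator: one per possible indicator, i.e. the whole grid."""
    return {implied_squares([(ic, ir)], [(h, v)])[0]
            for ic in COLUMNS for ir in range(1, N_ROWS + 1)}

if __name__ == "__main__":                    # constructed demo run
    key, pw = b"constructed-key", [("C", 4), ("A", 1), ("F", 8)]
    ind = new_login_indicator()
    print(ind, verify(enroll(pw, key), key, ind, user_shifts(pw, ind)))
```

Because the indicator changes every login and is never shown on screen, replaying shifts captured on camera against a fresh indicator fails verification, which is the property the bars are meant to provide.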


VI. RESULTS

[Screenshots of the implemented application; only their captions survive extraction.]
Home page
Admin home page
New user registration
Image password settings: Image 1, Image 2, Image 3
User login
OTP from e-mail
Rearranging the coordinates based on OTP
Authenticated to application to calculate BMI

Conclusion
As web services and apps increase, users can access any application from various devices. While accessing a particular application the user has to go through security checks. However, the user may feel uncomfortable authenticating in public because an attacker may observe the password, i.e. the shoulder surfing attack. In existing systems such as textual passwords or the PIN method, users tend to prefer weak passwords in order to remember them easily, but this kind of authentication is more vulnerable to the shoulder surfing attack.
To overcome this problem, this paper proposed a shoulder surfing resistant authentication system based on graphical passwords. Using the proposed graphical password, the user logs in with a one-time login indicator per image. The proposed system is invulnerable to the shoulder surfing attack because of the design of the horizontal and vertical bars that cover the entire pass-image. With the proposed system the user can log in even in public, because it offers attackers no clue to crack the password.

REFERENCES
[1] S. Sood, A. Sarje, and K. Singh, "Cryptanalysis of password authentication schemes: Current status and key issues," in Methods and Models in Computer Science, 2009. ICM2CS 2009. Proceeding of International Conference on, Dec 2009, pp. 1–7.
[2] "Google glass snoopers can steal your passcode with a glance," http://www.wired.com/2014/06/google-glass-snoopers-cansteal-your-passcode-with-aglance/.
[3] "Black hat: Google glass can steal your passcodes," https://www.technologyreview.com/s/529896/black-hatgoogle-glass-can-steal-your passcodes/.
[4] R. Dhamija and A. Perrig, "Deja vu: A user study using images for authentication," in Proceedings of the 9th conference on USENIX Security Symposium-Volume 9. USENIX Association, 2000, pp. 4–4.
[5] "Realuser," http://www.realuser.com/.
[6] I. Jermyn, A. Mayer, F. Monrose, M. Reiter, and A. Rubin, "The design and analysis of graphical passwords," in Proceedings of the 8th conference on USENIX Security Symposium-Volume 8. USENIX Association, 1999, pp. 1–1.
[7] S. Wiedenbeck, J. Waters, J. Birget, A. Brodskiy, and N. Memon, "Passpoints: Design and longitudinal evaluation of a graphical password system," International Journal of Human-Computer Studies, vol. 63, no. 1-2, pp. 102–127, 2005.
[8] A. Paivio, T. Rogers, and P. Smythe, "Why are pictures easier to recall than words?" Psychonomic Science, 1968.
[9] D. Nelson, U. Reed, and J. Walling, "Picture superiority effect," Journal of Experimental Psychology: Human Learning and Memory, vol. 3, pp. 485–497, 1977.
[10] S. Brostoff and M. Sasse, "Are passfaces more usable than passwords? a field trial investigation," PEOPLE AND COMPUTERS, pp. 405–424, 2000.
[11] A. De Angeli, M. Coutts, L. Coventry, G. Johnson, D. Cameron, and M. Fischer, "Vip: a visual approach to user authentication," in Proceedings of the Working Conference on Advanced Visual Interfaces. ACM, 2002, pp. 316–323.
[12] B. Ives, K. Walsh, and H. Schneider, "The domino effect of password reuse," Communications of the ACM, vol. 47, no. 4, pp. 75–78, 2004.
[13] "Mobile marketing statistics compilation," http://www.smartinsights.com/mobile marketing/mobilemarketing- analytics/mobile-marketing-statistics/.
[14] V. Roth, K. Richter, and R. Freidinger, "A pin-entry method resilient against shoulder surfing," in Proceedings of the 11th ACM conference on Computer and communications security, ser. CCS '04. New York, NY, USA: ACM, 2004, pp. 236–245.
[15] T. Takada, "fakepointer: An authentication scheme for improving security against peeping attacks using video cameras," in Mobile Ubiquitous Computing, Systems, Services and Technologies, 2008. UBICOMM' 08. The Second International Conference on. IEEE, 2008, pp. 395–400.
[16] S. Wiedenbeck, J. Waters, L. Sobrado, and J.-C. Birget, "Design and evaluation of a shoulder-surfing resistant graphical password scheme," in Proceedings of the working conference on Advanced visual interfaces, ser. AVI '06. New York, NY, USA: ACM, 2006, pp. 177–184.
[17] D. Kim, P. Dunphy, P. Briggs, J. Hook, J. Nicholson, J. Nicholson, and P. Olivier, "Multi-touch authentication on tabletops," in Proceedings of the 28th international conference on Human factors in computing systems. ACM, 2010, pp. 1093–1102.
