See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/261393150

A novel 3-Layer user authentication system for remote accessibility

Conference Paper · December 2012

DOI: 10.1109/ICCITechn.2012.6509709

CITATIONS READS

2 172

2 authors, including:

Kamruddin Nur
American International University-Bangladesh
47 PUBLICATIONS 323 CITATIONS

SEE PROFILE

All content following this page was uploaded by Kamruddin Nur on 13 April 2024.

The user has requested enhancement of the downloaded file.

 A Novel 3-Layer User Authentication System
for Remote Accessibility
Mahmud Hasan1 ∗ and Kamruddin Md. Nur2 †
1
Dept. of Allied Engineering, Bangladesh University of Textiles
Dhaka, Bangladesh
2,
Dept. of Computer Science & Engineering, Stamford University Bangladesh
Dhaka, Bangladesh
∗ hasanpoet@gmail.com, † kamruddin.nur@gmail.com
Abstract—User authentication through password matching
is an age-old issue. It has been popularly being used in the
computing world for its simplicity, flexibility and remote
accessibility. Although people later developed and deployed
some other authentication systems like Biometrics Authen-
tication and Token-Based Authentication; despite proving
higher degree of security, they all suffer from an orthodox
problem- remote accessibility to an Internet-Based System.
Again, for remote access, the general trend of using textual
passwords is not guaranteed to be highly secured and,
most often, they are seen breached by the intruders using
some common password breaking algorithms. Hence, a more
reliable, robust, secured and allover simple authentication
system for remote accessibility is yet needed in digital world.
In this paper, we propose a 3-Layer user authentication
system for remote access of Internet-based systems that
is guaranteed to be more secured, robust and reliable as
compared to its existing counterparts. Besides, the proposed
system ensures flexibility, reduced complexity and simplicity
as well.
Index Terms—User Authentication System, Secured Re-
mote Accessibility, Layerd Authentication Architecture,
Graphical-Textual Based Authentication, Robust LogIn
Mechanism.
I. Introduction
Present user authentication systems can be categorized
in three types [1], [2]. First, a textual password based
authentication system where the principle is what
you know. A user needs to assign a password prior to
perform his authentication to the system. Once assigned,
the system just checks whether the given user-id and
password matches with the one stored in the database.
Although this scheme has been in widespread use,
the universal trade-off of making a textual password
easy to remember but difficult to guess ever leads this
system to a riddling stage. Second, a token-based
authentication system where the system’s principle is
to verify what you have. In this system, the user has
to carry a token or smart card with him in order to
access the system. The system first takes the card and
then takes a password from the user and finally gives
access if both the information provided by the user
complies with its database. This authentication system
is popular in banking sectors with tokens such as ATM,
Debit and Credit Cards [1]. The third authentication
system requires neither a password nor a token, rather,
it directly verifies who you are through a biometric
detection system. This detection can be the user’s
978-1-4673-4836-2/12/$31.00 ©2012 IEEE
retina detection, iris detection, fingerprint detection,
face recognition, voice recognition, movement detection,
palm-print detection, hand-geometry detection and
other popular biometric detections [3].
Clearly, the third authentication system is much
more secured and robust as compared to the first and
second ones since it is itself capable of ensuring the
authenticity of the user without any confusion. All this
system suffers from is just the requirement of the user
to be physically present before the system. Moreover,
many people do not always like to let their biological
data be used for authentication purpose. In some
legal regards like government security concerns, users
may be forced to do so. Consequently, the biometric
based authentication is suitable for being deployed
in a legal-physical environment, not for a virtual
environment where remote accessibility is a must.
Likewise, we cannot easily make use of the token-based
authentication system for accessing an E-mail or Social
Network Server. Thus, whenever the question of secured
remote access arises, we have to yet depend on the
textual password based user authentication systems.
Nevertheless, studies conducted by Klein [4] observed
that users of textual based authentication system have a
common trend of using simple phrases and meaningful
dictionary words 25% of which can be breached by
using a small subset of full password space. Again, they
are very much vulnerable to Hacking and Brute-Force
Attacks [5]. Therefore, the textual password based
authentication system requires special attention and
further improvement since we cannot go without it for
secured access to remote systems.
An alternative to simple textual password based
authentication system is using graphical passwords [6].
It demonstrates the fact that human being is supposed
to remember a picture better than they do for a text.
Although the graphical passwords prove higher security
as compared to textual passwords against Brute-Force
Attacks, Dictionary Attacks, Spyware and Shoulder
Surfing to some extents, it is still in immature stage and
requires more research to be completely deployed in the
market [7].
In this paper, we present a 3 layer secured user
authentication scheme for accessing remote systems.
441
The proposed system is a clear improvement over
the existing textual password based authentication
systems since it authenticates an individual through
three different phases making the breaching task of
intruders three times tougher. In each phase, it combines
the features of graphical password scheme with the
textual password scheme. The experimental results
show that the proposed scheme is more robust against
different attacks and capable of ensuring higher degree
of usability.
The rest of the paper is organized as follows. Section
II describes the background details of the problem
being discussed. Section III presents the proposed
system’s requirements and implementation details.
Following this, the experimental results are presented
in Performance Studies of Section IV. Finally, Section
V discusses the summary of the problems, proposed
solution and experimental outcomes.
II. Background Study
A. Knowledge Based Authentication Systems
Knowledge Based Authentication System is one that
deals with what information the user knows. Various
approaches have been proposed under this title [8], [9],
[10]. These approaches with a little variation are being
used in almost every systems where remote access is
required. For instance, we can consider most popular
E-mail Service Providers gmail, hotmail and ymail
systems that ask for a specific user-id and password
from an individual and then check if they properly
match with the previously stored id-password. All the
user has to do is to enter his/her user-id and a textual
password. This system allows remote access but is
vulnerable to attacks. Because the users trend to select
dictionary words or phrases as passwords, one simple
password cracker running for only 30 seconds over a
network could breach almost 80% of the passwords of
the entire network [11]. Thus, passwords chosen for
this scheme suffer from being hard to guess but easy to
remember [12].
B. Token Based Authentication Systems
Unlike Knowledge Based Authentication System, the
Token Based Authentication does not only require a
password to be remembered, it requires if the user
carries proper token/card as well. Many approaches
have also been proposed for this scheme [13], [14],
[15]. This system is more robust in the sense that an
intruder cannot access the system for a specific user
even knowing his password unless the intruder has
acquired the proper token. On the contrary, it is less
robust in the sense that this system often demands
only 4-6 digits numeric passwords that are even easier
to breach. Thus, if an intruder can somehow steal or
manage the token/card, accessing the system as the
carrier of that card is more easier.
978-1-4673-4836-2/12/$31.00 ©2012 IEEE
C. Biometric Authentication System
Biometric Authentication Systems have lately been
popular in the digital authentication arena since it
is completely free from Brute-Force or other security
attacks [16]. Biometric Authentication System can be
further classified by Voice Recognition, Face Recognition,
Palm-Print Recognition, Hand-Geometry Recognition,
Fingerprint Detection, Iris Detection, Retina Detection
and Movement Detection [17], [18]. This is the most
secured form of authentication among all three user
authentication types discussed in subsection II-A, II-B
and II-C respectively. However, this authentication
system requires the presence of the user before the
system and hence not suitable for remote accessing. Yet,
a lot of biometric based user authentication systems
have been proposed, deployed and being used in digital
world [18].
D. Graphical Password Based Authentication System
For remote access with higher robustness as compared
to textual passwords, graphical password based
authentication systems have been proposed. Blonder
[19] first introduced the concept of graphical password.
Later, Dhamija et. al. proposed Deja Vu [6] which
is, in effect, a recognition-based graphical password
scheme. At present there are many approaches available
for graphical password based authentication system,
although, Xiaoyuan Suo et. al. [7] mentioned that
this scheme is still under research and require more
experiments to finally deploy in the market.
E. Graphical-Textual Password Based Authentication System
In recent times, several approaches have been
proposed that combine the usability of textual
passwords with the security and robustness of the
graphical passwords [20], [21], [22]. These schemes
although vary in several points, regardless of their
working techniques, they all suffer from the easy
accessibility to the Internet based system.
Table I presents a comparative analysis among all
the user authentication system discussed. It is clearly
visible that remote-accessibility with high security level
is not present in the digital world right now. Thus
our proposed system aims to design an authentication
system that is suitable for remote access with proven
high security.
III. Proposed System
In order to provide a robust user authentication
system for remote-access, in this section, we propose
a three layer mechanism where the authentication is
performed in three consecutive steps. The proposed
system does not require any special arrangement to be
deployed. The requirement of the proposed system is
similar to that of its present textual password system
counterpart. Hence, no extra cost is needed for the setup
of the proposed system.
442
 TABLE I
Comparative Properties of the Existing Authentication Systems
Method Knowledge Based Token Based
Security Level Low Low
Remote Accessibility Yes No
A. Signing Up Phase
Let us consider a user trying to access a system for the
first time. Hence, s/he requires to set up an account first.
After taking the personal details of the user, the system
will ask the user for choosing his/her authentication
keys in three consecutive steps. At the first step the user
has to select an image from the ones available in the
system or may choose one of his own after uploading
to the system. This step poses the first layer of security
in the proposed system. Let the user choose the image
i from the set of n images. This set of n images is
further subdivided into several subsets like n1 , n2 ,
n3 ,....,nn each representing a category of the images like
nature, animals, sports etc. While further accessing to
the system, the user must know which category his/her
previously chosen picture falls to (selection of subset
ni ) and which image s/he chose (selection of image i). If
the user fails to properly recognize the exact subset and
exact image, the system does not let the user access the
system. In the background of the system, a simple index
of the subsets and the images has to be maintained
which will help the system recognize the user.
At second stage, the selected image i is divided into
k number of m × n blocks, each block is chosen such
that it represents a particular region or subregion of
an image. The dimension of each block is fixed by the
system that chooses it based on the region information
of the image. In this step, the user has to select one such
block. Let the user select ki block (a region of his/her
choice) whose dimension is m × n. The block ki contains
m × n number of pixels and the system takes the average
pixel value of the block to its nearest possible integer.
Finally, the user is required to provide a textual
numeric password of his own choice. But this password
should not cross the limit of 24 bits. That is, the chosen
password should be a combination from available
1,67,77,216 various types. Now, the user given password
is simply XORed with the 24 bits average pixel value
of the m × n number of pixels of block ki obtained
from previous step. The reason for choosing XOR
function is that it is only XOR that generates unique
bit stream while performed with a key. However,
other cryptographic approaches are also allowed if the
system wants higher level of security. Figure 1 shows a
schematic diagram of the proposed system.
B. System Accessing Phase
During accessing phase, the system first lets the user
find the subset ni he fixed up before. If it is successful,
the system then lets him/her find the image i. If the
user can successfully recognize the image i, the system
978-1-4673-4836-2/12/$31.00 ©2012 IEEE
Biometric Based Graphics Based Graphical-Textual Based
High Moderate High
No Yes No
asks him/her to find the region ki . Since each region is
predefined by the system, the users need not carry the
dimension in mind, rather, he should just properly click
on the particular region. After successful recognition of
the region, the user is asked to provide his secret key
(password). Now, the secret key is XORed with average
pixel value APi and the result is matched with the one
stored in database. Whenever the database information
agrees, the authentication process is completed and the
user is allowed to access the system. If any selection or
recognition at any step is failed, the system immediately
blocks the user.
C. Pseudocode Representation
The complete process can be viewd as a pseudocode
as give in algorithm 1.
IV. Performance Studies
This section considers how much robustness the
proposed system can achieve. At first step, when
the subset is to be selected, if there is n subsets of
images, the intruder has 1/n probability to breach this
section successfully. Later, when the image i is to be
selected, if subset ni contains p number of images,
the intruder has to again deal with the probability
1/p. Now, if the selected image contains x regions, the
intruder has to face a breaching probability 1/x once
again. Additionally, the intruder has to find out the
24 bits long user password which has the 1/16777216
probability [23]. According to probability theory, the
intruder has the probability 1/n × 1/p × 1/x × 1/16777216
to breach the authentication [23], whereas, for the
present textual base password system, the probability
of breaching the authentication is only 1/Sp , where Sp
is the total number of digits the user uses. It is true
that the more the length of Sp , the more secured the
password; however, it again conflicts with the trade-off:
the longer passwords are stronger against attacks but difficult
to remember [24].
The proposed system has been tested against
a 24 bits textual password system. The matlab
implementation shows that a chosen password in
a textual password based system is breached most often
while the proposed system does not. Table II shows a
comparative performance study conducted during our
experiment phase in order to find out how much time it
may take to breach a password in the proposed system
and in an existing textual based password system.
Table III lists a portion of our detailed performance
studies conducted for different passwords commonly
used today. It shows that maximum easy to remember
443
 Fig. 1. Schematic Diagram of The Proposed System.
SELECT subset ni FROM n available subsets
SELECT i FROM the subset ni
SELECT region ki of dimension mxn from i
GET the pixel values in region ki
GET the average pixel value APi of block ki
TAKE user password Pi of 24 bits
FinalPassword =Pi XOR APi
STORE FinalPassword in database
Algorithm 1. Pseudocode Representation of Proposed System
passwords of the existing textual password based
authentication systems are very much vulnerable while
the same passwords used in the third layer of the
proposed system helped block the intruder attack.
V. Conclusion
This paper presents a three layer user authentication
system for remote accessibility. This study explored
the existing user authentication systems and observed
which systems do not fit for remote access even having
the higher degree of robustness. Further, our study takes
into account the problems of the existing systems and
discusses their relevant studies properly. Then this study
proposed a new authentication system that combines
the robustness of graphical passwords with the remote
accessibility of textual password schemes in a three
layer architecture. The performance analysis section
of this paper proved the robustness of the proposed
system as compared to its existing counterparts. In
addition, the implementation of the proposed scheme
is as simple as doing for an existing textual password
based authentication system thus suitable for any
remote authorization.
References
[1] Fawaz A. Alsulaiman and Abdulmotaleb El Saddik, “Three-
Dimensional Password for More Secure Authentication,” IEEE
Transaction on Instrumentation and Measurement, Vol. 57, No. 9,
pp. 1929-1938, September 2008.
[2] Ayannuga Olanrewaju O., Folorunso Olusegun, Akinwale Adio T.
and Asiribo E. O., “A Secure Usability Design System for User
Authentication,” International Journal of Computer Science and
Network Security, vol. 11 No. 4, pp. 151-158, April 2011.
[3] Ms. Vidya Mhaske-Dhamdhere and Prof. G. A. Patil, “Three Di-
mensional Object Used for Data Security,” International Conference
on Computational Intelligence and Communication Networks,
DOI:10.1109/CICN.2010.83, pp. 403-408, 2010.
978-1-4673-4836-2/12/$31.00 ©2012 IEEE
[4] D. V. Klein, Foiling the cracker: A survey of, and improvement to
passwords security, in Proc. USENIX Security Workshop, pp. 514,
1990.
[5] Prof. Gauri Rao, “SECUREZZA,” CIT Journal of Research, vol. 1,
May 2010.
[6] R. Dhamija and A. Perrig, ”Deja Vu: A User Study Using Images
for Authentication,” in Proceedings of 9th USENIX Security Sym-
posium, 2000.
[7] Xiaoyuan Suo, Ying Zhu and G. Scott. Owen, “Graphical Pass-
words: A Survey,”
[8] Xiyu Liu, Lizi Yin and Zhaocheng Liu, “A Stroke-Based Tex-
tual Password Authentication Scheme,” First International Work-
shop on Education Technology and Computer Science, vol. 3,
DOI:10.1109/ETCS.2009.544, pp. 90-95, 2009.
[9] Gayathiri Charathsandran, “Text Password Survey: Transition from
First Generation to Second Generation,”
[10] Horng-Twu L. and Chin-Laung L, “An efficient password authen-
tication scheme based on a unit circle,” Computer and Security,
Elsevier, Vol. 14, No. 3, pp. 220-220, 1995.
[11] K. Gilhooly, ”Biometrics: Getting Back to Business,” in Comput-
erworld, May 2005.
[12] A. Adams and M. A. Sasse, ”Users are not the enemy:why
users compromise computer security mechanisms and how to take
remedial measures,” Communications of the ACM, vol. 42, pp. 41-
46, 1999.
[13] NBC news, “ATM Fraud: Banking on Your Money, Dateline
Hidden Cameras Show Criminals Owning ATMs,” Dec. 11, 2003.
[14] T. Kitten, “Keeping an Eye on the ATM,” July 2005. [Online
Available: ATMMarketPlace.com]
[15] BBC news, “Cash Machine Fraud up, Say Banks,” November 2006.
[16] Ross, A. and Prabhakar, S., “An introduction to biometric recog-
nition,” vol. 14, issue. 1, DOI:10.1109/TCSVT.2003.818349, pp. 4-20,
January 2004.
[17] Siddhesh Angle, Reema Bhagtani and Hemali Chheda, “BIOMET-
RICS : A FURTHER ECHELON OF SECURITY,”
[18] Massimo Tistarelli and Mark S Nixon, “Advances in Biometrics,”
SpringerLink, ISBN: 9783642017933 3642017932 9783642017926
3642017924, 2009.
[19] G. E. Blonder, Graphical password, U.S. Patent 5 559 961, Sep. 24,
1996.
[20] Huanyu Zhao and Xiaolin Li, “S3PAS:A Scalable Shoulder-Surfing
Resistant Textual-Graphical Password Authentication Scheme,”
[21] C Singh and L Singh, “Investigating the Combination of Text and
Graphical Passwords for a more secure and usable experience,”
International Journal of Network Security & Its Applications, Vol.
3, No. 2, pp. 78-95, March 2011.
444
 TABLE II
Password Breaking Time Comparison using Simple Character Combination

24 bits Textual Password System Average Breaking Time 24 bits Proposed Password System Average Breaking Time
Numeric Alphabetic Alphanumeric Numeric Alphabetic Alphanumeric
6.5 Minutes 7 Minutes 25 Minutes Not until 2 Hours Not until 2 Hours Not until 3 Hours

TABLE III
One Minute Experiment Results upon the Commonly used Passwords

Password 1 Minute Experiment for Textual Password Based System 1 Minute Experiment for Proposed System
123456 Breached at 56th second Could not breach the FIRST level
000111 Breached at 5th second Could not breach the FIRST level
abcd01 Could not breach within 1 min Could not breach the FIRST level
abcdef Breached at 59th second Could not breach the SECOND level
111111 Breached at 21st second Could not breach the FIRST level

[22] Ayannuga Olanrewaju O. and Folorunso Olusegun, “Graphic-

Text Authentication of a Window-based Application,” International
Journal of Computer Applications, Vol. 21, No. 6, pp. 36-42, May
2011.
[23] Ronald E. Walpole, Raymond H. Myers and Sharon L. Myers,
“Probability and Statistics for Engineers and Scientists,” 1st Edi-
tion, ISBN:0138402086, December 1997.
[24] Andrew S. Tanenbaum, “Computer Networks,” 4th Edition,
ISBN:8177581651, December 2008.

978-1-4673-4836-2/12/$31.00 ©2012 IEEE 445

View publication stats