Tuesday, 22 September 2015

GAZE-BASED HIDING VISIBILITY FOR HUMAN SHOULDER-SURFING RESISTANT PIN-ENTRY

Summary

A gaze-based hiding visibility PIN-entry technique presents four horizontal rows of objects (digits and symbols), with five objects in each row. The first and third rows hold the digits 0 to 9 in random order (their buttons are disabled). The second and fourth rows hold familiar symbols such as $ and @, also in random order (their buttons are enabled), and these two rows are responsible for the objects in the first and third rows. The technique needs four rounds. All rounds are PIN-entry rounds, in which the ith digit of the PIN is entered in the ith round for i = 1, 2, 3, 4. In each round the user is given a random arrangement of objects and enters a PIN digit by pressing the symbol collocated with that digit instead of pressing the digit directly. The objects vanish (are hidden) when the user presses a button, and another random order of objects is generated for the next round when the user releases it. For example, if the PIN is 2371, the user recognizes that @ is collocated with the first digit of the PIN, 2, and presses the symbol @ for the first PIN digit. The objects are hidden when the user presses the @ button, and another random order of objects is generated for the second round when the user releases it. The same PIN-entry method continues for the remaining three rounds.

http://ijartet.com/papers/NCRIT15/V02S170327.pdf
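
The four rounds described above can be simulated as follows. This is an added example, not code from the paper: the symbol set beyond $ and @, the function names, and the reading of "collocated" as "the symbol directly below the digit" are assumptions.

```python
import secrets

DIGITS = "0123456789"
SYMBOLS = "$@#%&*+=?!"  # constructed set; the page names only $ and @
_rng = secrets.SystemRandom()

def new_round():
    """Rows 0 and 2: shuffled digits. Rows 1 and 3: shuffled symbols. Five per row."""
    d, s = _rng.sample(DIGITS, 10), _rng.sample(SYMBOLS, 10)
    return [d[:5], s[:5], d[5:], s[5:]]

def collocation(rows):
    """Map each symbol to the digit directly above it (assumed meaning of 'collocated')."""
    mapping = dict(zip(rows[1], rows[0]))
    mapping.update(zip(rows[3], rows[2]))
    return mapping

def symbol_for(rows, digit):
    """The user's mental step: find the symbol collocated with a PIN digit."""
    return next(s for s, d in collocation(rows).items() if d == digit)

def verify(layouts, pressed, pin):
    """Server side: decode every press under the layout shown in that round."""
    if not (len(layouts) == len(pressed) == len(pin)):
        return False
    entered = "".join(collocation(r).get(s, "?") for r, s in zip(layouts, pressed))
    return secrets.compare_digest(entered, pin)

def simulate_login(pin):
    """One fresh layout per PIN digit; returns the layouts shown and the symbols pressed."""
    layouts = [new_round() for _ in pin]
    pressed = [symbol_for(rows, digit) for rows, digit in zip(layouts, pin)]
    return layouts, pressed

if __name__ == "__main__":
    layouts, pressed = simulate_login("2371")
    print("pressed symbols:", pressed)  # differs from login to login
    print("accepted:", verify(layouts, pressed, "2371"))
```

The pressed symbols alone do not determine the PIN; they decode to digits only together with the layout of the same round, which is the information the scheme hides while a button is held.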

Textual and Graphical Password Authentication Scheme Resistant to Shoulder Surfing

We propose a scheme that combines text and graphics: a Textual Graphical Password Authentication Scheme Resistant to Shoulder Surfing, which is a basic Single Set Scheme. To increase the level of security and to prevent brute force attacks we introduce an SMS module. To log in, the user should find all of his original password characters in the login image and click inside the invisible triangle, which is also called the password triangle. This password triangle is created using 3 original password characters. The user can select any character that is inside the invisible triangle or on the border of the password triangle. These selected characters are known as session characters, and together they make up the session password. The scheme therefore has two types of password: the original password and the session password. The original password is set by the user while registering in the system, and the session password is created when the user clicks inside the password triangle during login. The session password changes every time the user tries to log in. This is due to a technique called “Change Image Technology”: the system generates a new login image every time the user tries to log in. This helps in securing the original password from being hacked.

It is possible that two of the three password triangle characters are the same. In that case the password triangle cannot be formed, so we consider a line instead of the triangle and the user clicks on that invisible line. In the exceptional case where all three password triangle characters are the same, neither a triangle nor a line can be formed, so the user has to consider a virtual circle centered on that character.

Our system's key feature is the Change Image Technology, which prevents brute force attacks and shoulder surfing by changing the image for each session and for each authentication stage, which makes the password difficult to crack. Also, the length of the password is four, which is easy for users to remember. Thus our proposed system fulfills all the requirements of security.


http://research.ijcaonline.org/volume114/number19/pxc3902031.pdf
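
The three geometric cases above (triangle, line, circle) reduce to one acceptance check on the click position. This is an added example, not the paper's code: the grid layout, the line tolerance `tol`, the circle `radius`, all function names, and the handling of three different characters that happen to lie on one line are assumptions.

```python
import math

def _cross(o, a, b):
    """Z component of (a - o) x (b - o); its sign tells which side of o->a point b lies on."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])

def _dist_to_segment(p, a, b):
    """Distance from p to the segment a-b (a != b)."""
    dx, dy = b[0] - a[0], b[1] - a[1]
    t = ((p[0] - a[0]) * dx + (p[1] - a[1]) * dy) / (dx * dx + dy * dy)
    t = max(0.0, min(1.0, t))
    return math.hypot(p[0] - (a[0] + t * dx), p[1] - (a[1] + t * dy))

def click_accepted(click, p1, p2, p3, tol=10.0, radius=45.0):
    """True if the click falls in the password triangle, or on its line/circle fallback."""
    pts = sorted(set([p1, p2, p3]))
    if len(pts) == 1:                      # all three characters are the same: circle
        return math.dist(click, pts[0]) <= radius
    if len(pts) == 2 or _cross(pts[0], pts[1], pts[2]) == 0:
        # two characters are the same, or (assumed extra case) three collinear ones: line
        return _dist_to_segment(click, pts[0], pts[-1]) <= tol
    a, b, c = pts
    signs = [_cross(a, b, click), _cross(b, c, click), _cross(c, a, click)]
    return not (min(signs) < 0 < max(signs))   # border points (a zero) count as inside

def session_characters(layout, triple, tol=10.0, radius=45.0):
    """All characters of the login image that are valid session characters."""
    p1, p2, p3 = (layout[ch] for ch in triple)
    return {ch for ch, pos in layout.items()
            if click_accepted(pos, p1, p2, p3, tol, radius)}

def make_layout(chars="ABCDEFGHIJKLMNOPQRSTUVWXY", cols=5, pitch=40):
    """Constructed login image: characters on a grid, in the order given."""
    return {ch: ((i % cols) * pitch, (i // cols) * pitch) for i, ch in enumerate(chars)}

if __name__ == "__main__":
    layout = make_layout()
    print(sorted(session_characters(layout, "AEU")))   # triangle
    print(sorted(session_characters(layout, "AAE")))   # line
    print(sorted(session_characters(layout, "MMM")))   # circle
```

Passing a differently ordered `chars` string to `make_layout` for each login models the changing login image: the same three password characters then yield a different set of session characters.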

Sunday, 20 September 2015

To Mitigate Online Password Guessing Attack By Implementing: P3-HA

This research is based on the human need for privacy and usefulness. Privacy deals with protecting user information from anti-social activity, and usefulness is understood in terms of the human power of remembrance. Building on this concept, the paper proposes a new algorithm called P3-HA (Pictorial PanOut Password - Hunch Attack), which is an advanced version of previous pictorial techniques. Instead of dextral-based passwords, the proposed system uses pictorial passwords. P3-HA limits the total number of click events generated in an image while selecting the password. It not only restricts failed attempts on dextral during login but also restricts the number of trial attempts after the image challenge is given. This image was given to the user at the time of registration, so only the authorized user knows the sequence used in the image. The image is divided into 16 grid cells and the user has to click on 5 cells to generate his secret. Hence our proposed system is very much preventive and secure as compared to other image based techniques. Again, at the time of the challenge an attacker will get a scrambled image and has to identify the correct sequence to get access. The number of click points is restricted to 3 attempts only; after that the user gets blocked.


http://www.ijcsit.com/docs/Volume%205/vol5issue02/ijcsit20140502293.pdf

Saturday, 19 September 2015

Authentication Scheme for Shoulder surfing using Graphical and Pair Based scheme

In the graphical scheme, at registration the user sets his password and selects one color out of 8 colors given by the system. At login a wheel divided into 8 sectors appears on the screen. The user selects the sector that contains his particular color. If this sector does not contain his password character, the user rotates the wheel clockwise or anti-clockwise to recognize his original password character and clicks the confirm button. The process is repeated until the user has recognized all of his original password. Each sector holds a combination of alphanumeric and special characters, and the user selects from it. Three wrong attempts disable the account and an email is sent to the user.

In the pair based scheme the user sets a password of minimum length 8 (both even and odd). At login a 6x6 grid appears; the user types the first letter of the row and of the column that contain the password character and clicks on the character at the intersection of that row and column. The user then selects the next row, column and intersection point. The process is repeated until all password characters have been selected.

http://ijarcsms.com/docs/paper/volume2/issue10/V2I10-0058.pdf

Thursday, 17 September 2015

Preventing Shoulder-Surfing Attack with the Concept of Concealing the Password Objects’ Information

In this paper, a picture-based password scheme is proposed that conceals information about the password images as much as possible. The proposed method has two phases: the Registration Phase and the Authentication Phase. During the Registration Phase, users are required to select multiple images as their password. Users are also required to remember the sequence in which the password images were selected. During the password selection process, an image can only be used once. Duplication of images in the password selection is not allowed because it decreases the randomness of the proposed system. During the Authentication Phase, a user is required to identify the correct “target” images within a grid of N x N images, where N is the grid size. The pictures shown in the grid are randomly shuffled. The users are required to click on the final “target” picture in the grid with the aid of the sequence of the registered password pictures. In order to log in, the user has to mentally go through a series of steps. For each step, there will be a starting picture, a cued picture, and a target picture, denoted as Pstart, Pcued, and Ptarget, respectively. Initially, the starting picture and the cued picture are determined by the first and second password pictures (registered by the user during the Registration Phase), respectively. From the starting and cued pictures, the user has to identify the first “target” picture using the proposed algorithm. The first step is completed once the first “target” picture is determined. In the next step, the user has to find the next “target” picture with the aid of the current starting and cued pictures. In this step, the first “target” picture is used as the current starting picture and the current cued picture is obtained from the next registered password picture (the third password picture). The same algorithm is used to determine the next “target” picture. This process is repeated until the last step, when the final “target” picture is obtained. The user is required to click on the final “target” picture, and a challenge round is then considered complete. The number of steps in the Authentication Phase is always one less than the number of password images selected. The number of challenge rounds is arbitrary and can be increased to suit the level of security required, thus improving the password space, though the amount of mental work expended by the user increases accordingly.


http://www.hindawi.com/journals/tswj/2014/838623/

Shoulder Surfing Defence for Recall-based Graphical Passwords

In this paper, we study shoulder surfing defences for recall-based graphical password systems such as Draw-A-Secret (DAS) and Background Draw-A-Secret (BDAS). A DAS password is a free-form picture drawn on an N x N grid. The grid is denoted by discrete rectangular coordinates (x, y), which are used to indicate the cells that are crossed by the user’s drawn secret (password). A DAS password is recorded by the system as a sequence of coordinate pairs such as (2,2); (3,2); (3,3); (2,3); (2,2); (2,1); (5,5), where (5,5) is distinguished as a “pen-up” indicator. There are three techniques.

In the Decoy Strokes technique the user first draws the strokes on the screen for DAS. The method employed here is that when the user draws the strokes, the user sees only points on the screen. The points are the intersections of the strokes with the grid in the DAS screen, along with the starting and ending points of each stroke. The points are generated as the user draws the password. However, this algorithm is not applied while the user is setting his password. It is applied during the login session, when the user enters this password for authentication.

The disappearing stroke solution entails the user's stroke being removed from the screen after it has been drawn. The idea behind this is that the password information of an individual stroke is removed, which gives the attacker less time to commit the image to memory. This solution is designed both for passwords that have multiple strokes and for passwords of one long stroke, although it might work better for the former type. The stroke was designed to be wiped from the screen only after the user has finished drawing that particular stroke (i.e. when the stylus is removed from the screen). This was implemented using a timer whose purpose was to remove the stroke after a certain period of time (after the pen-up event).

The line snake defence was designed to combat shoulder surfing for passwords containing long singular strokes. It allows stroke information to be removed from a long singular stroke whilst the stroke is still being drawn. The variable factor chosen for this solution was the speed at which the user's stroke disappears (snakes away) from the screen.

https://cups.cs.cmu.edu/soups/2011/proceedings/a6_Zakaria.pdf
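
The DAS encoding described above, turning pen samples into the sequence of crossed cells plus a pen-up marker, as an added example that is not code from the paper. The 4 x 4 grid, the 100-pixel cell size, the use of (N+1, N+1) as the pen-up pair (which gives the (5,5) of the example sequence), the rejection of ambiguous diagonal or skipped crossings, and the sample drawings are assumptions.

```python
def encode_das(strokes, n=4, cell=100):
    """Encode pen strokes (lists of (x, y) pixel samples) as DAS cell coordinates.

    Cells are numbered 1..n on both axes; each stroke ends with the pen-up pair.
    """
    pen_up = (n + 1, n + 1)
    sequence = []
    for stroke in strokes:
        prev = None
        for x, y in stroke:
            cx, cy = int(x // cell) + 1, int(y // cell) + 1
            if not (1 <= cx <= n and 1 <= cy <= n):
                raise ValueError(f"sample ({x}, {y}) is outside the {n} x {n} grid")
            if (cx, cy) == prev:
                continue                      # still inside the same cell
            if prev and abs(cx - prev[0]) + abs(cy - prev[1]) != 1:
                # diagonal or skipped cell: the crossed cells are ambiguous
                raise ValueError("stroke moved to a non-adjacent cell")
            sequence.append((cx, cy))
            prev = (cx, cy)
        if prev is not None:
            sequence.append(pen_up)           # stylus lifted
    return sequence

# Two constructed drawings: different pixels, same cells crossed in the same order.
DRAWING_A = [[(150, 150), (250, 150), (250, 250), (150, 250), (150, 150), (150, 50)]]
DRAWING_B = [[(110, 190), (199, 160), (205, 170), (290, 210), (180, 260),
              (120, 120), (130, 10)]]

if __name__ == "__main__":
    print(encode_das(DRAWING_A))
    print(encode_das(DRAWING_A) == encode_das(DRAWING_B))
```

Both drawings encode to the sequence given in the summary, which shows that the stored secret is the order of crossed cells and pen-up events rather than the exact pixels drawn.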


Tuesday, 15 September 2015

3-Level Password Authentication System

Summary

The first level is image ordering, which simply means selecting previously set images in the same order. From a sequence of images, the user can select a few images at random. The images provided are commonly used, user friendly and easy to remember. The maximum limit of image selection will be set to three images. During the authentication phase, the sequence of images is presented in a shuffled order, from which the user selects the same set of images chosen during the registration phase, in the same order. In case of any invalid selection of images, the system will be locked automatically after a few trials, based on the count given.

After image ordering, the second level is the selection of color pixels. The user can select a single color pixel from the different blocks of colors provided. The maximum limit of color pixel selection will be set to one. During the authentication phase, the previously set images are chosen in the first level and then the user is redirected to the second level, i.e. the color pixel selection, where the user selects the same color pixel chosen in the registration phase. In case of any invalid selection of images or color pixel, the system will be locked automatically after a few trials, based on the count given.

In the third level, the one-time password (OTP) technique is used, that is, a password which is valid for a single session. The OTP is securely generated and verified using a smartphone. The major advantage of the system is that a different OTP is generated each time the user tries to log in.


http://www.ijrdet.com/files/Volume2Issue4/IJRDET_0414_23.pdf