Tuesday, 22 September 2015

GAZE-BASED HIDING VISIBILITY FOR HUMAN SHOULDER-SURFING RESISTANT PIN-ENTRY

Summary

A gaze-based hiding-visibility PIN-entry technique uses four horizontal rows of objects (digits and symbols), with five objects in each row. The first and third rows hold the digits 0 to 9 in random order (their buttons are disabled). The second and fourth rows hold familiar symbols such as $ and @, also in random order (their buttons are enabled), and these two rows stand in for the objects in the first and third rows. The technique needs four rounds, all of them PIN-entry rounds: the ith digit of the PIN is entered in the ith round, for i = 1, 2, 3, 4. In each round the user is shown a random arrangement of objects and enters a PIN digit by pressing the symbol collocated with that digit, instead of pressing the digit directly. The objects vanish (are hidden) while the user presses the button, and a new random arrangement is generated for the next round when the user releases it. For example, if the PIN is 2371 and the user sees that @ is collocated with the first digit of the PIN, 2, the user presses the symbol @ for the first PIN digit. The objects vanish while the @ button is pressed, and a new random arrangement is generated for the second round when the button is released. The same PIN-entry method continues for the remaining three rounds.

http://ijartet.com/papers/NCRIT15/V02S170327.pdf
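The round structure summarised above can be sketched as follows. This is an added example, not code from the paper or from this post; the symbol set, the reading of "collocated" as "directly below", and all function names are assumptions.

```python
import hmac
import secrets

DIGITS = "0123456789"
SYMBOLS = "$@#%&*+=?!"  # assumed symbol set; the summary names only $ and @


def new_layout(rng=None):
    """Fresh random layout for one round, as a mapping symbol -> digit.

    Assumption: 'collocated' means the symbol sits directly below the digit,
    so rows 2 and 4 (symbols) line up with rows 1 and 3 (digits).
    """
    rng = rng or secrets.SystemRandom()
    digits = rng.sample(DIGITS, 10)
    symbols = rng.sample(SYMBOLS, 10)
    return dict(zip(symbols, digits))


def render(layout, hidden=False):
    """Four rows of five objects; all rows are blank while a button is held."""
    if hidden:
        return ["     "] * 4
    syms = list(layout)
    digs = [layout[s] for s in syms]
    return ["".join(digs[:5]), "".join(syms[:5]),
            "".join(digs[5:]), "".join(syms[5:])]


def symbol_for(layout, digit):
    """What the legitimate user presses for a PIN digit in this layout."""
    return next(s for s, d in layout.items() if d == digit)


def verify(pin, layouts, presses):
    """Map each pressed symbol back through its own round's layout.

    The PIN never crosses the keypad directly; only symbols do, and a symbol
    is meaningful only together with the layout of the round it was pressed in.
    """
    if not (len(pin) == len(layouts) == len(presses)):
        return False
    entered = "".join(lay.get(p, "x") for lay, p in zip(layouts, presses))
    return hmac.compare_digest(entered.encode(), pin.encode())


if __name__ == "__main__":
    pin = "2371"
    layouts = [new_layout() for _ in pin]          # one layout per round
    presses = [symbol_for(lay, d) for lay, d in zip(layouts, pin)]
    print(render(layouts[0]), render(layouts[0], hidden=True))
    print("accepted:", verify(pin, layouts, presses))
    # Replaying the observed symbols against four new layouts is a 1-in-10^4 guess.
    print("replay accepted:", verify(pin, [new_layout() for _ in pin], presses))
```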

Textual and Graphical Password Authentication Scheme Resistant to Shoulder Surfing

We propose a scheme that combines text and graphics, a Textual Graphical Password Authentication Scheme Resistant to Shoulder Surfing, which is a basic Single Set Scheme. To increase the level of security and to prevent brute-force attacks, we introduce an SMS module. To log in, the user should find all of his original password characters in the login image and click inside the invisible triangle, which is also called the password triangle. This password triangle is created using 3 original password characters. The user can select any character that is inside the invisible triangle or on the border of the password triangle. The selected characters are known as session characters, and together they make up the session password. The scheme therefore has two types of password: the original password and the session password. The original password is set by the user while registering in the system, and the session password is created when the user clicks inside the password triangle during login. The session password changes every time the user tries to log in, because of a technique called “Change Image Technology”: the system generates a new login image every time the user tries to log in. This helps protect the original password from being hacked. If two of the three password triangle characters are the same, the password triangle cannot be formed, so a line is considered instead of the triangle and the user clicks on that invisible line. In the exceptional case where all three password triangle characters are the same, neither a triangle nor a line can be formed, so the user has to consider a virtual circle centered on that character. Our system's key feature is the Change Image Technology, which prevents brute-force attacks and shoulder surfing by changing the image for each session and for each authentication stage, which makes the password difficult to crack. Also, the length of the password is four, which is easy for users to remember. Thus our proposed system fulfills all the requirements of security.


http://research.ijcaonline.org/volume114/number19/pxc3902031.pdf
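The click check described above, including the line and circle fallbacks, can be written as a small geometry routine. This is an added example, not code from the paper or this post; the pixel coordinates, the line tolerance, the circle radius and the function names are assumptions.

```python
import math


def _cross(o, a, b):
    """z-component of (a - o) x (b - o); its sign says which side b lies on."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])


def _dist_to_segment(p, a, b):
    """Distance from point p to the segment a-b."""
    dx, dy = b[0] - a[0], b[1] - a[1]
    if dx == 0 and dy == 0:
        return math.dist(p, a)
    t = ((p[0] - a[0]) * dx + (p[1] - a[1]) * dy) / (dx * dx + dy * dy)
    t = max(0.0, min(1.0, t))
    return math.dist(p, (a[0] + t * dx, a[1] + t * dy))


def password_region(points):
    """Classify the three password-character positions.

    Three distinct, non-collinear positions give the password triangle; two
    distinct positions (two characters equal) give a line; one position (all
    three equal) gives a circle centred on that character.
    """
    uniq = sorted(set(points))
    if len(uniq) == 1:
        return "circle", uniq
    if len(uniq) == 2 or _cross(*uniq) == 0:
        # Collinear points sort along the line, so the extremes are first/last.
        return "line", [uniq[0], uniq[-1]]
    return "triangle", uniq


def click_is_valid(points, click, line_tol=10.0, circle_radius=20.0):
    """True if the click is inside or on the border of the password region.

    line_tol and circle_radius are assumed values; the summary gives none.
    """
    kind, pts = password_region(points)
    if kind == "circle":
        return math.dist(click, pts[0]) <= circle_radius
    if kind == "line":
        return _dist_to_segment(click, pts[0], pts[1]) <= line_tol
    a, b, c = pts
    signs = (_cross(a, b, click), _cross(b, c, click), _cross(c, a, click))
    # Inside or on an edge: the three signs never disagree.
    return not (any(s < 0 for s in signs) and any(s > 0 for s in signs))


def session_characters(image, password_chars, **kw):
    """Characters of the login image that a user may legally pick this session.

    image maps each displayed character to its (x, y) position.
    """
    pts = [image[ch] for ch in password_chars]
    return "".join(sorted(ch for ch, pos in image.items()
                          if click_is_valid(pts, pos, **kw)))


if __name__ == "__main__":
    # Constructed login image: character -> pixel position.
    image = {"A": (0, 0), "B": (100, 0), "C": (0, 100),
             "D": (30, 30), "E": (50, 50), "F": (80, 80), "G": (200, 200)}
    print(session_characters(image, "ABC"))   # triangle case
    print(session_characters(image, "AAB"))   # line case
    print(session_characters(image, "AAA"))   # circle case
```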

Sunday, 20 September 2015

To Mitigate Online Password Guessing Attack By Implementing: P3-HA

This research starts from users' needs for privacy and usefulness. Privacy deals with protecting user information from anti-social activity, and usefulness refers to the human power of remembrance. Building on these concepts, the paper proposes a new algorithm called P3-HA (Pictorial PanOut Password - Hunch Attack), which is an advanced version of previous pictorial techniques. Instead of dextral-based passwords, the proposed system uses pictorial-based passwords. P3-HA limits the total number of click events generated in an image while selecting the password. It not only restricts failed attempts on the dextral during login but also restricts the number of trial attempts after the image challenge is given. This image was given to the user at the time of registration, so only the authorized user knows the sequence used in the image. The image is divided into 16 grid cells, and the user has to click on 5 cells to generate his secret. Hence the proposed system is more preventive and secure than other image-based techniques. At the time of the challenge, an attacker gets a scrambled image and has to identify the correct sequence to get access. Click-point entry is restricted to 3 attempts; after that the user is blocked.


http://www.ijcsit.com/docs/Volume%205/vol5issue02/ijcsit20140502293.pdf

Saturday, 19 September 2015

Authentication Scheme for Shoulder surfing using Graphical and Pair Based scheme

In the graphical scheme, at the time of registration the user sets his password and selects one color out of 8 colors given by the system. At the time of login, a wheel divided into 8 sectors appears on the screen. The user selects the sector that contains his particular color. If this sector does not contain his password character, the user rotates the wheel in the clockwise or anti-clockwise direction until it does, and then clicks the confirm button. The process is repeated until the user has recognized all characters of his original password. Each sector contains a combination of alphanumeric and special characters from which the user selects. Three wrong attempts disable the account, and an email is sent to the user. In the pair-based scheme, the user sets a password of minimum length 8, and it can be both even and odd. At login, a 6x6 grid appears; the user types the first letter of the row and column that contain the password character and clicks on the character at the intersection point of that row and column. The user then selects a new row, column and intersection point. The process is repeated until all password characters have been selected.

http://ijarcsms.com/docs/paper/volume2/issue10/V2I10-0058.pdf

Thursday, 17 September 2015

Preventing Shoulder-Surfing Attack with the Concept of Concealing the Password Objects’ Information

In this paper, a picture-based password scheme that uses the concept of concealing information about the password images as much as possible is proposed. The proposed method has two phases: the Registration Phase and the Authentication Phase. During the Registration Phase, users are required to select multiple images as their password. Users are also required to remember the sequence in which the password images were selected. During the password selection process, an image can only be used once. Duplication of images in the password selection is not allowed because it decreases the randomness of the proposed system. During the Authentication Phase, a user is required to identify the correct “target” images within a grid of N x N images, where N is the grid size. The pictures shown in the grid are randomly shuffled. The user is required to click on the final “target” picture in the grid with the aid of the sequence of the registered password pictures. In order to log in, the user has to mentally go through a series of steps. For each step, there is a starting picture, a cued picture, and a target picture, denoted as Pstart, Pcued, and Ptarget, respectively. Initially, the starting picture and the cued picture are determined using the first and second password pictures (registered by the user during the Registration Phase), respectively. From both the starting and cued pictures, the user has to identify the first “target” picture using the proposed algorithm. The first step is completed once the first “target” picture is determined. In the next step, the user has to find the next “target” picture with the aid of the current starting and cued pictures. In this step, the first “target” picture is used as the current starting picture and the current cued picture is obtained from the next registered password picture (third password picture). The same algorithm is used to determine the next “target” picture.
This process is repeated until the last step when the final “target” picture is obtained. The user is required to click on the final “target” picture and a challenge round is considered complete. The number of steps in the Authentication Phase is always one less than the number of password images selected. The number of challenge rounds is arbitrary and can be increased to suit the level of security required, thus improving the password space, though the amount of mental work expended by the user increases accordingly.


http://www.hindawi.com/journals/tswj/2014/838623/

Shoulder Surfing Defence for Recall-based Graphical Passwords

In this paper, we study shoulder surfing defences for recall-based graphical password systems such as Draw-A-Secret (DAS) and Background Draw-A-Secret (BDAS). A DAS password is a free-form picture drawn on an N x N grid. The grid is denoted by discrete rectangular coordinates (x, y), which are used to indicate the cells that are crossed by the user’s drawn secret (password). A DAS password is recorded by the system as a sequence of coordinate pairs, for example (2,2); (3,2); (3,3); (2,3); (2,2); (2,1); (5,5), where (5,5) is distinguished as a “pen-up” indicator. The paper describes three techniques. In the decoy strokes technique, the user first draws the strokes on the screen for DAS, but while drawing the user sees only points on the screen. The points are the intersections of the strokes with the grid in the DAS screen, along with the starting and ending points of each stroke, and they are generated as the user draws the password. This algorithm is not applied while the user is setting his password; it is applied during the login session, when the user enters the password for authentication. The disappearing stroke solution removes the user's stroke from the screen after it has been drawn. The idea is that the password information of an individual stroke is removed, which gives the attacker less time to commit the image to memory. This solution is designed both for passwords that have multiple strokes and for passwords of one long stroke, although it might work better for the former type. The stroke is wiped from the screen only after the user has finished drawing that particular stroke (i.e. when the stylus is removed from the screen). This was implemented with a timer that removes the stroke a certain period of time after the pen-up event.
The line snake defence was designed to combat shoulder surfing for passwords containing long singular strokes: it allows stroke information to be removed from a long singular stroke while the stroke is still being drawn. The variable factor for this solution is the speed at which the user's stroke disappears (snakes away) from the screen.

https://cups.cs.cmu.edu/soups/2011/proceedings/a6_Zakaria.pdf
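The DAS encoding described above can be reproduced with a short encoder that turns pixel traces into the recorded cell sequence. This is an added example, not code from the paper or this post; the 4 x 4 grid, the 100-pixel cell size, the pen-up value (N+1, N+1) and the function names are assumptions chosen to match the (5,5) indicator quoted in the summary.

```python
def _cell(x, y, n, cell_px):
    """Map a pixel position to 1-based grid coordinates."""
    cx, cy = int(x // cell_px) + 1, int(y // cell_px) + 1
    if not (1 <= cx <= n and 1 <= cy <= n):
        raise ValueError(f"point ({x}, {y}) is outside the {n}x{n} grid")
    return cx, cy


def _walk(p, q):
    """Positions from p to q in steps of at most one pixel.

    Interpolating between samples keeps a fast stroke with sparse samples
    from skipping the cells it crossed.
    """
    (x0, y0), (x1, y1) = p, q
    steps = max(abs(x1 - x0), abs(y1 - y0), 1)
    for k in range(steps + 1):
        yield x0 + (x1 - x0) * k / steps, y0 + (y1 - y0) * k / steps


def encode_das(strokes, n=4, cell_px=100):
    """Encode a drawing as the sequence of crossed cells.

    strokes is a list of strokes; each stroke is a list of (x, y) samples.
    A pen-up marker (n+1, n+1) is appended after every stroke, so stroke
    boundaries are part of the secret as well as the cells.
    """
    pen_up = (n + 1, n + 1)
    seq = []
    for stroke in strokes:
        if not stroke:
            continue
        cells = []
        # A single-sample stroke (a dot) is walked from the point to itself.
        for p, q in zip(stroke, stroke[1:] or stroke):
            for x, y in _walk(p, q):
                c = _cell(x, y, n, cell_px)
                if not cells or cells[-1] != c:
                    cells.append(c)
        seq.extend(cells)
        seq.append(pen_up)
    return seq


def same_secret(drawing_a, drawing_b, n=4, cell_px=100):
    """Two drawings authenticate as equal when their encodings are identical."""
    return encode_das(drawing_a, n, cell_px) == encode_das(drawing_b, n, cell_px)


if __name__ == "__main__":
    # Constructed pixel trace that yields the sequence quoted in the summary.
    trace = [[(150, 150), (250, 150), (250, 250),
              (150, 250), (150, 150), (150, 50)]]
    print(encode_das(trace))
```

Because only the cell sequence is stored, hiding or fading the rendered stroke (the defences listed above) changes what an onlooker sees without changing what the system compares.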


Tuesday, 15 September 2015

3-Level Password Authentication System

Summary

The first level is image ordering, which simply means selecting previously set images in the same order. From a sequence of images, the user can select a few images at random. The images provided are commonly used, user-friendly and easy to remember. The maximum limit of image selection is set to three images. During the authentication phase, the sequence of images is presented in shuffled order, and the user selects the same set of images chosen during the registration phase, in the same order. In case of any invalid selection of images, the system is locked automatically after a few trials, based on the count given. After image ordering, the second level is the selection of color pixels. The user can select a single color pixel from the different blocks of colors provided. The maximum limit of color pixel selection is set to one. During the authentication phase, the previously set images must be chosen in the first level, and the user is then redirected to the second level, i.e. the color pixel selection, where the user selects the same colour pixel chosen in the registration phase. In case of any invalid selection of images or colour pixel, the system is locked automatically after a few trials, based on the count given. In the third level, a one-time password (OTP) technique is used, that is, a password which is valid for a single session. The OTP is securely generated and verified using a smartphone. The major advantage of the system is that a different OTP is generated each time the user tries to log in.


http://www.ijrdet.com/files/Volume2Issue4/IJRDET_0414_23.pdf

An Authentication System For Information Security Using Cued Click Point And One Time Session Key

Summary


The proposed authentication system works as follows. At the time of registration, after filling in the signup form, the user creates a graphical password by first uploading a picture chosen from his or her own system using the “UploadImage1” button. The user then chooses one status from four given options: Left-right, Right-Left, Top-bottom, and Bottom-top. The system then divides the selected picture into a 3x3 grid and labels each grid according to the selected status. When the user clicks the “Next” button, the window for creating image password level-2 is displayed. In this window the user has to click the “UploadImage2” button to select the second picture as the next image password. After selecting the picture, the user must choose the option for labelling the grids in the picture. The user then clicks the “Next” button once more to select the third picture (image password) as in the previous levels, and finally clicks the “Finish” button to complete the registration phase. For authentication, the user first enters his userid and then clicks the “Next” button. At the same time, a one-time random number key is issued by the system to the user’s mobile number given at the registration stage. For example, suppose the key is 386. The system now displays four images which are not labelled. One of these is the first image uploaded by the user, and the other three are extra images displayed by the system to confuse the hacker. Since the key is 386, the user must click on grid 3 of the actual picture among the four images and then click the “Next” button. Another set of four images is then displayed. One of these four images is the second image uploaded by the user during the registration stage, and the other three are displayed by the system as protection against the hacker. From these four images the user has to correctly click on grid 8 in the second image uploaded by him.
Similarly, when the user clicks the “Next” button, another set of four images is displayed. One of these four images is the third image uploaded by the user, and three images are displayed by the system. The user must correctly click on grid 5 according to the grid labelling option given to this image during the registration phase. If all the clicks at each level of images are correct, the user can successfully log on to the system. Otherwise, if there is a mistake in any of the click points (grid no.), the system displays an error message to the user.

http://www.ijert.org/view-pdf/4591/an-authentication-system-for-information-security-using-cued-click-point-and-one-time-session-key


A Simple Text Based Graphical Password Scheme to Overcome Shoulder Surfing Attacks

There are no text-based shoulder surfing resistant graphical password schemes which are both secure and efficient enough. The proposed scheme is therefore a simple and efficient text-based graphical password scheme using pointers, in which we have considered 64 characters, of which 24 upper cases and 24 lower cases, which also includes all special symbols and alphanumeric characters. It consists of two phases, the Registration Phase and the Login Phase.
In the registration phase, when the user registers for the first time, he/she has to enter his/her password K of length L characters and select one pointer, out of the 8 pointers given, which will be the default pointer. The user has to register an e-mail address for re-enabling his disabled account. The registration phase should not be carried out in a shoulder surfing environment. In addition, a secure channel should be established between the system and the user during the registration phase by using SSL/TLS or any other secure transmission mechanism. The user’s textual password, which the system takes from the user’s entry and stores in the password table, should be encrypted with the system key.
To log in to the system, the user has to go through the following algorithm, known as the text based graphical password MANS algorithm.
Step 1: The user requests to log in to the system.
Step 2: The system shows a circle composed of 8 equally sized sectors and places 64 characters in the 8 sectors randomly, so that each sector contains some characters. The characters are in three typefaces: the 26 upper case letters are in bold typeface, the 26 lower case letters and the special symbols are in regular typeface, and the 10 alphanumeric characters are in italic typeface. The button for rotating clockwise, the button for rotating anticlockwise, the “Confirm” button, and the “Login” button are also displayed on the login screen. All the shown characters can be simultaneously rotated into either the adjacent sector clockwise by clicking the “clockwise” button once or the adjacent sector anticlockwise by clicking the “anticlockwise” button once, and the rotation operations can also be performed by scrolling the mouse wheel. Let i = 1.
Step 3: The user has to rotate the sector containing the i-th character of his password K, denoted by K_i, into his pointer, and then click on the “Confirm” button. Let i = i + 1.
Step 4: If i < L, the system randomly shows all 64 characters, and then GOTO Step 3. Otherwise, the user has to click the “Login” button to complete the login process.
If the account is unsuccessfully authenticated three consecutive times, the account is disabled and the system sends to the user’s registered e-mail address an e-mail containing a secret link that the user can use to re-enable his disabled account. The user can easily and simply log in to the system without using any on-screen keyboard or normal keyboard. Finally, we have analyzed the resistance of the proposed scheme to shoulder surfing and accidental login.

http://www.ijarcce.com/upload/2015/march-15/IJARCCE%2087.pdf


Advance Secure Login

Advance secure login is an advanced technique used as a countermeasure against the shoulder surfing attack. First of all, the user creates an authentication account, and the information regarding his/her username and password is saved in the DATABASE. For a strong password it is advisable that the password length be between 7 to 20 characters. Most importantly, this database is hidden from the user and accessible only to the system ADMINISTRATOR of the particular system. Suppose that, at a later point in time, someone wants to log on to a system (the system need not be a standalone one; a user could perform a remote login too) which contains the information about several users who have already registered and have the right to use the system. The incoming user is asked to enter his authentication information, username and password, as is usually done for a secured system. We have an “interactive screen” where, as usual, the username and password need to be entered. The username is entered in the usual fashion, as in most computer systems. The trick lies in entering the password. The software uses an inbuilt technique to make users enter their password. When the cursor is clicked on the password field, a popup box appears. It contains a 7*7 “MATRIX”, but only the columns are numbered (1-7). The elements of the matrix are a RANDOMLY generated set of alphabets, numerals and symbols “without” REPETITION of any alphabet, numeral or symbol in the matrix. We include 12 special CHARACTERS in the first two rows, followed by the ALPHABETS and then the NUMBERS. The special characters are shuffled in the first two columns and are not mixed with the numbers or alphabets, while the numbers and alphabets are shuffled separately. Now here’s the trick: when asked for the “PASSWORD”, the user types the “column position” of each password character.
The major advantage is that even if a person types the positions of his password characters, someone looking over his shoulder would be confused, as there are 8 characters in each column. If the same person comes a second time to log in with his username and password, the matrix is first “shuffled” automatically and the positions of the characters change. Thus we have a wide range of combinations for selecting the password, so it will be very difficult for an unauthorized person to enter a system by merely guessing the password of another user.

http://www.ijsrp.org/research_paper_dec2011/ijsrp-dec-2011-08.pdf

Implementing Black hole Password Entry Technique For Mitigating Shoulder-surfing Threat

Black hole is a similar approach to password entry that retains the ease of use of traditional passwords while reducing shoulder-surfing and acoustic attacks. The black hole mechanism builds on the traditional password system. During registration, the user enters a 5*4 matrix password sequence. When the user logs in, characters from the 5*4 matrix password sequence are highlighted and the user enters the highlighted characters in the password box; the next time the user logs in to the account, a new password sequence has to be entered. If an unauthenticated user observes the four-character password and then tries to log in with it, the password sequence has changed in the meantime, so he enters the wrong sequence or the previous password sequence, which is not the same at the next login. If the unauthenticated person tries the hit-and-trial method, trying all combinations of four characters against the user account, the password field changes from the four-character password field; this change makes it an impossible task for the unauthenticated user to break the password and makes the login system safer.



http://www.rroij.com/open-access/implementing-black-hole-password-entrytechnique-for-mitigating-shouldersurfing-threat.pdf

Extended Text and Color Based Session Password Security against Shoulder Surfing and Spyware

In this paper, a new technique called extended text and color based session password security against shoulder surfing and spyware is suggested. It involves two phases. In the registration phase, the user registers with credentials such as name, number, address and password, entered manually with the keyboard. The user enters a textual password of fixed length, i.e. six, and chooses one color as his pass-color from 8 colors assigned by the system. The remaining 7 colors not chosen by the user are his decoy-colors. After successful registration, a random color combination sequence is generated for the textual password and sent to the user via text message; it is used for only one login. In the login phase, the user requests to log in to the system, and the system displays a circle composed of 8 equally sized sectors; initially, 64 characters with different color combinations are placed evenly and randomly among these sectors. All the displayed characters and character colors can be simultaneously rotated into either the adjacent sector clockwise by clicking the “clockwise” button once or the adjacent sector anticlockwise by clicking the “anticlockwise” button once, and the rotation operations can also be performed by scrolling the mouse wheel. The user selects the password with the color combination according to the text message received during registration. By rotating the circle clockwise or anticlockwise, if color and character match, the user successfully logs in to the system. If the user enters a wrong color character three times in a row, the session expires automatically and a new password is sent to the user.



http://www.jetir.org/papers/JETIR1407015.pdf
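The rotating-wheel login shared by the color-wheel scheme, the text-based pointer scheme and the extended text and color scheme summarised in this post can be modelled as below, including the disable-after-three-failures rule. This is an added example, not code from any of the papers or this post; the 64-character alphabet, the even split of eight characters per sector and all names are assumptions.

```python
import secrets
import string

# Assumed alphabet; the summaries fix only the total of 64 characters.
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "./"
SECTORS = 8
MAX_FAILURES = 3


def deal_wheel(rng=None):
    """Spread the 64 characters randomly and evenly over the 8 sectors."""
    rng = rng or secrets.SystemRandom()
    chars = rng.sample(ALPHABET, len(ALPHABET))
    per = len(chars) // SECTORS
    return [set(chars[i * per:(i + 1) * per]) for i in range(SECTORS)]


def rotation_for(wheel, pointer, ch):
    """Clockwise clicks that bring the sector holding ch onto the pointer.

    This is the only thing the user does; the character is never typed.
    """
    group = next(i for i, sector in enumerate(wheel) if ch in sector)
    return (pointer - group) % SECTORS


def sector_at(wheel, pointer, rotation):
    """Characters sitting at the pointer after `rotation` clockwise clicks."""
    return wheel[(pointer - rotation) % SECTORS]


class Account:
    """Server-side record: password, secret pointer (or pass-color), lockout."""

    def __init__(self, password, pointer):
        self.password = password
        self.pointer = pointer
        self.failures = 0
        self.disabled = False

    def login(self, wheels, rotations):
        """One login attempt: wheels[i] is the layout shown in round i and
        rotations[i] the net clockwise clicks before "Confirm" in that round."""
        if self.disabled:
            return False
        ok = len(wheels) == len(rotations) == len(self.password)
        # Check every round even after a miss, so the failing round is not
        # revealed by when the check stops.
        for ch, wheel, rot in zip(self.password, wheels, rotations):
            ok = (ch in sector_at(wheel, self.pointer, rot)) and ok
        self.failures = 0 if ok else self.failures + 1
        self.disabled = self.failures >= MAX_FAILURES   # three in a row
        return ok


if __name__ == "__main__":
    acct = Account("Aa0", pointer=5)
    wheels = [deal_wheel() for _ in acct.password]     # fresh wheel per round
    clicks = [rotation_for(w, 5, c) for w, c in zip(wheels, acct.password)]
    print("clicks per round:", clicks, "->", acct.login(wheels, clicks))
    # An onlooker sees the clicks, but each click count is consistent with
    # eight characters for every one of the eight possible pointers.
    print(sorted(sector_at(wheels[0], 5, clicks[0])))
```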

Monday, 14 September 2015

Defending Shoulder Surfing Attacks in Secure Transactions Using Session Key Method



When a PIN is entered as a numeric password in mobile or stationary systems, the Shoulder Surfing Attack (SSA) becomes a great concern. To establish a secure transaction, the session key mechanism is proposed. The session key method has 4 rounds. The first round is the session key decision round, and the remaining three rounds are PIN-entry rounds. In the session key decision round, ten randomly arranged objects are displayed to the user. The user can decide on any of the symbols and assign it to the 1st digit of the PIN using the “Up” or “Down” buttons. If the user presses the “Up” button, the symbols immediately move upwards. If the user presses the “Down” button, the symbols immediately move downwards. Using these Up and Down buttons, the user moves the decided key to the PIN digit and then presses “OK”. While the user moves the symbols, all the symbols move up or down in the direction the user is moving them. So a shoulder surfer who watches the user's entry, or even an attacker who records the process, cannot find the PIN. In the next round, the symbols are shuffled, and new symbols are added too, so it is tough to guess or find the PIN with this session key logon procedure. At this point the session key has been decided by the user and the 1st digit of the PIN has been validated. The same session key (symbol) must be used for the remaining 3 rounds, which are the PIN-entry rounds: the ith digit of the PIN is entered in the ith round (here i = 2, 3, 4). In each of these rounds, the 10 symbols are shuffled. The user assigns the session key in each round using the “Up” and “Down” buttons and presses the “OK” button in each round. When the user presses the OK button, the PIN digit is considered entered.
This method makes it harder for a criminal to obtain PINs even if the entire input of a PIN-entry procedure is fully observed. For a secure transaction, HMAC (Hash Message Authentication Code) is used to compress the PIN with a secret key, and the result is sent to the server over the public channel, so that an active attacker cannot extract the PIN by monitoring the channel. Once the server has authenticated the PIN, the Quick Response for the mobile app redirects the user to the services, and a secure transaction between the mobile app and the server is established by using the Session Key Method.

http://ijsetr.org/wp-content/uploads/2015/02/IJSETR-VOL-4-ISSUE-2-330-335.pdf

GRAPHICAL PASSWORD AUTHENTICATION USING PCCP WITH SOUND SIGNATURE


Summary


Among graphical passwords, the PCCP technique is strong but not satisfactory: the chance of a shoulder surfing attack is high, so a dead zone concept is added to it to avoid shoulder surfing. By using the dead zone in PCCP (at the login phase, images are displayed without shading and users need to select the correct click points for authentication), the password is made stronger and more secure, and a sound signature is added for forgotten passwords. The user must select a sound at the time of registration. When the user cannot remember the password, the user clicks the forgot password button and the system gives a sound clip; if the user plays the correct sound, the system gives permission to create a new password and gives the image sequence for creating it; otherwise the system goes into exit mode. The dead zone concept is used to avoid the shoulder surfing attack. Shoulder surfing means that when a user enters the password and selects the image sequence of his password, a person standing behind the user and watching the password sequence has a good chance of hacking the account by using a guessing attack. Using the dead zone concept, that attack can be avoided. The dead zone is a particular area that is allocated to the user at registration time and is stored in every image of the sequence. When the user clicks on that area, the system shows the image sequence from the starting image. If the user is entering the password while some person is watching, the user can select a wrong click point, and the system then gives the user a wrong image sequence in which the dead zone is present; when the user clicks on the dead zone, the system again gives the correct image sequence. This process can be repeated many times, so the observer is confused and it is very hard to crack the password by using a shoulder surfing attack.

http://esatjournals.org/Volumes/IJRET/2015V04/I01/IJRET20150401008.pdf

Graphical password authentication using Pass faces


Summary

The system goes through several phases before creating a password and while logging in to the system: image selection, image distortion, text association and finally password generation. At the time of login, one correct image from a 3X3 grid is identified. The grid shows one correct image and eight decoy faces, and shuffles the faces for every attempt. Only upon identifying the correct image and entering the text associated with it does the user get access to the system. In the password creation phase, the user is given two options: the user can either provide images of their choice or select images from the system database. With either choice the user is required to provide three images. In the distortion phase, the system uses a distortion technique to distort the received or provided images. This distortion of images is carried out by using filters. The system then displays both the distorted and the original images to the user, so that it is easier for the user to mentally associate the distorted images. The user is also required to enter some random text for each of these images. Both original and distorted images, along with the text, are saved in the database. During the authentication phase, only a valid user is granted access to the system. The system asks the user to identify one out of the three user-entered images from the grid containing one correct image and 8 decoy faces, and also to enter the associated text. The user gets only two attempts to identify the correct image from the grid and to enter the associated text of the image. The system shuffles the images in the grid every time the user logs in to the system. There is a growing interest in using pictures as passwords instead of alphanumeric passwords. The main reason for using graphical passwords is that they can be easily recalled. The distortion technique can mitigate the risk of collective educated guess attacks that use the biases in users’ choices of authentication images.

http://www.ijera.com/papers/Vol5_issue3/Part%20-%205/M503056064.pdf

Thursday, 10 September 2015

Techniques to prevent shoulder surfing

Shoulder Surfing 

In computer security, shoulder surfing refers to using direct observation techniques, such as looking over someone’s shoulder, to get information. Shoulder surfing is particularly effective in crowded places because it’s relatively easy to observe someone as they enter passwords on a computer, fill out a form or enter their PIN at an automated teller machine (ATM).
Shoulder surfing can also be done at a distance using binoculars or other vision-enhancing devices. Inexpensive, miniature closed circuit television cameras can be concealed in ceilings, walls or fixtures to observe data entry.
To prevent shoulder surfing, these papers describe some techniques:
  1. http://www.ijsrp.org/research_paper_dec2011/ijsrp-dec-2011-08.pdf
  2. http://www.ijarcce.com/upload/2015/march-15/IJARCCE%2087.pdf
  3. http://ijsetr.org/wp-content/uploads/2015/02/IJSETR-VOL-4-ISSUE-2-330-335.pdf
  4. http://research.ijcaonline.org/volume114/number19/pxc3902031.pdf
  5. http://ijarcsms.com/docs/paper/volume2/issue10/V2I10-0058.pdf
  6. http://www.ijera.com/papers/Vol5_issue3/Part%20-%205/M503056064.pdf
  7. http://esatjournals.org/Volumes/IJRET/2015V04/I01/IJRET20150401008.pdf
  8. http://ijartet.com/papers/NCRIT15/V02S170327.pdf
  9. http://www.ijrdet.com/files/Volume2Issue4/IJRDET_0414_23.pdf
  10. http://www.ijert.org/view-pdf/4591/an-authentication-system-for-information-security-using-cued-click-point-and-one-time-session-key
  11. http://www.ijcsit.com/docs/Volume%205/vol5issue02/ijcsit20140502293.pdf
  12. http://www.hindawi.com/journals/tswj/2014/838623/
  13. https://cups.cs.cmu.edu/soups/2011/proceedings/a6_Zakaria.pdf
  14. http://www.rroij.com/open-access/implementing-black-hole-password-entrytechnique-for-mitigating-shouldersurfing-threat.pdf
  15. http://www.jetir.org/papers/JETIR1407015.pdf