14 research outputs found

    Ray's Scheme: Graphical Password Based Hybrid Authentication System for Smart Hand Held Devices

    Passwords provide a security mechanism for authentication and protection services against unwanted access to resources. One promising alternative to textual passwords is a graphical password. According to human psychology, humans can easily remember pictures. In this paper, I have proposed a new hybrid graphical password based system. The system is a combination of recognition and pure recall based techniques that offers many advantages over the existing systems and may be more convenient for the user. My approach is resistant to shoulder surfing attacks and many other attacks on graphical passwords. This scheme is proposed for smart hand held devices (like smart phones, i.e. PDAs, iPod, iPhone, etc.), which are more handy and convenient to use than traditional desktop computer systems. Keywords: smart phones, graphical passwords, authentication, network security

    SSSL: Shoulder Surfing Safe Login

    Classical PIN-entry methods are vulnerable to a broad class of observation attacks (shoulder surfing, key-logging). A number of alternative PIN-entry methods that are based on human cognitive skills have been proposed. These methods can be classified into two classes regarding the information available to a passive adversary: (i) the adversary fully observes the entire input and output of a PIN-entry procedure, and (ii) the adversary can only partially observe the input and/or output. In this paper we propose a novel PIN-entry scheme, Shoulder Surfing Safe Login (SSSL). SSSL is a challenge-response protocol that allows a user to log in securely in the presence of an adversary who can observe (via key-loggers, cameras) user input. This is accomplished by restricting the access to SSSL challenge values. Compared to existing solutions, SSSL is both user-friendly (not mentally demanding) and cost efficient. Our usability study reveals that the average login time with SSSL is around 8 sec in a 5-digit PIN scenario. We also show the importance of considering side-channel timing attacks in the context of authentication schemes based on human cognitive skills.

    Designing leakage-resilient password entry on touchscreen mobile devices

    Singapore Management University

    A second look at the usability of click-based graphical passwords

    Click-based graphical passwords, which involve clicking a set of user-selected points, have been proposed as a usable alternative to text passwords. We conducted two user studies: an initial lab study to revisit these usability claims, explore for the first time the impact on usability of a wide range of images, and gather information about the points selected by users; and a large-scale field study to examine how click-based graphical passwords work in practice. No such prior field studies have been reported in the literature. We found significant differences in the usability results of the two studies, providing empirical evidence that relying solely on lab studies for security interfaces can be problematic. We also present a first look at whether interference from having multiple graphical passwords affects usability and whether more memorable passwords are necessarily weaker in terms of security.

    Algebraic Attacks on Human Identification Protocols

    Human identification protocols are challenge-response protocols that rely on human computational ability to reply to random challenges from the server based on a public function of a shared secret and the challenge, in order to authenticate the human user. One security criterion for a human identification protocol is the number of challenge-response pairs the adversary needs to observe before it can deduce the secret. In order to increase this number, protocol designers have tried to construct protocols that cannot be represented as a system of linear equations or congruences. In this paper, we take a closer look at different ways from algebra, lattices and coding theory to obtain the secret from a system of linear congruences. We then show two examples of human identification protocols from the literature that can be transformed into a system of linear congruences. The resulting attack limits the number of authentication sessions for which these protocols can be used before secret renewal. Prior to this work, these protocols had no known upper bound on the number of allowable sessions per secret.

    Methods and techniques to protect against shoulder surfing and phishing attacks

    Identity theft refers to the preparatory stage of acquiring and collecting someone else's personal information for criminal purposes. During the past few years, a very large number of people have suffered adverse consequences of identity theft crimes. In this thesis, we investigate different methods and techniques that can be used to provide better protection against identity theft techniques that have some hi-tech relevance, such as shoulder surfing of users' passwords and personal identification numbers (PINs), phishing and keylogging attacks. To address the shoulder surfing threat to traditional PIN entry schemes, two new PIN entry schemes are proposed. Both schemes achieve a good balance between security and usability. In addition, our analysis shows that these two schemes are resilient to shoulder surfing, given that the attacker has a limited capability in recording the login process. We also propose a click-based graphical password authentication scheme. This scheme aims at improving the resistance to shoulder surfing attacks while maintaining the merits of the click-based authentication solutions. It is also resilient to shoulder surfing attacks even if the attacker can record the entire login process one time with a video device. Finally, in order to defend against online phishing attacks, we present a framework to strengthen password authentication using mobile devices and browser extensions. The proposed authentication framework produces a different password depending on the domain name of the login site. Besides defending against phishing attacks, this solution does not require any modifications at the server side.