An Enhanced Graphical Authentication Scheme Using Multiple-Image Steganography

Most remote systems require user authentication to access resources. Text-based passwords are still widely used as a standard method of user authentication. Although conventional text-based passwords are rather hard to remember, users often write their passwords down in order to compromise security. One of the most complex challenges users may face is posting sensitive data on external data centers that are accessible to others and do not be controlled directly by users. Graphical user authentication methods have recently been proposed to verify the user identity. However, the fundamental limitation of a graphical password is that it must have a colorful and rich image to provide an adequate password space to maintain security, and when the user clicks and inputs a password between two possible grids, the fault tolerance is adjusted to avoid this situation. This paper proposes an enhanced graphical authentication scheme, which comprises benefits over both recognition and recall-based graphical techniques besides image steganography. The combination of graphical authentication and steganography technologies reduces the amount of sensitive data shared between users and service providers and improves the security of user accounts. To evaluate the effectiveness of the proposed scheme, peak signal-to-noise ratio and mean squared error parameters have been used.     

Secure Graphical One Time Password (GOTPass): An Empirical Study

ABSTRACT

The traditional text-based password has been the default security medium for years; however, the difficulty of memorizing secure strong passwords often leads to insecure practices. A possible alternative solution is graphical authentication, which is motivated by the fact that the capability of humans’ memory for images is superior to text, which helps to improve password usability and security. Recently, some implementations of graphical authentication techniques have been deployed in practice. This paper introduces a new hybrid graphical authentication, “GOTPass,” that authenticates by means of a one-time numerical code that needs to be typed in based on a sequence of secret images and a prechosen input format. An important focus for this paper was the security aspects of the graphical password scheme. This paper reports an in-depth analysis of the security evaluation and shows a high resistance capability of GOTPass against common graphical password attacks. Three attacks were simulated (Guessing, Intersection, and Shoulder-surfing), and the results showed that nearly 98% of the 690 attempts failed to compromise the system.     

Why That Picture? Discovering Password Properties in Recognition-Based Graphical Authentication

Numerous graphical authentication ideas have been proposed on how to address the security and usability of text-based passwords. However, it remains unclear how users approach graphical password selection and the inherent personal bias when selecting images. This study investigates user choices in password selection for recognition-based graphical authentication. Our analysis is based on a total of 302 participants continuously using a graphical authentication system during a 6-week long study. The results show pronounced preference effects for image properties such as color, shape, and category. Additionally, there is a significant difference between genders in the selected images based on the same properties.     

Encouraging users to improve password security and memorability

Security issues in text-based password authentication are rarely caused by technical issues, but rather by the limitations of human memory, and human perceptions together with their consequential responses. This study introduces a new user-friendly guideline approach to password creation, including persuasive messages that motivate and influence users to select more secure and memorable text passwords without overburdening their memory. From a broad understanding of human factors-caused security problems, we offer a reliable solution by encouraging users to create their own formula to compose passwords. A study has been conducted to evaluate the efficiency of the proposed password guidelines. Its results suggest that the password creation methods and persuasive message provided to users convinced them to create cryptographically strong and memorable passwords. Participants were divided into two groups in the study. The participants in the experimental group who were given several password creation methods along with a persuasive message created more secure and memorable passwords than the participants in the control group who were asked to comply with the usual strict password creation rules. The study also suggests that our password creation methods are much more efficient than strict password policy rules. The security and usability evaluation of the proposed password guideline showed that simple improvements such as adding persuasive text to the usual password guidelines consisting of several password restriction rules make significant changes to the strength and memorability of passwords. The proposed password guidelines are a low-cost solution to the problem of improving the security and usability of text-based passwords.

     

图形密码身份认证方案设计及其安全性分析

为了解决身份认证方案中口令的安全性和易记忆性的矛盾,针对传统的字符式口令的诸多缺点,提出了结合新型图形密码的身份认证参考方案.在图形密码设计原则下,依据基于识别型和基于记忆型的设计思想,提出图形密码身份认证参照方案,并将图形密码的安全性与文本密码进行比较,分析了图形密码的密钥空间和抵抗常见口令攻击的能力.经分析多数图形密码在易记忆性和安全性方面优于传统密码.     

A Human-Cognitive Perspective of Users’ Password Choices in Recognition-Based Graphical Authentication

ABSTRACT

Graphical password composition is an important part of graphical user authentication which affects the strength of the chosen password. Considering that graphical authentication is associated with visual search, perception, and information retrieval, in this paper we report on an eye-tracking study (N = 109) that aimed to investigate the effects of users’ cognitive styles toward the strength of the created passwords and shed light into whether and how the visual strategy of the users during graphical password composition is associated with the passwords’ strength. For doing so, we adopted Witkin’s Field Dependence-Independence theory, which underpins individual differences in visual information and cognitive processing, as graphical password composition tasks are associated with visual search. The analysis revealed that users with different cognitive processing characteristics followed different patterns of visual behavior during password composition which affected the strength of the created passwords. The findings underpin the need of considering human-cognitive characteristics as a design factor in graphical password schemes. The paper concludes by discussing implications for improving recognition-based graphical passwords through adaptation and personalization techniques based on individual cognitive characteristics.     

An Enhanced Drawing Reproduction Graphical Password Strategy

Passwords are used in the vast majority of computer and communication systems for authentication. The greater security and memorability of graphical passwords make them a possible alternative to traditional textual passwords. In this paper we propose a new graphical password scheme called YAGP, which is an extension of the Draw-A-Secret (DAS) scheme. The main difference between YAGP and DAS is soft matching. The concepts of the stroke-box, image-box, trend quadrant, and similarity are used to describe the images characteristics for soft matching. The reduction in strict user input rules in soft matching improves the usability and therefore creates a great advantage. The denser grid granularity enables users to design a longer password, enlarging the practical password space and enhancing security. Meanwhile, YAGP adopts a triple-register process to create multi-templates, increasing the accuracy and memorability of characteristics extraction. Experiments illustrate the effectiveness of YAGP.     

Ku-Chien远程身份认证方案的安全性分析

Ku－Chien远程身份认证方案是一种使用智能卡、低开销、实用的口令认证方案。本文分析了Ku－Chien方案的安全性,指出了Ku－Chien方案的安全缺陷：不能抵御并行会话攻击和伪造主机攻击。分析了产生安全缺陷的原因：登陆阶段用户计算出的秘密信息和认证阶段远程主机计算出的秘密信息具有类似的结构。最后,利用口令更改计数器,给出了一种改进的口令认证方案。该方案允许用户自主选择并更改口令,实现了双向认证;能够抵御重放攻击、内部攻击,具备强安全修复性;能够抵御并行会话攻击和伪造远程主机攻击。     

A graphical-based password keystroke dynamic authentication system for touch screen handheld mobile devices

Since touch screen handheld mobile devices have become widely used, people are able to access various data and information anywhere and anytime. Most user authentication methods for these mobile devices use PIN-based (Personal Identification Number) authentication, since they do not employ a standard QWERTY keyboard for conveniently entering text-based passwords. However, PINs provide a small password space size, which is vulnerable to attacks. Many studies have employed the KDA (Keystroke Dynamic-based Authentication) system, which is based on keystroke time features to enhance the security of PIN-based authentication. Unfortunately, unlike the text-based password KDA systems in QWERTY keyboards, different keypad sizes or layouts of mobile devices affect the PIN-based KDA system utility. This paper proposes a new graphical-based password KDA system for touch screen handheld mobile devices. The graphical password enlarges the password space size and promotes the KDA utility in touch screen handheld mobile devices. In addition, this paper explores a pressure feature, which is easy to use in touch screen handheld mobile devices, and applies it in the proposed system. The experiment results show: (1) EER is 12.2% in the graphical-based password KDA proposed system. Compared with related schemes in mobile devices, this effectively promotes KDA system utility; (2) EER is reduced to 6.9% when the pressure feature is used in the proposed system. The accuracy of authenticating keystroke time and pressure features is not affected by inconsistent keypads since the graphical passwords are entered via an identical size (50 mm × 60 mm) human–computer interface for satisfying the lowest touch screen size and a GUI of this size is displayed on all mobile devices.     

Investigating the Viability of Multifactor Graphical Passwords for User Authentication

ABSTRACT

Authentication using images (i.e., graphical passwords) is claimed to be one of the alternatives for overcoming weaknesses in the traditional username and password authentication. This paper reports on the study to explore the feasibility of combining two graphical password methods for better security. A graphical password prototype scheme, the Enhanced Graphical Authentication System (EGAS), was developed (which combines the methods of clicking on the image (i.e., click-based) and selecting a series of images (i.e., choice-based). The EGAS was tested by 30 participants randomly chosen from the authors’ university and two evaluations were made; namely user performance of the combined method and the feasibility of authentication strategies toward the introduced method itself. From both evaluations, it is found that positive results have been obtained, which suggest that these methods could be combined together effectively without giving impediment to users.     

一种适合远程访问场景的认证和密钥交换方案

提出了一种基于基本ECMQV协议的非对称式认证和密钥交换方案AEAS,可实现对客户端的口令认证和对服务端的公钥认证;AEAS中的客户端口令认证具有零知识安拿属性,允许用户使用弱口令,并能抵御各种字典攻击和重放攻击;与同类非对称认证和密钥交换方案相比,AEAS具有最少的公钥计算开销。AEAS协议能集成到现有WTLS协议框架中,从而实现一种高安全性和低计算开销的WTLS扩展,它完全可满足无线终端在企业远程访问场景下的高安全性要求。     

A user authentication system using back-propagation network

Information security has been a critical issue in the field of information systems. One of the key factors in the security of a computer system is how to identify the authorization of users. Password-based user authentication is widely used to authenticate a legitimate user in the current system. In conventional password-based user authentication schemes, a system has to maintain a password table or verification table which stores the information of users IDs and passwords. Although the one-way hash functions and encryption algorithms are applied to prevent the passwords from being disclosed, the password table or verification table is still vulnerable. In order to solve this problem, in this paper, we apply the technique of back-propagation network instead of the functions of the password table and verification table. Our proposed scheme is useful in solving the security problems that occurred in systems using the password table and verification table. Furthermore, our scheme also allows each user to select a username and password of his/her choice.     

基于动态ID的远程用户身份认证方案

用户身份认证作为网络安全和信息安全的第一道屏障,有着非常重要的作用.口令与智能卡相结合的认证方式可以克服传统口令认证方式的诸多弊端,能够提高网络和信息系统整体的安全性.对基于动态ID的远程用户身份认证方案进行了分析,指出了该方案在入侵者持有用户智能卡的情况下,即使不知道用户口令也能够伪装成合法用户通过远程系统的身份验证,获取系统的网络资源.提出了一种改进方案,能有效抵御重放攻击、伪造攻击、口令猜测攻击、内部攻击和伪装攻击.     

User interface design affects security: patterns in click-based graphical passwords

Design of the user interface for authentication systems influences users and may encourage either secure or insecure behaviour. Using data from four different but closely related click-based graphical password studies, we show that user-selected passwords vary considerably in their predictability. Our post-hoc analysis looks at click-point patterns within passwords and shows that PassPoints passwords follow distinct patterns. Our analysis shows that many patterns appear across a range of images, thus motivating attacks which are independent of specific background images. Conversely, Cued Click-Points (CCP) and Persuasive Cued Click-Points (PCCP) passwords are nearly indistinguishable from those of a randomly generated simulated dataset. These results provide insight on modeling effective password spaces and on how user interface characteristics lead to more (or less) security resulting from user behaviour.     

Effectiveness of image-based mnemonic techniques for enhancing the memorability and security of user-generated passwords

Complex passwords are hard to remember, so people often pick simple passwords, write complex ones down, and reuse the same password across multiple accounts. Proactive password checking (PPC) restrictions and mnemonic techniques can enhance password security and memorability. Participants in this study were assigned to one of three password generation groups: PPC restrictions alone, image-based mnemonic, or text-based mnemonic. They were asked to generate and later recall passwords for five separate fictitious online accounts. The use of mnemonic techniques resulted in the generation of longer and more complex passwords. Furthermore, passwords were more accurately recalled when they were generated using the image-based mnemonic technique or PPC restrictions alone, as opposed to the text-based mnemonic technique. However, passwords generated using PPC restrictions alone were more easily forgotten and susceptible to being cracked. Thus, the image-based mnemonic technique was shown to be the most effective method for generating secure and memorable passwords.     

Bu-Dash: a universal and dynamic graphical password scheme (extended version)

Passwordless authentication is a trending theme in cyber security, while biometrics gradually replace knowledge-based schemes. However, Personal Identification Numbers, passcodes, and graphical passwords are still considered as the primary means for authentication. Passwords must be memorable to be usable; therefore, users tend to choose easy to guess secrets, compromising security. The Android Pattern Unlock is a popular graphical password scheme that can be easily attacked by exploiting human behavioristic traits. Despite its vulnerabilities, the popularity of the scheme has led researchers to propose adjustments and variations that enhance security but maintain its familiar user interface. Nevertheless, prior work demonstrated that improving security while preserving usability remains frequently a hard task. In this paper we propose a novel graphical password scheme built on the foundations of the well-accepted Android Pattern Unlock method, which is usable, inclusive, universal, and robust against shoulder surfing and (basically) smudge attacks. Our scheme, named Bu-Dash, features a dynamic user interface that mutates every time a user swipes the screen. Our pilot studies illustrate that Bu-Dash attracts positive user acceptance rates, it is secure, and maintains high usability levels. We define complexity metrics that can be used to further diversify user input, and we conduct complexity and security assessments.

     

Token-based graphical password authentication

Given that phishing is an ever-increasing problem, a better authentication system is required. We propose a system that uses a graphical password deployed from a Trojan and virus-resistant embedded device. The graphical password utilizes a personal image to construct an image hash, which is provided as input into a cryptosystem that returns a password. The graphical password requires the user to select a small number of points on the image. The embedded device will then stretch these points into a long alphanumeric password. With one graphical password, the user can generate many passwords from their unique embedded device. The image hash algorithm employed by the device is demonstrated to produce random and unique 256-bit message digests and was found to be responsive to subtle changes in the underlying image. Furthermore, the device was found to generate passwords with entropy significantly larger than that of users passwords currently employed today.     

基于椭圆曲线密码体制的口令认证系统研究

针对现有口令认证系统中存在的安全问题,本文在研究椭圆曲线密码体制ECC基本原理的基础上,设计了一种新的基于ECC的口令认证方案,给出了该方案的详细实现过程,最后对方案进行了安全性分析。本方案的特点是用户口令在系统存储和传输过程中难以被破解;认证信息保持动态性,能有效防止重放攻击;用户还可以及时发现秘密使用其口令的非法用户,杜绝了信息泄漏或资源盗用。整个方案安全有效,易于实现,有着良好的应用前景。     

Elastic password authentication scheme using the Passcell-based virtual scroll wheel

User authentication such as password setting has become increasingly important for the secure management of the information stored in mobile devices. However, in the password authentication schemes used in mobile devices, enhancing security reduces their usability, and passwords become hard to memorize. In addition, enhancing their usability makes them vulnerable to shoulder-surfing or recording attacks involving stealing a glance at the authentication process through the system interface. In this paper, we propose a password authentication scheme that uses a virtual scroll wheel, called WheelLock, to ensure appropriate usability and prevent brute force, shoulder-surfing, and recording attacks.