tion system named PassMatrix that protects users from of them can be easily compromised to shoulder surfing
be-coming victims of shoulder surfing attacks when attacks if attackers use video capturing techniques like
inputting passwords in public through the usage of
one-time login indicators. A login indicator is Google Glass [15], [26]. The limitations of usability
randomly generated for each pass-image and will be include issues such as taking more time to log in,
useless after the session terminates. The login passwords being too difficult to recall after a period of
indicator provides better security against shoulder time, and the authentication method being too
surfing attacks, since users use a dynamic pointer to complicated for users without proper education and
point out the position of their passwords rather than practice.
clicking on the password object directly.
In 2006, Wiedenbeck et al. proposed PassPoints [7] in
which the user picks up several points (3 to 5) in an
Motivation image during the password creation phase and re-
enters each of these pre-selected click-points in a
As the mobile marketing statistics compilation by correct order within its tolerant square during the login
Danyl, the mobile shipments had overtaken PC phase. Com-paring to traditional PIN and textual
shipments in 2011, and the number of mobile users passwords, the Pass-Points scheme substantially
also overtaken desktop users at 2014, which closed to increases the password space and enhances password
2 billion [17]. However, shoulder surfing attacks memorability. Unfortunately, this graphical
have posed a great threat to users privacy and authentication scheme is vulnerable to shoulder
confidentiality as mobile devices are becoming indis- surfing attacks. Hence, based on the PassPoints, we
pensable in modern life. People may log into web add the idea of using one-time session passwords and
services and apps in public to access their personal distractors to develop our PassMatrix
accounts with their smart phones, tablets or public authentication system that is resistant to shoulder
devices, like bank ATM. Shoulder-surfing attackers surfing attacks.also extended the DAS based on finger-
can observe how the passwords were entered with the drawn doodles and pseudosignatures in recent mobile
help of reflecting glass windows, or let alone device [32], [33]. This au-thentication system is based
monitors hanging everywhere in public places. on features which are extracted from the dynamics of
the gesture drawing process (e.g., speed or
Passwords are exposed to risky environments, even if
acceleration). These features contain behavioral
the passwords themselves are complex and secure. A
biometric characteristic. In other words, the attacker
secure authentication system should be able to defend
would have to imitate not only what the user draws,
against shoulder surfing attacks and should be
but also how the user draws it. However, these three
applicable to all kinds of devices. Authentication
authentication schemes are still all vulnerable to
schemes in the literature such as those in [6], [18],
shoulder surfing attacks as they may reveal the
[19], [20], [21], [22], [23], [24],are resistant to
graphical passwords directly to some unknown
shoulder-surfing, but they have either usability
observers in public.
limitations or small password space. Some of them are
not suitable to be applied in mobile devices and most
1.2 Organization
touching at or clicking on them during the registra- icons) for users during the authen-
tion phase. tication phase. In our implementation, we used
characters A to G and 1 to 11 for a 7 11 grid. Both
Overview letters and numbers are generated randomly and
therefore a different login indicator will be provided
PassMatrix is composed of the following components each time the module is called. The generated
(see Figure 6): login indicator can be given to users visually or
acoustically.
Image Discretization Module
For the former case, the indicator could be shown on
Horizontal and Vertical Axis Control Module the display (see Figure 7(a)) directly or through
another predefined image. If using a predefined
Login Indicator generator Module image, for instance, if the user chooses the square (5,
9) in the image as in Figure 7(b), then the login
Communication Module indicator will be (E, 11). For the acoustical
delivery, the indicator can be received by an audio
Password Verification Module signal through the ear buds or Bluetooth. One
principle is to keep the indicators secret from people
Database other than the user, since the password (the sequence
of pass-squares) can be reconstructed easily if the
indicators are known.
indicator to a pass-square will be described in the the username is to give the user an imagination of
next section having a personal account. The username can be
omitted if PassMatrix is applied to authentication
Database. The database server contains several systems like screen lock. The user can either
tables that store user accounts, passwords (ID choose images from a provided list or upload
numbers of pass-images and the positions of pass- images from their device as pass-images. Then
squares), and the time duration each user spent on the user will pick a pass-square for each selected
both registration phase and login phase. PassMatrix pass- image from the grid, which was divided by
has all the required privileges to perform the image discretization module. The user repeats
operations like insert, modify, delete and search. this step until the password is set.
Figure 9 is the flowchart of the registration phase. 1) The user inputs his/her username which
At this stage, the user creates an account which was cre-ated in the registration phase.
contains a user-name and a password. The
password consists of only one pass-square per 2) A new indicator comprised of a letter and a
image for a sequence of n images. The number of number is created by the login indicator generator
images (i.e., n) is decided by the user after module. The indicator will be shown when the user
considering the trade-off between security and uses
usability of the system [42]. The only purpose of
Accuracy
k
bits, there will be 2 possible passwords in that space. REFERENCES
[1] S. Sood, A. Sarje, and K. Singh,
Entropy = log2((Dx Dy)i)n (3) Cryptanalysis of password authentication
schemes: Current status and key issues, in
The definition of notations used in equation 3. Methods and Models in Computer Science,
2009. ICM2CS 2009. Proceeding of
Notation Definition International Conference on, Dec 2009, pp. 17.
Dx The number of partitions in x-direction [2] S. Gurav, L. Gawade, P. Rane, and N.
Dy The number of partitions in y-direction Khochare, Graphical password authentication:
i=1 Obtain login indicators by touching the Cloud securing scheme, in Electronic
screen with hand grasped
Systems, Signal Processing and Computing
i=2 Obtain login indicators by predefined
images Technologies (ICESC), 2014 International
Conference on, Jan 2014, pp. 479483.
[3] K. Gilhooly, Biometrics: Getting back to
business, Computer-world, May, vol. 9, 2005.
V. CONCLUSION [4] R. Dhamija and A. Perrig, Deja vu: A user
With the increasing trend of web services and apps, study using images for authentication, in
users are able to access these applications anytime and Proceedings of the 9th conference on USENIX
anywhere with various devices. In order to protect Security Symposium-Volume 9. USENIX
users digital prop-erty, authentication is required Association, 2000, pp. 44. [5] Realuser,
every time they try to access their personal account http://www.realuser.com/.
and data. However, conducting the authentication [6] I. Jermyn, A. Mayer, F. Monrose, M. Reiter, and
process in public might result in potential shoulder A. Rubin, The design and analysis of graphical
surfing attacks. Even a complicated password can passwords, in Proceedings of the 8th
be cracked easily through shoulder surfing. Using conference on USENIX Security Symposium-
tradi-tional textual passwords or PIN method, users Volume 8. USENIX Association, 1999, pp.1-1.
need to type their passwords to authenticate
themselves and thus these passwords can be revealed
Mr.T.Sudharan Simha has
easily if someone peeks over shoulder or uses video
received B.Tech review
recording devices such as cell phones.
degree in Information
To overcome this problem, we proposed a Technology(INF) in the year 2014
shoulder-surfing resistant authentication system and Pursuing M.Tech in
based on graphi-cal passwords, named PassMatrix. Computer Science and
Using a one-time login indicator per image, users can Engineering (CSE) from
point out the location of their pass-square without Priyadarshini College of
directly clicking or touching it, which is an action Engineering and Technology(Affiliated to
vulnerable to shoulder surfing attacks. JNTUniversity, Ananthapuram), Nellore, Andhra
Pradesh, India
Based on the experimental results and survey data,
PassMatrix is a novel and easy-to-use graphical pass- Prof.D.Srinivasulu has received
word authentication system, which can effectively B.Tech review degree in Computer
alleviate shoulder-surfing attacks. In addition, Science and Engineering from
PassMatrix can be ap-plied to any authentication K..L College of Engineering,
scenario and device with simple input and output Vijayawada and M.Tech in
capabilities. The survey data in the user study also Computer Science and
showed that PassMatrix is practical in the real world. Engineering from JNTUnversity,
Kukatpally,
Hydearbad.. Presently Pursuing Ph.D in Computer