International Journal of Engineering Trends and Technology (IJETT) – Volume 9 Number 10 - Mar 2014

Multifactor Graphical Password Authentication System using Sound Signature and Handheld Device

Jyoti Rao*1, Kishan Mistry#2, Bhumika Mistry#3, Divya Malviya#4, Devesh Gudway#5
# Student, Department of Computer Engineering, Padmashree Dr. D. Y. Patil Institute of Engineering & Technology, Pimpri, Pune, Maharashtra, India.
* Faculty, Department of Computer Engineering, Padmashree Dr. D. Y. Patil Institute of Engineering & Technology, Pimpri, Pune, Maharashtra, India.

Abstract— Every system uses text passwords, but they provide poor security. Graphical passwords, on the other hand, provide greater security and are easy to remember. In this paper we present various authentication schemes using graphical passwords. These provide a potential solution to the flaws of text as well as graphical passwords. In this system we present two modes of graphical password authentication, i.e. offline and online. The offline mode consists of a graphical password integrated with a sound signature, whereas the online mode focuses on a Cued Click Point (CCP) based pattern using encryption and decryption.

Keywords— Security, Authentication, Sound signature, Graphical password, CCP, handheld devices.

I. INTRODUCTION

Traditional authentication systems use text passwords, which consist of a username and a password. These passwords fail to provide the desired level of security. Once a text password is chosen and learned, the user must be able to recall it at the time of login, which makes such passwords hard to remember. Moreover, if we keep changing our password frequently it is more likely to be forgotten [6]. To reduce brute force attacks the user should select long passwords which include characters as well as numbers, which makes them all the more difficult to remember. Text passwords carry the risks of shoulder surfing, hidden cameras and spyware attacks. They are also prone to dictionary attacks and keyboard sniffers. Thus they are not very reliable, and for greater security we can use graphical passwords.

A number of graphical password systems have been developed. Studies show that text based passwords suffer from both security and usability problems. "According to the Picture Superiority Effect Theory, concepts are more likely to be recognized and remembered if they are presented as pictures rather than words." [2]. A graphical password is an image that is uploaded by the user or provided by the server [3]. The user has to click on various points on the image, which leads to successful authentication. The user enters the password by clicking on a set of images, on specific pixels of an image, or by drawing a secret pattern in a predefined manner. A click based graphical password scheme called Cued Click Points uses a sequence of images in which the user can select one click point per image or multiple points on a single image. These click points can either be selected by the user or generated randomly by a server at the time of registration. At the time of logging in, the click points selected by the user are verified against the points provided by the user at the time of registration or those provided by the server. If the number of possible pictures is made very large, the scheme offers better resistance to dictionary attacks. It is also difficult to mount automated attacks against graphical passwords. Thus graphical passwords presumably offer higher usability compared to text based passwords. However, in graphical password schemes with predefined tap regions on one image, the user forms a password by clicking on these regions in a specific order. Such a scheme is vulnerable to shoulder surfing and suffers from having a predetermined and very small password space. Visual attention research shows that different people are attracted to the same predictable regions in an image. These regions are known as hotspots. If users select their own click-based graphical passwords without guidance, the presence of hotspots will remain an issue.

In order to overcome these drawbacks of text as well as graphical passwords, we integrate our system with a universal multifactor authentication scheme. Multi-factor authentication is a way of authentication in which two or more independent factors are used as part of the user's credentials. Multi-factor authentication is accomplished in our system by combining graphical passwords with another factor. This factor can be a smart card, USB token, handheld device or one-time password token. In our system the other factor is provided using a sound signature in offline mode and using encryption-decryption in online mode, both implemented on a handheld device. Having two or more factors strengthens but also complicates the authentication process.

The rest of the paper is organized as follows: Section II describes the various graphical password based systems that have already been implemented. Section III describes our system architecture and the methodology that we are going to use. Section IV describes the algorithmic steps for the proposed methodology, and finally we discuss the future scope of the project and conclude in Section V.

II. RELATED WORK

Many systems have been implemented that use graphical passwords. The best known of these are Passfaces, click based graphical passwords, the Pass-Point system and persuasive click point systems. Blonder proposed a graphical authentication scheme called graphical password, based on cued recall. In this scheme the user creates a password by clicking on several locations on an image, which are stored in the database. The user must click on the approximate areas of these locations for authentication [4].
Susan Wiedenbeck proposed an enhanced graphical authentication system called Pass-Points [3]. This idea is based on the selection of a sequence of multiple click points on a single image as the password. At the time of authentication the image is displayed on the screen by the system. The user needs to click on several previously chosen locations in the single image to log in. Any pixel in the image is a candidate for a click point. The problem with this scheme is that the number of predefined regions is small, perhaps a few dozen in a picture, leading to hotspots and pattern formation attacks. The password may have to have 12 click points for sufficient security, thereby making it difficult for the user to remember.

Cued Click Points (CCP) is an alternative to Pass-Points proposed by Sonia et al., designed to reduce patterns and the usefulness of hotspots [5]. In CCP, the user clicks one point each on multiple images rather than multiple points on a single image. It offers cued recall and introduces visual cues that instantly alert valid users if they have made a mistake when entering the latest click point (at which point they can cancel their attempt and retry from the beginning). Hotspot based attacks become more challenging. Each click results in showing the next image, thus leading users down a "path" as they click on their sequence of points. A wrong click results in an incorrect path, with an explicit indication of authentication failure only after the final click.

Real User Corporation developed a graphical authentication technique called Passfaces, in which a user logs onto a system by choosing the required number of faces from a grid of faces, thus providing additional security over a general text based password system. This technique is based on humans' ability to recognize human faces [4]. R. Dhamija and A. Perrig pointed out a major authentication problem, i.e., users tend to have difficulty remembering secure passwords. In order to overcome this problem, they suggested a solution called Déjà vu, in which the user has to select a particular number of images from a set of random pictures called the challenge set. At the time of validation the user has to identify the preselected images. Another approach, known as the Drawmetric password scheme, requires the user to draw a simple outline of the password at the time of registration; to be authenticated, a similar drawing must be redrawn by the user [6]. Cognometric authentication is another approach in which the user has to identify a series of recognized images among a larger set of decoy images [4]. Jermyn introduced an authentication technique called Draw A Secret (D-A-S), which is basically intended for devices with stylus inputs such as Personal Digital Assistants (PDAs). Here, the user draws a secret drawing (password) on a 2D grid. The co-ordinates of this drawing on the grid are stored in order, and the system verifies the drawing by checking the directions of the drawn strokes on the grid [6].

III. PROPOSED METHODOLOGY

A. System Architecture:

1) Offline mode: In the offline mode, we have integrated a sound signature along with the graphical password. The multifactor authentication scheme here includes click points and a handheld device. The idea of the sound signature is inspired by the human ability to recall objects by listening to a sound related to that particular object. The offline mode consists of basically 3 modules, i.e. the Registration, Login and Verification modules. The Registration module registers the user along with their details. These details comprise a unique user-id (UID), precision value, e-mail address and phone number. The registration process proceeds further by allowing the user to select images, their respective click points and a sound signature. Selection of an image can either be done using the handheld device's in-built camera or using the ones that are already present on the device.
The user can select any click point on the image. Similar to images, selection of the sound signature can either be done by choosing one of the already present sounds or by recording one's own voice that helps in recalling the object. Once done, the user clicks on the sign up button, thus generating a user profile vector which is stored in the database. The profile vector consists of:

User vector (UID, precision, e-mail, phone number)
Image vector (UID, image-id)
Click point vector (UID, image-id, click point co-ordinates (x, y))

The precision value is used to draw a circle around the click point, which provides a tolerance region in which the user is allowed to click at the time of login.

In Login mode, we first enter the user id, which, if found, retrieves the respective set of images and the related sound signature from the database. Once the images and the audio are loaded, the user needs to select the click point on each of the images. The sound helps to remember click points (in case the user forgets the click point on a particular image). At this moment, a login vector is created. The login vector comprises the click points selected by the user during the login phase. Once the user selects all the click points, he/she clicks on the validate button in order to verify the click points. This module compares the click points registered in the database with the ones in the login vector. A successful login indicates an exact match of click points.

Fig. 1 System Flowchart for Offline mode.

2) Online mode: In this approach, we use a handheld device that acts as a terminal, and a server (or challenger), which is a typical online web service provider. The server controls the storage and retrieval of data and the sending of images to the handheld device. This mode also includes 3 modules, namely the same as in the offline mode.
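As an added illustration of the offline-mode verification described above (the precision value drawn as a tolerance circle around each registered click point, and the per-image comparison of steps 3.3.4 and 3.3.5 of the algorithm), here is example code that is not part of the paper or of its implementation. The profile vector, the image identifiers, the co-ordinates and the precision value of 15 pixels are constructed sample data; the ApproxRegions estimate is an assumption added here to show the usability-versus-password-space trade-off that the precision value controls, not a figure from the paper.

```go
package main

import (
	"fmt"
	"math"
)

// ClickPoint is one entry of the click-point vector (UID, image-id, x, y)
// that the registration module stores; the UID is carried by the profile.
type ClickPoint struct {
	ImageID string
	X, Y    float64
}

// Profile is the user profile vector: the user vector (UID, precision, e-mail,
// phone number) plus one registered click point per image, in login order.
type Profile struct {
	UID       string
	Precision float64 // radius of the tolerance circle around each click point
	Email     string
	Phone     string
	Clicks    []ClickPoint
}

// WithinPrecision is the tolerance test: the login click must be on the same
// image and inside the circle of radius precision around the registered point.
func WithinPrecision(registered, login ClickPoint, precision float64) bool {
	return registered.ImageID == login.ImageID &&
		math.Hypot(registered.X-login.X, registered.Y-login.Y) <= precision
}

// VerifyOffline is steps 3.3.4 and 3.3.5: every image's login click must pass
// the tolerance test. All images are checked before answering so the time to
// reject does not reveal which image the attempt failed on.
func VerifyOffline(p Profile, login []ClickPoint) bool {
	if len(login) != len(p.Clicks) {
		return false
	}
	ok := true
	for i, reg := range p.Clicks {
		if !WithinPrecision(reg, login[i], p.Precision) {
			ok = false
		}
	}
	return ok
}

// ApproxRegions estimates how many distinguishable click regions an image of
// the given size offers at a given precision radius: a larger radius is
// friendlier to the user but shrinks the password space (regions^images).
// Rough area-ratio estimate added here, not a figure from the paper.
func ApproxRegions(width, height, precision float64) float64 {
	return math.Floor(width * height / (math.Pi * precision * precision))
}

// SampleProfile is a constructed profile vector for the demo, not from the paper.
func SampleProfile() Profile {
	return Profile{
		UID: "u1001", Precision: 15, Email: "user@example.com", Phone: "+00-000-000000",
		Clicks: []ClickPoint{
			{ImageID: "img-beach", X: 120, Y: 88},
			{ImageID: "img-car", X: 310, Y: 205},
			{ImageID: "img-dog", X: 45, Y: 260},
		},
	}
}

func main() {
	p := SampleProfile()
	// Constructed login vectors: the first lands inside the tolerance circle on
	// every image; the second misses the third image by more than 15 pixels.
	good := []ClickPoint{{"img-beach", 126, 80}, {"img-car", 300, 210}, {"img-dog", 50, 252}}
	bad := []ClickPoint{{"img-beach", 126, 80}, {"img-car", 300, 210}, {"img-dog", 80, 260}}
	fmt.Println("good login:", VerifyOffline(p, good))                    // true
	fmt.Println("bad login:", VerifyOffline(p, bad))                      // false
	fmt.Println("regions per 640x480 image:", ApproxRegions(640, 480, 15)) // 434
}
```

Two consequences of the tolerance circle are worth noting for anyone deploying the offline mode. Because the comparison needs the registered co-ordinates in the clear, the click-point vector cannot be stored as a salted hash the way a text password can, so the database on the device is itself a secret that must be protected. And the precision value directly sets the password space: at 15 pixels a 640x480 image offers roughly 434 distinguishable regions, so three images give about 434^3, some 8 x 10^7 candidates, comparable to a five-character password over lowercase letters and digits (36^5, about 6 x 10^7).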
The first screen (in the Registration module) on the terminal asks the user for a unique user id, precision value, email address and phone number. In the next step the user selects the number of desired click points. Along with that, the user also needs to choose the sequence of click points which he/she will have to remember in order to log into the system. Thus a user profile is generated and sent to the server.

Fig 2. System Flowchart for Online mode

At the time of login, the user needs to enter the registered user id on the terminal side. The terminal sends a request to the server to generate an image with a number of click points on it. The server accepts the request, generates random click points on the image and sends the encrypted image to the handheld device. AES, i.e. the Advanced Encryption Standard, is used for encryption. The encrypted image, now received on the terminal, is decrypted. The user now needs to select the click points in the same sequence which he/she had selected during the registration phase. The image provided by the server will have a number of click points, each numbered with a single digit. The position of the click points will change every time the server responds to a request; however, the sequence of click points is the main key to logging into the system. The additional click points are added just to confuse an unauthorized user. The verification module verifies the sequence of click points entered at the time of login against the one given at the time of registration. An exact match of the sequence leads to a successful login.

IV. ALGORITHM

1. Start.
2. Select mode, i.e. online or offline mode.
3. If the mode selected is offline:
   3.1. Select operation, i.e. Registration or Login.
   3.2. If the operation is Registration:
      3.2.1. Enter user id, precision value, email id and phone number.
      3.2.2. Select an image from the device gallery or using the camera.
      3.2.3. Select a click point and sound signature for that image.
      3.2.4. To add more images go to step 3.2.2, else go to step 3.2.5.
      3.2.5. Create the user profile vector.
      3.2.6. Store the user profile vector in the database.
   3.3. If the operation is Login:
      3.3.1. Enter the user-id to fetch the images and sound signatures from the database.
      3.3.2. Play the sound signature.
      3.3.3. Select the click point.
      3.3.4. Compare the click point, including the precision value, with the one stored in the database for each image.
      3.3.5. If valid for all images, login is successful, else failure.
4. If the mode selected is online:
   4.1. Select operation, i.e. Login or Registration.
   4.2. If the operation selected is Registration:
      4.2.1. Enter user id, email id, phone number and the number of click points.
      4.2.2. Enter a sequence for the clicks.
      4.2.3. Create the user profile vector.
      4.2.4. Store it in the database at the server.
   4.3. If the operation selected is Login:
      4.3.1. Enter the user id to request the server to send a random image.
      4.3.2. The server selects a random image, creates random positions for the numbered click points and sends it to the user's handheld device.
      4.3.3. The user clicks on the image according to his sequence.
      4.3.4. The sequence is sent to the server.
      4.3.5. The server verifies the sequence.
      4.3.6. If the sequence matches, login is successful, else failure.
5. Stop.

V. RESULT

Graphical passwords where the click points are randomly generated, on the other hand, avoid shoulder surfing and dictionary attacks. Guessing of passwords in both cases is difficult. Since we are using an encryption technique (AES) for transmission over the network, brute force attacks are avoided.

VI. CONCLUSION AND FUTURE SCOPE

Text based authentication schemes face usability and security issues even though they are the most commonly used technique worldwide.
Graphical passwords are easier to remember than text based passwords, but even the existing graphical password authentication systems have major drawbacks. In this paper, we propose a new graphical password system that overcomes difficulties like hotspot prediction, shoulder surfing and dictionary attacks. The system combines graphical passwords with a handheld device and a sound signature to form a multifactor authentication system. The generation of random click points in the online mode prevents shoulder surfing as well as dictionary attacks. Storing the images at the server provides better security compared to the offline mode. The graphical password scheme used along with a sound signature provides a better recall based security system compared to pure text passwords or pure graphical passwords.

The scope of the project can be further improved by using various techniques like Sudoku. The passwords can be changed every minute, thus freeing the user from remembering passwords. The user does not have to register on each and every website. Passwords are automatically generated and changed every time the user has to log in.

REFERENCES

[1] S. Singh and G. Agarwal, "Integration of Sound Signature in Graphical Password Authentication System", IJCA, January 2011.
[2] A. P. Sabzevar and A. Stavrou, "Universal Multifactor Authentication System using Graphical Password".
[3] S. K. Bandyopadhyay, D. Bhattacharyya and P. Das, "User Authentication by Secured Graphical Password Implementation", IEICE, 2008.
[4] S. Malempati and S. Mogalla, "Grid Based Approach for Data Confidentiality", IJCA, July 2011.
[5] V. Priya darshini, A. Gomathi and N. Saravanaselvam, "A Novel Based Multilevel Graphical Authentication System", IJARCCE, Vol. 2, September 2013.
[6] T. Srinivasa Ravikiran, K. V. S. Rao, M. K. Rao and A. Srisaila, "A Symbol Based Graphical Schema Resistant to Peeping Attack", IJCSI, Vol. 10, September 2013.
[7] I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter and A. D. Rubin, "Design and Analysis of Graphical Password", The USENIX Association.
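The online-mode exchange of Section III.A.2 and steps 4.3.1 to 4.3.6 of Section IV, as an added worked example that is not the paper's own code: the server places the ten numbered click points at fresh random positions, encrypts the challenge before sending it to the handheld device, the device maps the user's taps to digit labels and returns only those labels, and the server compares the label sequence with the one chosen at registration (step 4.2.2). The paper specifies AES but neither a mode nor how the key reaches the device; AES-256-GCM, a pre-shared per-device key, a JSON list of numbered points standing in for the image bitmap, the 640x480 canvas and the sample sequence 2-7-4 are all assumptions made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"math/big"
)

// LabelledPoint is one numbered click point; Label is the single digit drawn beside it.
type LabelledPoint struct{ Label byte; X, Y int }

// NewChallenge is the server side of step 4.3.2: digits 0-9 get fresh CSPRNG positions
// on every request, so the memorised digit order is the only stable secret and the
// digits outside it act as decoys.
func NewChallenge(width, height int) ([]LabelledPoint, error) {
	var points []LabelledPoint
	for label := byte(0); label <= 9; label++ {
		x, errX := rand.Int(rand.Reader, big.NewInt(int64(width)))
		y, errY := rand.Int(rand.Reader, big.NewInt(int64(height)))
		if errX != nil || errY != nil {
			return nil, fmt.Errorf("csprng failure")
		}
		points = append(points, LabelledPoint{Label: label, X: int(x.Int64()), Y: int(y.Int64())})
	}
	return points, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealChallenge encrypts and authenticates the challenge under the key shared with the
// device; the random nonce is prepended. Assumption: the numbered points travel as JSON
// here, where the paper sends an image; the AES call is the same for a bitmap.
func SealChallenge(key []byte, points []LabelledPoint) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	plain, _ := json.Marshal(points) // cannot fail for this plain struct
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// OpenChallenge is the device side: a payload that fails GCM authentication is
// rejected instead of being shown to the user.
func OpenChallenge(key, box []byte) ([]LabelledPoint, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(box) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad key or truncated ciphertext")
	}
	plain, err := gcm.Open(nil, box[:gcm.NonceSize()], box[gcm.NonceSize():], nil)
	if err != nil {
		return nil, err
	}
	var points []LabelledPoint
	err = json.Unmarshal(plain, &points)
	return points, err
}

// ClicksToSequence is step 4.3.3: each tap becomes the label of the nearest numbered
// point; only the labels, never the co-ordinates, go back to the server.
func ClicksToSequence(points []LabelledPoint, taps [][2]int) []byte {
	seq := make([]byte, len(taps))
	for i, t := range taps {
		bestD := -1
		for _, p := range points {
			dx, dy := p.X-t[0], p.Y-t[1]
			if d := dx*dx + dy*dy; bestD < 0 || d < bestD {
				seq[i], bestD = p.Label, d
			}
		}
	}
	return seq
}

// VerifySequence is steps 4.3.5 and 4.3.6: a constant-time comparison with the
// sequence stored at registration, so timing cannot leak a matching prefix.
func VerifySequence(registered, got []byte) bool {
	return len(registered) == len(got) && subtle.ConstantTimeCompare(registered, got) == 1
}

func main() {
	key, registered := make([]byte, 32), []byte{2, 7, 4} // constructed demo key and sequence
	points, _ := NewChallenge(640, 480)
	box, _ := SealChallenge(key, points)
	dev, _ := OpenChallenge(key, box)
	taps := [][2]int{{dev[2].X, dev[2].Y}, {dev[7].X, dev[7].Y}, {dev[4].X, dev[4].Y}} // user taps 2, 7, 4
	fmt.Println("login ok:", VerifySequence(registered, ClicksToSequence(dev, taps)))
}
```

Two points a practitioner should take from this. The randomised positions only defeat an observer if the label sequence is never exposed in transit and a captured challenge cannot be replayed, which is what the authenticated encryption and the per-request nonce provide; encryption does not, however, shrink the guessing space, which for an n-digit sequence over ten labels is 10^n, so the server still needs rate limiting on failed attempts. And the nearest-point mapping is ambiguous when two digits land close together, so a production server should enforce a minimum spacing when placing the points.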