International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com
Volume 2, Issue 11, November 2013
ISSN 2319 - 4847
Active Image Authentication System (AIAS):
Design, Implementation and Analysis
S.B.Nikam1, P.A.Jadhav2 and A.D.Kadam3
1
Asst.Professor, Computer Engineering Department, BVDUCOE, Pune-43(INDIA)
Asst.Professor, Information Technology Department, BVDUCOE, Pune-43(INDIA)
3
M.tech. scholar, Information Technology Department, BVDUCOE, Pune-43(INDIA)
2
Abstract
Providing a security to the information system is the necessity of today’s networking age. Authentication is one of the important
principal of security. Provision of the unique combination of username and password is the common way to authenticate the
system. A graphical based authentication mechanism had provided a strong alternative for knowledge based, biometric and token
based authentication mechanism. In this paper we have proposed new graphical based authentication mechanism. This Active
Image Authentication System (AIAS) provides a strong solution on guessing attack using random positioning of Active Points
(AP) with respect to time domain.
Keywords: Security, Authentication, Active Points (AP), Active Image Authentication System (AIAS).
1. INTRODUCTION
Security is the important issue for any information system. Information technology has reached in almost all areas.
Organizations such as governments, military, corporations, financial institutions, hospitals have to deal with the
confidential information about their employees, customers, products, research and financial status. Most of this
information is now collected, processed and stored on electronic computers and transmitted across networks to other
computers. So to access this information one has to authenticate himself. Importantly, security and usability are two main
measures for authentication schemes [3]. Basically authentication is carried out using different techniques like
Knowledge based, token based and biometric based [1] [2].
Knowledge based authentication technique requires to enter text or characters as the password but this technique is
vulnerable to dictionary search, social engineering etc. So to prevent from these one can use complex password but it may
be very difficult to remember. Token based authentication allows user to use an authentication token, which is a physical
device that gives an aid in authentication. Token based authentication reduces burden on human memory but it may be
stolen, forgotten or shared with unauthorized person.
Biometric based techniques authenticate human being through identification of human characteristics or traits. Mainly
behavioral (such as typing rhythm, voice) and physiological (such as fingerprint, face recognition, DNA, Palm print,
hand geometry, iris recognition, retina) characteristics have been used for describing human to authenticate. In biometric
systems, each stage is independent to transform the input and so sometimes due to poor quality of image, some of the
stages could not utilize the entire input data, which becomes the drawback of this system. For mitigating the flaws within
these traditional methods graphical based authentication schemes have been proposed to provide strong alternative for
knowledge based, token based & biometric authentication mechanism. And psychological studies also say that human
memory more tends to remember pictures rather than text.
2. LITERATURE SURVEY:
Security and usability problems cannot be fully addressed by the text based password mechanism but graphical based
passwords can provide the solutions in both of these aspects i.e. usability and security.
Graphical passwords have become an effective research area after introducing the concept of click based passwords by
Blonder [5]. His concept is mainly based on click points on predefined areas of image. And as this scheme forces user to
click on predefined areas this scheme is vulnerable to predictive attacks. Later Wiedenbeck et al. Proposed PassPoints.
Passpoints consists of passwords that could be composed of several points anywhere on an image [6].
Adrian Perrig, Dawn Song proposed a graphical password based scheme Déjà Vu, based on Hash Visualization algorithm
[7]. In this scheme large amount of pictures have to be stored at server side and may require transferring over the
network, which delays the authentication process. Also the process of selecting a set of picture from the database of
picture can be tedious and very time consuming.[9] Passfaces[8] is authentication scheme, which is based on
recognition. In this scheme user has to select set of faces. During login user is presented with the decoy of faces among
them user has to select faces from his preselected set of faces. But passface scheme is more vulnerable to predictive attack.
Volume 2, Issue 11, November 2013
Page 228
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com
Volume 2, Issue 11, November 2013
ISSN 2319 - 4847
Jansen et al. [10] introduced the graphical based authentication scheme as “picture password”. In this scheme user has to
select a theme at the time of password creation. The theme consists of thumbnails. Then the user then selects a sequence
of thumbnail photos as a password.
Oorshot proposed hybrid authentication approach called Two-Step [11]. This scheme is composed of two steps. In the first
step user has to enter text based password. If the text based password is correct then user is presented with an image
portfolio. User must correctly select the images which previously selected at the time of registration in each round of
graphical password verification. Although this scheme provides a security through the combination of text based and
graphical based schemes, it has put burden on for remembering text based password as well as image.
Chiasson et al. [14] have proposed the scheme of cued click points (CCP). User click on particular point per image for a
sequence of image and next image is based on previous click point as it is cued scheme. PCCP enhances CCP by adding
the persuasive features. PCCP encourages users to select less predictable passwords, and makes it more difficult to select
passwords where all click-points are hotspots [15]. Hotspots are areas of the image that have higher likelihood of being
selected by users as password click-points [16]. These both schemes consist of sequence of image which may put burden
on user memory to remember more click points.
3. AIAS TECHNIQUE
3.1 PROPOSED SYSTEM
Figure 1 shows the architecture of active image authentication system. Architecture mainly consists of following phases
Phase 1: User name verification
Phase 2: Click
Phase 3: Authentication token calculation
Phase 4: Authentication token matching
As user enters username and password, this combination of user name and password verified with the combination of
user name and password in the database through the user name verification phase.
Then user has to enter click points which serves as password. Time vector and click vector are generated after entering
the click points. Click vector is based on positions of clicks on image and time vector is nothing but the timestamp at
which click can be done on image.
Authentication token is calculated from time vector and click vector.
Then the authentication token will compare with the token which was already there in database. Token in the database
was stored at the time of registration. If the authentication token matches with the token in database then authentication
will be successful otherwise failure notification will generate
3.2 Caparison with existing work
AIAS provides different advantages over existing schemes like paassfaces, CCP, PCCP etc. we design authentication
mechanism based on calculation along with click points. Our system has following advantages over others
1. Authentication is not only based on sequence of successful consecutive clicks but it depends upon calculation of
accurate authentication token.
2. User have rights to select security precisions i.e. selection of security level by deciding tolerance of active points.
3. Due to dynamic click points it shows strong resistance to guessing, directory etc attacks.
Easy to operate & understand
Figure 1 Architecture of AIAS
Volume 2, Issue 11, November 2013
Page 229
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com
Volume 2, Issue 11, November 2013
ISSN 2319 - 4847
4. LAB STUDY & USABILITY REVIEW
Lab study is carried out for usability review of our system & it is according to ethics in psychological studies. We perform
this study to collect data for benchmarking & to find nature of our system as real world application. For this we select 20
participants, 10 with technical background & remaining are novices. In the series experiments we use mouse operated
screen instead of touch screen panel. We perform different experiments to get benchmarks for performance analysis.
Using experimental data different studies are carried out for
1. To collect baseline data for benchmarking.
2. To study memorability of participant with compare to other systems.
3. To find usability of our system as an application according to existing systems.
In this study we select following systems for benchmarking along with our system:
1. Text password
2. PCCP
Lab work is conducted in 2 phases:
Phase-I: Lab level study
Phase-II: Field / application level study
4.1 PHASE-I: LAB LEVEL STUDY
This phase is conducted in two stages at first we select 10 novice participants & 10 with technically computer background
to deal with 3 systems one by one as text password system, PCCP & AIAS in sequence. While dealing with each system
participant first have to complete registration & then login process 3 times for each system. In this phase environment is
controlled & experiments are carried out on standalone application.
4.1.1 Registration process
At First stage of experiment the registration process is carried out. In this process each participant has to choose 3
different usernames & for each username they need to set a password in each type authentication system.
Table 1 time analysis of Registration process for novice participants
Parameters
Type of authentication system(Registration process for novice participants)
Text based
PCCP
AIAS
No of trials
3
3
3
Avg. registration time
36
53
41
Avg. conformance time
21
32
28
Total process time
171
255
207
Above table 1 shows result of each type of system for registration process. Same procedure is repeated for another 10
participants those are technically computer background. Result of this provided in following table 2.
Table 2 time analysis of Registration process for technical participants
Parameters
Type of authentication system(Registration process for technical participants)
Text based
PCCP
AIAS
No of trials
3
3
3
Avg. registration time
30
42
36
Avg. conformance time
18
24
20
Total process time
144
198
168
4.1.2 Login process
The second stage of experiment is login process. In this process each participant tries to login using previously registered
usernames for each type authentication system. As in previous stage first novice users are trying to login then remaining
batch of 10 participants will try for it. Table 3 show time analysis of login process for novice participants
Volume 2, Issue 11, November 2013
Page 230
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com
Volume 2, Issue 11, November 2013
ISSN 2319 - 4847
Table 3 time analysis of login process for novice participants
Parameters
Type of authentication system(Login process for novice participants)
Text based
PCCP
AIAS
No of trials
3
3
3
Avg. login time
25
42
31
Total process time
75
126
93
Total no of faults occurred
during login
8
7
4
Data collected in this phase provide comparison between text based authentication & graphical based authentication with
respected to memorability overhead. As participants are from two broad categories like technical & novice it helps to
prove usability. Time analysis for login process for technical users is given in table 4.
Table 4 time analysis of login process for technical participants
Parameters
Type of authentication system(Login process for technical participants)
Text based
PCCP
AIAS
No of trials
3
3
3
Avg. login time
23
32
27
Total process time
69
96
81
Total no of faults occurred
during login
6
5
3
4.2
PHASE-II: FIELD/APPLICATION LEVEL STUDY
In the second phase of lab work we follow most of the steps in phase-I for both registration & login process. In this phase
we are going to interact users with considered authentication systems. But instead of dividing participants into to two
groups we consider them commonly. Two stages i.e. registration process & login process are objectives for participants.
For this phase we deploy our system as a part of web application. Each user needs to go through two processes i.e.
registration & login for 3 times using single a username.
4.2.1 Registration process
At this stage user will register using single username for each authentication system. We collect data to get idea about
time required for registration as well as participants performance. As all participants become familiar with all systems in
phase-I it reflects considerable progress in performance. Time analysis of registration process at field study is given
bellow in the table 5.
Table 5 Time analysis of Registration process at field study
Parameters
Type of authentication system(Registration process for novice participants)
Text based
PCCP
AIAS
No of trials
1
1
1
Avg. registration time
33
48
39
Avg. conformance time
20
33
24
Total process time
53
81
61
4.2.2 Login process
Participants are going to login using username & password combination acquired by them during registration process of
respective authentication system. Table no. shows performance of participants during login process in phase-II. Table 6
shows time analysis of login process during field study.
Volume 2, Issue 11, November 2013
Page 231
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com
Volume 2, Issue 11, November 2013
ISSN 2319 - 4847
Table 6 Time analysis of login process at field study
Type of authentication system(Login process for technical participants)
Parameters
Text based
PCCP
AIAS
No of trials
1
1
1
Avg. login time
24
37
29
Total process time
Total no of faults
occurred during login
24
37
29
7
6
3
5. RESULT ANALYSIS
Lab study has been conducted in two phases to analyze usability study of our system. In result analysis we are going to
analyze collected data with respect to two dimensions i.e. time required for interaction with each system & no of faults
occurred during lab work.
5.1 Timeline analysis
Time requires for registration or login is also important factor to decide usability of system. Any system is said to be
usable if it is user friendly & user can take considerable time span to interact with it. Important factor in lab study phase-I
is availability of two types of user i.e. novice & technical. They are focus us on whether the system is handy or not with
compare to another type of systems.
Figure 1 comparison of timeline analysis of novice participants (A) & technical participants in (B)
Above figure 1 show that time required to register novice participants (fig (A)) were more than that of technical
participants in fig (B). For text based system both participants took least time compare to others as to confirm password
they need enter text only. But compare PCCP both participants were took less time to register themselves in AIAS.
5.2 Fault analysis
No of faults occurred during lab study are also measuring parameter which reflect participants approach towards system.
Figure 2comparison of no of fault occurred during both phase of study by novice (A) & technical (B) users
Above figure 2 shows the number of trials along with the total number of faults. Fig (A) shows trial and the fault ratio for
novice participants and it shows that our system has come across less number of faults. Fig (B) shows trial and the fault
ratio for technical participants and figure clearly indicates superiority of AIAS over text based and PCCP.
Volume 2, Issue 11, November 2013
Page 232
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com
Volume 2, Issue 11, November 2013
ISSN 2319 - 4847
5.3 Success rate of AIAS over PCCP and Text based
We analyze our system by calculating success coefficient. We define the success coefficient mathematically as follows
S α Ts
and
S α 1/T
Where,
S is the success coefficient and
Ts is the number of successful trials
T is the number of fail trials
Success rate is mainly depends on two factors i.e. successful trial and fail trial. When a user tries to create a new account
and if he will get a success in creating that account then it is a successful trial otherwise a fail trial. So, by observing the
user behavior we analyze our system.
A password entry attempt was considered successful any time the entire correct password for an account was entered,
with no mistakes or restarts. We have considered 20 participants.
Create
Text
based
PCCP
AIAS
Table 7 Success rate comparison
Confirm
Login
18/20 (95%)
14/20(70%)
15/20 (75%)
17/20(85%)
18/20(95%)
15/20(75%)
16/20(80%)
16/20(80%)
17/20(85%)
Table 7 shows the comparisons of text based, CCP/PCCP and AIAS. We analyze our AIAS system by taking clicking
samples of participants. We observe their clicking points at various phases and calculate the success rate.
Creation rate of AIAS is 95% which is more superior to PCCP as our scheme contains only one active image instead of
sequence of image as that in the PCC/CCCP. Confirmation and login success rate of AIAS is 80% and 85% respectively
which is more than PCCP/CCP and text based. In text based scheme user has to remember texts or character so it can be
difficult to remember to remember because some percipients have created complex text password. So Confirmation and
login success rate of text based password is less than our system. And PCCP/CCP also involves sequence of image and
different click points which may enhance security but cannot attain satisfactory usability so due to this participant have
faced little difficulty during confirmation and login.
6. Conclusion:
Active image authentication system has attained both usability and security. We have conducted feasibility test of our
system and obtained satisfactory results. It proves AIAS is more user-friendly as it put fewer burdens on human memory
and along with that it is more secure as it involves active image and prevent from predictive attack. AIAS surely become
a best alternative against existing graphical password schemes. An important usability and security goal in authentication
systems is to help users’ select better passwords and thus increase the effective password space. We believe that users can
be persuaded to select stronger passwords through better user interface design. We obtained favorable results both for
usability and security.
References:
[1] Hafiz Zahid, Ullah Khan, “Comparative Study of Authentication Techniques,” International Journal of Video&
Image Processing and Network Security IJVIPNS-IJENS Vol: 10 No: 04
[2] Xiaoyuan Suo, Ying Zhu G., Scott. Owen “Grphical password: A survey”
[3] Yuxin Meng, “Designing click-draw based graphical password scheme for better authentication”, IEEE seventh
International conference on networking, networking and storage 2012
[4] Sonia Chiasson, Alain Forget, Robert Biddle, P.C. van Oorschot, “Influencing Users Towards Better Passwords:
Persuasive Cued Click-Points” British computer society
[5] Blonder, G. (1996), Graphical password, 5.559.961, available at: http://www.patentstorm.us/ Patents/5559961.html
[6] Wiedenbeck, S., Waters, J., Birget, J.-C., Brodskiy, A. and Memon, N. (2005), 'PassPoints: design and longitudinal
evaluation of a graphical
[7] A.Perrig and D.Song, “Hash Visualization: A New Technique to improve Real-World Security”. In International
Workshop on Cryptographic Techniques and E-Commerce, pages 131--138, 1999.
[8] Passfaces
Corporation,
“The
science
behind
Passfaces,”
White
paper,
http://www.passfaces.com/enterprise/resources/white papers.htm, accessed July 2009
[9] Wazir Zada Khan, Mohammed Y Aalsalem, Yang Xiang, “ A Graphical Password Based System for Small Mobile
Devices” International Journal of Computer Science Issues, Vol. 8, Issue 5, No 2, September 2011
Volume 2, Issue 11, November 2013
Page 233
International Journal of Application or Innovation in Engineering & Management (IJAIEM)
Web Site: www.ijaiem.org Email: editor@ijaiem.org, editorijaiem@gmail.com
Volume 2, Issue 11, November 2013
ISSN 2319 - 4847
[10] JANSEN, W., GAVRILA, S., KOROLEV, V., AYERS, R., AND SWANSTROM, R. 2003, “Picture Password: A
Visual Login Technique for Mobile Devices”, NIST Report - NISTIR7030
[11] Oorschot, P. C. V., Wan, T. (2009), TwoStep: An AuthenticationMethod Combining Text and Graphical Passwords.
4th InternationalConference, MCETECH
[12] R. N. Shepard, "Recognition memory for words, sentences, and pictures," Journal of
Verbal Learning and Verbal
Behavior, vol. 6, pp. 156-163, 1967.
[13] Partha Pratim Ray, “Ray’s Scheme: Graphical Password Based Hybrid Authentication System for Smart Hand Held
Devices” Journal of Information Engineering and Applications www.iiste.org ISSN 2224-5782 (print) ISSN 22250506 (online)Vol 2, No.2, 2012
[14] Sonia Chiasson, P.C. van Oorschot, Robert Biddle, “Graphical Password Authentication Using Cued Click Points”
ESORICS 2007, LNCS 4734, pp.359-374, 2007.
[15] Sonia Chiasson, Elizabeth Stobert, Alain Forget, Robert Biddle, Paul C. van Oorschot “Persuasive Cued ClickPoints: Design, Implementation, and Evaluation of a Knowledge-Based Authentication Mechanism” IEEE
TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 9, NO. 2, MARCH/APRIL 2012
[16] J. Thorpe and P.C. van Oorschot, “Human-Seeded Attacks and Exploiting Hot-Spots in Graphical Passwords,” Proc.
16th USENIX Security Symp., Aug. 2007.
Volume 2, Issue 11, November 2013
Page 234