A New Multi Level Access Control System based on Face Recognition System and Graphical Password

K. R. Singh (1), R. S. Khedgaonkar (2)
(1,2) Computer Technology Department, Y.C.C.E, Nagpur, 441110, India.
(1) singhkavita19@yahoo.co.in, (2) roshni.k86@gmail.com

Abstract -- Authentication and authorization are two different aspects of access control systems. In this paper we present a novel multi level access control system. The proposed system uses a face recognition system as the biometric for authentication at the first level and a graphical password for authorization at the second level. The advantage of the proposed system is twofold: first, it overcomes the flaw of a face recognition system used alone, namely that anyone can log in with a photo of the person; second, it completely overcomes the shoulder surfing problem of graphical passwords.

Keywords: Access control system, face recognition system, graphical password, shoulder surfing.

I. INTRODUCTION

Security is the degree of protection that safeguards a nation in general, or a person, against danger or loss of data. Security is generally provided through different types of access control systems. Authentication and authorization are two different aspects of access control systems. Authentication is the mechanism whereby systems securely identify their users. Briefly, authentication systems answer the questions: 1) who is the user? 2) is the user really who he/she claims to be? Authorization, by contrast, is the mechanism by which a system determines what level of access a particular authenticated user should have to the secured resources controlled by the system. Authorization systems answer the questions: 1) is user X authorized to access resource R? 2) is user X authorized to perform operation P? and 3) is user X authorized to perform operation P on resource R?
Authentication and authorization are tightly coupled mechanisms: authorization systems depend on secure authentication systems to ensure that users are who they claim to be, and thus to prevent unauthorized users from gaining access to secured resources. Access to an authenticated system can be achieved through various means such as text based passwords [20], graphical passwords [21, 22] and biometrics [23, 24]. Text based passwords are difficult to remember and easy to crack. Therefore, to overcome the drawbacks of text based passwords, different biometrics and graphical passwords have been designed. Graphical passwords [21, 22] are more memorable and easier for people to use and, therefore, more secure. A new and more secure graphical password system, called PassPoints, has been proposed in [21]. In addition to these two approaches, biometrics is the most commonly used authentication mechanism in day to day life. The most commonly used biometric is the face recognition system [24]. In face recognition, a person just has to stand in front of a camera in order to get authenticated. A face is a physiological characteristic which cannot be hacked or given to others. However, as reported in [24], these techniques are useful but in some situations fail to perform. Moreover, according to the report [19], a device that used facial recognition authentication software was broken into just by holding it up to the user's photo. Thus we can see the failure of single level authentication systems. Designing a secure as well as user-friendly password-based method has attracted security researchers for a long time. Therefore, the goal of the proposed hybrid approach is to exploit the strengths of graphical passwords and biometrics to build a multi level authentication system that can serve as a robust access control system for the authentication and authorization process.
In this paper we propose a new technique of authentication that combines a graphical password and face recognition in order to make the system, and its confidential data, more secure. The proposed approach is a multilevel security system: at the authentication level we propose to use face recognition, and at the authorization level we propose a graphical password technique. The rest of the paper is organized as follows: Section I gives a brief introduction; Section II presents a literature survey; Section III gives an overview of three different techniques of authentication; Section IV presents the proposed system, followed by the conclusion in Section V.

II. LITERATURE SURVEY

Authentication and authorization are the two basic ways of access control. These two methods commonly guarantee access control at the first boundary of the system, ensuring the identity of the user before the resources of the system are accessed. The most common way to authenticate the user is through alphanumeric passwords [1]. Studies have shown that users tend to pick short passwords or passwords that are easy to remember [4]. Unfortunately, such passwords can be easily guessed or broken. Thus, choosing a text password means finding a balance between easy-to-remember and easy-to-break passwords. To address the problems with alphanumeric password authentication, graphical passwords can be used as an alternative to text ones. They are based on the human ability to remember visual images better than text [2, 3]. Thus in a graphical password as described by Blonder [7], a user needs to choose memorable locations in an image. Choosing memorable locations depends on the nature of the image itself and on the specific sequence of click locations. To support memorability, images should have semantically meaningful content, because memory for arbitrary things is poor [8].
In the same direction, Dhamija and Perrig [9] proposed a graphical authentication scheme based on the Hash Visualization technique [10]. The weakness of this system is that the server needs to store the seeds of the portfolio images of each user in plain text. Also, the process of selecting a set of pictures from the picture database can be tedious and time consuming for the user. The limitations of the approach in [9] were overcome by Akula and Devisetty's algorithm [11], based on the hash function SHA-1, which requires less memory. Sobrado and Birget [12] developed a graphical password technique that deals with the shoulder-surfing problem. Man et al. [13] proposed another shoulder-surfing resistant algorithm. Hong et al. [14] later extended this approach to allow users to assign their own codes to pass-object variants. In addition, Jansen et al. [15, 16, 17] proposed a graphical password mechanism for mobile devices. Takada and Koike discussed a similar graphical password technique for mobile devices, which allows users to use their favorite images for authentication [18]. Although graphical password schemes have been proposed as a possible alternative to text-based schemes, they still suffer from shoulder surfing. Knowledge based techniques, which include both text-based and picture-based passwords, are the most widely used authentication techniques; to overcome their problems, biometrics are used [5, 6, 23, 24]. Generally, biometric based authentication techniques [23, 24], such as fingerprints, iris scan or facial recognition, although expensive, provide the highest level of security. Thus we have seen that every approach has its own advantages and disadvantages. Therefore, the goal of the proposed hybrid approach is to exploit the strengths of graphical passwords and biometrics to build a more robust access control system for the authentication and authorization process.

III. OVERVIEW OF METHODS USED FOR ACCESS CONTROL SYSTEM

In this section we briefly discuss text passwords, graphical passwords and biometrics, along with their advantages and disadvantages.

A. Password

Text passwords are generally alphanumeric passwords. An alphanumeric password is simply a string of letters and digits. These passwords only offer good security as long as they are complicated enough that they cannot be cracked easily. Although alphanumeric passwords are very easy to use, they have some disadvantages: human long term memory [20], decay and interference [20], and dictionary attack [20]. Human long term memory is a problem when users use one password for all systems, or trivial variations of a single password, to ease long term recall. Secondly, users have many passwords for computers, networks and web sites. The large number of passwords increases interference and is likely to lead to forgetting or confusing passwords: items in memory may compete with a password and prevent its accurate recall. Lastly, another drawback is the dictionary attack. Because of the difficulty of remembering random strings of characters, most users tend to choose a common word or a name. Unfortunately, there are several tools that allow an individual to crack passwords by automatically testing all the words that occur in dictionaries or public directories. This attack will usually not uncover the password of a predetermined user.

B. Graphical password

Having seen the weaknesses of text based passwords, many approaches have been proposed that use graphics to provide a more secure and usable alternative. Based on studies showing that the human brain is better at recalling images than text, graphical passwords are intended to solve the memory burden and the small password space problem of text passwords. In addition, they are also more resistant to brute-force attacks, since the search space is practically infinite.
If a graphical password is used for authentication, the user is shown the registered picture, as in fig 1. Next the user has to correctly pick the points of interest, as in fig 2. The main idea of the first type of graphical password is that the user has to choose a background picture from the given library of images, or upload a picture that satisfies the method's restrictions, as in fig 3. After that the user must define control points on the current image. The sequence of these points is the user's password. During the authentication process the user has to repeat the clicks on all the points in the right sequence (a permissible deviation around each point is allowed, because it is almost impossible for a person to click in exactly the same position every time during authentication) [22].

In the second type of graphical password, the user has to choose some number of images from a given set; sometimes it is possible to upload one's own picture. Usually these are pictures of people of different ages, sexes and nationalities, as in fig 4. The chosen ones are the user's password, and during the authentication process the user "types" the password by clicking on the previously chosen images [22].

The last type of graphical password is the same as the previous one; the only difference is at the authentication step. Instead of showing only one "right" image on the screen, the system displays 3 or 4 of them. The user mentally forms the triangle or square with a password picture at each vertex and clicks on any image inside this figure, as in fig 5. Only after a few repetitions is the system able to identify the user correctly. This method is called the triangle scheme [21].

Fig 1. Login Screen
Fig 2. An example of creating a graphical password using the proposed system.
Fig 3. POIs on large image [22]
Fig 4. Passfaces used in authentication [21]
Fig 5. Triangular scheme password [21]

All three types of graphical password discussed above are advantageous in respect of 1) usability, 2) security, 3) being difficult to tell, and 4) the balance between usability and security. From the usability point of view a graphical password is preferable for users, because a combination of images is easier to remember and reproduce than a combination of letters and digits. Another benefit of a graphical password is alphabet independence. The second advantage of the graphical scheme is its infeasibility to dictionary attacks, so it is more secure. Next, the POIs are difficult to tell to any person, especially by phone, and cannot easily be sent through email, so they are more secure. Another advantage is that images are easier to remember than text passwords; the user can choose any image from a collection or register his/her own images. Generally, choosing images does not lead to dictionary or brute force attacks. Thus it maintains a perfect balance between usability and security [21, 22]. However, apart from the above advantages, graphical passwords suffer from a limitation, and this limitation originates from the usability advantage itself. Because it is easy for humans to remember visual images, the possibility of a "shoulder-surfing" attack increases. This usability has a double effect: on one side it becomes easy for the average user to remember the password; on the other side a criminal can easily remember the whole combination of images, or areas on the image, by standing behind the user.

C. Biometrics

Generally, when either a physiological or a behavioral characteristic of a human is used to distinguish one person from another, that is called biometrics. Examples of biometrics are iris, retina, fingerprint, face recognition etc. [23]. Biometrics offer advantages in many ways: biometric traits cannot be lost or forgotten, and they are difficult to copy, share and distribute.
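Returning to the graphical passwords of Section III.B, the two verification rules described there, the permissible deviation around each click point of the first type and the "click inside the triangle" test of the triangle scheme, as an added example written for this edit (not code from the paper or from the Passfaces or Rutgers schemes it cites); the coordinates and the 10 pixel tolerance are constructed values:

```python
"""Added example (not from the paper): verification for two of the graphical
password types of Section III.B.  Type 1: an ordered sequence of click points
on an image, accepted within a permissible deviation.  Triangle scheme: the
user clicks any icon lying inside the triangle formed by the three displayed
pass-images.  Coordinates and the tolerance are constructed values."""
import math
from typing import Sequence, Tuple

Point = Tuple[float, float]


def verify_click_points(registered: Sequence[Point], clicks: Sequence[Point],
                        tolerance: float) -> bool:
    """Accept only if the number of clicks matches and every click lies within
    `tolerance` pixels of the registered point at the same position, so both
    the locations and their order must be right."""
    if len(clicks) != len(registered):
        return False
    return all(math.dist(r, c) <= tolerance for r, c in zip(registered, clicks))


def _cross(o: Point, a: Point, b: Point) -> float:
    """z component of (a - o) x (b - o); its sign tells which side of the
    directed line o->a the point b lies on."""
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])


def inside_triangle(p: Point, tri: Sequence[Point]) -> bool:
    """p is inside (or on the boundary of) the triangle when it is never on
    strictly opposite sides of two of the edges."""
    a, b, c = tri
    d = (_cross(a, b, p), _cross(b, c, p), _cross(c, a, p))
    has_neg = any(v < 0 for v in d)
    has_pos = any(v > 0 for v in d)
    return not (has_neg and has_pos)


def verify_triangle_login(rounds: Sequence[Tuple[Sequence[Point], Point]]) -> bool:
    """Triangle scheme over several rounds: each round gives the screen
    positions of the user's three pass-images and the icon that was clicked;
    accept only if every round's click lies inside the pass-image triangle."""
    return bool(rounds) and all(inside_triangle(click, tri) for tri, click in rounds)


# Constructed sample data: three registered click points, 10 px tolerance.
REGISTERED = [(120.0, 80.0), (300.0, 210.0), (45.0, 400.0)]
TOLERANCE = 10.0

if __name__ == "__main__":
    # slightly off but within tolerance -> accepted
    print(verify_click_points(REGISTERED, [(124.0, 77.0), (296.0, 214.0), (50.0, 398.0)], TOLERANCE))
    # right points, wrong order -> rejected
    print(verify_click_points(REGISTERED, [(300.0, 210.0), (120.0, 80.0), (45.0, 400.0)], TOLERANCE))
```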
The face recognition technique records face images through a digital video camera and analyses facial characteristics such as the distance between the eyes, nose, mouth and jaw edges. These measurements are broken into facial planes and retained in a database for later comparison. Face recognition can be done in two ways:

In order to overcome the limitations of graphical passwords and face recognition systems, we propose a new multilevel access control system. This system is a hybrid authentication method that inherits the advantages of both biometrics [24] and graphical passwords [21, 22]. The details of the proposed system are explained in Section IV.

IV. PROPOSED SYSTEM

We have seen that there are many ways of getting authenticated; the most secure are biometrics and graphical passwords. However, even these two techniques suffer certain limitations. This motivates us to present a new hybrid multi level security system. In the proposed system, security is achieved at two different levels: the authentication level and the authorization level. For authentication we use a face recognition system, and the graphical password concept is applied at the authorization level. In order to understand the need for a two level security system, we describe the circumstance shown in fig 6. Consider a big rectangle as a hall in which four laboratories are established, i.e., Laboratory 1, Laboratory 2, Laboratory 3 and Laboratory 4. A few persons are assigned to each laboratory. This means that only those persons are authorized for that specific department or laboratory; in their absence no other person should operate that department. This safeguards the department from any unwanted or mischievous activity by an intruder. In such circumstances, if only face recognition is used as the biometric means, the authentication can be breached with the help of an image of an absent person.
On the other hand, if graphical passwords are used, they have the shoulder surfing problem. In this regard, in our proposed system a face recognition device is placed at the entrance of the hall and a touch screen display device is placed in front of each laboratory/department. When any person wants entry, that person is first authenticated by the face recognition device at the entrance. This protects the prohibited area from any intruder.

Fig 6. Scenario of Multilevel Security

Let us say a person A, assigned to Laboratory 1, is authenticated at the entrance. Once that person is authenticated, different face templates of the authenticated person are displayed on the display device placed in front of the laboratory for which that person is authorized. The person can then draw a pattern using these templates (the graphical password) to get authorization for that particular laboratory. In this way we arrive at a multilevel security system. If person A, after being authenticated in the hall, wants to do mischievous work in Laboratory 2 in the absence of B, A cannot, because person B is not authenticated at the hall door, so B's facial templates are not displayed on the device placed in front of the laboratory. Even if person A knows the graphical pattern that person B uses for authorization, A will still not be able to enter Laboratory 2: since person B is not authenticated, B's facial templates are not displayed, and hence A cannot draw the graphical pattern. In this way shoulder surfing is eliminated. Thus the advantage of the proposed system is that shoulder surfing, the drawback of graphical passwords, is totally eliminated: even a person who knows the graphical password will not be able to get authorization.

V. CONCLUSION AND FUTURE WORK

In this paper we proposed a hybrid multilevel security system. We propose to use face recognition at the authentication level and graphical passwords at the authorization level.
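The two-level flow of Section IV, modelled as an added example for this edit (not the authors' implementation): the face matcher is replaced by an oracle that reports the recognized enrolled name, a drawn pattern is represented as an ordered selection of template ids, and the names, template ids and patterns are constructed sample data.

```python
"""Added example (not the authors' implementation): model of the two-level
access control flow of Section IV.  Level 1: the face recognition device at
the hall entrance authenticates a person.  Level 2: the touch screen in front
of a laboratory shows face templates only for persons who are assigned to that
laboratory AND currently authenticated at the entrance; the person then draws
a pattern (an ordered selection of template ids) to get authorization.
Names, template ids and patterns are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Person:
    name: str
    laboratory: str
    templates: List[str]   # face template ids the lab display can show
    pattern: List[str]     # registered graphical pattern drawn over them


@dataclass
class Hall:
    persons: Dict[str, Person]
    authenticated: Set[str] = field(default_factory=set)

    def face_authenticate(self, recognized: Optional[str]) -> bool:
        """Level 1.  The recognition device is modelled as an oracle that
        reports the matched enrolled name (or None); the matcher itself is
        out of scope here."""
        if recognized is None or recognized not in self.persons:
            return False
        self.authenticated.add(recognized)
        return True

    def displayed_templates(self, laboratory: str) -> List[str]:
        """Level 2 display: templates of persons assigned to this laboratory
        who passed level 1.  An absent person's templates never appear."""
        shown: List[str] = []
        for name in sorted(self.authenticated):
            p = self.persons[name]
            if p.laboratory == laboratory:
                shown.extend(p.templates)
        return shown

    def authorize(self, laboratory: str, drawn: List[str]) -> Optional[str]:
        """Return the authorized person's name, or None.  The drawn pattern
        may only use templates currently displayed, and must equal the
        registered pattern of an authenticated person of this laboratory."""
        shown = set(self.displayed_templates(laboratory))
        if not drawn or not set(drawn) <= shown:
            return None
        for name in self.authenticated:
            p = self.persons[name]
            if p.laboratory == laboratory and p.pattern == drawn:
                return name
        return None


def scenario() -> Dict[str, object]:
    """Fig 6 scenario: A (Laboratory 1) is present, B (Laboratory 2) is absent,
    and A knows B's pattern.  B's templates are never shown, so the known
    pattern cannot be drawn and Laboratory 2 stays closed."""
    hall = Hall({
        "A": Person("A", "Laboratory 1", ["A1", "A2", "A3"], ["A2", "A1", "A3"]),
        "B": Person("B", "Laboratory 2", ["B1", "B2", "B3"], ["B3", "B1", "B2"]),
    })
    hall.face_authenticate("A")
    return {
        "a_enters_lab1": hall.authorize("Laboratory 1", ["A2", "A1", "A3"]),
        "lab2_display": hall.displayed_templates("Laboratory 2"),
        "a_tries_lab2": hall.authorize("Laboratory 2", ["B3", "B1", "B2"]),
    }
```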
We have seen how the proposed system is advantageous compared to a single means of authentication. The proposed system is under development, and future work will be the development of a full fledged system for authentication.

REFERENCES

[1] L. Sobrado and J. C. Birget, "Graphical passwords", Department of Computer Science, Rutgers University, Camden, New Jersey 08102, 2002.
[2] R. N. Shepard, "Recognition Memory for Words, Sentences and Pictures", Journal of Verbal Learning and Verbal Behavior, vol. 6, pp. 156-163, 1967.
[3] A. Paivio, T. B. Rogers, and P. C. Smythe, "Why Are Pictures Easier to Recall Than Words?", Psychonomic Science, vol. 11, pp. 137-138, 1968.
[4] A. Adams and M. A. Sasse, "Users are not the enemy: why users compromise computer security mechanisms and how to take remedial measures", Communications of the ACM, vol. 42, pp. 41-46, 1999.
[5] K. Gilhooly, "Biometrics: Getting Back to Business", Computerworld, May 09, 2005.
[6] A. Jain, L. Hong, and S. Pankanti, "Biometric identification", Communications of the ACM, vol. 33, pp. 168-176, 2000.
[7] G. E. Blonder, "Graphical Passwords", United States Patent 5559961, 1996.
[8] D. A. Norman, "The Design of Everyday Things", Basic Books, New York, 1988.
[9] R. Dhamija and A. Perrig, "Deja Vu: A User Study Using Images for Authentication", in Proceedings of the 9th USENIX Security Symposium, 2000.
[10] A. Perrig and D. Song, "Hash Visualization: A New Technique to Improve Real-World Security", in Proceedings of the 1999 International Workshop on Cryptographic Techniques and E-Commerce, 1999.
[11] S. Akula and V. Devisetty, "Image Based Registration and Authentication System", in Proceedings of the Midwest Instruction and Computing Symposium, 2004.
[12] L. Sobrado and J. C. Birget, "Graphical passwords", The Rutgers Scholar, An Electronic Bulletin for Undergraduate Research, vol. 4, 2002.
[13] S. Man, D. Hong, and M. Mathews, "A shoulder surfing resistant graphical password scheme", in Proceedings of the International Conference on Security and Management, Las Vegas, NV, 2003.
[14] D. Hong, S. Man, B. Hawes, and M. Mathews, "A password scheme strongly resistant to spyware", in Proceedings of the International Conference on Security and Management, Las Vegas, NV, 2004.
[15] W. Jansen, "Authenticating Mobile Device Users Through Image Selection", in Data Security, 2004.
[16] W. Jansen, S. Gavrila, V. Korolev, R. Ayers, and R. Swanstrom, "Picture Password: A Visual Login Technique for Mobile Devices", National Institute of Standards and Technology Interagency Report NISTIR 7030, 2003.
[17] W. A. Jansen, "Authenticating Users on Handheld Devices", in Proceedings of the Canadian Information Technology Security Symposium, 2003.
[18] T. Takada and H. Koike, "Awase-E: Image-based Authentication for Mobile Phones using User's Favorite Images", in Human-Computer Interaction with Mobile Devices and Services, vol. 2795/2003, Springer-Verlag GmbH, pp. 347-351, 2003.
[19] http://www.chromium.org/chromium-s/chromiumos-designdocs/security-overview
[20] S. Wiedenbeck, J.-C. Birget, A. Brodskiy, and N. Memon, "Authentication Using Graphical Passwords", Drexel University.
[21] Graphical Password Technology, Passfaces Corporation.
[22] L. Sobrado and J.-C. Birget, "Graphical passwords", Department of Computer Science, Rutgers University, 2002.
[23] S. Angle, R. Bhagtani, and H. Chheda, "Biometrics: A Further Echelon of Security", Department of Biomedical Engineering, Thadomal Shahani Engineering College, T.P.S III, Bandra, Mumbai.
[24] A. K. Jain, S. Pankanti, S. Prabhakar, L. Hong, and A. Ross, "Biometrics: A Grand Challenge", in Proceedings of the 17th International Conference on Pattern Recognition, pp. 1051-1059, 2004.