TIME BASED PERSUASIVE CUED CLICK-POINTS (TPCCP)

Neenu Mol
M.Tech Student, Department of Computer Science and Engineering
Malabar College of Engineering and Technology, Trissur
neenuvinay@gmail.com

Abstract— A variety of authentication techniques is available today. Text based passwords are most commonly used for authentication, but they are highly susceptible to several kinds of attacks. Another type of authentication technique is based on graphical passwords. Graphical password authentication techniques are more useful and less susceptible to attack than text passwords, because humans can remember images better than text. This paper presents a graphical password authentication technique that enables users to select secure and memorable passwords. This time based authentication scheme minimizes the chance of capture attacks like shoulder surfing. The scheme encourages user choice and also influences users to select strong passwords. The time based approach is more secure since password authentication is based on both time and click points. The proposed scheme has a much higher password space than the other graphical authentication schemes. The scheme is very convenient to use.

Keywords- Graphical password authentication, Text based passwords, Shoulder surfing, Password space.

I. INTRODUCTION

In knowledge-based authentication techniques, text based passwords are usually preferred. The major issue with text based passwords is that they are vulnerable to being hacked. Attackers can easily guess the passwords using other details of the system. To avoid this problem the system can assign strong passwords, which attackers cannot guess. But system assigned passwords are difficult for the user to remember. From this it is concluded that a password authentication system should encourage strong passwords while maintaining memorability. So a new alternative authentication method has been proposed, using pictures as passwords.

In graphical passwords [1] the user has to work with images, i.e. the user performs some events on pictures like clicking, dragging, moving the mouse etc. Graphical based authentication techniques are gaining importance because the human brain has a remarkable ability to remember thousands of images in detail, whereas it is difficult to keep text in memory.

This paper proposes a time based graphical password authentication scheme, called time based persuasive cued click-points, that encourages user choice and also allows users to choose a strong password. In this system the task of selecting weak passwords is more tedious. This click-based graphical authentication scheme influences users to set a strong password which cannot be guessed by attackers. It covers all usability and security issues. It is effective at reducing hotspots (areas of the image where users are more likely to select click-points) and avoiding patterns formed by click-points within a password, while still maintaining usability.

II. BACKGROUND

Authentication techniques can be categorized into three main areas: token based, biometric based and knowledge based authentication. In token based authentication schemes a token is provided to the user, which contains data created by the server. The server uses this information to identify a particular user. Bank cards, smart cards, and e-passports are examples of tokens for authentication. In biometric based authentication the user is identified by his/her physical or behavioural traits. It is based on the shape of the body, such as fingerprint, face, palm print, DNA etc.

Knowledge based authentication techniques can be subdivided into two major categories: alphanumeric and graphical passwords. In alphanumeric or text based passwords the user has to provide some text/characters from a keyboard or any other input device. Alphanumeric passwords are susceptible to dictionary attacks [10], guessing, brute force attacks and shoulder surfing. In view of the shortcomings of text based passwords, graphical techniques are gaining importance.

Graphical passwords [2] can be of two types: recognition based and recall based. In a recognition based technique a user is presented with a collection of images from which they are able to select pictures, icons or symbols. During the authentication process, the user is required to recognize their registration choice from among a set of images.

Recall based techniques can be of two types: pure recall based and cued-recall based. In a pure recall based technique, a user has to reproduce her password without being given any reminder, hints or gestures. A cued-recall based technique is based on reminders, hints and gestures that assist the user to reproduce their password or to make a reproduction more accurate.

Click-based graphical passwords [3] are a type of knowledge based authentication system in which users identify and target previously selected locations within one or more images. The images act as memory cues to aid recall. Example systems include PassPoints and Cued Click-Points (CCP).

A. PassPoints

In PassPoints a single password involves a sequence of five different click points on a given image. During registration the user may select any pixels as click points. At the time of login the user has to choose the click points in the correct order, within the system defined tolerance square of the original click points.

The major problem associated with this password scheme is hotspots. Hotspots are areas of the images that have a higher likelihood of being selected by users as password click points. Attackers who gain knowledge about these hotspots can build attack dictionaries and more easily guess PassPoints passwords. For correct validation, the discretization square is used, which is the tolerance area around the original click point. The user should click on the discretization area. Here, the system does not have any influence over the selection of the click points. Since it is very simple, it can easily be attacked.

B. Cued Click-Points

Cued Click-Points (CCP) [4] was developed to overcome the shortcomings of PassPoints. That means it was designed to reduce the problems of patterns and hotspots. Rather than five click points on one image, CCP uses five click points on five different images in sequence as a single password. While creating a password the user can choose these five click-points on five different images.

At the time of authentication the user has to click the chosen click points in sequence, within the defined tolerance square of the original click points. Here the next image displayed is based on the user’s previous click, as shown in Fig. 1. When logging on, seeing an image they do not recognize alerts users that their previous click-point was incorrect, and users may restart password entry.

In this scheme the user is free to select the password without the system’s intervention. So attackers can easily guess the hotspots. CCP is a more secure authentication scheme than PassPoints. During login, when the user sees an unseen image, he knows that his previous click-point was incorrect. But CCP is also vulnerable to the hotspot problem, because the user is free to select the password without the system’s guidelines. In this case attackers can guess the hotspots in the images and can also log in to the system easily. Here the authentication failure is indicated after the final click-point. So it protects against guessing attacks.

Fig. 1. A user navigates through images to form a CCP password. Each click determines the next image.

C. Persuasive Cued Click-Points

Persuasive Technology was first articulated by Fogg [5]. Persuasive technology allows users to select strong passwords and does not impose system assigned passwords. Persuasive Cued Click-Points (PCCP) [6] was designed by adding the persuasive feature to CCP. At the time of registration the images are shaded except for a viewport, as shown in Fig. 2. The viewport is located at random, which helps to avoid the hotspot problem.

The user must choose the click points within this viewport and cannot click outside of the viewport. Here a shuffle button is used to reposition the viewport. The viewport and shuffle button are displayed only during password creation.

During login the images are displayed normally and the user may click anywhere on the images. The viewport and the shuffle button are absent at the time of authentication. Then the user must choose the five click points on five different images in sequence, within the defined tolerance square of the original click points. Invalid click-points lead to an incorrect image sequence. Hence the user cannot log in successfully.

Fig. 2. PCCP Create Password interface. The viewport highlights part of the image.

PCCP [7] operates in two dimensions; the x and y positions from the top left corner of the image are used for the login process. The sequence of five click-points on five different images of a PCCP password increases its security. It is difficult for attackers to guess these click-points. PCCP reduces the formation of patterns and also minimizes hotspot problems. It eliminates most of the drawbacks of Cued Click-Points (CCP).

But these schemes are susceptible to capture attacks like shoulder surfing [8]. Shoulder surfing means the act of obtaining private information through direct observation. Observing the approximate location of click points may reduce the number of guesses needed to determine the password.

III. TIME BASED PERSUASIVE CUED CLICK-POINTS (TPCCP)

The persuasive feature in Cued Click-Points encourages users to select more arbitrary click-points, and hence more secure passwords. Like PCCP [9], TPCCP uses a sequence of five click-points on five different images as a single password. When the user creates a password all the images are faintly shaded except for a viewport. The viewport is situated at random during password creation to avoid the known hotspots.

A shuffle button is used to shift the viewport arbitrarily. The viewport and the shuffle button are present only during the registration phase. At the time of password creation the user should select the threshold time for each click-point; during login, the user has to click on the image within the threshold time selected here. Otherwise they do not have permission to log in.

At the time of authentication, the images are displayed normally without any shading, and users are allowed to click anywhere on the images. Then the user must choose the click-points within the chosen threshold time, as shown in Fig. 3. Incorrect click-points and click-points selected beyond the threshold time lead to an invalid image sequence. Like PCCP, it provides feedback about the correctness of the password in every attempt.

IV. IMPLEMENTATION ISSUES

Persuasive Cued Click-Points (PCCP) works in two dimensions, i.e. the x and y positions from the top left corner of the image are used for authentication. Besides these, TPCCP takes into consideration the time interval (threshold time) for each click-point. While registering the password, the user should also choose the time interval for the particular click-point. At the time of authentication each click must be performed within the chosen time interval. The following sections describe several practical design and implementation choices in building TPCCP.

In TPCCP, when the image is displayed only the randomly selected grid, called the viewport, is clearly visible. All the other parts of the image are shaded, so that the user can click only inside the viewport. The viewports are selected by the system randomly for each image to create a graphical password. It will be very hard for attackers to guess the click-point in all the images. The users are allowed to click anywhere in the viewport. There is also an option for changing the viewport position. This option is called the Shuffle. There is a limit on the number of times the shuffle option can be used.

While users may shuffle as often as desired, this significantly slows password creation. The viewport and shuffle button appear only during password creation. During later password entry, the images are displayed normally, without shading or the viewport, and users may click anywhere on the images. During login, click-points must be within the defined tolerance squares of the original points and must be clicked within the threshold time.

Like PCCP, TPCCP implements centered discretization, in which approximately correct click-points are accepted by the system. In centered discretization each image is divided into square tolerance areas, and the system then determines whether the login click-point falls within the tolerance area of the original click-point. For each click-point, this fixed sized square area is set around the original click-point during registration. At the time of login, the system checks the acceptability of each click-point.

For each password $P_W$, the system hashes the username $W$ and the following details for each click-point $C_i$ ($i = 1 \ldots 5$): its grid offset $(G_{x_i}, G_{y_i})$, a tolerance area identifier $(T_{x_i}, T_{y_i})$ (indicating the exact square containing the click-point), the threshold time $t_i$ and its image identifier $I_i$. The system stores additional information $A_W$, such as $G_x$, $G_y$ for each click-point and a random seed $S_W$ to determine the collection of images for a user. These components are described as

$$P_W = h([C_1, \ldots, C_i], W)$$

$$C_i = (I_i, T_{x_i}, T_{y_i}, G_{x_i}, G_{y_i}, t_i)$$

$$A_W = ([G_{x_1}, G_{y_1}, \ldots, G_{x_i}, G_{y_i}], S_W)$$

In TPCCP, each image displayed is based on a deterministic function

$$I_{i+1} = f(S_W, C_i, t_i),$$

i.e. during login the first image loaded is $I_1 = f(S_W, 0)$. $S_W$ is generated during password creation and is regenerated during the authentication process. Each time a password is changed a new $S_W$ is formed.

The human eye can take in only a small portion of an image at a time. So the viewport must be large enough to satisfy the user’s choice, but small enough to distribute the click-points across the image. Like PCCP, this system uses a 75×75 viewport. This viewport is positioned randomly on the image. During password creation TPCCP uses a shuffle button to arbitrarily relocate the viewport. In TPCCP the number of shuffles is restricted to three.

Fig. 3. TPCCP Login interface.

V. FUTURE WORK

The following aspects can be added to the concept discussed above:

In order to improve the security of the system, the number of click-points used for a single password can be increased.

To increase memorability for the user, audio support can be used, i.e. each valid click-point is associated with an audio sound, so that for invalid click-points the user can be alerted by a different sound.

The password strength increases with the password space. The effective password space is determined by the area of the viewport. So for creating a strong password, the viewport should be larger. It increases the security of the password, but decreases the memorability of the password.

This system can be improved by including better image features.

VI. CONCLUSIONS

Since click based graphical passwords are secure and random, the attacker cannot guess them. Also these passwords are very easy to remember. The purpose of a good authentication system is to provide a strong and effective password space. By the use of a random viewport the system can generate a more robust password. The use of shuffle during password creation is restricted here. Thus the registration process will be faster. This system allows user choice while increasing the password space.

The time interval associated with each click-point helps the user to log in fast. A hacker who does not know the correct time interval cannot log in successfully. The major advantage of the time based persuasive cued click-point scheme is its large password space, since the entire image is used for creating the password and the viewport limits the possibility of hotspots. Thus it provides high security.

TPCCP is based on the time interval for each click-point. When a small time interval (threshold time) is chosen during password creation, the problem of shoulder surfing is greatly reduced.

In time based PCCP, user choice is allowed and the system also directs the selection. That means it guides users in making strong passwords by the use of the viewport during password creation. It guides users toward secure choices rather than giving vague instructions such as “pick a password that is hard to guess.” The use of persuasive technology increases the randomness of the password. It reduces the formation of patterns and hotspots, thus the effective password space is increased.

VII. REFERENCES

[1] Harsh Kumar Sarohi, Farhat Ullah Khan, “Graphical Password Authentication Schemes: Current Status and Key Issues.”
[2] R. Biddle, S. Chiasson, and P. van Oorschot, “Graphical Passwords: Learning from the First Twelve Years,” to be published in ACM Computing Surveys, vol. 44, no. 4, 2012.
[3] S. Chiasson, R. Biddle, and P. van Oorschot, “A Second Look at the Usability of Click-Based Graphical Passwords,” Proc. ACM Symp. Usable Privacy and Security (SOUPS), July 2007.
[4] S. Chiasson, P. van Oorschot, and R. Biddle, “Graphical password authentication using Cued Click Points,” in European Symposium On Research In Computer Security (ESORICS), LNCS 4734, September 2007, pp. 359–374.
[5] Sonia Chiasson, Elizabeth Stobert, Alain Forget, and Paul C. Van., “Persuasive Cued Click-points: Design, Implementation, and Evaluation of a Knowledge-Based Authentication Mechanism.”
[6] Prof. Anil Kulkarni, Sangameshwar, “Design, Implementation and Evaluation of Knowledge-Based Authentication Mechanism Using Persuasive Cued ClickPoints.”
[7] B. Fogg, Persuasive Technologies: Using Computers to Change What We Think and Do. Morgan Kaufmann Publishers, San Francisco, CA, 2003.
[8] Arash Habibi Lashkari, Samaneh Farmand, Dr. Omar Bin Zakaria, Dr. Rosli Saleh, “Shoulder Surfing attack in graphical password authentication.”
[9] S. Chiasson, A. Forget, R. Biddle, and P. van Oorschot, “Influencing users towards better passwords: Persuasive Cued Click-Points,” in Human Computer Interaction (HCI), The British Computer Society, September 2008.
[10] B. Pinkas and T. Sander, “Securing Passwords against Dictionary Attacks,” Proc. Ninth ACM Conf. Computer and Comm. Security (CCS), Nov. 2002.
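
The registration and login checks described in Section IV (centered discretization, the hashed record P_W, the stored A_W and the image function f), sketched in Python as an added example that is not code from the paper. The tolerance R, the image pool size, salted PBKDF2 as h, HMAC-SHA256 as f, the marker -1 for a late click, and keeping the thresholds t_i readable next to A_W so they can be compared at login are all assumptions of this sketch; the paper specifies none of them.

```python
import hashlib
import hmac
import os

R = 9               # tolerance in pixels (assumed); squares are 2R+1 wide
SIZE = 2 * R + 1
N_IMAGES = 330      # size of the image pool (assumed)

def discretize(x, y):
    """Centered discretization: offsets (Gx, Gy) and square ids (Tx, Ty)."""
    gx, gy = (x - R) % SIZE, (y - R) % SIZE
    return (gx, gy), ((x - gx) // SIZE, (y - gy) // SIZE)

def square_of(x, y, g):
    """Square id of a login click under the offsets stored at registration."""
    return ((x - g[0]) // SIZE, (y - g[1]) // SIZE)

def next_image(seed, click):
    """I_{i+1} = f(Sw, Ci, ti); click is the tuple Ci, or 0 for the first image."""
    mac = hmac.new(seed, repr(click).encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % N_IMAGES

def h(clicks, user, salt):
    """Pw = h([C1..C5], W); salted PBKDF2 stands in for the unspecified h."""
    data = repr((clicks, user)).encode()
    return hashlib.pbkdf2_hmac("sha256", data, salt, 100_000)

def register(user, points):
    """points: five (x, y, threshold_seconds) chosen while walking the images."""
    seed, salt = os.urandom(16), os.urandom(16)
    image, clicks = next_image(seed, 0), []
    for x, y, t in points:
        g, sq = discretize(x, y)
        clicks.append((image, *sq, *g, t))   # Ci = (Ii, Txi, Tyi, Gxi, Gyi, ti)
        image = next_image(seed, clicks[-1])
    # Aw = ([Gx, Gy, ...], Sw); keeping the thresholds readable is an assumption
    return {"Pw": h(clicks, user, salt), "Sw": seed, "salt": salt,
            "G": [c[3:5] for c in clicks], "t": [c[5] for c in clicks]}

def login(user, rec, attempts):
    """attempts: five (x, y, elapsed_seconds). Returns (accepted, images shown)."""
    image, clicks, shown = next_image(rec["Sw"], 0), [], []
    for (x, y, elapsed), g, limit in zip(attempts, rec["G"], rec["t"]):
        shown.append(image)
        t = limit if elapsed <= limit else -1   # a late click changes Ci
        clicks.append((image, *square_of(x, y, g), *g, t))
        image = next_image(rec["Sw"], clicks[-1])
    return hmac.compare_digest(h(clicks, user, rec["salt"]), rec["Pw"]), shown

if __name__ == "__main__":
    # Constructed sample: five (x, y, threshold) picks, then a login R pixels off
    pts = [(100, 120, 3), (40, 200, 2), (310, 55, 4), (5, 5, 3), (220, 180, 2)]
    rec = register("alice", pts)
    print(login("alice", rec, [(x + R, y, 1) for x, y, _ in pts]))
```

The elapsed time should be measured by the server, from serving the image to receiving the click, since a value reported by the client cannot be trusted.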