Suchita Hegde
PG Scholar, Dept of MCA, SIES College of Management Studies, Nerul, Navi Mumbai-400706, India
E-mail: suchi.s.hegde@gmail.com
Abstract—Providing authentication to a system makes that system more secure. Many authentication techniques are available, such as textual passwords, graphical passwords, etc. Current authentication systems suffer from many weaknesses. Textual passwords are commonly used; however, users do not follow their requirements. Users tend to choose meaningful words from dictionaries, which makes textual passwords easy to break and vulnerable to dictionary or brute force attacks. Many available graphical passwords have a password space that is less than or equal to the textual password space. Smart cards or tokens can be stolen. Many biometric authentications have been proposed; however, users tend to resist using biometrics because of their intrusiveness and the effect on their privacy. Moreover, biometrics cannot be revoked. In this paper, we present and evaluate our contribution, i.e., the 3-D password. The 3-D password is a multifactor authentication scheme. To be authenticated, the user is presented with a 3-D virtual environment where the user navigates and interacts with various objects. The sequence of actions and interactions toward the objects inside the 3-D environment constructs the user's 3-D password. The 3-D password can combine most existing authentication schemes such as textual passwords, graphical passwords, and various types of biometrics into a 3-D virtual environment. The design of the 3-D virtual environment and the type of objects selected determine the 3-D password key space.
Keywords-Authentication, Graphical Password, 3D password, Virtual Environment, Textual password, Security.
I. INTRODUCTION
Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be [1]. It is the process of identifying an individual, usually based on a username and password. In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual [2]. Authentication is one of the most important security services provided to a system, and it is implemented by different authentication schemes or algorithms. To protect any system, authentication must be provided so that only authorized persons have the right to use or handle that system and the data related to it. Many authentication algorithms are available; some are effective and secure but still have drawbacks.
II. TYPES OF HUMAN AUTHENTICATION
Due to recent events of theft and terrorism, it has become more important for an organization to provide an accurate and reliable means of authentication. Currently, the following set of techniques is available in the field:
A. Knowledge Based Authentication
Knowledge based authentication, commonly referred to as KBA, is a method of authentication which seeks to prove the identity of someone accessing a service, such as a financial institution or website. As the name suggests, KBA requires knowledge of private information of the individual to prove that the person providing the identity information is the owner of the identity. There are two types of KBA: "static KBA", which is based on a pre-agreed set of "shared secrets"; and "dynamic KBA", which is based on questions generated from a wider base of personal information [3].
A good KBA question should meet these four criteria:
1. The question should be appropriate for a large segment of the population.
2. The answer should be something that is easily remembered.
3. The question should only have one correct answer.
4. The answer should not be easy to guess or discover through research.
In a static scheme, the end user pre-selects the questions he would like to be asked and provides the correct answers. The question/answer pairs are stored by the host and used later to verify the person's identity. KBA questions can be factual, like "Where did you spend your holidays?" or "How many pets do you have?", or they can be about preferences, like "What is your favorite food?" or "Who was your favorite teacher?" The problem with static KBA questions is that if someone has shared that information on a social media site, the answer can be easily guessed.
In a dynamic scheme, the end user has no idea what question will be asked. Instead, the question/answer pairs are determined by harvesting data in public records. Examples of dynamic KBA questions are "What was your street address when you were 10 years old?" or "What color Ford Mustang was registered to you in New York State in 2002?" Although the answers to dynamic questions could be researched, it would take time, and time is something the answerer is not given. If the respondent does not answer the dynamic question within a certain time period, the question is discarded and treated as a wrong answer [1].
Figure 1. KBA UI

B. Token Based Authentication
A security token (or sometimes a hardware token, authentication token, USB token, cryptographic token, software token, virtual token, or key fob) may be a physical device that an authorized user of computer services is given to ease authentication. The term may also refer to software tokens [4]. The device may be in the form of a smart card.
Security tokens provide an extra level of assurance through a method known as two-factor authentication: the user has a personal identification number (PIN), which authorizes them as the owner of that particular device; the device then displays a number which uniquely identifies the user to the service, allowing them to log in. The identification number for each user is changed frequently, usually every five minutes or so.
Unlike a password, a security token is a physical object. A key fob, for example, is practical and easy to carry, and thus easy for the user to protect. Even if the key fob falls into the wrong hands, however, it cannot be used to gain access because the PIN (which only the rightful user knows) is also needed [1].
Figure 2. Security Tokens

C. Biometric Based Authentication
Biometric recognition (also known as biometrics) refers to the automated recognition of individuals based on their biological and behavioral traits. Examples of biometric traits include fingerprint, face, iris, palm print, retina, hand geometry, voice and signature [5].
Biometric authentication is a type of system that relies on the unique biological characteristics of individuals to verify identity for secure access to electronic systems. Biometric verification is considered a subset of biometric authentication.
The biometric technologies involved are based on the ways in which individuals can be uniquely identified through one or more distinguishing biological traits, such as fingerprints, hand geometry, earlobe geometry, retina and iris patterns, voice waves, keystroke dynamics, DNA and signatures. Biometric authentication is the application of that proof of identity as part of a process validating a user for access to a system. Biometric technologies are used to secure a wide range of electronic communications, including enterprise security, online commerce and banking, and even just logging in to a computer or smartphone.
Biometric authentication systems compare the current biometric data capture to stored, confirmed authentic data in a database. If both samples of the biometric data match, authentication is confirmed and access is granted. The process is sometimes part of a multifactor authentication system. For example, a smartphone user might log on with his personal identification number (PIN) and then provide an iris scan to complete the authentication process [1].
Figure 3. Biometric Authentication System
III. TYPES OF GRAPHICAL PASSWORD
Graphical passwords may be a solution to the password problem. The idea of graphical passwords, first described by Greg Blonder [G. Blonder, Graphical Passwords, United States Patent 5559961 (1996)], is to let the user click (with a mouse or a stylus) on a few chosen regions in an image that appears on the screen. To log in, the user has to click in the same regions again [6]. A graphical password is an authentication system that works by having the user select from images, in a specific order, presented in a graphical user interface (GUI). For this reason, the graphical-password approach is sometimes called graphical user authentication (GUA) [1]. It is classified into two categories: the Recall Based Technique and the Recognition Based Technique. In the Recall Based Technique a user is asked to reproduce something that he created or selected earlier during the registration stage. In the Recognition Based Technique a user is presented with a set of images and passes the authentication by recognizing and identifying the images he selected during the registration stage.
A. Schemes under Recall Based Technique
Draw a Secret is a purely graphical password selection and input scheme. The scheme replaces alphanumeric password strings with a picture drawn on a grid. Instead of entering an alphanumeric password, this authentication method allows users to authenticate with a set of gestures drawn on a grid. The user's drawing is mapped to a grid, and the ordered sequence of grid coordinates that the strokes pass through is recorded as the password. A new coordinate is inserted into the recorded "password" sequence when the user ends one stroke (pressing down on the screen or mouse to begin drawing and lifting the stylus or mouse to complete a line or shape) and begins another on the grid [7].
Figure 4. Draw-a-Secret

Signature Scheme: here authentication is conducted by having the user draw their signature with a mouse. This technique includes two stages, namely registration and verification. During the registration stage, the user is first asked to draw their signature with the mouse; the system then extracts the signature area and enlarges or scales down the signature, rotating it if needed (also known as normalizing). The information is later saved into the database. The verification stage first takes the user's input, performs the normalization again, and then extracts the parameters of the signature. The system conducts verification using geometric average means and a dynamic update of the database. The biggest advantage of this approach is that there is no need to memorize one's signature, and signatures are hard to fake.
Figure 5. Signature Scheme

Passpoint Scheme: a password consists of a sequence of click points (say 4 to 7) that the user chooses in an image. The image is displayed on the screen by the system. The image is not secret and has no role other than helping the user remember the click points. Any pixel in the image is a candidate for a click point. To log in, the user has to click again close to the chosen points, in the chosen sequence.
Figure 6. Passpoint Scheme

B. Schemes under Recognition Based Technique
Dhamija and Perrig [8] proposed a graphical authentication scheme where the user has to identify pre-defined images to prove the user's authenticity. In this system, the user selects a certain number of images from a set of random pictures during registration. Later, during login, the user has to identify the pre-selected images from a set of images, as shown in figure 7. This system is vulnerable to shoulder-surfing.
Figure 7. Random images used by Dhamija and Perrig

Passface [9] is a technique where the user sees a grid of nine faces and selects the one face previously chosen by the user, as shown in figure 8. Here, the user chooses four images of human faces as their password, and at login the user has to select each pass image from among eight decoy images. Since there are four user-selected images, this is repeated four times.
Figure 8. Example of Passfaces
IV. 3D PASSWORD SCHEME
The 3D password is a multifactor authentication scheme that combines Recognition + Recall + Tokens + Biometrics in one authentication system. The 3D password presents a virtual environment containing various virtual objects. The user walks through the environment and interacts with these objects; the 3D password is the combination and sequence of user interactions that occur in the 3D environment. The sequence of actions and interactions towards the objects inside the 3D environment constructs the user's 3D password. The 3D password is multi-featured, so multiple password schemes such as textual passwords, graphical passwords, biometrics and token based passwords can be used together as part of a user's 3D password. Different users have different requirements, so users must be given the freedom of selection and decision to choose which authentication schemes will be part of their 3D password.
V. WORKING OF 3D PASSWORD
Let us consider a 3D virtual environment space of size G × G × G. The 3D environment space is represented by the coordinates (x, y, z) ∈ [1 . . . G] × [1 . . . G] × [1 . . . G]. The objects are distributed in the 3D virtual environment with unique (x, y, z) coordinates. We assume that the user can navigate into the 3D virtual environment and interact with the objects using any input device such as a mouse, keyboard, fingerprint scanner, iris scanner, stylus, card reader, and microphone. We consider the sequence of those actions and interactions using the previous input devices as the user's 3D password.
For example, consider a user who navigates through a 3D virtual environment that consists of an office and a meeting room. Let us assume that the user is in the virtual office and the user turns around to the door located at (21, 65, 84) and opens it. Then, the user closes the door. The user then finds a computer to the left, which exists at the position (50, 20, 10), and the user types "HELLO." Then, the user walks to the meeting room, picks up a pen located at (10, 24, 80) and draws only one dot on a paper located at (0, 0, 30); the dot's (x, y) coordinate relative to the paper space is (350, 180). The user then presses the login button. The initial representation of user actions in the 3D virtual environment can be recorded as follows:
(21, 65, 84) Action = Open the office door;
(21, 65, 84) Action = Close the office door;
(50, 20, 10) Action = Typing, “H”;
(50, 20, 10) Action = Typing, “E”;
(50, 20, 10) Action = Typing, “L”;
(50, 20, 10) Action = Typing, “L”;
(50, 20, 10) Action = Typing, “O”;
(10, 24, 80) Action = Pick up the pen;
(0, 0, 30) Action = Drawing, point = (350, 180).
After the user has performed these actions, he exits the 3D environment. After backend verification, access is granted.
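As an added example (not code from the paper), the following Python sketch records the walkthrough above as an ordered list of (position, action, detail) triples and verifies a login attempt against a salted hash, so the backend never stores the sequence itself; snapping drawn dots to a 20-unit cell is an assumption of mine, since the paper does not specify a tolerance.

```python
"""Record-and-verify skeleton for a 3D-password action sequence.

Added example, not code from the paper. Each interaction is an
(object position, action, detail) triple, the ordered sequence is the
secret, and the backend keeps only a salted PBKDF2 hash of its canonical
encoding. Snapping drawn dots to a 20-unit cell is my assumption.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

Coord = Tuple[int, int, int]

DRAW_CELL = 20          # assumed: dots within one cell count as the same dot
PBKDF2_ROUNDS = 100_000


@dataclass(frozen=True)
class Action:
    position: Coord   # (x, y, z) of the object inside the G x G x G space
    kind: str         # "open", "close", "type", "pickup", "draw", ...
    detail: str = ""  # typed character, or snapped drawing cell


def draw(position: Coord, x: int, y: int) -> Action:
    """Drawing action; (x, y) are relative to the paper and get snapped."""
    return Action(position, "draw", f"{x // DRAW_CELL},{y // DRAW_CELL}")


def canonical(actions: List[Action]) -> bytes:
    """Byte encoding of the sequence. Order is preserved: the sequence of
    interactions, not just their set, is the password."""
    lines = []
    for a in actions:
        x, y, z = a.position
        lines.append(f"{x},{y},{z}|{a.kind}|{a.detail}")
    return "\n".join(lines).encode("utf-8")


def enroll(actions: List[Action], salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, verifier) for storage; the raw sequence is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", canonical(actions), salt, PBKDF2_ROUNDS)
    return salt, verifier


def verify(actions: List[Action], salt: bytes, verifier: bytes) -> bool:
    """Recompute the verifier for a login attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", canonical(actions), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, verifier)


# Constructed from the paper's office / meeting-room walkthrough.
DOOR, COMPUTER, PEN, PAPER = (21, 65, 84), (50, 20, 10), (10, 24, 80), (0, 0, 30)
PAPER_EXAMPLE: List[Action] = [
    Action(DOOR, "open"),
    Action(DOOR, "close"),
    *[Action(COMPUTER, "type", ch) for ch in "HELLO"],
    Action(PEN, "pickup"),
    draw(PAPER, 350, 180),
]


def demo() -> Tuple[bool, bool, bool]:
    """Enroll the walkthrough and try three login attempts."""
    salt, verifier = enroll(PAPER_EXAMPLE)
    exact = verify(PAPER_EXAMPLE, salt, verifier)
    # Same story, dot drawn a few units off: same snapped cell, so it passes.
    nearby = PAPER_EXAMPLE[:-1] + [draw(PAPER, 355, 184)]
    # Same actions, door closed before it is opened: order is part of the secret.
    reordered = [PAPER_EXAMPLE[1], PAPER_EXAMPLE[0]] + PAPER_EXAMPLE[2:]
    return exact, verify(nearby, salt, verifier), verify(reordered, salt, verifier)


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```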
Creating a 3D virtual environment is a complex process and can be broken down into the following steps:
Modeling: We create the physical environment and objects using brushes, primitives and solid entities.
Layout: We organize all the objects on a base map.
Texturing: All the objects are given detail and color by mapping 2D bitmaps onto them.
Rendering: The final scene is rendered from different places at different camera angles and lighting angles.
Figure 9. 3D Virtual Environment
The way the 3D virtual environment is constructed determines the strength of the 3D password. The first step is to build a 3D object environment that reflects the administration needs and the security requirements. While designing such an environment, we must consider the following points:
Real Life Simulation: The environment should be as close to real life as possible. Objects and interactions amongst them should reflect real life situations.
Object uniqueness and peculiarity: Every virtual object is distinct. Every object has its own attributes such as position, color, shape, size and location. Therefore the interaction of the user with various objects is unique, and the distinguishing factors increase the user's recognition of objects. Hence, it enhances the system's usability.
Environment Size: A 3D virtual environment can be as large as a city or even as small as a single room or office. The time needed to perform a 3D password is directly proportional to the size of the 3D environment.
System Importance: The 3D password should be selected such that it reflects the properties of the system. The same logic must be applied while setting the number of objects and their positions.
VI. 3D PASSWORD ADVANTAGES
Following are the advantages of using the 3D Password scheme.
1) Ease of memorization: Users can memorize a 3D password as a "little" story, which makes the password easy to remember.
2) Flexibility: 3D passwords allow multi-factor authentication. Smart cards, biometrics and alphanumeric passwords can be embedded in the 3D password technology.
3) Strength: A scenario in a 3D environment offers an almost unlimited combination of possibilities. As each system can have its own specific 3D world, hacking is extremely difficult.
4) The 3D password gives users the freedom to select which types of authentication techniques they use.
5) The secrets are not easy to write down on paper.
6) The scheme's secrets should be difficult to share with others.
VII. SECURITY ANALYSIS
We are going to analyze how hard it would be for an attacker to break into this system. A possible measurement is based on the information content of a password space, which is defined as "the entropy of the probability distribution over that space given by the relative frequencies of the passwords that users actually choose". To determine the password space, we have to count all possible 3D passwords that have a certain number of actions, interactions, and inputs towards all objects that exist in the 3D virtual environment. Users tend to use meaningful words for textual passwords. Therefore finding these words in a dictionary is a relatively simple task, which yields a high success rate for breaking textual passwords. Hence it is imperative to have both a large password space and a scheme in which the attacker has no previous knowledge of user password selection, for stronger resistance to attacks.
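The count described above, worked through in Python as an added example that is not part of the paper: the per-object action counts (a door with two actions, a 26-letter keyboard, a pen, a paper divided into 25 x 15 drawing cells) are constructed from the Section V walkthrough, and the 8-character printable-ASCII textual password used for comparison is my assumption.

```python
"""Password-space estimate for a 3D virtual environment design.

Added example, not from the paper. It counts all 3D passwords made of
up to `max_len` actions over the objects in an environment, where each
object offers a fixed number of distinct actions. The per-object action
counts and the textual-password comparison are my assumptions.
"""
import math
from typing import Dict

# Constructed environment modelled on the office walkthrough: a door with
# two actions, a keyboard that accepts 26 letters, a pen that can be picked
# up, and a sheet of paper divided into 25 x 15 snapped drawing cells.
OFFICE: Dict[str, int] = {"door": 2, "keyboard": 26, "pen": 1, "paper": 25 * 15}

TEXTUAL_8_CHARS = 94 ** 8   # assumed baseline: 8 printable ASCII characters


def total_actions(env: Dict[str, int]) -> int:
    """Number of distinct single interactions available in the environment."""
    return sum(env.values())


def password_space(env: Dict[str, int], max_len: int) -> int:
    """Count of distinct action sequences of length 1..max_len.

    Each position in the sequence can be any of the A available actions,
    so there are A**n sequences of exactly n actions; the space is the sum.
    """
    a = total_actions(env)
    return sum(a ** n for n in range(1, max_len + 1))


def bits(space: int) -> float:
    """Information content of a password chosen uniformly from `space`."""
    return math.log2(space)


def report(env: Dict[str, int], max_len: int) -> Dict[str, float]:
    """Full key space versus what a user who only types at the keyboard gets."""
    full = password_space(env, max_len)
    # The paper's caveat: users gravitate to meaningful choices. A user who
    # only walks to the keyboard and types a word has the space of a textual
    # password of that length, however rich the rest of the room is.
    keyboard_only = password_space({"keyboard": env["keyboard"]}, max_len)
    return {
        "full_bits": round(bits(full), 1),
        "keyboard_only_bits": round(bits(keyboard_only), 1),
        "textual_8_bits": round(bits(TEXTUAL_8_CHARS), 1),
    }


if __name__ == "__main__":
    for n in (5, 8, 12):
        print(n, report(OFFICE, n))
```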
Attacks and Countermeasures:
To realize how secure an authentication scheme is, we have to consider all possible attack methods and study whether the proposed scheme is immune to them. If it is not immune, we have to find countermeasures that prevent such attacks. In this section, we try to cover the most likely attacks, whether each attack is valid or not, and the countermeasures we propose for it.
1) Brute Force Attack: The attacker has to try all possible 3D passwords. This kind of attack is very difficult for the following reasons.
Time required to login: The total time needed for a legitimate user to login may vary depending on the number of interactions and actions, the size of the 3D virtual environment, and the type of actions and interactions. Therefore, a brute force attack on a 3D password is very difficult and time consuming.
Cost of attacks: The 3D virtual environment contains biometric recognition objects and token based objects. The attacker has to forge all possible biometric information and forge all the required tokens. The cost of forging such information is very high; therefore cracking the 3D password is more challenging. The high number of possible 3D passwords leaves the attacker with almost no chance of breaking the 3D password.
2) Well-Studied Attack: The attacker tries to find the most probable distribution of 3D passwords. In order to launch such an attack, the attacker has to acquire knowledge of the most probable 3D password distributions. This is very difficult because the attacker has to study all the existing authentication schemes that are used in the 3D environment. It requires a study of the user's selection of objects for the 3D password. Moreover, a well-studied attack is very hard to accomplish since the attacker has to perform a customized attack for every different 3D virtual environment design. Each environment has a number of objects and types of object responses that differ from any other 3D virtual environment. Therefore, a carefully customized study is required to initialize an effective attack.
3) Shoulder Surfing Attack: An attacker uses a camera to record the user's 3D password or tries to watch the legitimate user while the 3D password is being performed. This attack is the most successful type of attack against 3D passwords and some other graphical passwords. However, the user's 3D password may contain biometric data or textual passwords that cannot be seen from behind. Therefore, we assume that the 3D password should be performed in a secure place where a shoulder surfing attack cannot be performed.
4) Timing Attack: In this attack, the attacker observes how long it takes the legitimate user to perform a correct sign in using the 3D password. This observation gives the attacker an indication of the legitimate user's 3D password length. However, this kind of attack alone cannot be very successful since it gives the attacker mere hints. Therefore, it would probably be launched as part of a well-studied or brute force attack. Timing attacks can be very effective if the 3D virtual environment is poorly designed.
5) Key Logger: In this kind of attack, the attacker installs software called a key logger on the system where the authentication scheme is used. This software records the text entered through the keyboard and stores it in a text file. This attack is effective mainly against textual password schemes. Thus it is not very effective in this case, because the 3D password is a multi-password authentication scheme.
VIII. APPLICATIONS OF 3D PASSWORD
The 3D password can have a password space that is very large compared to other authentication schemes, so the 3D password’s main application domains are protecting critical systems and resources.
1) Networking involves many areas of computer networks like client-server architecture, critical servers, etc. To provide more security to the servers of such an architecture, the 3D password can be used. It is a very efficient and more secure way to keep data or important information safe from unauthorized people. For email applications, the 3D password is a most secure and easier scheme to use.
2) Banking: Almost all the Indian banks have started a 3D password service for the security of buyers who want to buy or pay online. 3-D Secure is an XML-based protocol designed to be an additional security layer for online credit and debit card transactions. It was originally developed by Arcot Systems, Inc. and first deployed by Visa with the intention of improving the security of Internet payments, and is offered to customers under the name Verified by Visa. Services based on the protocol have also been adopted by MasterCard as MasterCard SecureCode [13].
3) Nuclear and military facilities: Such facilities should be protected by the most powerful authentication systems. The 3D password has a very large probable password space, and since it can contain token, biometric, recognition and knowledge based authentication in a single authentication system, it is a sound choice for high level security locations. The 3D password scheme can protect data or secret information about these areas very securely.
4) Airplanes and jet fighters: Because of the possible threat of misusing airplanes and jet fighters for religious or political agendas, the usage of such airplanes should be protected by a powerful authentication system.
5) In addition, 3D passwords can be used in less critical systems because the 3D virtual environment can be designed to fit any system's needs. A small virtual environment can be used in systems such as:
1. ATM
2. Personal Digital Assistants
3. Desktop computer and laptop logins
4. Web Authentication
5. Security Analysis
IX. CONCLUSION AND FUTURE WORK
Currently available schemes include the textual password and the graphical password, but both are vulnerable to certain attacks. Moreover, many authentication schemes are currently under study, and they may require additional time and effort to be applicable for commercial use. The 3-D password is a multifactor and multi-password authentication scheme that combines these various authentication schemes. The virtual environment can contain any existing authentication scheme or even any upcoming authentication scheme, which increases the password space. It is the user's choice and decision to construct the desired and preferred 3-D password. The 3D password is still new and in its early stages. Designing various kinds of 3-D virtual environments, deciding on password spaces, and interpreting user feedback and experiences from such environments will enhance and improve the user experience of the 3-D password. Gathering attackers from different backgrounds, the attacks they make, and how to overcome them is the main future work. Shoulder surfing attacks are still possible, so how to overcome them is a field of research and development.
Inclusion of biometrics increases the cost and hardware of the scheme; reducing this is still a field of research, so that the 3D password can be used in the many application areas discussed earlier and in many more besides.
Thus this paper presents our study of the 3D password, which is still at an early stage. Future work is needed to develop the 3D password scheme to a more secure level. Implementing the 3D password for mobile handsets is another important item of future work.
X. ACKNOWLEDGMENT
I would like to thank my guide, Prof. Shilpa Deshmukh for her inspiring guidance, rich experience and sustained encouragement which enabled me to develop an intensive understanding of my research area.
XI. REFERENCES
[1] http://searchsecurity.techtarget.com/definition
[2] http://www.webopedia.com/TERM/A/authentication.html
[3] https://en.wikipedia.org/wiki/Knowledgebased_authentication
[4] https://en.wikipedia.org/wiki/Security_token
[5] http://www.scholarpedia.org/article/Biometric_authentication
[6] http://clam.rutgers.edu/~birget/grPssw/
[7] https://en.wikipedia.org/wiki/Draw_a_Secret
[8] R. Dhamija and A. Perrig, "Déjà Vu: A User Study Using Images for Authentication," in 9th USENIX Security Symposium, 2000.
[9] Real User Corporation: Passfaces. www.passfaces.com
[10] https://docs.google.com/document/d/15cEybQnZuxOSd6EZKaevOUDfk8uu3_0J8VYyUYpeg/edit
[11] http://www.iosrjournals.org/iosr-jce/papers/Vol16issue2/Version-5/A016250106.pdf
[12] http://www.ijesit.com/Volume%202/Issue%202/IJESIT201302_16.pdf
[13] https://en.wikipedia.org/wiki/3-D_Secure