Haichang Gao,Zhongjie Ren,Xiuling Chang,Xiyang Liu,Uwe Aickelin

DOI: https://doi.org/10.1109/cw.2010.34

2010-01-01

SSRN Electronic Journal

Abstract:Shoulder-surfing is a known risk where an attacker can capture a password by direct observation or by recording the authentication session. Due to the visual interface, this problem has become exacerbated in graphical passwords. There have been some graphical schemes resistant or immune to shoulder-surfing, but they have significant usability drawbacks, usually in the time and effort to log in. In this paper, we propose and evaluate a new shoulder-surfing resistant scheme which has a desirable usability for PDAs. Our inspiration comes from the drawing input method in DAS and the association mnemonics in Story for sequence retrieval. The new scheme requires users to draw a curve across their password images orderly rather than click directly on them. The drawing input trick along with the complementary measures, such as erasing the drawing trace, displaying degraded images, and starting and ending with randomly designated images provide a good resistance to shouldersurfing. A preliminary user study showed that users were able to enter their passwords accurately and to remember them over time.

Xinyan Zhou,Jiaqi Pan,Zenan Zhang,Xiaoyu Ji,Haiming Chen

DOI: https://doi.org/10.1109/icpads56603.2022.00039

IF: 4.3

2023-01-01

IEEE Sensors Journal

Abstract:Verifying the user identity of wearable devices is crucial for system security, especially for sensitive operations like making financial payments. A photoplethys-mography (PPG)-based two-factor authentication can be a promising solution with widely deployed PPG sensors within wearable devices. Our observations find PPG readings reveal a significant relevance to the user's hand motions, that is, gestures, while the user's heartbeat characteristics and wearing habits are also implicitly related, which can be utilized for user authentication. In this article, we design G-PPG, a gesture-related PPG-based two-factor authentication mechanism that can nonintrusively validate the user's identity. In G-PPG, a gesture detection and segmentation module and a specific feature set are designed for accurate gesture-related PPG characteristic extraction. Moreover, a user-defined security level and an adaptive update scheme are proposed for the high accuracy of long-term authentication. The experimental results among 15 participants demonstrate that G-PPG can achieve over 90% accuracy in different scenarios on average. With a carefully designed authentication mechanism, the pass rate for legitimate users can reach up to 96.67%, while the value is only 0.62% for attackers.

Qibin Sun,Zhi Li,Xudong Jiang,Alex Kot

DOI: https://doi.org/10.1109/iscas.2008.4542082

2008-01-01

Abstract:Graphical password (i.e., image based authentication) is considered as a promising alternative to traditional textual password for mobile devices, to achieve better tradeoff between usability and security. However, previous proposals of graphical password have the limitation of limited entropy. In this paper, we propose a new scheme incorporating user face based authentication into the association-based graphical password solution we proposed before, aiming at achieving higher security without compromising user-friendliness for mobile application scenarios. System performance analysis and comparisons with other schemes are presented to validate our scheme.

Chengxue Qian,Xingwei Song,Yun Huang,Xuejia Lai

DOI: https://doi.org/10.2991/icacsei.2013.146

2013-01-01

Abstract:In this paper, we present a novel user-friendly graphical password scheme resistant against "watching" attacks. Snapshot, remote monitoring, and shoulder-surfing have in common that all these attacks act as if one could directly watch the users' behavior on the screen, resulting in an insecure use of alphanumeric passwords ("watching" attacks). New technology based on graphical passwords uses graphs as authentication media where the user identifies, reproduces, or interacts with graphs to prove his identity, which partly blocks the danger. However, current graphical passwords such as D-A-S, PassPoints, Passfaces TM, and the algorithms D. Hong and Sobrado, etc. proposed are either too complicated or ineffective against "watching" attacks. In our proposal, the authentication process uses familiar images that only true users can recognize. It is hard to fabricate even many previous authentication processes are totally exposed. Furthermore a detailed application in OTP, which basically establishes an extra OTP input encryption, is discussed and its security analysis is presented.

Jing Tian,Chengzhang Qu,Wenyuan Xu,Song Wang

2013-01-01

Abstract:Password-based authentication is easy to use but its security is bounded by how much a user can remember. Biometrics-based authentication requires no memorization but ‘resetting’ a biometric password may not always be possible. In this paper, we propose a user-friendly authentication system (KinWrite) that allows users to choose arbitrary, short and easy-to-memorize passwords while providing resilience to password cracking and password theft. KinWrite lets users write their passwords in 3D space and captures the handwriting motion using a low cost motion input sensing device—Kinect. The low resolution and noisy data captured by Kinect, combined with low consistency of in-space handwriting, have made it challenging to verify users. To overcome these challenges, we exploit the Dynamic Time Warping (DTW) algorithm to quantify similarities between handwritten passwords. Our experimental results involving 35 signatures from 18 subjects and a brute-force attacker have shown that KinWrite can achieve a 100% precision and a 70% recall (the worst case) for verifying honest users, encouraging us to carry out a much larger scale study towards designing a foolproof system.

Lin Yao,Lei Wang,Xiangwei Kong,Guowei Wu,Feng Xia

DOI: https://doi.org/10.1016/j.camwa.2010.01.010

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:In a pervasive computing environment, mobile users often roam into foreign domains. Consequently, mutual authentication between the user and the service provider in different domains becomes a critical issue. In this paper, a fast and secure inter-domain authentication and key establishment scheme, namely IDAS, is proposed. IDAS adopts Biometrics to guarantee the uniqueness and privacy of users and adopts signcryption to generate a secure session key. IDAS can not only reduce the burden of certificates management, but also protect the users and authentication servers against fraud. Compared with some other authentication methods, our approach is superior with faster key exchange and authentication, as well as more privacy. The correctness is verified with the Syverson and Van Oorschot (SVO) logic. Crown Copyright (C) 2010 Published by Elsevier Ltd. All rights reserved.

陈文娣,荣钢,周杰

DOI: https://doi.org/10.3969/j.issn.1000-3428.2004.03.059

2004-01-01

Abstract:This paper proposes a novel application of an on-line signature verification system to embedded OS, such as personal digital assistant (PDA). When PDA starts up, the system can function automatically for user authorization. As far as is known, PDA holds an embedded OS and a limited memory. Accordingly, it selects modified dynamic time warping (DTW) as a matching algorithm and extracts position and velocity as features. Preliminary experimental result looks encouraging.

Hung-Min Sun,Shiuan-Tung Chen,Jyh-Haw Yeh,Chia-Yun Cheng

DOI: https://doi.org/10.1109/tdsc.2016.2539942

2016-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Authentication based on passwords is used largely in applications for computer security and privacy. However, human actions such as choosing bad passwords and inputting passwords in an insecure way are regarded as “the weakest link” in the authentication chain. Rather than arbitrary alphanumeric strings, users tend to choose passwords either short or meaningful for easy memorization. With web applications and mobile apps piling up, people can access these applications anytime and anywhere with various devices. This evolution brings great convenience but also increases the probability of exposing passwords to shoulder surfing attacks. Attackers can observe directly or use external recording devices to collect users’ credentials. To overcome this problem, we proposed a novel authentication system PassMatrix, based on graphical passwords to resist shoulder surfing attacks. With a one-time valid login indicator and circulative horizontal and vertical bars covering the entire scope of pass-images, PassMatrix offers no hint for attackers to figure out or narrow down the password even they conduct multiple camera-based attacks. We also implemented a PassMatrix prototype on Android and carried out real user experiments to evaluate its memorability and usability. From the experimental result, the proposed system achieves better resistance to shoulder surfing attacks while maintaining usability.

Liming Wang,Xiuling Chang,Zhongjie Ren,Haichang Gao,Xiyang Liu,Uwe Aickelin

DOI: https://doi.org/10.1109/AINA.2010.46

2013-06-01

Abstract:Text-based password schemes have inherent security and usability problems, leading to the development of graphical password schemes. However, most of these alternate schemes are vulnerable to spyware attacks. We propose a new scheme, using CAPTCHA (Completely Automated Public Turing tests to tell Computers and Humans Apart) that retaining the advantages of graphical password schemes, while simultaneously raising the cost of adversaries by orders of magnitude. Furthermore, some primary experiments are conducted and the results indicate that the usability should be improved in the future work.

Cryptography and Security

Xian Chu,Huiping Sun,Zhong Chen

DOI: https://doi.org/10.1007/978-3-030-54455-3_12

2020-01-01

Abstract:This paper proposes a two-factor graphical password authentication scheme, PassPage, which is suitable for website authentication with enhanced security. It leverages the implicit memory based on the user’s web browsing records. Whenever the user tries to log in, the server returns 9 small pages as a challenge, and asks the user to select all the pages the user has browsed besides inputting a text password. We performed user experiments on 12 volunteers. The experiment results showed that the average login success rate on a news website is steadily over 80% when the users are familiar with the login process, and the login success rate does not decrease sharply in 6 days.

Huiping Sun,Ke Wang,Xu Li,Nan Qin,Zhong Chen

DOI: https://doi.org/10.1145/2785830.2785880

2015-01-01

Abstract:Existing graphical passwords require users to proactively memorize their secrets and meanwhile these schemes are vulnerable to shoulder surfing attacks. We propose a novel graphical password scheme, PassApp, which utilizes users' everyday memory about installed apps on mobile devices as shared secrets. As the registration stage is no longer needed, PassApp exempts users from additional memory burden and greatly enhances user experience. Additionally, PassApp owns a large password set and only a small part of passwords may be exposed during a login. Therefore, PassApp has a natural advance on effectively resisting guessing attacks and shoulder surfing attacks. Our user studies demonstrate that PassApp performs well with a reasonable login time (7.27s) and a high success rate (95.48%). Our security analysis shows PassApp can effectively withstand one-time shoulder surfing attacks and on average 30 times of shoulder surfing are necessary to expose all passwords.

Mizuki Oka,Kazuhiko Kato,Yingqing Xu,Lin Liang,Fang Wen

DOI: https://doi.org/10.1109/icpr.2008.4761233

2008-01-01

Abstract:This paper presents a sketch-based password authentication system called Scribble-a-Secret as a graphical password scheme in which free-form drawings are used as a means to authenticate users. Unlike existing schemes, this approach requires no input of graphical passwords in particular sequences of strokes. Moreover, the system allows for a modicum of variation when users recreate their passwords. Our technique uses edge orientations extracted from sketch images to discern one user from another. Our experiments show that our recognition technique is robust for recognizing sketches while differentiating from others with both a false acceptance rate and false rejection rate of less than 1%.

Zhenkun Zhou,Jiangqin Wu

DOI: https://doi.org/10.1145/2512349.2514912

2013-01-01

Abstract:This paper presents Sidelock, a tangible authentication prototype on mobile devices. Grasp events and finger gestures are sensed by twenty capacitive sensors on left and right sides. They were used in a two-phase authentication process, in which grasp pattern wakes up devices and a 1-D template-based gesture recognizer verifies if input matches pre-defined password templates. Compared with other popular authentication approachers like PINs or grid lock, Sidelock has much larger password space and approximate recognition speed, with only 5.3% critical errors. The prototype could be minimized and embedded broadly in many common mobile devices. The user feedback suggests it is an memorable and acceptable authentication method.

Jingchao Sun,Rui Zhang,Jinxue Zhang,Yanchao Zhang

DOI: https://doi.org/10.48550/arXiv.1402.1216

2014-02-06

Abstract:Mobile authentication is indispensable for preventing unauthorized access to multi-touch mobile devices. Existing mobile authentication techniques are often cumbersome to use and also vulnerable to shoulder-surfing and smudge attacks. This paper focuses on designing, implementing, and evaluating TouchIn, a two-factor authentication system on multi-touch mobile devices. TouchIn works by letting a user draw on the touchscreen with one or multiple fingers to unlock his mobile device, and the user is authenticated based on the geometric properties of his drawn curves as well as his behavioral and physiological characteristics. TouchIn allows the user to draw on arbitrary regions on the touchscreen without looking at it. This nice sightless feature makes TouchIn very easy to use and also robust to shoulder-surfing and smudge attacks. Comprehensive experiments on Android devices confirm the high security and usability of TouchIn.

Cryptography and Security

Ziming Zhao,Gail-Joon Ahn,Jeong-Jin Seo,Hongxin Hu

2013-01-01

Abstract:Computing devices with touch-screens have experienced unprecedented growth in recent years. Such an evolutionary advance has been facilitated by various applications that are heavily relying on multi-touch gestures. In addition, picture gesture authentication has been recently introduced as an alternative login experience to text-based password on such devices. In particular, the new Microsoft Windows 8™ operating system adopts such an alternative authentication to complement traditional text-based authentication. In this paper, we present an empirical analysis of picture gesture authentication on more than 10,000 picture passwords collected from over 800 subjects through online user studies. Based on the findings of our user studies, we also propose a novel attack framework that is capable of cracking passwords on previously unseen pictures in a picture gesture authentication system. Our approach is based on the concept of selection function that models users' password selection processes. Our evaluation results show the proposed approach could crack a considerable portion of collected picture passwords under different settings.

Xin Su,Bingying Wang,Xuewu Zhang,Yupeng Wang,Dongmin Choi

DOI: https://doi.org/10.1002/cpe.4150

2018-01-01

Abstract:Secure mechanisms have been adapted to satisfy the needs of mobile subscribers; however, the mobile environment is quite different from a desktop PC or laptop-based environment. The existing attack patterns in mobile environments are also quite different, and the countermeasures applied should be enhanced. In regards to usability, the mobile environment is based on mobility, and thus, mobile devices are designed and developed to enhance the owner's efficiency. To avoid forgetting passwords, people are willing to adopt simple alphanumeric-character combinations, which are easy to remember and convenient to enter. As a result, the passwords have a high probability of being cracked or exposed. In this paper, we study the potential security problems caused by simple and weak passwords, discuss drawbacks of some conventional works, and propose 3 creative schemes to increase the complexity and strength of passwords by applying the envisioned features. Note that our proposals are based on the assumption that the textual passwords are not difficult for users to remember or enter and do not cause inconvenience to users. In other words, the proposed methods can increase the complexity of simple passwords without the awareness of users.

Jiaming Gong,Oluwatobi Noah Akande,Chia-Chen Lin,Saurabh Agarwal

DOI: https://doi.org/10.1109/access.2024.3503637

IF: 3.9

2024-12-04

IEEE Access

Abstract:Knowledge-based authentication techniques remain one of the proven ways of maintaining confidentiality, ensuring integrity, and guaranteeing the availability of an information system. They employ what a user knows (Passwords or PINs) to authorize or grant access to an information system. While passwords employ a fixed combination of characters, Personal Identification Numbers (PINs) are majorly numbers. Existing implementations of these authentication techniques involve the repetitive use of static passwords and PINs at every login instance. These have been exposed to various attacks, such as keyloggers, shoulder surfing, brute force, and dictionary attacks. To overcome these attacks, this study presents an authentication technique where users' PINs are incremented during successive login attempts. Users are expected to choose a preferred incremental factor, which can be any number they can remember, that will be added to the default 6-digit PIN to produce a dynamic PIN that can be used in subsequent login sessions. Furthermore, an additional layer of security that involves the use of a dynamic 4 by 4 graphical grid was integrated into the proposed incremented PIN technique. At every login session, users are presented with a set of 16 possible PINs to choose from. The security analysis of the proposed authentication technique revealed that the proposed technique could resist existing password attacks, thereby enhancing security. A performance testing and usability analysis was also carried out among 1145 individuals who interacted with the web application that uses the incremental authentication technique. The questionnaire items were structured based on the constructs of the Unified Theory of Acceptance and Use of Technology (UTAUT) Model. Statistical analysis of the responses received showed an appreciable level of acceptance in terms of performance expectancy, effort expectancy, social influence, and facilitating conditions. The positive user acceptance results provide reassurance about the practicality and effectiveness of the proposed technique. It is believed that the proposed incremental graphical grid authentication technique will further enhance the security of our growing mobile and web applications.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xiangxue Li,Yu Yu,Qiang Li,Haifeng Qian,Yuan Zhou,Jian Weng

DOI: https://doi.org/10.1145/2660267.2662379

2014-01-01

Abstract:Graphical password methods rely on human experience and hand selection (not well-quantified metric) to evaluate the appropriateness and the confusion of the challenge images. In this paper we propose to use for authentication Chinese characters, for which the entropy can be up to 9.65 (much larger than other languages). We first show an algorithmic framework to authenticate a user and then present an empirical analysis conducted at a university. The advantages of the framework include the following: the storage overhead is low; no personal experience or hand selection is involved; there is no predefined dictionary of likely choices; and it can be easily referenced by personal-style cues.Our study shows that the number of participants that prefer our framework is much close to that in favor of graphical passwords, with an interesting outcome that the two groups of participants present significantly distinct backgrounds. Our framework and graphical passwords can be used as candidate authentication methods for users with different backgrounds. We also measure user choices of patterns and find that there is a slight preference of the 3x3 grid to the circle patterns. While the proposed framework prescribes the challenge characters, the users have the option to define challenge characters of their own.

Yuchen Su,Guoqing Jiang,Yicong Du,Yuefeng Chen,Hongbo Liu,Yanzhi Ren,Huan Dai,Yan Wang,Shuai Li,Yingying Chen

DOI: https://doi.org/10.1109/icdcs57875.2023.00074

2023-01-01

Abstract:Personal Identification Number (PIN), as one of the primary means of protecting digital properties and privacy on mobile devices, has been suffering from shoulder surfing attacks and weak password guessing for the long term. Recent years witness the growing interest in two-factor authentication that takes advantage of two different ways for mutual verification, thereby strengthening user authentication's accuracy and reliability. Especially with the popularity of smartwatches, more physiological signals are readily available to facilitate two-factor authentication. This paper presents a lightweight and unobtrusive two-factor authentication scheme, P 2 Auth, integrating the PIN and unique keystroke-related Photoplethysmography (PPG) measurement on wearables. Specifically, we propose the transformation of the multivariate PPG signal induced by the keystrokes to extract reliable biometric features. We develop short-time energy-based methods to identify the input cases, thus enabling support the authentication for both one-handed and two-handed input cases. Furthermore, we also consider the situation where there is no fixed PIN and design a new enhanced privacy scheme by combining the PPG measurements of different keystrokes to improve authentication security. The experiments involving 15 volunteers demonstrate that our prototype system can achieve an average authentication accuracy of over 95% for one-handed cases and over 90% for two-handed cases.

Edoardo Milotti,Alessio Del Fabbro,Chiara Dalla Pellegrina,Roberto Chignola

DOI: https://doi.org/10.48550/arXiv.physics/0702094

2007-02-12

Abstract:Multisite protein modification is a ubiquitous mechanism utilized by cells to control protein functions. We have recently proposed a dynamical description of multisite protein modification which embodies all the essential features of the process (E. Milotti, A. Del Fabbro, C. Dalla Pellegrina, and R. Chignola, Physica A, in press), and we have used this model to analyze the stability and the time-scales of this mechanism. The same model can be used to understand how the system responds to stimuli: here we show that it displays frequency-dependent dynamical hysteresis. This behavior closely parallels -- with the due differences -- what is observed in magnetic systems. By selecting model parameters that span the known biological ranges, we find that the frequency-dependent features cover the band of the observed oscillations of molecular intracellular signals, and this suggests that this mechanism may have an important role in cellular information processing.

Biological Physics,Molecular Networks