Liming Wang,Xiuling Chang,Zhongjie Ren,Haichang Gao,Xiyang Liu,Uwe Aickelin

DOI: https://doi.org/10.1109/AINA.2010.46

2013-06-01

Abstract:Text-based password schemes have inherent security and usability problems, leading to the development of graphical password schemes. However, most of these alternate schemes are vulnerable to spyware attacks. We propose a new scheme, using CAPTCHA (Completely Automated Public Turing tests to tell Computers and Humans Apart) that retaining the advantages of graphical password schemes, while simultaneously raising the cost of adversaries by orders of magnitude. Furthermore, some primary experiments are conducted and the results indicate that the usability should be improved in the future work.

Cryptography and Security

Gloriya Mathew,Shiney Thomas

DOI: https://doi.org/10.48550/arXiv.1311.4037

2013-11-16

Abstract:User authentication is one of the most important part of information security. Computer security most commonly depends on passwords to authenticate human users. Password authentication systems will be either been usable but not secure, or secure but not usable. While there are different types of authentication systems available alphanumeric password is the most commonly used authentication mechanism. But this method has significant drawbacks. An alternative solution to the text based authentication is Graphical User Authentication based on the fact that humans tends to remember images better than text. Graphical password authentication systems provide passwords which are easy to be created and remembered by the user. However, the main issues of simple graphical password techniques are shoulder surfing attack and image gallery attack. Studies reveals that most of the graphical passwords are either secure but not usable or usable but not secure. In this paper, a new technique that uses cued click point graphical password method along with the one-time session key is proposed. The goal is to propose a new authentication mechanism using graphical password to achieve higher security and better usability levels. The result of the system testing is evaluated and it reveals that the proposed system ensures security and usability to a great extent.

Cryptography and Security

Neha Bora,Dinesh Chandra Jain

DOI: https://doi.org/10.37965/jait.2023.0216

2023-05-12

Journal of Artificial Intelligence and Technology

Abstract:The internet and web security are integral aspects of our daily lives. Many commercial firms provide clients with internet services. For web access, it is assumed that only the genuine user, who is a human, will register. Yet automated hacking programs can also do registrations with fake data that consume a lot of bandwidth, slowing down or occasionally even shutting down websites, leading to Distributed denial-of-service (DDOS) attacks. Completely Automated Public Turing test to tell Computers and Human Apart (CAPTCHA) is the solution. Complex CAPTCHA is challenging for humans to recognize, but simple CAPTCHA is simple for AI to decipher. With the developments in neural networks and machine learning bots are mimicking humans and it is becoming difficult to distinguish humans and bots apart. This generated a need to think of some more innovative and novel CAPTCHA. Now, utilizing the same AIML approach to increase the efficacy of CAPTCHA and make it stronger against the bot attack. Biometric 3D Animated (B3DA) Algorithm proposed in this research is a novel approach based on the Face Detection AI algorithm along with handwritten 3D animated characters selected randomly to create a string which makes CAPTCHA simple that humans can identify but very difficult for bots. The test results have proven this to be a very robust CAPTCHA. The machine learning algorithm employed will keep on increasing the efficacy of this CAPTCHA each time the bot tries to break this.

Jing Tian,Chengzhang Qu,Wenyuan Xu,Song Wang

2013-01-01

Abstract:Password-based authentication is easy to use but its security is bounded by how much a user can remember. Biometrics-based authentication requires no memorization but ‘resetting’ a biometric password may not always be possible. In this paper, we propose a user-friendly authentication system (KinWrite) that allows users to choose arbitrary, short and easy-to-memorize passwords while providing resilience to password cracking and password theft. KinWrite lets users write their passwords in 3D space and captures the handwriting motion using a low cost motion input sensing device—Kinect. The low resolution and noisy data captured by Kinect, combined with low consistency of in-space handwriting, have made it challenging to verify users. To overcome these challenges, we exploit the Dynamic Time Warping (DTW) algorithm to quantify similarities between handwritten passwords. Our experimental results involving 35 signatures from 18 subjects and a brute-force attacker have shown that KinWrite can achieve a 100% precision and a 70% recall (the worst case) for verifying honest users, encouraging us to carry out a much larger scale study towards designing a foolproof system.

M. Tariq Banday,N. A. Shah

DOI: https://doi.org/10.48550/arXiv.1112.5605

2011-12-23

Abstract:Atomizing various Web activities by replacing human to human interactions on the Internet has been made indispensable due to its enormous growth. However, bots also known as Web-bots which have a malicious intend and pretending to be humans pose a severe threat to various services on the Internet that implicitly assume a human interaction. Accordingly, Web service providers before allowing access to such services use various Human Interaction Proof's (HIPs) to authenticate that the user is a human and not a bot. Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is a class of HIPs tests and are based on Artificial Intelligence. These tests are easier for humans to qualify and tough for bots to simulate. Several Web services use CAPTCHAs as a defensive mechanism against automated Web-bots. In this paper, we review the existing CAPTCHA schemes that have been proposed or are being used to protect various Web services. We classify them in groups and compare them with each other in terms of security and usability. We present general method used to generate and break text-based and image-based CAPTCHAs. Further, we discuss various security and usability issues in CAPTCHA design and provide guidelines for improving their robustness and usability.

Cryptography and Security,Computers and Society

N.Tariq,F.A.Khan,S.A.Moqurrab,G.Srivastava

2023-07-17

Abstract:The proliferation of the Internet and mobile devices has resulted in malicious bots access to genuine resources and data. Bots may instigate phishing, unauthorized access, denial-of-service, and spoofing attacks to mention a few. Authentication and testing mechanisms to verify the end-users and prohibit malicious programs from infiltrating the services and data are strong defense systems against malicious bots. Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is an authentication process to confirm that the user is a human hence, access is granted. This paper provides an in-depth survey on CAPTCHAs and focuses on two main things: (1) a detailed discussion on various CAPTCHA types along with their advantages, disadvantages, and design recommendations, and (2) an in-depth analysis of different CAPTCHA breaking techniques. The survey is based on over two hundred studies on the subject matter conducted since 2003 to date. The analysis reinforces the need to design more attack-resistant CAPTCHAs while keeping their usability intact. The paper also highlights the design challenges and open issues related to CAPTCHAs. Furthermore, it also provides useful recommendations for breaking CAPTCHAs.

Cryptography and Security

Jiaming Gong,Oluwatobi Noah Akande,Chia-Chen Lin,Saurabh Agarwal

DOI: https://doi.org/10.1109/access.2024.3503637

IF: 3.9

2024-12-04

IEEE Access

Abstract:Knowledge-based authentication techniques remain one of the proven ways of maintaining confidentiality, ensuring integrity, and guaranteeing the availability of an information system. They employ what a user knows (Passwords or PINs) to authorize or grant access to an information system. While passwords employ a fixed combination of characters, Personal Identification Numbers (PINs) are majorly numbers. Existing implementations of these authentication techniques involve the repetitive use of static passwords and PINs at every login instance. These have been exposed to various attacks, such as keyloggers, shoulder surfing, brute force, and dictionary attacks. To overcome these attacks, this study presents an authentication technique where users' PINs are incremented during successive login attempts. Users are expected to choose a preferred incremental factor, which can be any number they can remember, that will be added to the default 6-digit PIN to produce a dynamic PIN that can be used in subsequent login sessions. Furthermore, an additional layer of security that involves the use of a dynamic 4 by 4 graphical grid was integrated into the proposed incremented PIN technique. At every login session, users are presented with a set of 16 possible PINs to choose from. The security analysis of the proposed authentication technique revealed that the proposed technique could resist existing password attacks, thereby enhancing security. A performance testing and usability analysis was also carried out among 1145 individuals who interacted with the web application that uses the incremental authentication technique. The questionnaire items were structured based on the constructs of the Unified Theory of Acceptance and Use of Technology (UTAUT) Model. Statistical analysis of the responses received showed an appreciable level of acceptance in terms of performance expectancy, effort expectancy, social influence, and facilitating conditions. The positive user acceptance results provide reassurance about the practicality and effectiveness of the proposed technique. It is believed that the proposed incremental graphical grid authentication technique will further enhance the security of our growing mobile and web applications.

computer science, information systems,telecommunications,engineering, electrical & electronic

Hung-Min Sun,Shiuan-Tung Chen,Jyh-Haw Yeh,Chia-Yun Cheng

DOI: https://doi.org/10.1109/tdsc.2016.2539942

2016-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Authentication based on passwords is used largely in applications for computer security and privacy. However, human actions such as choosing bad passwords and inputting passwords in an insecure way are regarded as “the weakest link” in the authentication chain. Rather than arbitrary alphanumeric strings, users tend to choose passwords either short or meaningful for easy memorization. With web applications and mobile apps piling up, people can access these applications anytime and anywhere with various devices. This evolution brings great convenience but also increases the probability of exposing passwords to shoulder surfing attacks. Attackers can observe directly or use external recording devices to collect users’ credentials. To overcome this problem, we proposed a novel authentication system PassMatrix, based on graphical passwords to resist shoulder surfing attacks. With a one-time valid login indicator and circulative horizontal and vertical bars covering the entire scope of pass-images, PassMatrix offers no hint for attackers to figure out or narrow down the password even they conduct multiple camera-based attacks. We also implemented a PassMatrix prototype on Android and carried out real user experiments to evaluate its memorability and usability. From the experimental result, the proposed system achieves better resistance to shoulder surfing attacks while maintaining usability.

Monther Aldwairi,Suaad Mohammed,Megana Lakshmi Padmanabhan

DOI: https://doi.org/10.48550/arXiv.2004.04497

2020-04-09

Cryptography and Security

Abstract:With the growth of connectivity to smart grids, new applications, and the changing interaction between customer and energy clouds, clouds are more vulnerable to denial-of-service attacks. Efficient detection methods are required to authenticate, detect and control attackers. Completely Automated Public Turing test to tell Computers and Humans Apart, CAPTCHA, is one efficient tool to thwart denial of service attacks. The server presents the user with a client puzzle to solve in order to gain access to the service or website. The puzzle should be hard enough for computers, but easy for humans to solve. Several methods have been suggested including the popular image-based, as well as video-based, and text-based CAPTCHAs. In this paper, we present a new Flash-based gaming CAPTCHA to differentiate bots from humans. We propose a drag and drop client puzzle where the user will play a simple game to answer a visual question. Our method turns out to be convenient, easy for users and challenging for bots. Additionally, it has gaming aspect, which makes it interesting to users of all age groups.

ASN Chakravarthy,Prof. P S Avadhani,Prof.P S Avadhani

DOI: https://doi.org/10.48550/arXiv.1110.1495

2011-10-07

Cryptography and Security

Abstract:Password authentication is a common approach to the system security and it is also a very important procedure to gain access to user resources. In the conventional password authentication methods a server has to authenticate the legitimate user. In our proposed method users can freely choose their passwords from a defined character set or they can use a graphical image as password and that input will be normalized. Neural networks have been used recently for password authentication in order to overcome pitfall of traditional password authentication methods. In this paper we proposed a method for password authentication using alphanumeric password and graphical password. We used Back Propagation algorithm for both alphanumeric (Text) and graphical password by which the level of security can be enhanced. This paper along with test results show that converting user password in to Probabilistic values enhances the security of the system

Xuehu Yan,Feng Liu,Wei Qi Yan,Yuliang Lu

DOI: https://doi.org/10.3390/math8030332

IF: 2.4

2020-01-01

Mathematics

Abstract:Nowadays, lots of applications and websites utilize text-based captchas to partially protect the authentication mechanism. However, in recent years, different ways have been exploited to automatically recognize text-based captchas especially deep learning-based ways, such as, convolutional neural network (CNN). Thus, we have to enhance the text captchas design. In this paper, using the features of the randomness for each encoding process in visual cryptography (VC) and the visual recognizability with naked human eyes, VC is applied to design and enhance text-based captcha. Experimental results using two typical deep learning-based attack models indicate the effectiveness of the designed method. By using our designed VC-enhanced text-based captcha (VCETC), the recognition rate is in some degree decreased.

Ahmad B. A. Hassanat

DOI: https://doi.org/10.48550/arXiv.1409.0925

2014-09-03

Abstract:For the last ten years, CAPTCHAs have been widely used by websites to prevent their data being automatically updated by machines. By supposedly allowing only humans to do so, CAPTCHAs take advantage of the reverse Turing test (TT), knowing that humans are more intelligent than machines. Generally, CAPTCHAs have defeated machines, but things are changing rapidly as technology improves. Hence, advanced research into optical character recognition (OCR) is overtaking attempts to strengthen CAPTCHAs against machine-based attacks. This paper investigates the immunity of CAPTCHA, which was built on the failure of the TT. We show that some CAPTCHAs are easily broken using a simple OCR machine built for the purpose of this study. By reviewing other techniques, we show that even more difficult CAPTCHAs can be broken using advanced OCR machines. Current advances in OCR should enable machines to pass the TT in the image recognition domain, which is exactly where machines are seeking to overcome CAPTCHAs. We enhance traditional CAPTCHAs by employing not only characters, but also natural language and multiple objects within the same CAPTCHA. The proposed CAPTCHAs might be able to hold out against machines, at least until the advent of a machine that passes the TT completely.

Computer Vision and Pattern Recognition,Artificial Intelligence,Human-Computer Interaction

Xian Chu,Huiping Sun,Zhong Chen

DOI: https://doi.org/10.1007/978-3-030-54455-3_12

2020-01-01

Abstract:This paper proposes a two-factor graphical password authentication scheme, PassPage, which is suitable for website authentication with enhanced security. It leverages the implicit memory based on the user’s web browsing records. Whenever the user tries to log in, the server returns 9 small pages as a challenge, and asks the user to select all the pages the user has browsed besides inputting a text password. We performed user experiments on 12 volunteers. The experiment results showed that the average login success rate on a news website is steadily over 80% when the users are familiar with the login process, and the login success rate does not decrease sharply in 6 days.

Andrew Searles,Renascence Tarafder Prapty,Gene Tsudik

2023-11-22

Abstract:Since about 2003, captchas have been widely used as a barrier against bots, while simultaneously annoying great multitudes of users worldwide. As their use grew, techniques to defeat or bypass captchas kept improving, while captchas themselves evolved in terms of sophistication and diversity, becoming increasingly difficult to solve for both bots and humans. Given this long-standing and still-ongoing arms race, it is important to investigate usability, solving performance, and user perceptions of modern captchas. In this work, we do so via a large-scale (over 3, 600 distinct users) 13-month real-world user study and post-study survey. The study, conducted at a large public university, was based on a live account creation and password recovery service with currently prevalent captcha type: reCAPTCHAv2. Results show that, with more attempts, users improve in solving checkbox challenges. For website developers and user study designers, results indicate that the website context directly influences (with statistically significant differences) solving time between password recovery and account creation. We consider the impact of participants' major and education level, showing that certain majors exhibit better performance, while, in general, education level has a direct impact on solving time. Unsurprisingly, we discover that participants find image challenges to be annoying, while checkbox challenges are perceived as easy. We also show that, rated via System Usability Scale (SUS), image tasks are viewed as "OK", while checkbox tasks are viewed as "good". We explore the cost and security of reCAPTCHAv2 and conclude that it has an immense cost and no security. Overall, we believe that this study's results prompt a natural conclusion: reCAPTCHAv2 and similar reCAPTCHA technology should be deprecated.

Cryptography and Security

Eman S. Alkhalifah

DOI: https://doi.org/10.1007/s11042-024-19044-8

IF: 2.577

2024-04-21

Multimedia Tools and Applications

Abstract:In the global environment privacy and security issues were critical to handle the huge number of participants. Many security-based research works have been undertaken in the cloud, including multi-factor authentication using Elliptic Curve Computation Diffie-Hellman Problem, Multi-model Biometric, Signatures, Graphical One-time Passwords and more. In this paper, we propose a multi-level multi-factor authentication procedure that is comprised of three significant entities: Users, Trusted Third Parties and Cloud. This authentication procedure is segregated into three phases: In the first phase, the HMAC-SHA 256 algorithm, watermarking algorithm and logical OR operation are applied which includes user ID, password, and fingerprint. Then in the second phase, three-level authentications are involved to permit users to view, upload and download files from the cloud. On validating each constraint, the user is permitted to participate in the cloud within the limit. Finally, the third phase is for user convenience to modify the prior password with a new one for security purposes. Overall, our main goal is to validate the user's legitimacy for accessing the cloud through multi-factors: ID, password, fingerprint and graphical one-time password. Here, our work is implemented in a Java environment; our technique improves performance indicators such as successful login rates (94.4%), mean login time (10 ms), authentication efficiency, and overall user experience. In conclusion, our suggested MFA-MLS system provides a strong answer to the difficulty of safe authentication in cloud environments, prioritizing user ease and experience while also improving security measures.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

T.V. Laptyeva,S. Flach,K. Kladko

DOI: https://doi.org/10.1209/0295-5075/95/50007

2011-07-01

Abstract:Vulnerabilities related to weak passwords are a pressing global economic and security issue. We report a novel, simple, and effective approach to address the weak password problem. Building upon chaotic dynamics, criticality at phase transitions, CAPTCHA recognition, and computational round-off errors we design an algorithm that strengthens security of passwords. The core idea of our method is to split a long and secure password into two components. The first component is memorized by the user. The second component is transformed into a CAPTCHA image and then protected using evolution of a two-dimensional dynamical system close to a phase transition, in such a way that standard brute-force attacks become ineffective. We expect our approach to have wide applications for authentication and encryption technologies.

Cryptography and Security,Other Condensed Matter,Chaotic Dynamics

Qibin Sun,Zhi Li,Xudong Jiang,Alex Kot

DOI: https://doi.org/10.1109/iscas.2008.4542082

2008-01-01

Abstract:Graphical password (i.e., image based authentication) is considered as a promising alternative to traditional textual password for mobile devices, to achieve better tradeoff between usability and security. However, previous proposals of graphical password have the limitation of limited entropy. In this paper, we propose a new scheme incorporating user face based authentication into the association-based graphical password solution we proposed before, aiming at achieving higher security without compromising user-friendliness for mobile application scenarios. System performance analysis and comparisons with other schemes are presented to validate our scheme.

Jaskaran Singh Walia,Aryan Odugoudar

DOI: https://doi.org/10.1109/ICTBIG59752.2023.10456218

2024-03-20

Abstract:Several websites improve their security and avoid dangerous Internet attacks by implementing CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart), a type of verification to identify whether the end-user is human or a robot. The most prevalent type of CAPTCHA is text-based, designed to be easily recognized by humans while being unsolvable towards machines or robots. However, as deep learning technology progresses, development of convolutional neural network (CNN) models that predict text-based CAPTCHAs becomes easier. The purpose of this research is to investigate the flaws and vulnerabilities in the CAPTCHA generating systems in order to design more resilient CAPTCHAs. To achieve this, we created CapNet, a Convolutional Neural Network. The proposed platform can evaluate both numerical and alphanumerical CAPTCHAs

Cryptography and Security,Artificial Intelligence,Computer Vision and Pattern Recognition,Machine Learning

Hung-Min Sun,Yao-Hsin Chen,Chiung-Cheng Fang,Shih-Ying Chang

DOI: https://doi.org/10.1145/2414456.2414513

2012-01-01

Abstract:Text passwords have been used in authentication systems for many decades. Users must recall the textual strings selected during registration to pass authentication. However, there are some serious problems with text passwords recollection and security. Hence, various graphical-password authentication systems have been proposed to solve the problems of text passwords. Previous studies indicate that humans are better at recognizing and recalling images than texts. In 2005, Wiedenbeck et al. proposed PassPoints in which a password consists of a sequence of click-points (5 to 8) that a user chooses on an image. In the paper, we proposed an alternative system in which users can memorize fewer points while providing more security than PassPoints. Based on the idea of using an extremely large image as the password space, we propose a novel world map based graphical password authentication system called PassMap in which a password consists of a sequence of 2 click-points that a user selects on an large world map. We also conducted a user study for evaluation. The result shows that the passwords of PassMap are easy to memorize for humans and PassMap is friendly to use in practice. Furthermore, PassMap provides higher entropy than PassPoints and also increases the cost of attacks.

Haichang Gao,Zhongjie Ren,Xiuling Chang,Xiyang Liu,Uwe Aickelin

DOI: https://doi.org/10.1109/cw.2010.34

2010-01-01

SSRN Electronic Journal

Abstract:Shoulder-surfing is a known risk where an attacker can capture a password by direct observation or by recording the authentication session. Due to the visual interface, this problem has become exacerbated in graphical passwords. There have been some graphical schemes resistant or immune to shoulder-surfing, but they have significant usability drawbacks, usually in the time and effort to log in. In this paper, we propose and evaluate a new shoulder-surfing resistant scheme which has a desirable usability for PDAs. Our inspiration comes from the drawing input method in DAS and the association mnemonics in Story for sequence retrieval. The new scheme requires users to draw a curve across their password images orderly rather than click directly on them. The drawing input trick along with the complementary measures, such as erasing the drawing trace, displaying degraded images, and starting and ending with randomly designated images provide a good resistance to shouldersurfing. A preliminary user study showed that users were able to enter their passwords accurately and to remember them over time.