Biblio

Filters: Keyword is shoulder surfing
2022-03-09
ALSaleem, Bandar Omar, Alshoshan, Abdullah I.  2021.  Multi-Factor Authentication to Systems Login. 2021 National Computing Colleges Conference (NCCC). :1–4.
Multi-Factor Authentication is an electronic authentication method in which a computer user is granted access to an application or a website only after successfully presenting two or more factors, or pieces of evidence. It is the first step to protect systems against intruders since the traditional log-in methods (username and password) are not completely protected from hackers, since they can guess them easily using tools. Current systems use additional methods to increase security, such as using two-factor authentication based on a one-time password via mobile or email, or authentication based on biometrics (fingerprint, eye iris or retina, and face recognition) or via token devices. However, these methods require additional hardware equipment with high cost at the level of small and medium companies. This paper proposes a multi-factor authentication system that combines ease of use and low-cost factors. The system does not need any special settings or infrastructure. It relies on graphical passwords, so the user, in the registration phase, chooses three images and memorizes them. In the login phase, the user needs only to choose the correct images that he considered during the registration process in a specific order. The proposed system overcomes many different security threats, such as key-loggers, screen capture attack or shoulder surfing. The proposed method was applied to 170 participants, 75% of them are males and 25% are females, classified according to their age, education level, web experience. One-third of them did not have sufficient knowledge about various security threats.
2021-07-07
Seneviratne, Piyumi, Perera, Dilanka, Samarasekara, Harinda, Keppitiyagama, Chamath, Thilakarathna, Kenneth, De Soyza, Kasun, Wijesekara, Primal.  2020.  Impact of Video Surveillance Systems on ATM PIN Security. 2020 20th International Conference on Advances in ICT for Emerging Regions (ICTer). :59–64.
ATM transactions are verified using two-factor authentication. The PIN is one of the factors (something you know) and the ATM Card is the other factor (something you have). Therefore, banks make significant investments in PIN Mailers and HSMs to preserve the security and confidentiality in the generation, validation, management and the delivery of the PIN to their customers. Moreover, banks install surveillance cameras inside ATM cubicles as a physical security measure to prevent fraud and theft. However, in some cases, ATM PIN-Pad and the PIN entering process get revealed through the surveillance camera footage itself. We demonstrate that visibility of forearm movements is sufficient to infer PINs with a significant level of accuracy. Video footage of the PIN entry process simulated in an experimental setup was analyzed using two approaches. The human observer-based approach shows that a PIN can be guessed with 30% accuracy within 3 attempts whilst the computer-assisted analysis of footage gave an accuracy of 50%. The results confirm that ad-hoc installation of surveillance cameras can weaken ATM PIN security significantly by potentially exposing one factor of a two-factor authentication system. Our investigation also revealed that there are no guidelines, standards or regulations governing the placement of surveillance cameras inside ATM cubicles in Sri Lanka.
2020-09-04
Subangan, S., Senthooran, V.  2019.  Secure Authentication Mechanism for Resistance to Password Attacks. 2019 19th International Conference on Advances in ICT for Emerging Regions (ICTer). 250:1–7.
Authentication is a process that provides access control of any type of computing applications by inspecting the user's identification with the database of authorized users. Passwords play the vital role in authentication mechanism to ensure the privacy of the information and avert from the illicit access. Password based authentication mechanism suffers from many password attacks such as shoulder surfing, brute forcing and dictionary attacks that crack the password of authentication schema by the adversary. Key Stroke technique, Click Pattern technique, Graphical Password technique and Authentication panel are the several authentication techniques used to resist the password attacks in the literature. This research study critically reviews the types of password attacks and proposes a matrix based secure authentication mechanism which includes three phases namely, User generation phase, Matrix generation phase and Authentication phase to resist the existing password attacks. The performance measure of the proposed method investigates the results in terms of existing password attacks and shows the good resistance to password attacks in any type of computing applications.
2020-04-06
Asmat, Nida, Qasim, Hafiz Syed Ahmed.  2019.  Conundrum-Pass: A New Graphical Password Approach. 2019 2nd International Conference on Communication, Computing and Digital systems (C-CODE). :282–287.
Graphical passwords are most widely used as a mechanism for authentication in today's mobile computing environment. This methodology was introduced to enhance security element and overcome the vulnerabilities of textual passwords, PINs, or other trivial password methodologies which were difficult to remember and prone to external attacks. There are many graphical password schemes that are proposed over time, however, most of them suffer from shoulder surfing and could be easily guessed which is quite a big problem. The proposed technique in this paper allows the user to keep the ease-to-use property of the pattern lock while minimizing the risk of shoulder surfing and password guessing. The proposed technique allows the user to divide a picture into multiple chunks and while unlocking, selecting the previously defined chunks results successfully in unlocking the device. This technique can effectively resist the shoulder surfing and smudge attacks, also it is resilient to password guessing or dictionary attacks. The proposed methodology can significantly improve the security of the graphical password system with no cost increase in terms of unlocking time.
2017-05-30
Wiese, Oliver, Roth, Volker.  2016.  See You Next Time: A Model for Modern Shoulder Surfers. Proceedings of the 18th International Conference on Human-Computer Interaction with Mobile Devices and Services. :453–464.

Friends, family and colleagues at work may repeatedly observe how their peers unlock their smartphones. These "insiders" may combine multiple partial observations to form a hypothesis of a target's secret. This changing landscape requires that we update the methods used to assess the security of unlocking mechanisms against human shoulder surfing attacks. In our paper, we introduce a methodology to study shoulder surfing risks in the insider threat model. Our methodology dissects the authentication process into minimal observations by humans. Further processing is based on simulations. The outcome is an estimate of the number of observations needed to break a mechanism. The flexibility of this approach benefits the design of new mechanisms. We demonstrate the application of our methodology by performing an analysis of the SwiPIN scheme published at CHI 2015. Our results indicate that SwiPIN can be defeated reliably by a majority of the population with as few as 6 to 11 observations.

2017-03-07
Espinosa, Floren Alexis T., Guerrero III, Guillermo Gohan E., Vea, Larry A.  2016.  Modeling Free-form Handwriting Gesture User Authentication for Android Smartphones. Proceedings of the International Conference on Mobile Software Engineering and Systems. :3–6.

Smartphones nowadays are customized to help users with their daily tasks such as storing important data or making transactions through the internet. With the sensitivity of the data involved, authentication mechanisms such as fixed-text password, PIN, or unlock patterns are used to safeguard these data against intruders. However, these mechanisms have the risk from security threats such as cracking or shoulder surfing. To enhance mobile and/or information security, this study aimed to develop a free-form handwriting gesture user authentication for smartphones. It also tried to discover the static and dynamic handwriting features that significantly influence the recognition of a legitimate user. The experiment was then conducted by asking thirty (30) individuals to draw or swipe using their fingertip their desired free-form security pattern ten (10) times. These patterns were then cleaned and processed, and seven (7) static and eleven (11) dynamic handwriting features were extracted. By means of Neural Network classifier of the RapidMiner data mining tool, these features were used to develop, validate, and test a model for user authentication. The model showed a very promising recognition rate of 96.67%. The model is further tested through a prototype, and it still gave a very satisfactory result.