Thematic Graphical User Authentication: Graphical User Authentication Using Themed Images on Mobile Devices

Transcription

1 Int'l Conf. Security and Management SAM' Thematic Graphical User Authentication: Graphical User Authentication Using Themed Images on Mobile Devices Joshua Sherfield 1, Cheryl V. Hinds 2 1 Lawrence Livermore National Labs, Livermore, California, 94550U.S.A. 2 Computer Science Department, Norfolk State University, Norfolk, Virginia, 23504, U.S.A. Abstract - Authentication is a useful method of restricting access to a device. On traditional computer systems, authentication is usually performed with an alphanumeric username and password. On mobile devices, authentication is similar, however because of the touch-based interfaces found on many mobile devices, typing text passwords can be challenging. Graphical user authentication, is an alternative form of authentication which consist of using images as the form of authentication. In this research, we create a prototype of a graphical user authentication application for mobile devices which uses groups of different themed images to secure the user s authentication. This method is different from other graphical user authentication schemes in that it requires the user to select an image from three different screens where the images consists of different themed images. We show how this method improves usability, and how it resists various common attacks of graphical user authentication. Keywords: Thematic Graphical User Authentication, Mobile Device Security, Mobile Device Authentication. 1 Introduction Computers and many other digital devices can store and process huge amounts of data. To protect the data and possession of the device, security is required to make sure only the appropriate users have access to these resources. Authentication is usually the first line of defense for a computer system. It ensures that the correct users have access to the system. It can also be used to enhance other security methods such as encryption. Authentication, when used to prove user access, usually comes in the form of asking for a user name and an authentication test. The user enters their user name, which may not be a secret, and the authentication test, which should only be able to be completed by the correct user. There are many ways to perform authentication. The most popular methods are separated into three main categories: what you know, what you have, or what you are. 1.1 Types of Authentication What you know authentication relies on the memory of the user [1]. The user must remember some key element of the authentication process, such that other users would not be able to guess the correct authentication key. Typically users are required to enter a user name or personal ID, and the user's authentication information, such as a password or personal identification number (PIN). Typically, these systems are implemented using an alphanumeric password. The drawback of this authentication method is that users are required to create complex passwords for security reasons, however long passwords can be difficult to remember and passwords based on memory are subject to dictionary, guessing and brute force attacks. What you have authentication requires the user to use an authentication token to authenticate themselves [1]. The object is usually man made and portable, rather than being part of the user. Examples of objects used for this type of authentication are smart card authentication, USB key authentication, and token-based authentication [3]. Smart card authentication requires the user to authenticate themselves with a card that can be read in many different ways, including scanning a barcode, swiping a magnetic strip or reading an embedded chip. USB key authentication requires the user to insert a USB drive that contains data used to authenticate the user into a USB slot, and the user can only be authenticated with that key. Token-based authentication includes smart card authentication, USB key authentication, and any other object that is used to authenticate a user. The drawbacks of this type of authentication is the price of additional hardware in many token-based authentication schemes, and the ability to lose the token, smart card, or USB key. Since the key may be all that is needed to authenticate, this method of authentication can be risky, in that never losing the key may ensure the user's authenticity is secure, but simply misplacing the key, or allowing the key to be handled by unapproved users, brings the same authenticity into question.

2 274 Int'l Conf. Security and Management SAM'17 What you are authentication requires the user to present some biometric data to prove their identity [1]. Biometric authentication utilizes unique physical or behavioral traits about a specific person to authenticate that person into a system. Some examples of sources for biometric authentication are fingerprints, facial structure, iris authentication, and hand recognition. In addition, some types of biometric authentication uses behavior-based techniques that track a user's actions. Since all these methods are unique to a specific person they require users to be physically available, and the uniqueness of each method, should be enough to make sure other users would not be able to impersonate since it can be difficult to fake a person s personal characteristics. 1.2 User Authentication on Mobile Devices Authentication systems for mobile devices use multiple types of authentication that usually require an alternative method of user interaction. For example, mobile authentication uses keyboard-based authentication techniques such as passwords and PIN numbers, but since touch screen-based behaviors is the main source of input on most mobile devices, touch-based authentication is available. Some examples of touch-based authentication schemes are pattern-based authentication, touch biometric authentication, and rhythm-based authentication. Pattern-based authentication gives the user the opportunity to create a pattern that the user must create and complete to authenticate themselves. Touch biometric authentication lets the user place their finger or palm on the device, and the various attributes unique to their hand will be used to identify the user and authenticate them. This method is often paired with other methods of authentication, such as methods that measure the behavior of the user, to ensure the method used to authenticate is truly unique. Rhythm-based biometric authentication requires the user to perform an action at whatever rhythm they choose, and that rhythm will be used as their authentication key. There are also types of authentication that take advantage of the mobility of the device. Some authentication systems require a connection to a specified network or device to authenticate the user. On touch screen mobile devices, password, PIN and pattern authentication schemes similar to traditional password methods can sometimes be difficult for users to remember. To overcome this weakness we propose a user authentication method for mobile devices which uses graphical images. The two requirements, memory of the correct key and keeping the key complex, are in direct conflict, leading to issues such as the user not remembering the key correctly due to its complexity, or the user decreasing the complexity of the key for simplicity, which increases the vulnerability of the key. 1.3 Problem Motivation Some forms of authentication are more suitable to desktop and laptop computers, such as alphanumeric passwords. These however are less suitable for mobile devices due to their reliance on touch keyboards and the difficulty in remembering complex keys. Token-based authentication addresses the difficulty of entering the passwords, but requires a secure, physical device, which may not be simple or suitable to carry around with a mobile device. Graphical user authentication has features that are more suitable for a secure, mobile authentication system but some implementations are susceptible to attacks, such as shoulder surfing attacks and smudge attacks. To address the issue of unusable authentication on mobile devices, we created a novel graphical user authentication system which uses three layers of authentication. The user is presented with three different screens of different themed images and is required to select an image from each screen. The three images constitute the user s password. Our authentication scheme is usable, secure, and addresses several problems found in previous mobile graphical user authentication implementations such as shoulder surfing and smudge attacks. We implement strategies that have defeated one or more attacks on their own, but have not been applied to mobile systems. By addressing these problems, we believe users of mobile devices would be less likely to forget their passwords, find their passwords easy to enter, and would be protected against certain attacks most likely to succeed against other graphical systems. The rest of this document is organized as follows. In Section 2, we discuss related work in graphical and mobile authentication. We discuss our authentication system in section 3, and evaluate the results of our work in section 4. We discuss our conclusion and future work in Section 5 and conclude the paper with the references in Section Related Work In this section we describe alternative authentication systems in mobile devices. Chiang et al. [4] designed and implemented a recall-based mobile authentication system based on the issues they believed exist in mobile graphic authentication systems. They compared their password scheme, called Touchscreen Multi-layered Drawing (TDM), to other implemented mobile password schemes which included graphical, drawing and images. When surveying users about the previously used systems, they found many usability issues that related specifically to the mobile platform, such as issues related to inaccuracy due to a small screen or the user not seeing the actual point they are touching due to their finger. The lessons learned from testing TDM and others give great suggestions for a better password scheme on mobile devices. Wang et al. [5] created a time sensitive authentication system for mobile devices that becomes more secure over time and frequency of use [5]. The user would pick an image as their password, and every time the user would try to authenticate, multiple distorted images were presented, including the correct one. The images displayed when the user tests their password, however, are significantly distorted. The authors believed this

3 Int'l Conf. Security and Management SAM' distortion would result in a greater level of security since attackers looking at the user's system would have no clear clue to which image is correct and so that the images are never exactly the same, but still recognizable to the user. Chiasson et al. [6] conducted a study where they studied the effects of using multiple passwords in text and graphical password systems [6]. Their results showed that users were able to recall the graphical passwords at a higher rate than the text passwords, at least for short term recall. For a longer period of memory recall, there was not a significant difference in the text and graphical recall since many users simply could not remember their passwords after a long period of time. Also, users were less likely to make errors when entering graphical passwords in the short term as well [6]. Mobile authentication has several issues that affect the security of graphical user authentication on mobile devices. One of these issues is smudge attacks on touch screen devices which is a shoulder surfing attack where the attacker uses shoulder surfing attacks and guesses the password simply by discerning the dirt and oil patterns on the device. Zezschwitz et al. [2] implemented a solution to smudge attacks on touch devices. They observed the usability of several graphical user authentication methods and their ability to resist smudge attacks. In addition to Android s pattern unlocking scheme, five other methods were tested. The methods varied in features, with three of them allowing the user to choose multiple objects in order, and two others relying on a modified Android pattern that can be rotated in various positions [2]. The study only reviewed 12 participants, so there may not be enough data to determine how usable each scheme was, but each system was reviewed for its ability to resist smudge attacks. The authors found that the Android pattern authentication system was vulnerable to smudge attacks, as was the orientation changing similar approaches, as the attacker could still make out the pattern used on the device. For the color examples that only required sliding to a specific location, however, there were no smudge attacks that they tested that were successful in this system. This demonstrated that there is a possibility that smudge attacks are possibly avoidable in graphical user authentication systems if the selection the user is given is randomized, and does not show any discernible pattern. Schaub et al. [7] explored the design space of graphical passwords on smartphones. They implemented several popular mobile graphical user authentication schemes and examined their design features. In their results, they found that certain design features effected the security, performance, and usability of the system. The authors also found that password sessions that were longer to enter were harder to attack due to more information for an attacker to observe. Alt et al. [8] investigated methods used by users in creating graphical passwords. Users passwords were collected over a year, and the image selection, password selection and password security were assessed in the study. In their results, they found users tend to be biased in favor of certain images when selecting images for their passwords, and that visually significant features in the pictures were more likely to be chosen than any random point of the image [8]. Also, users who tested drawing authentication applications were biased towards one corner of the screen. 3. Themed Images Graphical User Authentification System In this section, we describe our mobile user authentication system. 3.1 Implementation In this research, we created a mobile graphical user authentication system for mobile devices which uses images displayed in related groups for memorable authentication. One image out of three groups of images are used to authenticate the user, and each group of images has a related theme. The user chooses one image out of every group and if the images match the ones the user used to create their password, they are given access to the system. 3.2 Mobile Platform The application was developed using the Android Studio Integrated Development Environment (IDE) for the Android Operating System. The application was developed as a prototype of an authentication system, such that it can be tested for validity of its security and usability. Most of the testing occurred on a OnePlus One phone, running Cyanogenmod 13 (a customized version of Android 6.0.1). It was also tested on the Android Virtual Device (AVD) emulating a Nexus Data Storage The application uses three groups of images which along with the user s authentication details, are stored in a SQLite database. The images are stored as BLOBs in a table, with each group of images in separate rows as shown in Table 1. BLOBs are data types that allow raw data for their value. While SQLite technically allows for any data to be stored in BLOBs, the data must first be converted into bytes. This means that the images are stored as bytes in the database, and must be converted into bitmaps to be displayed. Before the images are stored into the database, however, they are stored as drawable objects accessible to the application. This is for the simple storage of the default set of images, in the case of unforeseen errors in storage. There are four groups of images stored in the application three of which are randomly assigned for the user s password selection. The user s authentication information is stored in a separate table, which includes their user ID for the device (acquired from ANDROID_ID, which is tied to the account of the user), and their hashed password, and the salt. The user ID in the table is tied to the ID of the user who created the password, so

4 276 Int'l Conf. Security and Management SAM'17 in the case of factory resets and manipulation of the user ID, the user must create a new password. Table 1: Structure of Image Database Row IMG0 IMG1 IMG8 Number 0 img0_0 img0_1 img0_8 1 img1_0 img1_1 img1_8 2 img2_0 img2_1 img2_8 3.4 Password Creation The user is presented with a password creation menu containing 3 buttons. When each button is pressed, the user is presented with groups of images which are randomly assigned from the image database. When each button is pressed a grid of all the themed images in that group are presented and the user selects an image from each group by tapping on their selected image. Each screen of images is displayed in a 3x3 grid set around the particular theme. Figure 1 provides an example of this process. Table 2: User Database USR PASS1 PASS2 PASS3 SALT ID0 SHA1(img0 +salt0) ID1 SHA1(img0 +salt1) 3.5 Authentication SHA1(img1+ SHA1(img2 salt0) +salt0) SHA1(img1+ SHA1(img2 salt1) +salt1) salt0 salt1 When the user authenticates themselves, they are presented with three buttons and they must select each button just as they did in the password creation process. When each button is pressed the user is presented with a 3x3 grid of images. The images are randomly selected from the theme with the user s password image from that theme randomly placed. Each time the user authenticates themselves their selected image will be placed in a different location in the grid among a set of themed images. The user must choose the correct images from each screen in order to confirm their password selection. When all images are correctly selected, the user will be given a notification if the password is correct. If the password is incorrect, the user is informed as such. When all three images are chosen correctly, the user is given access to the device. 4. Results The results of the research, in terms of the usability and security, are discussed in this section. 4.1 Usability In this research, the application was created to be usable as well as secure. To keep the authentication usable, it would have to be simple to remember and simple to input. Figure 1: Password Creation Process The password is then created by using a random string as a salt, and the image data as bytes which is then hashed. This is stored as a SHA1 hash. This process which is created for each of the three images the user selects. For verification purposes the user must correctly create their password twice and an entry of the user s password is then stored in a user table containing the password of all users. The user table is shown in Table 2. To reduce the load of memory for the user, the system groups images together by some common theme. For example, one set of images was of different fruits. All the images that appear in each group are related, so the user only is required to remember their image in each themed group. With only three groups of randomly assorted images, the user is more likely to have less trouble remembering their password. To keep the password entry simple for the user, the user is not given too many options at once. Their password only consists of only three images, and the only interaction they need to authenticate is by clicking or tapping the screen. In addition, the user only has to tap the screen 6 times to authenticate themselves. Three times to click on the buttons to open each grid, and three times to select an image. The requirements for interaction are very few, which should result in the user not becoming overwhelmed with either excessive options or frustrating requirements.

5 Int'l Conf. Security and Management SAM' Security As an authentication application, there are several features that have been applied to ensure the user is the only one with access to the system. These features can be split into the categories of common vulnerabilities that were addressed: brute force attacks or guessing, smudge attacks, and shoulder surfing. To protect against brute force attacks, the password the user inputs has multiple possible solutions. Each grid has 9 randomly located images, and each set of images is available in one of the password selection buttons. This means there are 27 images in all, and an attacker must discover which 3 images, one for each set of 9 images, are the user s key. The fact that each image on each screen is related adds a level of complexity for an attacker since it would not be obvious which image is the password. With the sets themselves also being randomly organized, the attacker must take a considerable amount of time attempting the correct combination to successful guess the key. The chance that an attacker could guess one image in a grid correctly is 1/9, given that that there are 9 images. The probability that the attacker could guess all three images correctly is 1/729, or 1/9 * 1/9 * 1/9. This is the probability that the attacker could physically attempt to guess the user s password by trying different combinations. If the attacker were to attempt to guess the password of the user through selecting the image from a specific location on the grid, such as the center, the chance to guess goes up to 1/3.100 x 10 6 for each grid, such that there is a 1/2.979 x chance that the user can guess correctly for each set of image. Table 3 compares this chance with the chance required to brute force alphanumeric passwords of two lengths: 8 character and 16 character. Each of these text passwords are assuming upper case, lower case, numerals, and 33 symbols are possible for each character of the password. As shown in Table 3, the graphical password chance to be guessed or brute forced is similar to the 8 character password, but is less than the 16 character password. Table 3: Probability to Guess Password Type of Authentication Probability to Guess 8 Character Password 1/6.70 x Character Password 1/4.45 x Graphical user authentication 1/2.979 x In addition, there is limited support to protect the user from attacks that can get access as the image grid is displayed but not the database. If an attacker were to intercept the image data being loaded to the screen, they could potentially quickly determine the user s key. To limit the attackers ability to attack with this method, the data used determine if the image data is correct is a hashed string stored in the database. This hash is created with the image data and a random salt, which means an attacker that would like to recreate this hash either requires the salt and the image data, or simply the image data and the ability to guess then recreate the salt. Recreating this data would be a difficult for the attacker to do, as would getting the correct data for all three images. To combat smudge attacks, the positions for the images in the grids are randomized. When an attacker tries to guess the user s password from finger prints on the screen, the finger prints themselves would not give away the location of the image, since the image will be in a different location at any time. Also, given that there are three images, the attacker would also need to discern which smudge corresponds to which image selection. One of the major focuses for security was to resist shoulder surfing, a common vulnerability in graphical user authentication. To resist a potential attacker s ability to simple view the screen to observe and understand the user s authentication, the application was made so the user can enter their password in the least time as possible for this scheme. Using less time to authenticate the user, or at least show what is being used to authenticate, has been shown to decrease the ability of the attacker to shoulder surf [7]. To succeed in limiting the time the user takes to authenticate, the user must be limited to only a few actions to authenticate, and is given information that is simple to understand and recognize quickly. To reduce this time, the image grid is only shown when necessary, and activity to select the images in the grids is quickly created and ended. The user is not given other unnecessary options while the images are displayed. By limiting the interaction options for the user and not showing the authentication details unless authenticating, the user is less likely to unnecessarily give an attacker enough time to reliably remember their password. 5. Discussion and Future Work In this research, we created a graphical user authentication system that aimed to be secure and usable, while addressing issues found in other implementations of mobile graphical user authentication. We implemented a system that has features designed to resist shoulder surfing, smudge attacks, and brute force attacks. The application is similarly secure to minimum requirements in text password policies in resisting brute force attacks, and can resist common graphical user authentication attacks, but are easier to remember. We also implemented features that would keep the system relatively usable when compared to other similar techniques. We believe that used appropriately, the system is not only relatively usable but secure.

6 278 Int'l Conf. Security and Management SAM'17 There are some areas in the implementation of the application that could be enhanced in the future. We will investigate varying size grids and compare the memorability and security with the smaller 3 x 3 grid. The impact of this is that an attacker would have to guess several more times per grid simply to find the first image, let alone the second and third image in the correct order, for each grid. This also, however, requires more images to be stored and processed on the device, and the added interaction and options could make it harder for users to quickly authenticate. Another consideration that could be taken in the future is the speed of the application. The current application does not use multiple processes, threading techniques, or compressed images to process data. Using any combination of these techniques could reduce latency that can occur on different devices, and could make it easier for devices without advanced processing hardware to use this system with little latency. and Communications Security, New York, NY, USA, 2009, pp [7] F. Schaub, M. Walch, B. Könings, and M. Weber, Exploring the design space of graphical passwords on smartphones, in Proceedings of the Ninth Symposium on Usable Privacy and Security, 2013, p. 11. [8] F. Alt, S. Schneegass, A. S. Shirazi, M. Hassib, and A. Bulling, Graphical Passwords in the Wild: Understanding How Users Choose Pictures and Passwords in Image-based Authentication Schemes, in Proceedings of the 17th International Conference on Human-Computer Interaction with Mobile Devices and Services, New York, NY, USA, 2015, pp References [1] J. Brainard, A. Juels, R. L. Rivest, M. Szydlo, and M. Yung, Fourth-factor Authentication: Somebody You Know, in Proceedings of the 13th ACM Conference on Computer and Communications Security, New York, NY, USA, 2006, pp [2] E. von Zezschwitz, A. Koslow, A. De Luca, and H. Hussmann, Making Graphic-based Authentication Secure Against Smudge Attacks, in Proceedings of the 2013 International Conference on Intelligent User Interfaces, New York, NY, USA, 2013, pp [3] C. L. Paul, E. Morse, A. Zhang, Y.-Y. Choong, and M. Theofanos, A Field Study of User Behavior and Perceptions in Smartcard Authentication, in Proceedings of the 13th IFIP TC 13 International Conference on Human-computer Interaction - Volume Part IV, Berlin, Heidelberg, 2011, pp [4] H.-Y. Chiang and S. Chiasson, Improving User Authentication on Mobile Devices: A Touchscreen Graphical Password, in Proceedings of the 15th International Conference on Human-computer Interaction with Mobile Devices and Services, New York, NY, USA, 2013, pp [5] Z. Wang, J. Jing, and L. Li, Time Evolving Graphical Password for Securing Mobile Devices, in Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, New York, NY, USA, 2013, pp [6] S. Chiasson, A. Forget, E. Stobert, P. C. van Oorschot, and R. Biddle, Multiple Password Interference in Text Passwords and Click-based Graphical Passwords, in Proceedings of the 16th ACM Conference on Computer