Academic year: 2021

Share "A NEW PASSWORD AUTHENTICATION SCHEME RESISTANT AGAINST SHOULDER SURFING ATTACK"

Copied!
11
0
0

加載中.... (立即查看全文)

全文

(1)

A NEW PASSWORD AUTHENTICATION SCHEME RESISTANT AGAINST SHOULDER SURFING ATTACK

Mohammed Abbas Fadhil Al-Husainy* Diaa Mohammed Uliyan

Department of Computer Science Middle East University Amman, Jordan 11831, J.O.

Key Words: shoulder surfing attack, textual password authentication, information security.

ABSTRACT

Personal Identification Number (PIN) is one of the simplest ways for user authentication that is commonly used to protect user information through online information systems such as ATMs. PINs are vulnerable to several types of attacks. Usually, users tend to choose easy passwords or short passwords to make them easier to remember. However, this makes passwords vulnerable to multiple forms of attack, such as camera recording attacks and shoulder surfing attacks. This research presents a new textual password authentication technique that can be used as a competitive scheme to both traditional textual and graphical password schemes. In the proposed technique, a new 6 × 6 keyboard has been designed as an alternative to the traditional keyboard to be used by the user to enter password characters. The user does not need to press the keys that represent the password characters. The proposed technique was tested on a group of users and the recorded results of the experiments have been evaluated using a specific set of criteria. Based on the evaluation of the tests, the proposed technique succeeded in providing a more secure session for the user to enter the password. Moreover, the proposed technique helps to solve most of the defects, especially the shoulder surfing attack, that exist in authentication systems that use textual or graphical passwords.

I. INTRODUCTION

One of the main security lines against attackers in any information system is user authentication. Many online information systems have widely used password based mechanisms to keep services secured from illegal access [1]. For safety, users must be authenticated by using their password before opening their personal information or performing any operation on their data. Through the user login interface, different types of passwords are usually used, such as textual, numerical, or graphical formats. To be secure, any traditional password must meet the basic requirements:

(a) The password must be easy to remember,

(b) The user authentication mechanism must run quickly,

(c) Passwords must be difficult for attackers to guess.

Therefore, it became necessary to protect online applications and mobile devices through lock and unlock operations using a password authentication method, as seen with Personal Identification Numbers (PINs). The security of the system will crumble if unauthorized access is given to the wrong person. When the user forgets to follow the guidelines for creating secure passwords and tends to use weak passwords, this will lead to a breach of system security.

*Corresponding author: Mohammed A. Fadhil Al-Husainy, e-mail: [email protected]


(a) ATM keypad (b) Shoulder surfing attack (c) Walls protect the ATM keypad

Fig. 1 The keypad used in ATM and shoulder surfing attack

(a) Select points in the image (b) Select images in order (c) Determine specific pattern

Fig. 2 Different types of graphical passwords

In the login session, especially in crowded places, the password entry process is vulnerable to direct observational attacks. Nearby attackers can easily observe the password in what is known as a “shoulder surfing attack”. When designing an authentication scheme, four types of attacks should be taken into consideration [2].

1. Shoulder Surfing Attack

An adversary who tries to obtain the user’s PIN during the user login process. In a secure password authentication scheme, it must be very hard for shoulder surfers to capture the user’s password by recording or watching the user login session [3].

2. Dictionary Attacks

It is an attempt to recognize a user’s password and use it to defraud the system. These threats become more effective if they are applied to test the most probable passwords [4].

3. Brute Force Attack

It works in the same way as the dictionary attack, but it tries to create all the possible passwords that can be used to attack the original password. Because brute force attacks may be applied either online or offline, this gives brute force attacks enough computation time and power to find the matching password. However, it may not be possible to find all passwords due to large password spaces [5].

4. Spyware Attack

Some spyware tools are hidden in the computer system and they record all sensitive information related to users. Then, without the user’s awareness, the recorded information is transferred out of the system [6].

Usually, Automated Teller Machines (ATMs) are designed to include a main keypad that is used to enter the password of the card (Fig. 1(a)). One of the common threats facing the user while using an ATM, especially when the user enters the password, is shoulder surfing (Fig. 1(b)).

Therefore, most companies that produce ATMs are always trying to redesign the keypad in a new form or add protection tools to save the user password from the shoulder surfing attack (an ATM keypad protector such as walls that surround the keypad, Fig. 1(c)). This keypad and all the attached protection tools add extra cost to the total cost of producing these machines.

The main challenge is to protect the user’s password from theft by shoulder surfing attackers. The shoulder surfing attack is classified into two categories:

1. The direct observation attack, in which the authentication password is determined by an adversary who monitors the login session.

2. Recording attacks, in which the authentication password is recorded by a camera device for later analysis.

User password authentication schemes are classified, based on the type of password used, into textual and graphical password authentication schemes. Most information systems use traditional textual passwords due to ease of use and being easy for users to remember; some other researchers have tried to use a graphical password to raise the security of the user authentication system [7, 8] as an alternative to textual password methods [9, 10]. This password includes the use of images or shapes to determine the user's password.

The user selects points or regions in the image, determines a specific shape or arranges the displayed shapes (Fig. 2). The use of graphical passwords adds more operations to the information systems to deal with the images used and the determination of the selected region by the users, or to manage and record the steps that the user performed to choose the correct sequence of the specified shapes.

There are two types of graphical password schemes based on the selected points or regions in the image [11]:

(1) Picture-based password and (2) Pattern-based password.

Some picture based password methods [12] struggle against dictionary attacks and shoulder surfing attacks. Some attackers try to identify the user's password by observing a legitimate user over his/her shoulder during the login session into the system instead of attempting to guess the authentication password. Therefore, the Android password pattern is commonly vulnerable to shoulder surfing attacks.

Furthermore, many users still favor using the textual passwords because they only contain a set of characters.

The users feel that the use of the graphical password still:

1. Requires complex ways to learn, memorize and deal with it;

2. Requires a long time to enter it into the system in the login session; and

3. Carries a high probability of the password being stolen by the shoulder surfing attack.

This motivated researchers to develop effective methods that enable users to use the textual password in an easy way that also protects the textual password during the login session from shoulder surfing attacks. Recent textual password methods try to reduce this threat by requiring users to enter their passwords indirectly. New textual password methods are designed to ask users to enter their password indirectly in order to conceal the user's actual password. This can be done by performing certain mental tasks to derive the indirect password.

In this paper, a textually based method has been developed and implemented that employs the fundamental of concealing passwords as much as possible. A new 6 × 6 keyboard has been designed and displayed on the screen in the login session for entering the textual password. To enter each character in the password, the user must choose the column in the keyboard that contains the desired character. The user does not need to press the key itself when entering the password characters. This will prevent shoulder surfing attackers from knowing the password characters as well as give the user a more secure session to enter his/her own password.

The remainder of this paper is organized as follows.

Section 2 presents the related works. Section 3 describes the proposed method. Experimental results are discussed in Section 4. A conclusion is drawn at the end of the paper to summarize the deliverables of the proposed method.

II. RELATED WORKS

There have been many user authentication schemes proposed over recent years [13, 14] according to the type of password. Studies of user password authentication methods are classified into two categories:

1. Graphical Password Techniques

This approach maps the set of characters that compose the password into image regions in the password space based on a set of criteria [15]. The main advantage of this approach is its resilience to dictionary attacks. However, few graphical password schemes are developed in practice. The weakness of this approach is that it struggles to protect passwords against shoulder surfing and spyware attacks.

2. Textual Password Techniques

This approach was implemented to examine the problem associated with a conventional and secured password using alphanumeric characters and symbols in order to recall it more easily.

The main challenge is in how to keep it secret and protected from certain attacks like shoulder surfing and spyware attacks [16].

Shoulder surfing is one of the major forms of attacks users face when entering their passwords in login sessions.

Several shoulder surfing resistant techniques have been proposed in [13, 14].

Istyaq & Agrawal presented a new authentication technique based on using a one-time password scheme [17]. This technique is already used by governments and banks to enhance security and privacy. The user does not need to remember the password because the technique sends the user’s password to the user's email at login time. The login session in the technique usually takes more time and the probability of stealing the password is proportionally higher.

Nugroho et al. proposed a graphical text-based password scheme to avoid shoulder surfing attacks [18]. The scheme uses colors in the authentication and combines characters and images that represent the user’s password. The proposed scheme seems more complicated when put into use by the user, and the user needs to remember three different things (colors, characters, and images).

Vachaspati et al. suggested a textual-graphical authentication scheme, wherein the user must click on the displayed image that contains randomly distributed characters to form a triangle that contains the specific password characters of the user [19]. Although the scheme is proportionally resistant to shoulder surfing, the user in this scheme needs to click many times to determine all the password characters.

Kumar et al. [20] presented the “EyePassword” authentication system, which reduces the effect of shoulder surfing attacks. In this system, the user selects the password characters from the keyboard displayed on the screen using his eyes. Moreover, the system determines whether the user's selection is right or wrong depending on the orientation of the user's eyes. As the researchers said, the system succeeded in reducing the impact of shoulder surfing, but it takes a great deal of time to complete the login session.

Gokhale & Waghmare [21] developed an authentication system against shoulder surfing attacks. The proposed system is a modification of an existing system in order to overcome its limitations. In this system, the user selects a minimum set of six images and three different questions for each image and determines the answer for each question. Although the modification adds more immunity against the shoulder surfing attack, it makes the system more complex for the user to use and takes a long time in the login session.

Kaur & Kaur [22] proposed a multi-factor authentication technique in cloud platforms for mobile devices. This technique seems suitable to protect against shoulder surfing attacks. However, it still adds more load on the user in remembering two different forms of password for authentication.

As seen in the study by Biddle, Chiasson, & Van Oorschot [23], graphical password methods struggle to protect user passwords from shoulder surfing when they use more password images. This may increase the chance of producing a large area in the user interface to be used. As a result, it will increase the vulnerability to guessing attacks.

To solve these challenging problems, this paper aims to develop a method that has the ability to hide the user passwords during the login session. It also prevents an adversary that has knowledge of a subset of the password from logging in. The following section introduces the proposed technique in detail.

III. THE PROPOSED METHOD

One of the most common attacks facing and worrying users while entering their textual passwords is the shoulder surfing attack. Therefore, many recent authentication techniques sought to use a graphical password as an alternative to the textual password.

The main objective of these techniques is to give a high level of protection for the login session against the shoulder surfing attack. As a result, this has added more difficulties in entering and remembering graphical passwords by users; furthermore, the authentication system came to need a long time to process the password and a large space to store the graphical passwords. The real challenge here is the ability to develop a technique to enter a password that:

1. Has resistance to shoulder surfing attacks;

2. Reduces the complexity of entering a password in the login session;

3. Reduces the time needed to process a password; and

4. Reduces the space required to store a password on the computer.

The design of a good authentication system comes from the ability to address the following key points:

1. Most users still prefer using the textual password and not the graphical password.

2. To enter the user's password, most current authentication systems still ask the user to press the keys themselves on the keyboard, click on specific images, objects or shapes, determine the specific pattern displayed on the screen, or draw a specific shape on the screen. All these behaviors give shoulder surfing attackers important information about the user's password.

3. The attempts of most proposed authentication systems to add more protection to the password through merging textual and graphical passwords led to: increasing the complexity of using the authentication system, spending a relatively long time to complete the login session, and increasing the burden on the user to remember the compound password.

In order to treat the above issues and to overcome the shortcomings in most existing authentication systems, the proposed authentication technique is designed to achieve the following goals:

(1) Keep using the textual password for authentication as most users prefer.

(2) Keep users away from pressing the keys themselves on the keyboard.

(a) Registration session (b) Login session

Fig. 3 Screenshot of: (a) Registration session (b) Login session

(a) Uppercase alphabetic (b) Lowercase alphabetic (c) Digits

Fig. 4 Three keyboards used in the proposed authentication system

The registration and login sessions of the proposed authentication technique are designed to be as simple and as easy to use as possible by the user. The two sessions also look similar to each other. The screenshots of the registration and login sessions are depicted in Fig. 3. As can be seen in Fig. 3, the only difference between the two sessions is that in the registration session, the user should enter his/her password twice to confirm the password.

In both sessions, after the user writes his/her username, the user should enter the password characters using the (6 × 6) square keyboard (2D square matrix) that is displayed on the screen. The system provides the user with three types of keyboards on the right side of the screen as shown in Fig. 4.

The user can switch between these three keyboards easily by selecting the desired radio button. Each keyboard randomly displays a set of 36 non-repeated characters:

ABC: consists of the uppercase alphabet characters A–Z and ., ,, ;, :, (, ), {, }, [, ]

abc: consists of the lowercase alphabet characters a–z and ., ,, ;, :, (, ), {, }, [, ]

Num/Sym: consists of the decimal digits 1, 2, 3, 4, 5, 6, 7, 8, 9, 0 and !, @, #, $, %, ^, &, *, , , =, /, ?, ~, <, >, \, \, |, _, (, ), {, }, [, ]

The button “Reset” is used to delete all the password characters that have been typed and enter a new password.

The “Delete” button is used to delete only the last character typed in the password.

It should be mentioned here that the size of the keyboard that is adopted by the proposed technique (i.e., 6 × 6) has been chosen to be suitable enough for users to locate the desired character on the keyboard quickly and simply. It can also be larger or smaller than 6 × 6 as desired. In the following paragraphs, we use a matrix M of 6 × 6 elements (Fig. 5(a)) to refer to the keyboards used by the proposed technique; each cell in the matrix M contains one of the 36 characters mentioned above that are used on the keyboard of the authentication system (Fig. 5(b)), where M(x, y) is the element of the matrix M at row x (in blue) and column y (in red).

(a) The matrix M represents the index (row, column) of each key in the keyboard (b) The six red arrow buttons under the keyboard M

Fig. 5 (6 × 6) keyboard used in the proposed authentication system

To enter the password characters, the user must use the six buttons (red arrow buttons) under the keyboard (see Fig. 5(b)). Each button is related to one column of the keyboard. The user does not need to click on the characters themselves in the keyboard, but on the arrow button associated with that character's column.

The proposed mechanism for entering any character in the password passes through the following steps:

Step 1

The user clicks on the arrow button that points to the column containing the desired character in the displayed keyboard K1. This click specifies a column number C1 that contains six elements on the keyboard K1. This prevents the login session observer (i.e., shoulder-surfing attacker) from knowing the character chosen by the user in the selected column C1 (Fig. 6(a)).

Step 2

The system immediately performs the following operations:

i. Records the column number C1 of the currently displayed keyboard K1, which was selected by the user.

ii. Adds an asterisk symbol “*” (in red color) to the password in the password bar above the keyboard on the screen. The red color of the asterisk symbol is used to notify the user that the current character still needs another click to complete the process of entering the current character.

iii. Performs a matrix transpose operation on the current keyboard K1 to produce a new keyboard K2. The transpose of the keyboard (matrix) is an operation that flips the keyboard over its diagonal. In other words, each row becomes a column and vice versa. This means that the column number C1 selected by the user on the keyboard K1 now refers to the row number C1 in the new keyboard K2 (Fig. 6(b)).

The matrix transpose of a 6 × 6 square matrix M is denoted as M^T. The element at the location (x, y) in the matrix M, where x represents the row number and y represents the column number of the element in the matrix M, moves to the new location (y, x) in the matrix transpose M^T, as given by Eq. (1):

$M^{T}(x, y) = M(y, x)$   (1)

An example of a matrix transpose operation performed on the matrix M to produce M^T is shown in Fig. 6(c). The programming code used to perform the transpose operation on the keyboard K1 to produce a new keyboard K2 is (only the elements above the diagonal are visited, each being exchanged with its mirror image below the diagonal; the diagonal itself is unchanged by a transpose):

    for x = 1, …, 5 do
        for y = (x + 1), …, 6 do
            K2(x, y) ← K1(y, x)
            K2(y, x) ← K1(x, y)
        end for
    end for

Step 3

The user clicks again on the arrow button that points to the column containing the same character that was selected in Step 1, in the newly displayed keyboard K2. This click specifies a column number C2 that contains six elements on the keyboard K2. Again, this prevents the login session observer (i.e., shoulder-surfing attacker) from knowing the character chosen by the user in the selected column C2. This selection makes an intersection between the previously selected row number C1 and the currently selected column number C2. This intersection exists in the element at the location index (C1, C2) in the keyboard K2 (Fig. 7).

(a) Selected column C1 by the user (b) Transpose operation of the user selected column C1 in Step 1 (c) Example of the transpose operation of the matrix M to produce M^T

Fig. 6 (a) Step 1 (b) Step 2 of the proposed technique (c) Matrix M and its transpose M^T

Step 4

The system immediately performs the following operations:

i. Records the column number C2 of the displayed keyboard K2, which was selected by the user.

ii. Converts the color of the asterisk symbol added previously in the password bar above the keyboard on the screen (in Step 2) to green *. The green color of the asterisk symbol is used to notify the user that the process of entering the current character has been completed.

iii. Finds the desired character entered by the user using Eq. (2):

$\text{Desired character} = K_{2}(C_{1}, C_{2})$   (2)

where C1 represents the row number and C2 represents the column number of the element on the keyboard K2.

iv. Adds the desired character found by Eq. (2) to the user password.

Fig. 7 The element (C1, C2) that is produced from the intersection between row C1 and column C2

Step 5

The system immediately redistributes the characters in the displayed keyboard randomly and displays a new keyboard.

The five steps mentioned above are repeated to enter each character in the password.
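The following Python simulation is an added example and not code from the paper (the authors give only the transpose pseudocode above). It builds a random 6 × 6 keyboard from the ABC character set listed earlier, runs Steps 1 to 5 for every character of a password, and checks that the system reconstructs the password from nothing but the two column numbers C1 and C2 per character, via K2(C1, C2). The function names make_keyboard, transpose, column_of, enter_character and enter_password, the 0-based indexing and the seeded random generator are my own assumptions, not the paper's.

```python
import random
import string

# Constructed character set matching the paper's "ABC" keyboard: the uppercase
# alphabet plus the ten punctuation characters . , ; : ( ) { } [ ] (36 in total).
ABC_CHARSET = string.ascii_uppercase + ".,;:(){}[]"
SIZE = 6  # the keyboard is a 6 x 6 matrix; 36 characters fill it exactly


def make_keyboard(charset, rng):
    """Randomly distribute 36 non-repeating characters over a 6 x 6 matrix
    (what the system does at the start of a session and again in Step 5)."""
    chars = list(charset)
    if len(chars) != SIZE * SIZE or len(set(chars)) != len(chars):
        raise ValueError("keyboard needs exactly 36 distinct characters")
    rng.shuffle(chars)
    return [chars[r * SIZE:(r + 1) * SIZE] for r in range(SIZE)]


def transpose(k):
    """Flip the keyboard over its main diagonal, Eq. (1): K^T(x, y) = K(y, x)."""
    return [[k[y][x] for y in range(SIZE)] for x in range(SIZE)]


def column_of(k, ch):
    """0-based index of the column holding ch: the user finds the character by
    eye and clicks the arrow button under that column, never the key itself."""
    for row in k:
        if ch in row:
            return row.index(ch)
    raise ValueError(f"{ch!r} is not on this keyboard")


def enter_character(k1, ch):
    """Steps 1 to 4 for a single character on keyboard k1.

    Returns (c1, c2, decoded, k2). The system records only the two column
    numbers c1 and c2 and recovers the character as K2(C1, C2), Eq. (2)."""
    c1 = column_of(k1, ch)   # Step 1: click the arrow under ch's column on K1
    k2 = transpose(k1)       # Step 2: transpose; column c1 of K1 is now row c1 of K2
    c2 = column_of(k2, ch)   # Step 3: click the arrow under ch's column on K2
    decoded = k2[c1][c2]     # Step 4: intersection of row c1 and column c2
    return c1, c2, decoded, k2


def enter_password(password, charset=ABC_CHARSET, seed=0):
    """Simulate entering a whole password. Returns the string the system
    reconstructs from the click pairs and the list of (c1, c2) clicks."""
    rng = random.Random(seed)  # seeded so the simulation is repeatable
    keyboard = make_keyboard(charset, rng)
    recovered, clicks = [], []
    for ch in password:
        c1, c2, decoded, _ = enter_character(keyboard, ch)
        recovered.append(decoded)
        clicks.append((c1, c2))
        keyboard = make_keyboard(charset, rng)  # Step 5: fresh random layout
    return "".join(recovered), clicks


if __name__ == "__main__":
    word, log = enter_password("B(Z.")  # constructed sample password
    print(word, log)
```

Running the block prints the reconstructed string and the click log; the log holds only column indices in the range 0 to 5, which is why the scheme never has to record which key the user pressed.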

IV. EXPERIMENTS, ANALYSIS AND DISCUSSION

1. Experiments

For a deeper look at the proposed mechanism, an example of entering the fourth character of the password (which is the character “B”, for example) is given here. After the login session of the system has started and the user has entered the user name (for example “Omer”), the five steps listed above are implemented for each character. We assume here that the user has entered three characters of the password and now wants to enter the fourth character.

Fig. 8 shows the implementation of the five steps.

2. Analysis and Discussion

As in many other security systems, the proposed authentication system needs to strike a balance between security, usability, ease of implementation and improving working procedures. Security is an important factor in achieving immunity for the user accounts against attackers and increasing system reliability. Usability is another important factor affecting users' acceptance of the authentication system. At the same time, ease of implementation and improving working procedures play a key role in the successful adoption of the proposed authentication system in certain areas of information technology.

(a) Step 1 (b) Step 2 and 3 (c) Step 4 and 5

Fig. 8 Steps of entering the fourth character B of the password in the login session.

i. Security Issue

Some experiments of shoulder surfing attack have been conducted to examine whether the proposed scheme is resistant against this type of attack or not. 15 participants have been selected as shoulder surfing attackers. Our experimental analysis covered two stages:

(1) Training stage

The scenario of the training phase started with presenting our proposed method to the participants and showing them a brief demo of how an attack can be accomplished by shoulder surfing attackers. The participants were partitioned into 3 groups. Each group has 5 skilled users who can perform a faster login time. Skilled users are employed in our method and two other state-of-the-art graphical based methods: the multi-color based PIN method [24] and the picture-based password authentication method [25].

The next stage allowed each group to make the attack on the three examined methods. Each participant was attacked for about 15 rounds for each of the methods.

(2) Test stage:

Shoulder surfing was conducted during the 15 login sessions by skilled users for each participant. The total number of experiments was about (15 × 5) = 225 results from the participants for each of the 3 suggested methods. As shown in Fig. 9, only 68.3% of the shoulder surfing attackers were able to guess all characters of the password content from the picture-based method. The duration of each login session was about 12 seconds (6 seconds for the transposition operations made in the login keyboard and 1 second for every character) entered by skilled users in our method. During the login session, none of them was able to retrieve all the characters successfully. Many of them even failed to guess a single character. Fig. 9 shows the weakness of the picture-based method: shoulder surfing attacks can get all characters entered by skilled users in 68.3% of cases.

Duration of a login session of the multiple color based method was 13 seconds and that of the picture based method was 30 seconds, as shown in Fig. 10.

Fig. 9 The performance of shoulder surfers for our method compared with the multi-color method [24] and picture based method [25] (bar chart: percentage of shoulder surfers against compromised characters in password: no char, one character, two characters, three characters, all characters; series: our method, multi-color based method, picture based method)

From another security standpoint, the total number of characters used by the proposed system was 96 and has been classified into three types/keyboards (ABC, abc, and Num/Sym). This means that the system uses a sufficiently large password space, which is 96^N, where N is the number of password characters. Brute force attacks need to perform 96 attempts per character in the password based on trial and error. But we must mention here that more types of characters can be added to the system and classified into additional new categories [18]. Therefore, the number of possible combinations for choosing a password of length N is calculated using Eq. (3):

$C = 96^{N}$   (3)

where C is the total number of possible combinations and N may range from 6 (as a minimum) to 20 (as a maximum). Thus, when the user chooses a password of length N = 6, the total choices equal 96^7, and for a password of length N = 20, the total choices equal 96^20.

Fig. 10 The duration of the login session of our method compared with others: [24] and [25] (bar chart, time in seconds: our method 12, multi-color based method 13, picture based method 30)

ii. Usability Issue

A 6 × 6 grid of alphanumeric characters was employed in the login screen in the experiments. In the registration stage, the participants had to enter passwords with at least 6 characters. They were trained to use their passwords for 15 successful login attempts to familiarize them with the proposed method. Each login attempt required 5 rounds to be tried out. The time required to log in and the frequency of errors were recorded by the proposed scheme. After the participants had achieved 15 successful logins, they were also trained to watch a demo of a user login session. They were instructed to act as the attackers in the challenge round on the password entered by the authorized users via the login session. Then, they were asked three trials to guess the password used for the login session that appeared in the demo. As shown in Fig. 11, the average times of 15 successful login trials are presented. The figure indicates that, over the 15 successful login sessions, the average login time decreased significantly as participants gained more experience with the scheme.

For more details on usability, Table 1 presents the min login time, max, average, and standard deviation for all successful login attempts. The min login time was 12 seconds, while the max time was 38 seconds. The participants had an average login time of 23.86 seconds, with a standard deviation of 9.077 seconds. The median for all the successful login attempts is 23 seconds. This indicates that about 50% of the successful login trials required less than 23 seconds to log in.

Table 1 The satisfaction evaluation of the proposed technique by 15 participants

    Question                     Q1     Q2     Q3     Q4     Q5
    Degree of answer (1 to 5)    4.55   4.17   3.39   3.35   3.15

Fig. 11 Average times of 15 successful login trials in the proposed method (line chart: average time in seconds, 8 to 38, against login trials 1 to 15, with a linear trend line)

Then, there is a satisfaction measure used for evaluating the usability of our scheme. Some questionnaires were collected from the participants. The questions were:

Q1: Is the password login session convenient and easy to use?

Q2: Can I track my password character during a transposition operation in the keyboard?

Q3: Did you have trouble entering a password in the scheme?

Q4: The registration session was easy.

Q5: I think I can remember my password easily.

iii. Implementation Issue

One of the success points for the adoption of an authentication system is minimizing the time and cost of implementing the authentication system in a certain computerized system. In addition, the authentication system should improve working procedures. We can summarize the advantages of implementing the proposed authentication technique and the improvement in the work procedure when using it.

(1) The proposed keyboard can be implemented and used easily on various authentication systems that use a mouse or a touch screen (such as ATM, smartphone, tablet, and PC).

(2) The use of the proposed keyboard reduces the cost and the time of designing, manufacturing and embedding the actual keypad/keyboard in some authentication systems such as ATMs, since the proposed authentication system uses an alternative visual keyboard displayed on a touch screen.

(3) Time to complete registration and login sessions is relatively short when compared with the current authentication techniques that use a graphical or compound password.

(4) It is easy to use any of the famous encryption me- thods to protect the users passwords and the database of passwords within the system.

V. CONCLUSIONS

The proposed authentication technique has successfully helped to solve the problem of the shoulder surfing attack by giving users a more secure login session. This was done by proposing a new mechanism for entering the textual password using an innovative keyboard. Furthermore, the proposed technique succeeded in overcoming most of the existing drawbacks in current authentication systems that use textual or graphical passwords. Our method increased the level of security of the login session, reduced the cost of production, and made the system easy to implement and the password easy for users to remember. All of these features are strong points of the proposed technique that encourage its efficient use in authentication systems.

ACKNOWLEDGMENT

The authors are grateful to the Middle East University, Amman, Jordan for the financial support granted to cover the publication fee of this research article.

REFERENCES

1. Schaub, F., R. Deyhle and M. Weber. 2012. “Password Entry Usability and Shoulder Surfing Susceptibility on Different Smartphone Platforms.” In Proceedings of the 11th International Conference on Mobile and Ubiquitous Multimedia, Ulm, Germany, 4-6 Dec 2012. New York, USA: ACM.

2. Khodadadi, T., A. M. Islam, S. Baharun and S. Komaki. 2016. “Evaluation of Recognition-Based Graphical Password Schemes in Terms of Usability and Security Attributes.” International Journal of Electrical and Computer Engineering 6 (6): 2939-2948. doi: 10.11591/ijece.v6i6.11227

3. Kwon, T. and J. Hong. 2015. “Analysis and Improvement of a PIN-Entry Method Resilient to Shoulder-Surfing and Recording Attacks.” IEEE Transactions on Information Forensics and Security 10 (2): 278-292. doi: 10.1109/TIFS.2014.2374352

4. Suo, X., Y. Zhu and G. S. Owen. 2005. “Graphical Passwords: A Survey.” In Proceedings of the 21st Annual Computer Security Applications Conference, Tucson, AZ, USA, 5-9 Dec 2005. Washington, DC: IEEE.

5. Narayanan, A. and V. Shmatikov. 2005. “Fast Dictionary Attacks on Passwords Using Time-Space Tradeoff.” In Proceedings of the 12th ACM Conference on Computer and Communications Security, Alexandria, VA, USA, 7-11 Nov 2005: 364-372. New York, USA: ACM.

6. Weinshall, D. 2006. “Cognitive Authentication Schemes Safe Against Spyware.” In Proceedings of the IEEE Symposium on Security and Privacy, Berkeley/Oakland, CA, USA, 21-24 May 2006: 295-300. Washington, DC: IEEE.

7. Yeung, A. L. C., B. L. W. Wai, C. H. Fung, F. Mughal and V. Iranmanesh. 2015. “Graphical Password: Shoulder-Surfing Resistant Using Falsification.” In Proceedings of the 2015 9th Malaysian Software Engineering Conference (MySEC), Kuala Lumpur, Malaysia, 16-17 Dec 2015: 145-148. Washington, DC: IEEE.

8. Sun, H. M., S. T. Chen, J. H. Yeh and C. Y. Cheng. 2016. “A Shoulder Surfing Resistant Graphical Authentication System.” IEEE Transactions on Dependable and Secure Computing 15 (2): 180-193. doi: 10.1109/TDSC.2016.2539942

9. Von Zezschwitz, E., A. De Luca and H. Hussmann. 2014. “Honey, I Shrunk the Keys: Influences of Mobile Devices on Password Composition and Authentication Performance.” In Proceedings of the 8th Nordic Conference on Human-Computer Interaction: Fun, Fast, Foundational, Helsinki, Finland, 26-30 Oct 2014: 461-470. New York, USA: ACM.

10. Bianchi, A., I. Oakley and D. S. Kwon. 2010. “The Secure Haptic Keypad: A Tactile Password System.” In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, Atlanta, Georgia, USA, 10-15 Apr 2010: 1089-1092. New York, USA: ACM.

11. Kita, Y., F. Sugai, M. Park and N. Okazaki. 2013. “Proposal and Its Evaluation of a Shoulder-Surfing Attack Resistant Authentication Method: Secret Tap with Double Shift.” International Journal of Cyber-Security and Digital Forensics (IJCSDF) 2 (1): 48-55.

12. Rittenhouse, R. G., J. A. Chaudry and M. Lee. 2013. “Security in Graphical Authentication.” International Journal of Security and Its Applications 7 (3): 347-356.

13. Alomar, N., M. Alsaleh and A. Alarifi. 2017. “Someone in Your Contact List: Cued Recall-Based Textual Passwords.” IEEE Transactions on Information Forensics and Security 12 (11): 2574-2589. doi: 10.1109/TIFS.2017.2712126

14. Ur, B., P. G. Kelley, S. Komanduri, J. Lee, M. Maass, M. L. Mazurek, T. Passaro et al. 2012. “How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation.” Paper presented at the USENIX Security Symposium, Bellevue, 8-10 Aug 2012.

15. Al-Husainy, M. A. F. and R. A. Malih. 2015. “Using Emoji Pictures to Strengthen the Immunity of Passwords Against Attackers.” European Scientific Journal 11 (30): 153-165.

16. Bianchi, A., I. Oakley, V. Kostakos and D. S. Kwon. 2011. “The Phone Lock: Audio and Haptic Shoulder-Surfing Resistant PIN Entry Methods for Mobile Devices.” In Proceedings of the Fifth International Conference on Tangible, Embedded, and Embodied Interaction, Funchal, Madeira, Portugal, 22-26 Jan 2011. New York, USA: ACM.

17. Istyaq, S. and L. Agrawal. 2016. “A New Technique for User Authentication Using Numeric One Time Password Scheme.” International Journal of Advanced Trends in Computer Science and Engineering 4 (5): 163-165.

18. Nurul, K. U., L. E. Nugroho and D. Adhipta. 2015. “Shoulder Surfing Resistant Text Based Graphical Password Schemes Using Color.” International Conference on Science, Technology and Humanity 2015: 109-114.

19. Vachaspati, P., A. Chakravarthy and P. Avadhani. 2013. “A Novel Soft Computing Authentication Scheme for Textual and Graphical Passwords.” International Journal of Computer Applications 71 (10): 42-54.

20. Kumar, M., T. Garfinkel, D. Boneh and T. Winograd. 2007. “Reducing Shoulder-Surfing by Using Gaze-Based Password Entry.” In Proceedings of the 3rd Symposium on Usable Privacy and Security, Pittsburgh, Pennsylvania, USA, 18-20 Jul 2007. New York, USA: ACM.

21. Gokhale, A. S. and V. S. Waghmare. 2016. “The Shoulder Surfing Resistant Graphical Password Authentication Technique.” Procedia Computer Science 79: 490-498. doi: 10.1016/j.procs.2016.03.063

22. Kaur, R. and A. Kaur. 2015. “Multi-Factor Graphical Password for Cloud Interface Authentication Security.” International Journal of Computer Applications 125 (7): 32-35.

23. Biddle, R., S. Chiasson and P. C. Van Oorschot. 2012. “Graphical Passwords: Learning from the First Twelve Years.” ACM Computing Surveys (CSUR) 44 (4): 1-25. doi: 10.1145/2333112.2333114

24. Kwon, T., S. Shin and S. Na. 2014. “Covert Attentional Shoulder Surfing: Human Adversaries Are More Powerful Than Expected.” IEEE Transactions on Systems, Man, and Cybernetics: Systems 44 (6): 716-727. doi: 10.1109/TSMC.2013.2270227

25. Ho, P. F., Y. H.-S. Kam, M. C. Wee, Y. N. Chong and L. Y. Por. 2014. “Preventing Shoulder-Surfing Attack with the Concept of Concealing the Password Objects’ Information.” The Scientific World Journal 2014: 12. doi: 10.1155/2014/838623

Manuscript Received: Oct. 28, 2017 First Revision Received: Aug. 16, 2018 Second Revision Received: Dec. 12, 2018 and Accepted: Dec. 22, 2018
