Abstract

Graphical password systems have received significant attention as one potential solution to the need for more usable authentication, but graphical passwords are often considered prone to shoulder-surfing attacks. In this paper, in order to build a balance between usability and security for authentication, we propose a new graphical password scheme by combining a specific verification grid with a map slipping strategy. In the proposed scheme, a set of fixed grids are pregenerated on a map. During the registration process, the user is not only asked to select several points in sequence on the map to form a password route, but also required to choose one of the pregenerated grids as a specific verification grid for the subsequent authentication. The password route and the specific verification grid together form the complete graphical password. During the authentication process, the user needs to slip the map to let each point on the password route sequentially fit inside the specific verification grid, which is already remembered by the user but difficult for attackers to detect. With the specific verification grid and the map slipping strategy, the proposed scheme can effectively defend against shoulder-surfing attacks. Meanwhile, the password points are represented as coordinates on the map; therefore, the proposed scheme has a negligible storage burden. The comparative experiments show that, using the proposed scheme, the success rate of shoulder-surfing defense can be increased by 37% to 56% with different grid sizes and password point numbers, and the usability of passwords can also be improved by 3% to 6%. Therefore, the proposed scheme can achieve good shoulder-surfing defense and reasonable usability simultaneously.

1. Introduction

In today's information age, users' data face an increasing risk of being attacked or stolen [1–5]. Identity authentication has become more and more important, since it secures information systems by preventing unauthorized users from gaining access to them, and thereby protects information security.

Plenty of methods have been proposed to perform authentication [2, 6–19]. Among them, alphanumerical password authentication is the primary form, because it is easy to implement. A secure password should be random and easy to remember at the same time. Unfortunately, a random alphanumerical password is usually not easy to remember. Therefore, the graphical password was introduced as an alternative to help users memorize their passwords better, since it is much easier for humans to remember images than verbal representations [20].

Despite these advantages, the common problem with graphical passwords is that they are hardly resilient against shoulder-surfing attacks [21]. That is, graphical passwords are not difficult to obtain by looking over the user's shoulder, or with the aid of recording devices such as cameras.

In this paper, in order to get a balance between usability and security, we propose a verification grid and map slipping based graphical password (VGMSGP) scheme. In the proposed scheme, a set of fixed grids are pregenerated on a map. During the registration process, the user is not only asked to select several points in sequence on the map to form a password route, but also required to choose one of the pregenerated grids as a specific verification grid for the subsequent authentication. The password route and the specific verification grid together form the complete graphical password. During the authentication process, the user needs to slip the map to let each point on the password route sequentially fit inside the specific verification grid, which is already remembered by the user but difficult for attackers to detect. With the specific verification grid and the map slipping strategy, the proposed VGMSGP scheme can effectively defend against shoulder-surfing attacks. Meanwhile, the password points are represented as coordinates on the map; therefore, the proposed scheme has a negligible storage burden. The main contributions of the proposed scheme are listed as follows.

(1) Effective resistance against shoulder-surfing attacks: in the proposed VGMSGP scheme, the password consists of two components. One is the password route formed by some points on the map, and the other is the specific verification grid, which is blended with the regular ones. To perform authentication, users do not click the password points one by one, which would be impossible to defend against; they have to slip the map to let each point on the password route sequentially fit inside the specific verification grid. Since the specific verification grid is blended with the regular grids, it is difficult for attackers to detect. Besides, the track of map slipping is not easy to capture either. Therefore, the proposed VGMSGP scheme can achieve effective resistance against shoulder-surfing attacks.

(2) High usability of passwords: in the proposed VGMSGP scheme, during the registration process, the user needs to select several points on the map. Since the points correspond to locations on the map, and the locations are full of information, the points along the password route are easy to remember. At the same time, the pregenerated grids are well scaled, so it is also easy to remember the position of the specific verification grid. Therefore, the proposed VGMSGP scheme can achieve high usability of passwords.

(3) Less burden on the authentication server: in the proposed VGMSGP scheme, instead of storing a great number of pictures on the server, we take advantage of the Google Maps API to implement both the registration and the authentication. In this way, the server only needs to store the coordinates of the password points, which reduces the pressure on system storage.

The rest of this paper is outlined as follows. Section 2 reports the related works. The proposed VGMSGP system is introduced in Section 3. The evaluation results and analysis are given in Section 4. Conclusions are drawn in Section 5.

2. Related Works

Fundamentally, graphical passwords can be categorized into three categories: recognition-based [22–28], redrawing-based [29–35], and reselection-based [36–44]. In recognition-based systems, the user needs to choose a number of images from a large portfolio of images to create a password for the first time. During the authentication process, the user must successfully identify the prior password images and distinguish them from other decoy images. In redrawing-based systems, the user needs to create or select a secret drawing when registering for the first time and then reproduce the same drawing on a grid or a blank canvas during the authentication stage. In reselection-based systems, the user creates the password by selecting several predefined objects on a single image or several images. For authentication, the user is required to reselect the same objects chosen in the registration process.

2.1. Recognition-Based Graphical Password System

There are many graphical password authentication systems based on the recognition of different kinds of images or objects, such as describable abstract images [27], face photos [24], thumbnail pictures [23], and object icons [25, 26, 28, 35]. In some works [23, 24, 27], the user chooses several images from a database as the key images to register on an authentication server. In the login phase, the user identifies his/her chosen images from a set of images displayed on a screen to perform authentication.

Wiedenbeck et al. [22] developed an object recognition-based graphical password authentication scheme to resist shoulder-surfing attacks. The user needs to recognize a set of preselected object icons displayed on the screen and then click inside the convex hull region formed by connecting these pass-object icons.

Yu et al. [26] proposed an evolvable graphical password-based authentication mechanism, called EvoPass, to resist shoulder-surfing attacks. In EvoPass, each user identifies object sketches from a set of preselected images, where the object sketches are generated by an edge extraction algorithm from personal images or images downloaded from the web. Their pass sketches are more secure than pass images against shoulder-surfing attacks, since the pass sketches are hard for an observer to remember.

The recognition-based graphical password system is easy to use. However, the area available to display objects is usually small, so the number of objects that can be displayed is limited, which greatly reduces the password space and may result in poor resistance to security attacks. Moreover, the authentication server has to store a large number of password pictures. Therefore, this method undoubtedly places a great storage load on the server.

2.2. Redrawing-Based Graphical Password System

As another authentication strategy, redrawing-based graphical password systems have been developed to expand the password space.

Jermyn et al. [29] proposed the Draw-a-Secret (DAS) technique, in which each user is allowed to draw a unique password. In the registration phase, users draw a simple picture on a grid. After that, the coordinates of the grid cells occupied by the picture are stored in the order they are drawn. During the authentication process, the user needs to redraw the picture; if the redrawing path goes through the correct grid cells in the correct order, the user is authenticated successfully. Besides, some works [30, 31] studied the password space and stroke count of the DAS technique and showed that the stroke count plays an important role in the DAS password space.

To enhance the security of FinTech authentication against cybercriminals, Meng et al. [35] proposed an authentication system based on the map graphical password. In their method, the user will initialize a route on a world map as the credentials. When logging into the system, the user is required to redraw the route. This scheme achieved good performance in authentication accuracy and multiple password storage.

However, because the directly displayed password route is easy to detect, a shoulder-surfing attacker can easily steal the user's password.

Basically, the redrawing-based method offers a large password space comparable to that of the recognition-based scheme. However, it still faces security issues. These redrawing-based passwords are still vulnerable to shoulder-surfing attacks.

2.3. Reselection-Based Graphical Password System

Different from redrawing-based graphical password systems, reselection-based graphical passwords achieve a higher password space and maintain usability through simple selection actions. Generally, three kinds of reselection-based graphical passwords have been popularly adopted: pass-points graphical passwords (PPGP) [37–40], cued click-points graphical passwords (CCPGP) [41, 42], and Google map-based graphical passwords (GMGP) [43, 44].

In the PPGP system [37–40], each user is required to sequentially select several squares in a picture as the password. During the authentication process, the user needs to reselect the preselected squares in the correct sequence.

According to [45], humans are better at remembering one point per image over a sequence of images than multiple points on a single image. This important finding is used in the CCPGP systems [41, 42] to improve the usability of authentication. However, the CCPGP system has a storage drawback, as it requires a large number of images to be stored on the server.

Recently, the popular Google map has been integrated with CCPGP to reduce the storage burden on the authentication server. The Google map graphical password systems (GMGP) [43, 44] enable users to select password points on the Google map. The password points are represented as coordinates on the map, thus avoiding storing a large number of pictures on the server. Furthermore, compared with redrawing-based systems, the GMGP system not only offers a large password space, but also provides better usability, because selecting is usually easier than drawing. However, the GMGP system still has its flaws. During the authentication process, as the user reselects the password points on the map, the attacker can observe the sequence of selections with little effort and thus obtain the password.

In this paper, in order to build a balance between usability and security for authentication, we propose the VGMSGP scheme. During the authentication process, the user is not asked to select the password points by clicking, but to slip the map, and the slipping path is not easy to peek at. At the same time, in order to further improve the resistance against shoulder-surfing attacks, we use a specific verification grid in our method.

3. The Proposed VGMSGP System

The proposed VGMSGP is a kind of map-based graphical password system that provides a good usability, a large password space, and an effective resistance against shoulder-surfing attacks.

In this system, a set of fixed grids are pregenerated on the Google map. During the registration process, the user is not only asked to select several points in sequence on the map to form a password route, but also required to choose one of the pregenerated grids as a specific verification grid for the subsequent authentication. During the authentication process, the user needs to slip the map to let each point on the password route sequentially fit inside the specific verification grid. With the specific verification grid and the map slipping strategy, the proposed VGMSGP scheme can effectively defend against shoulder-surfing attacks. Meanwhile, the password points are represented as coordinates on the map; therefore, the proposed scheme has a negligible storage burden.

3.1. Registration

During the registration process, the user registers an account with several password points in sequence and a specific verification grid. The registration process consists of four steps, each of which is detailed as follows:

Step 1: the user selects the size of the pregenerated grids, such as 6 × 6, 11 × 11, or 16 × 16. Then, the set of fixed grids and a map are shown on the screen. Note that the size of the pregenerated verification grids can be determined based on the security requirements.

Step 2: the user chooses one of the pregenerated verification grids as the specific verification grid. After the first selection, the system asks the user to confirm the selected verification grid by selecting it again. If the second selection is the same as the first, the verification grid selection succeeds. Otherwise, the verification grid selection fails, and the user needs to select the verification grid once more.

Step 3: after the user selects the verification grid, the user is required to select several points in sequence on the map to form a password route. By slipping, zooming in, zooming out, and then clicking the map, or by directly finding the appropriate point on the map through the search function, the user can set the password points. In addition, the user can operate on either a standard map or a satellite map to facilitate the selection.

Step 4: the password points should be selected at the same scale to ensure the accuracy of the password route. To reduce the memory burden on the user, the route between two password points is set as a straight line rather than the actual road between the two locations. By this means, the user can easily remember the password route by the order of the points on it. After selecting the password points, the user only needs to click on the selected password points in the same order again to complete the confirmation of the password route.

Taking the pattern in Figure 1 as an example, the user first selects a verification grid at . After that, the user needs to click on the place of “Bund Shanghai” and “Shanghai International Conference Center” and finally click and stop at the “East Nanjing Road.” The three points can be used to form a route in “Shanghai.”

Moreover, the system reviews the selected password route to ensure security. If the security of the password route cannot meet the minimum requirements of the system, the system suggests modifying the password route. The system reviews the password from the following aspects:

(1) The number of password points: insufficient password points make the password path vulnerable. Therefore, an allowable password path should consist of at least three password points.

(2) The distance between the password points: to prevent two password points from fitting inside one verification grid at the same time, the distance between any two password points should be greater than a certain distance. This rule ensures the precision of the password.

(3) The shape of the password path: to maintain security, the password route should not have a simple shape, e.g., a straight line.

(4) Popular password routes: inevitably, some users are inclined to set popular routes as password routes, which involves risks. Thus, the system reminds users to avoid using these popular routes.

3.2. Authentication

During the authentication process, the user needs to slip the map to let each point on the password route sequentially fit inside the specific verification grid. After that, the user is authenticated successfully.

Step 1: the user first selects the required size of pregenerated verification grids, which corresponds to the security level; the system then displays the corresponding number of pregenerated verification grids on the upper layer of the map.

Step 2: the user slips the map so that the first password point fits inside the verification grid. The preselected verification grid looks the same as any other pregenerated grid but is already remembered by the user. Then, the user is required to slip the map so that the remaining points sequentially fit inside the preselected grid to pass the authentication. In order to ensure the correctness of the password route, when one password point fits inside the grid, the other password points must be kept outside the verification grid. Figure 2 illustrates the login process of the password route. In Figure 2(a), the user first slips the map to fit the first point, “Bund Shanghai,” inside the and performs the same operations for the “Shanghai International Conference Center” and the “East Nanjing Road” in Figures 2(b) and 2(c). The preselected grid and password route are highlighted for demonstration.
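The registration review rules of Section 3.1 and the slipping check of Step 2 above, as an added Python model that is not the paper's own code. It assumes a fixed zoom level (password points are pixel coordinates in the viewport's units), an n × n grid tiling the viewport, and, as a concrete choice for rule (2), the grid diagonal as the minimum spacing between password points; the sample route and slips are constructed.

```python
# Added model of the VGMSGP registration review (Section 3.1) and the
# map-slipping authentication check (Section 3.2); not the paper's own code.
from dataclasses import dataclass
from math import hypot
from typing import List, Optional, Sequence, Tuple

Point = Tuple[float, float]   # map coordinate (x, y) at the registration zoom level
Cell = Tuple[int, int]        # (column, row) index of one pregenerated grid
MIN_POINTS = 3                # review rule (1): at least three password points


@dataclass(frozen=True)
class GridLayout:
    n: int          # n x n pregenerated grids tiling the viewport, e.g. 6, 11 or 16
    width: float    # viewport size in pixels (assumed fixed zoom level)
    height: float

    def cell_of(self, p: Point) -> Optional[Cell]:
        """Grid containing a screen position, or None when it is off screen."""
        x, y = p
        if not (0 <= x < self.width and 0 <= y < self.height):
            return None
        return (int(x / self.width * self.n), int(y / self.height * self.n))


def is_straight_line(route: Sequence[Point], tol: float = 1e-6) -> bool:
    """Review rule (3): every point is collinear with the first two."""
    (x0, y0), (x1, y1) = route[0], route[1]
    return all(abs((x1 - x0) * (y - y0) - (y1 - y0) * (x - x0)) <= tol
               for x, y in route[2:])


def review_route(route: Sequence[Point], grid: GridLayout) -> List[str]:
    """Review findings for a candidate route (empty list = acceptable). Rule (2) uses
    the grid diagonal as minimum spacing (an assumption), so two points never share a grid."""
    findings = []
    if len(route) < MIN_POINTS:
        findings.append(f"only {len(route)} password points; need at least {MIN_POINTS}")
    min_dist = hypot(grid.width / grid.n, grid.height / grid.n)
    for i in range(len(route)):
        for j in range(i + 1, len(route)):
            if hypot(route[i][0] - route[j][0], route[i][1] - route[j][1]) <= min_dist:
                findings.append(f"points {i} and {j} are closer than one grid diagonal")
    if len(route) >= 3 and is_straight_line(route):
        findings.append("route is a straight line")
    return findings


def slip_to_fit(p: Point, cell: Cell, grid: GridLayout) -> Point:
    """Offset (dx, dy) an honest user slips the map by so that p lands at the centre of cell."""
    cw, ch = grid.width / grid.n, grid.height / grid.n
    return ((cell[0] + 0.5) * cw - p[0], (cell[1] + 0.5) * ch - p[1])


def authenticate(route: Sequence[Point], verification_cell: Cell,
                 slips: Sequence[Point], grid: GridLayout) -> bool:
    """Section 3.2, Step 2: after slip k, password point k must fit inside the
    verification grid while every other password point stays outside it."""
    if len(slips) != len(route):
        return False
    for k, (dx, dy) in enumerate(slips):
        on_screen = [(x + dx, y + dy) for x, y in route]
        if grid.cell_of(on_screen[k]) != verification_cell:
            return False
        if any(grid.cell_of(q) == verification_cell
               for j, q in enumerate(on_screen) if j != k):
            return False
    return True


# Constructed sample: 6 x 6 grids over a 600 x 600 viewport, three password points
# standing in for the three Shanghai locations of Figure 1, verification grid (3, 1).
GRID = GridLayout(n=6, width=600.0, height=600.0)
ROUTE = [(120.0, 80.0), (430.0, 260.0), (250.0, 470.0)]
VERIFICATION_CELL = (3, 1)


def demo() -> Tuple[List[str], bool, bool]:
    honest = [slip_to_fit(p, VERIFICATION_CELL, GRID) for p in ROUTE]
    guessed = [slip_to_fit(p, (2, 2), GRID) for p in ROUTE]   # observer picked the wrong grid
    return (review_route(ROUTE, GRID),
            authenticate(ROUTE, VERIFICATION_CELL, honest, GRID),
            authenticate(ROUTE, VERIFICATION_CELL, guessed, GRID))
```

`demo()` returns `([], True, False)`: the sample route passes review, the honest slip sequence authenticates, and the same slips aimed at a wrongly guessed grid are rejected at the first point.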

4. Experiments

In this section, we first design two experiments to evaluate the security and usability of VGMSGP compared with the DAS system and analyze the results. Then we design another experiment to evaluate the running time of VGMSGP. Finally, we analyze the storage load of the system.

4.1. Security

For security, we designed two experiments to obtain the success rate of the system under different conditions of shoulder-surfing attacks. The success rate against shoulder-surfing attacks is determined by the number of attacks and the number of times the attacker successfully stole the password. Formally, the success rate against shoulder-surfing attacks can be calculated as . Considering that the password authentication of the system mainly consists of two parts, i.e., the verification grid and the password points, we design the experiments from these two aspects. The first experiment focuses on the influence of the size of the pregenerated grids on the success rate, evaluating the security performance by calculating the success rate against shoulder-surfing attacks with different sizes of the pregenerated grids. The second experiment focuses on the impact of the number of selected password points, comparing the success rate against shoulder-surfing attacks with different numbers of password points.

We solicited 80 participants for the experiments. All the participants understood the registration and authentication process of the system, and 70 of them completed the VGMSGP password route registration in the system before the experiment began. In order to evaluate the performance of the system, we also asked them to create a DAS password for comparison with VGMSGP. The number of passwords of each type is shown in Table 1.

The other 10 participants acted as shoulder-surfing attackers, watching the user enter the password route and then trying to reenter it. During the experiment, the users were required to accurately enter the password route a few times. Each time a password was entered, three attackers watched the process from behind the user. The attackers reentered the user's password route after observing each participant's password entry. Finally, we recorded ten attacks for each password route. From these, we obtained the average success rate of the system against shoulder-surfing attacks.

By sorting and analyzing the experimental data, we obtained the following results. The experimental data of VGMSGP are shown in Figures 3 and 4. As the size of the pregenerated verification grids or the number of selected password points increases, the success rate of the system against shoulder-surfing attacks gradually increases. Besides, when the number of password points increased in the early stage, the success rate against shoulder-surfing attacks increased significantly, but as the number increased further, the growth of the success rate slowed down.

The success rate against shoulder-surfing attacks of DAS compared with VGMSGP is shown in Table 2. VGMSGP shows better results in the experiment of resisting shoulder-surfing attacks. The success rate of shoulder-surfing defense can be increased by 37% to 56% with different grid sizes and password point numbers. Through analysis, we conclude this is because the users do not directly click the password points on the screen, so the attacker cannot directly obtain the user's password route by peeking. In addition, only the password points need to pass through the verification grid in a certain order. Therefore, there are many ways to enter the password when the user slides the map to verify the password route, which may include some meaningless slides that further increase the security of the system.

4.2. Usability

In this section, we measured the usability of the system by asking users to enter their VGMSGP password and DAS password at increasing intervals after successfully registering the passwords. We use the total accuracy of authentication to measure the memorability of the passwords. The total accuracy of authentication is determined by the number of people who reenter the password and the number of people who successfully pass the verification . In other words, the total accuracy of authentication can be calculated as .

We asked the participants who had registered the passwords to enter the password route and the DAS password again after different periods. After analyzing the success rate of the participants logging in again after different periods, we obtained the results shown in Figure 5. Compared with DAS, the participants found it easier to remember the VGMSGP password route. The usability of passwords can be improved by 3% to 6%, since most of the participants were able to log in again successfully. Besides, we found that the participants were more likely to remember a simple password route than multiple single points. The above results show that the proposed system places a very slight memory burden on the users, i.e., it has better memorability.

This phenomenon occurs because the users of VGMSGP only need to remember the route consisting of multiple password points, without remembering complex coordinates. We can conclude that our system has high usability and is friendly to use in practice.

4.3. System Running Time and Storage

To evaluate the performances of the proposed system in different situations, we measured the running time of the system when the user passed authentication successfully. Note that our system runs in Alibaba Cloud server with CentOS 7 and the mobile devices used in the experiment are all running under the Android 10 OS with 6 GB of running memory.

The running time of successful authentication is averaged by ten groups of data. The experimental data are shown in Figures 6 and 7. The running time increases as the size of pregenerated verification grids increases. Besides, the running time of the system is also affected by the number of selected password points. As shown in Figure 7, with the number of selected password points increasing, the running time of the system also increases. However, even in the case of the maximum running time, the user can still complete the authentication within ten seconds. The running time of the system allows the users to pass verification quickly and securely. The experimental results prove that the system can guarantee security and quick authentication by calling the Google Maps API. According to the above results, the proposed system involves very slight storage and computing burdens on the authentication server and shows a better performance.

We compared the storage space occupied by the two existing systems mentioned above and VGMSGP, as shown in Table 3. The space consumed by VGMSGP to store passwords is far less than that of the traditional graphical password systems, which reduces the storage pressure on the server. When the system cannot call the Google Maps API, such as when it cannot connect to the Internet, the system needs to download the required maps in advance. The system then takes up more storage space on the device, but it can still be used normally and its resistance to shoulder-surfing attacks is not reduced.

5. Conclusion

In this paper, we proposed a map-based graphical password system, i.e., VGMSGP, which effectively resists shoulder-surfing attacks by combining a password route with a verification grid. The password route and the specific verification grid together form the complete graphical password. In the authentication process, the user is required to slip the map to fit each password point inside the preselected verification grid. This makes the system effectively defend against shoulder-surfing attacks. In addition, the use of the Google Maps API helps to reduce the storage pressure of the system in a networked environment. It must be mentioned that, in a nonnetworked environment, the user needs to download map files in advance, which takes up more storage space, but system security is not affected. In future work, we will focus on improving the security of graphical password systems against strong shoulder-surfing attacks, i.e., multiple camera recordings during the users' login.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported in part by the National Natural Science Foundation of China under Grants 61972205, 62032020, and 62122032, in part by the Teaching Reform and Innovation Research Project of Nanjing University of Information Science and Technology under Grant 2021YBJG13, in part by the Ministry of Science and Technology (MOST) under Grant 110-2221-E-259-005-MY2, Taiwan, in part by the Priority Academic Program Development of Jiangsu Higher Education Institutions (PAPD) fund, in part by the Collaborative Innovation Center of Atmospheric Environment and Equipment Technology (CICAEET) fund, and in part by the NUIST Students’ Platform for Innovation and Entrepreneurship Training Program under Grant 202110300049.