What you are (biometric) What you have (token) What you know (password)
Finger attacks Word of mouth transfer Dictionary attacks Image Based Authentication (IBA) can solve all of these
IBA is based on a user’s successfulidentification of his image password set. After theusername is sent to the authentication module, itresponds by displaying an image set, which consistsof images from the user’s password set mixed withother images. The user is authenticated by correctlyidentifying the password images.
Image Space(IS): the set of all images used by IBA system. Individual Image Set (IIS) – the set of images that a user (u) chooses to authenticate himself. Key Image – any image in a users IIS. Presentation Set (PS) – the set of images presented to a user from which the key images must be selected for a given authentication attempt.
Authentication User Agent (AUA) Authentication Server (AS) The communication between them is encrypted using authenticated Diffie-Hellman. The AS is assumed to be a part of the Trusted Computing Base.
Image Set Selection Alice selects ‘n’ images (n is set by the administrator, Bob) Bob stores the image set at the AS Presentation Subsets Bob picks one image from IISa and some other images from IS-IISa for each PS_i. Alice picks the IISa image from each PS_i.
A→B: Username= Alice B→A: Presentation set for Round 1, PS1. A→B: Identified image. B→A: Presentation set for Round 2, PS2. A→B: Identified image. …... B→A: Presentation set for Round R, PSR. A→B: Identified image. If all R steps are successful, Bob authenticates Alice.
Image Based Authentication is not foolproof. There are four points of vulnerability:1. Information stored on the AS.2. Information Sent between the AS and AUA.3. The output at the AUA.4. The input at the AUA.
Eve can observe or log Alice’s Key stroke and later authenticate herself as Alice. Display the images in random order. Keystrokes are only meaningful for this PS inthis display order.
Eve can observe Alice’s screen ( during the authentication process) and later authenticate herself as Alice. Counter: Display the image when the mouse is over it. Otherwise gray out the image. If input is hidden, then which image is selected is not known- Only get PS_i’s.
Brute Force Attack Frequency Correlation Attack Intersection Attack Logic Attack Countering Frequency Correlation Attack Decoy Screen Image Buckets Fixed PS per Key Image
Image Set Storage : Password schemes normally store only the hash of auser’s password. By compromising the server, the attackercannot recover the password. In our scheme, the servercannot merely store the hash. The server needs to knowthe image set itself in order to present the authenticationscreens. If a server is compromised, it will be possible toretrieve the image set of every user. However, manyauthentication schemes depend heavily on theimpenetrability of the Trusted Computing Base and theyhave been widely deployed.
CAPTCHA stands for Completely Automated Public Turing Test to tell Computers and Humans Apart. CAPTCHA is an automated test that can distinguish between machines and humans alike. It differentiates between humans and bot by setting some task that is easy for most humans to perform but is more difficult and time consuming for current bots to complete.
Preventing Comment Spam in Blogs. Protecting Website Registration. Protecting Email Addresses From Scrapers. Online Polls. Preventing Dictionary Attacks. Worms and Spam.
1. PIX: Create a large Database of labeled images. Pick a concrete object. Pick more random images of the object from the image database. Distort the images Ask user to pick the object for a list of words.
2. BONGO Visual Puzzle Computer can generate and display, but not solve Bongo is based on a visual pattern recognition problem.
As Figure below shows, a Bongo CAPTCHA uses two sets of images; each set has some specific characteristic. One set might be boldface, for example, while the other is not. The system then presents a single image to the user who then must specify the set to which the image belongs.
3. Pessimal Print Pessimal Print works by pseudo randomly combining a word, font, and a set of image degradations to generate images like the ones in Figure.
Image-based authentication techniques, although currentlyin their infancy, might have a wider applicability in future.We perceive it be a more user-friendly technique thathelps to increase the password quality tremendouslycompared to a text-based approach. In this seminar we haveproposed a simple yet secure authentication technique.We have also identified various issues related with such asystem and proposed a novel concept of Image Buckets inovercoming some shortcomings. Its better to be safe than sorry!!