IMAGE-BASED AUTHENTICATION
By
Rishabh Gupta
IET LUCKNOW
Authentication
The process of identifying an individual, usually based
on a username and password.
In security systems, authentication is distinct from
authorization, which is the process of giving
individuals access to system objects based on their
identity.
What Is IBA
IBA is based on the user's successful identification of
their image password set.
After the username is sent to the authentication
module, it responds by displaying an image set,
which consists of images from the user's password
mixed with other images. The user is authenticated by
correctly identifying the password images.
Human Authentication
• What you are (biometric)
• What you have (token)
• What you know (password)
Problems with Passwords
• Word-of-mouth transfer
• Finger attack
• Dictionary attacks
Image-based authentication (IBA) can solve these
Definitions
• Image Space (IS) – the set of all images used by
the IBA system.
• Individual Image Set (IISa) – the set of images
that a user Alice (a) chooses to authenticate
herself.
• Key Image – any image in a user's IIS.
• Presentation Set (PS) – the set of images
presented to Alice (from which the key images
must be selected) for a given authentication
attempt.
• PS_i – the i-th subset of PS presented to Alice
during a run; PS = ∪_i PS_i
Architecture
• Authentication User Agent (AUA)
• Authentication Server (AS)
The communication between them is
encrypted using authenticated Diffie-Hellman.
The AS is assumed to be a part of the
Trusted Computing Base.
Basic Protocol - Initialize
• Alice selects n images (n is set by the
administrator, Bob)
• Bob stores the image set at the AS
Image Set Selection
• Bob picks one image from IISa and some
other images from IS − IISa for each PS_i
• Alice picks the IISa image from each PS_i
Presentation Subsets
Basic Protocol - Authenticate
• A→B: Username = Alice
• B→A: Presentation set for Round 1, PS_1.
• A→B: Identified image.
• B→A: Presentation set for Round 2, PS_2.
• A→B: Identified image.
• …
• B→A: Presentation set for Round R, PS_R.
• A→B: Identified image.
If all R steps are successful, Bob authenticates Alice.
Authentication
CAPTCHA
CAPTCHA stands for Completely
Automated Public Turing Test.
A CAPTCHA is an automated test that can
distinguish between a machine and a
human.
Types of Image-Based CAPTCHA
1. PIX
2. Pessimal Print
PIX
1. Create a large database of labeled
images.
2. Pick a concrete object.
3. Pick several random images of that
object from the image database.
4. Ask the user to pick the object from the
list of images.
Pessimal Print
Pessimal Print works by pseudo-randomly
combining a word, a font and a set of
image degradations to generate images
like the ones in the figure.
Attacks
• Image-based authentication is not
foolproof
• There are four points of vulnerability:
– information stored on the AS
– information sent between the AS and
the AUA
– the output at the AUA
– the input at the AUA
Keystroke Logging: AUA Input
• Eve can observe or log Alice's keystrokes
and later authenticate herself as Alice.
Counter
• Display the images in random order
– keystrokes are only meaningful for
this PS in this display order
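The R-round protocol above and the random-display-order counter, as an added Python simulation that is not from the slides: the image identifiers, the decoy count per PS_i, the session handling and the choice R = n are constructed assumptions, and the authenticated Diffie-Hellman channel between AUA and AS is left out. Alice answers each round with the screen position of her key image; Eve's replay of positions logged from an earlier run fails because every run draws a fresh order.

```python
import random, secrets
# Constructed image space (IS); the identifiers are made up for this example.
IMAGE_SPACE = [f"img{i:02d}" for i in range(40)]

class AuthServer:
    """Bob's AS: stores each user's IISa and runs R = n rounds, one PS_i per key image."""
    def __init__(self, n=4, decoys=8):
        self.n, self.decoys = n, decoys   # n is set by the administrator (Bob)
        self.iis, self.sessions = {}, {}  # username -> IISa, session id -> run state

    def initialize(self, user, chosen):
        """Basic Protocol - Initialize: Alice selects n images, Bob stores them."""
        if len(set(chosen)) != self.n or not set(chosen) <= set(IMAGE_SPACE):
            raise ValueError("IISa must be n distinct images from IS")
        self.iis[user] = list(chosen)

    def start(self, user):
        """A->B: Username. The key images are visited in a fresh random order."""
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "keys": random.sample(self.iis[user], self.n),
                              "round": 0, "ok": True}
        return sid

    def present(self, sid):
        """B->A: PS_i = one IISa image plus decoys from IS-IISa, in fresh random order."""
        s = self.sessions[sid]
        pool = [img for img in IMAGE_SPACE if img not in self.iis[s["user"]]]
        s["ps"] = random.sample(pool, self.decoys) + [s["keys"][s["round"]]]
        random.shuffle(s["ps"])  # a typed position only means something for this order
        return list(s["ps"])

    def answer(self, sid, position):
        """A->B: Identified image, sent as the on-screen position Alice typed."""
        s = self.sessions[sid]
        s["ok"] &= 0 <= position < len(s["ps"]) and s["ps"][position] == s["keys"][s["round"]]
        s["round"] += 1  # no early reject: every run takes all R rounds

    def finished(self, sid):
        s = self.sessions.pop(sid)
        return s["ok"] and s["round"] == self.n

def authenticate(server, user, known, replay=None):
    """Alice locates her key image in each PS_i; Eve re-types positions logged earlier."""
    sid, typed = server.start(user), []
    for i in range(server.n):
        ps = server.present(sid)
        pos = replay[i] if replay else next((j for j, m in enumerate(ps) if m in known), 0)
        typed.append(pos)
        server.answer(sid, pos)
    return server.finished(sid), typed
```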
Shoulder Surfing: AUA Output Logging
• Eve can observe Alice's screen (during
the authentication process) and later
authenticate herself as Alice.
Counter
• Display an image only when the mouse is
over it; otherwise, gray out the image
• If the input is hidden, then which image is
selected is not known – Eve only gets the PS_i's
• More on PS-based attacks later
TEMPEST Attack: AUA Output
• Electromagnetic emanations from the
output are used to recreate the screen
at a distance.
Counter
• Use contrasting colors that a person can
easily distinguish, but which look the
same to the eavesdropper.
• Blur the images.
• Add random noise to the images.
Brute Force Attack
• Select every possible combination.
• Note that a dictionary attack is impossible.
Counters
• Keep IIS and IS large
• The attack cannot be done offline
Conclusions
• IBA is easier to remember than a string-based
password
• IBA is more user-friendly
• IBA offers an alternative to passwords that may
be attractive for some situations
• Protection at the AS is still an issue
• Less vulnerable to attackers