15-10-2010, 01:33 PM
This article is presented by:Fawaz A. Alsulaiman and Abdulmotaleb El Saddik, Senior Member, IEEE
ABSTRACT
Current authentication systems suffer from many weaknesses. Textual passwords are commonly used; however, users do not follow their requirements. Users tend to choose meaningful words from dictionaries, which make textual passwords easy to break and vulnerable to dictionary or brute force attacks. Many available graphical passwords have a password space that is less than or equal to the textual password space. Smart cards or tokens can be stolen. Many biometric authentications have been proposed; however, users tend to resist using biometrics because of their intrusiveness and the effect on their privacy. Moreover, biometrics cannot be revoked. In this paper, we present and evaluate our contribution, i.e., the 3-D password. The 3-D password is a multifactor authentication scheme. To be authenticated, we present a 3-D virtual environment where the user navigates and interacts with various objects. The sequence of actions and interactions toward the objects inside the 3-D environment constructs the user’s 3-D password. The 3-D password can combine most existing authentication schemes such as textual passwords, graphical passwords, and various types of biometrics into a 3-D virtual environment. The design of the 3-D virtual environment and the type of objects selected determine the 3-D password key space.
INTRODUCTION
THE DRAMATIC increase of computer usage has given rise to many security concerns. One major security concern is authentication, which is the process of validating who you are to whom you claimed to be. In general, human authentication techniques can be classified as knowledge based (what you know), token based (what you have), and biometrics (what you are). Knowledge-based authentication can be further divided into two categories as follows: 1) recall based and 2) recognition based [1]. Recall-based techniques require the user to repeat or reproduce a secret that the user created before. Recognitionbased techniques require the user to identify and recognize the secret, or part of it, that the user selected before [1]. One of the most common recall-based authentication schemes used in the computer world is textual passwords. One major drawback of the textual password is its two conflicting requirements: the selection of passwords that are easy to remember and, at the same time, are hard to guess. Klein [2] collected the passwords of nearly 15 000 accounts that had alphanumerical passwords, and he reached the following observation: 25% of the passwords were guessed by using a small yet well-formed dictionary of 3 × 106 words. Furthermore, 21% of the passwords were guessed in the first week and 368 passwords were guessed within the first 15 min. Klein [2] stated that by looking at these results in a system with about 50 accounts, the first account can be guessed in 2 min and 5–15 accounts can be guessed in the first day. Klein [2] showed that even though the full textual password space for eight-character passwords consisting of letters and numbers is almost 2 × 1014 possible passwords, it is easy to crack 25% of the passwords by using only a small subset of the full password space. It is important to note that Klein’s experiment was in 1990 when the processing capabilities, memory, networking, and other resources were very limited compared to today’s technology. Many authentication systems, particularly in banking, require not only what the user knows but also what the user possesses (token-based systems). However, many reports [3]–[5] have shown that tokens are vulnerable to fraud, loss, or theft by using simple techniques. Graphical passwords can be divided into two categories as follows: 1) recognition based and 2) recall based [1]. Various graphical password schemes have been proposed [6]–[8], [10]–[12]. Graphical passwords are based on the idea that users can recall and recognize pictures better than words. However, some of the graphical password schemes require a long time to be performed. Moreover, most of the graphical passwords can be easily observed or recorded while the legitimate user is performing the graphical password; thus, it is vulnerable to shoulder surfing attacks. Currently, most graphical passwords are still in their research phase and require more enhancements and usability studies to deploy them in the market. Many biometric schemes have been proposed; fingerprints, palmprints, hand geometry, face recognition, voice recognition, iris recognition, and retina recognition are all different biometric schemes. Each biometric recognition scheme has its advantages and disadvantages based on several factors such as consistency, uniqueness, and acceptability. One of the main drawbacks of applying biometrics is its intrusiveness upon a user’s personal characteristic. Moreover, retina biometrical recognition schemes require the user to willingly subject their eyes to a low-intensity infrared light. In addition, most biometric systems require a special scanning device to authenticate users, which is not applicable for remote and Internet users.
Three-Dimensional Password for More
Secure Authentication
Secure Authentication
ABSTRACT
Current authentication systems suffer from many weaknesses. Textual passwords are commonly used; however, users do not follow their requirements. Users tend to choose meaningful words from dictionaries, which make textual passwords easy to break and vulnerable to dictionary or brute force attacks. Many available graphical passwords have a password space that is less than or equal to the textual password space. Smart cards or tokens can be stolen. Many biometric authentications have been proposed; however, users tend to resist using biometrics because of their intrusiveness and the effect on their privacy. Moreover, biometrics cannot be revoked. In this paper, we present and evaluate our contribution, i.e., the 3-D password. The 3-D password is a multifactor authentication scheme. To be authenticated, we present a 3-D virtual environment where the user navigates and interacts with various objects. The sequence of actions and interactions toward the objects inside the 3-D environment constructs the user’s 3-D password. The 3-D password can combine most existing authentication schemes such as textual passwords, graphical passwords, and various types of biometrics into a 3-D virtual environment. The design of the 3-D virtual environment and the type of objects selected determine the 3-D password key space.
INTRODUCTION
THE DRAMATIC increase of computer usage has given rise to many security concerns. One major security concern is authentication, which is the process of validating who you are to whom you claimed to be. In general, human authentication techniques can be classified as knowledge based (what you know), token based (what you have), and biometrics (what you are). Knowledge-based authentication can be further divided into two categories as follows: 1) recall based and 2) recognition based [1]. Recall-based techniques require the user to repeat or reproduce a secret that the user created before. Recognitionbased techniques require the user to identify and recognize the secret, or part of it, that the user selected before [1]. One of the most common recall-based authentication schemes used in the computer world is textual passwords. One major drawback of the textual password is its two conflicting requirements: the selection of passwords that are easy to remember and, at the same time, are hard to guess. Klein [2] collected the passwords of nearly 15 000 accounts that had alphanumerical passwords, and he reached the following observation: 25% of the passwords were guessed by using a small yet well-formed dictionary of 3 × 106 words. Furthermore, 21% of the passwords were guessed in the first week and 368 passwords were guessed within the first 15 min. Klein [2] stated that by looking at these results in a system with about 50 accounts, the first account can be guessed in 2 min and 5–15 accounts can be guessed in the first day. Klein [2] showed that even though the full textual password space for eight-character passwords consisting of letters and numbers is almost 2 × 1014 possible passwords, it is easy to crack 25% of the passwords by using only a small subset of the full password space. It is important to note that Klein’s experiment was in 1990 when the processing capabilities, memory, networking, and other resources were very limited compared to today’s technology. Many authentication systems, particularly in banking, require not only what the user knows but also what the user possesses (token-based systems). However, many reports [3]–[5] have shown that tokens are vulnerable to fraud, loss, or theft by using simple techniques. Graphical passwords can be divided into two categories as follows: 1) recognition based and 2) recall based [1]. Various graphical password schemes have been proposed [6]–[8], [10]–[12]. Graphical passwords are based on the idea that users can recall and recognize pictures better than words. However, some of the graphical password schemes require a long time to be performed. Moreover, most of the graphical passwords can be easily observed or recorded while the legitimate user is performing the graphical password; thus, it is vulnerable to shoulder surfing attacks. Currently, most graphical passwords are still in their research phase and require more enhancements and usability studies to deploy them in the market. Many biometric schemes have been proposed; fingerprints, palmprints, hand geometry, face recognition, voice recognition, iris recognition, and retina recognition are all different biometric schemes. Each biometric recognition scheme has its advantages and disadvantages based on several factors such as consistency, uniqueness, and acceptability. One of the main drawbacks of applying biometrics is its intrusiveness upon a user’s personal characteristic. Moreover, retina biometrical recognition schemes require the user to willingly subject their eyes to a low-intensity infrared light. In addition, most biometric systems require a special scanning device to authenticate users, which is not applicable for remote and Internet users.
