Image Shield

User Study of an Image Based Web Authentication System
Lijo George
Submitted in partial fulfilment of the requirements for the degree of Master of Science
MSc Computer Network Administration and Management
Supervisor: Mr Chi Nguyen

2014-15

Table of Contents
List of Figures
Abstract
Acknowledgements
1 Aim of the project
2 Introduction and Background Study
  2.1 Authentication
  2.2 Types of authentication systems
    2.2.1 Knowledge Based Authentication
    2.2.2 Object Based Authentication
    2.2.3 Attribute based Authentication
3 Drawbacks of the current authentication systems
    3.1.1 Drawbacks of knowledge based authentication systems
    3.1.2 Drawbacks of object based authentication systems
    3.1.3 Drawbacks of Attribute based authentication system
4 Sample authentication systems
5 Image-Shield: Image based Authentication System
  5.1 Ideal authentication system
  5.2 Why image-shield?
  5.3 Terminologies – Image Based Authentication
  5.4 Structure of the system
    5.4.1 Training on the portfolio images and register
    5.4.2 Logging in (authentication)
6 Image-shield Design Justifications
  6.1 Selection of Portfolio images
    6.1.1 Why select random art images for image space?
  6.2 Why training?
  6.3 Why three step login process?
  6.4 Why no feedback on key images in each login phases?
  6.5 Why only one to four random images per page?
  6.6 Why shuffle image locations?
  6.7 Why lock the account after 5 failed login?
7 Working of the Image-shield system
  7.1 Image-shield: Registration and training
    7.1.1 Selection of Portfolio images
    7.1.2 Training
  7.2 Image-shield: Login
  7.3 Image-shield: Account locking after 5 failed logins
8 Possible Attacks and counter measures
    8.1.1 Brute-force Attack
    8.1.2 Educated guess attack
    8.1.3 Key Logger attacks
    8.1.4 Shoulder surfing
9 PIN Based Authentication System
  9.1 Register
  9.2 Login
10 User Study
  10.1 User Experiment
11 User experiment Results
  11.1 Quantitative results
  11.2 Survey Creation
  11.3 Survey Questions and responses
    11.3.1 Feedback of the system
    11.3.2 User’s background
    11.3.3 Control questions
  11.4 Survey Findings
  11.5 User Study Result analysis
  11.6 Limitations of the Image based authentication system
12 Conclusions and future work
  12.1 Conclusions
  12.2 Future work
13 Bibliography

List of Figures
Figure 1 Steps in the project
Figure 2 Types of Authentication Systems
Figure 3 Training and Registration
Figure 4 Logging in
Figure 5 Random art - sample pictures
Figure 6 Selecting Register
Figure 7 Registration screen with deactivated 'submit' button
Figure 8 Five portfolio images selected
Figure 9 Phase 1 training
Figure 10 Phase 2 training
Figure 11 Phase 3 Training
Figure 12 Training and registration result page
Figure 13 Image-shield login
Figure 14 Login phase 1
Figure 15 Login Phase 2
Figure 16 Login Phase 3
Figure 17 Login Result
Figure 18 Account lock
Figure 19 Alice, Bob and Eve scenario
Figure 20 Register Using PIN
Figure 21 Login Using PIN
Figure 22 Graph - Login data
Figure 23 Fourth week Login chart

Appendix A: Project Definition Form
Appendix B: CD with source code

Abstract
Security of systems is one of the major concerns for individuals and companies around the world. We regularly hear of different kinds of security breaches happening even in big companies, which spend a lot of money and resources on secure authentication systems. But after analysing the problems, it can be found that most of these companies forget about the human computer interaction element when designing an authentication system. People working in a company can be identified as the weakest link in the security, and most of the authentication systems today forget the fact that the harder the password, the harder it is for a user to remember it. If you force people to remember harder passwords, then there is a chance that they will write them down somewhere, thus making them less secure. In this project, we use the fact that humans can recall seen images much more easily than they can remember secure passwords. Also, images cannot be written down, so it will close that security problem as well.

An image based authentication system called ‘Image-Shield’ is developed, which can be used in web based authentication systems to secure them with customisation. Image-shield uses a set of images from which the user can select some and use that image portfolio as their password. It uses the user’s ability to recall previously seen images as the security factor. We reached the conclusion that the system provides a high level of security without many of the drawbacks of password based authentication systems. Nearly 87% of users successfully logged in using art image based keys even after two weeks. The PIN based sample authentication system was successfully logged on to by only 66% of the users just after a week. Image based authentication provides users with an easy authentication with less cognitive load, and most of the users had fun using the new authentication system. This kind of image-based system definitely has a future in the field of authentication. A well planned and implemented image based authentication system will inhibit users from selecting a weak password, storing passwords in the browser or writing them down. Image-based authentication systems can achieve this because they consider the HCI (Human Computer Interaction) factor, which is usually not taken into consideration in the case of password based authentication systems.

Acknowledgements
I would like to thank my project supervisor Mr Chi Nguyen for all his help, support and guidance, especially the guidance provided on doing good research, providing me with good notes on writing my dissertation and giving me his valuable feedback. Also I would like to give thanks to my moderator Dr Linda Yang for providing me with inspiration in improving my research. Finally I would like to give thanks to all my friends and fellow students for taking time participating in the user study, doing my survey and giving me their valuable feedback.

1 Aim of the project
The aim of the project is to study the strengths and weaknesses of an image based authentication system. The 3 major aims of the project are as follows
• Implement an experimental authentication system with image based keys
• Test the system using surveys on real users
• Analyse the strengths and weaknesses of the system

The project can be further sub-divided into the following steps to achieve these aims
• Design and implementation of Sample Authentication systems
• Preparation of Survey questions
• Conducting User experiment
• Conducting the survey and collecting results
• Collecting login data from database
• Result Analysis (Survey and Login Data)

Figure 1 Steps in the project (Design and Implement Authentication systems; Preparation of survey questions; User experiment; Survey & Data Collection; Result Analysis)

2 Introduction and Background Study

2.1 Authentication
According to the Cambridge dictionary the meaning of the word authenticate is “to prove that something is real, true, or what people say it is” (Cambridge Dictionaries, n.d.). Today’s authentication systems are doing just the same. An authentication system tests if someone is who they say they are. It will help to prove that someone is who they say they are and provides security for the genuine users and their data by denying access to unauthorised users. The main goals of any authentication system can be summarised as
• Allow authorised persons to access the system
• Prevent unauthorised persons from accessing the system

As more and more everyday services are moving online, almost all of us use some kind of authentication system in our daily lives. It can be the fingerprint scanner in your phone, a password based login to online accounts or the key based authentication used by your bank to authenticate you to your account. Security is one of the important aspects of all modern systems. A well designed, implemented and maintained authentication system will help in that aspect. So having a robust authentication system is important for both organisations and individuals. According to a Federal Financial Institutions Examination Council report, an effective authentication method “should have customer acceptance, reliable performance, scalability to accommodate growth, and interoperability with existing systems and future plans” (Federal Financial Institutions Examination Council, 2008). There are different types of authentication systems and methods in existence today. But for increased security a hybrid of different types of authentication can be used.

2.2 Types of authentication systems

Figure 2 Types of Authentication Systems

There are different kinds of authentication systems based on the type of human computer interaction going on in the particular system. Based on this, authentication systems can be divided into basically three types
1. Knowledge based authentication (what you know?)
2. Object Based authentication (what you have?)
3. Attribute-based authentication (who you are?) (Gorman, 2003)

Most of the authentication systems that exist today can be classified as one of the above three or a combination of the above three.

2.2.1 Knowledge Based Authentication
Knowledge based authentication is based on what you know. It is usually password based authentication. The password based authentication system is the most widely used knowledge based authentication system. Password based authentication systems were used from the start of 1960. At that time they were useful in making sure that the time-sharing system resources were not misused and everybody got a fair share. When you register to a system either the system provides you with a password or you can select a password. The system uses this unique password to authenticate you when you try to access the system at a later point in time. To make these passwords more secure, different systems have different criteria for the password. These criteria can be the number of characters, the use of uppercase and lower case characters, the use of special characters etc. But according to a study by Philip Inglesant & M. Angela Sasse (Inglesant & M. Angela, 2010), when the designers of the authentication system forget the HCI (Human Computer Interaction) factor while designing an authentication system, the security policies will become too inflexible for the users and it will have a negative effect on the staff and the organisation itself.

2.2.2 Object Based Authentication
It is based on what you have. It can be a physical key (security device), which is only possessed by you. This can be compared to the physical key you need to hold to unlock the doors. Each door has a unique key and only those who possess the key can open that particular door. A similar kind of electronic key can be used to uniquely authenticate you to a secure system. Many of today’s banks use this kind of authentication to secure customers’ access to their accounts and other financial systems. Every customer of the bank will be provided with an electronic key which creates a unique key which is valid only for a very short period of time. When a customer wants to access his account details, he/she needs to provide the secret key generated by his/her unique electronic key generator. This makes sure that only those who have the key can access the account, thereby preventing unauthorised access by people with malicious intent. The main problem with this is that, if the key gets lost or stolen, the security will get compromised. Or if the security system in the key is not adequate enough, someone could copy it and use it to gain unauthorised access to a system.

2.2.3 Attribute based Authentication
It is based on who you are. Here the authentication system uses something that uniquely identifies you. It can be your biometrics like fingerprint, retina scan etc. These characteristics are found to uniquely identify a person and can be used for secure authentication. This kind of biometric security system is widely used in electronic passports to increase the security. It is also used in many companies to control the physical access to their premises. And there is much exciting research happening in this field. The American Defence Advanced Research Project Agency (DARPA) is researching a new kind of authentication system where ‘the way a user types characters in a keyboard’ can be used in authenticating a user. Richard Guidorizzi, PM of DARPA, made a comment about complex passwords: “The problem is, they don’t meet human requirements,” he says. “Humans aren’t built to understand random connections of characters” (Guidorizzi, 2014).

3 Drawbacks of the current authentication systems
Let’s discuss the drawbacks of the above described authentication systems. We are concentrating on the drawbacks of knowledge based authentication systems (password based authentication systems), so that we can find a solution to the problems described above.

3.1.1 Drawbacks of knowledge based authentication systems
There were systems in MIT which used passwords in the 1960s. The main purposes of these passwords were to protect system resources and to stop other people from playing practical jokes. At that time in MIT there were reports about people guessing other people’s passwords. This can be the earliest form of password hacking. But all these problems were easy to solve as all of the users were working under the same umbrella, the MIT (BONNEAU, 2015). But in today’s world, we use authentication systems every day, and the problems arising from these systems are not solvable from a single place. From our daily life experience we can see password based authentication systems in most places. Such a system depends on a person’s ability to remember a secret word and provide it when you request the system to authenticate you. Dennis Fiery (Fiery, 1994) writes in his book that people are the weakest link in a security system, and even then those who are responsible for the security of the system refuse to acknowledge this. But hackers are aware of this fact, and use their social engineering skills to learn information about the security of a system and use this information to break into supposedly secure systems. According to a study conducted by the Verizon RSK team, 76% of attacks on corporate networks in 2013 were because of weak passwords (CloudEntr, 2012). According to another survey done by Google with two thousand people, the most common passwords people use can be classified into ten groups (Allen, 2013)
1. Pet names
2. A notable date, such as a wedding anniversary
3. A family member’s birthday
4. Your child’s name
5. Another family member’s name
6. Your birthplace
7. A favourite holiday
8. Something related to your favourite sports team
9. The name of a significant other
10. The word “Password” (Allen, 2013)

People use these because it makes it easier for them to remember and recall the password at a later point in time, but this makes the password more guessable. People with malicious intent can research a particular person to find out this information, which can be used to guess the password using a brute force attack. According to Davies and Ganeshan (Davies & Ganeshan, 1993), an attacker’s ability to break a password is usually greater than expected.

Different systems use different criteria for their passwords, for example that the password should contain a certain minimum number of characters, or that it should include upper case characters, lower case characters and special characters. Some systems ask the users to change their passwords at a regular interval. We can see these kinds of features in user authentication in many of today’s authentication systems. But the problem is that, when you force the user to create a complicated password, you are increasing the difficulty for the user in remembering it. The by-product of this is that the user will most probably write down the password in some other place or save it in the browser itself. This will make the password less secure and compromise the security of the entire authentication system. Many of the security systems today are not designed by studying the users’ feedback. Thus this kind of security system creates more difficulties for the user, and most of the users will try to evade these security mechanisms.

Complex passwords generated by systems are usually less crackable than passwords generated by users. But these passwords are difficult to remember and there is more chance that users compromise the security by disclosing the password. In contrast, the passwords created by users are normally easier for them to remember and there is less chance that they are going to disclose them. But these passwords are usually less secure.

There is a financial factor as a downside as well. Most companies are investing money in providing support for customers who want to reset the password because of a security lockdown. The tighter the password policy of a company, usually the more money they need to spend to make sure those customers can access their accounts when in need.

In this modern age, most of the services we access require us to provide a password, like social media accounts, different email accounts, company accounts and bank accounts. Consider a user using 10 different systems. This user needs to remember 10 different passwords to access all these services. The drawback is that users will start to use the same password, or the same password with very little change, for all these services. So if somehow the security of one of the services is compromised, it can have ten times as bad ramifications. DeAlvare (DeAlvare, 1998) established that most users are not going to change a password until it is proved that their password is compromised.

DARPA (Defence Advanced Research Projects Agency) programme manager Richard Guidorizzi (Guidorizzi, 2012) says in his talk called ‘Beyond Passwords’ that passwords like “Fn87GH$%^&$DF19n”, which is 15 characters long and contains small letters, capital letters, numbers and symbols, meet the system security policy but don’t meet the “Human Requirements” because humans are not built to understand connections between random characters and numbers. Laziness, ignorance, stupidity, carelessness and naiveté are the reasons we still use passwords according to Chad Vander Veen (Veen, 2013), and according to him these are the same reasons the passwords don’t work. Organisations and governments are not following the correct procedures to correct this because it is a very difficult job to change these systems. And when you add the naiveté to that it becomes worse. So the need to break away from using password based authentication is essential.

3.1.2 Drawbacks of object based authentication systems
In object based authentication, the security is based on the key you have. Here as well many banks implement the system, where the users are provided with an electronic code generator. This generator will be used to create a unique key for the user to log in. But this makes the system more expensive to implement and maintain. Also, if the user loses the key or the key gets stolen, the security of the system gets compromised. Also, a genuine user may not be able to access the system resources if the user doesn’t possess the key at that particular period of time; this can lead to a genuine user being denied valuable system access.

3.1.3 Drawbacks of Attribute based authentication system
Many systems use biometrics for user authentication and access control. Biometrics identify a person uniquely. The most common biometric characteristic is the fingerprint. In the beginning fingerprinting was used by police for identifying criminals. The touch ID sensor technology used in the iPhone 5s and Samsung Galaxy S5 brought this technology to the general public (Genuth, 2015). But days after the release of this system, a group of hackers from Germany called Chaos Computing Club were able to bypass the security system using an artificial fingerprint (Gilbert, 2013). Apple continued this fingerprint system in their latest phone, the iPhone 6. And unfortunately the newly introduced Apple Pay is available on these phones, which enables users to pay for their purchases using this ID system.

The main problem with biometrics is its uniqueness. That is, if in some unfortunate circumstances your biometric information is compromised, you cannot change your biometrics, and the whole security will be compromised.

When Windows 8 introduced picture based passwords, where the user selects random points in a picture or uses a gesture on a known image, it was kind of a revolutionary idea (Sinofsky, 2011). But later it proved to be easily crackable (Claburn, 2013).

Some of the drawbacks of all three types of systems can be minimised by better user education and by designing systems using the feedback from the proposed users. The proposed image-based authentication system and the user study in this project try to overcome the drawbacks of these old style password based authentication systems.

4 Sample authentication systems
In order to conduct the study two simple authentication systems were developed. They are as follows
• Image-shield: Image based authentication system &
• PIN/Password based authentication system

5 Image-Shield: Image based Authentication System

5.1 Ideal authentication system
An ideal authentication system provides maximum security with minimal user difficulty. This ideal authentication is not easy to design or implement. So when we design an authentication system, the design always depends on the particular scenario, the type of users, the type of data and resources to be secured etc… This will provide the intended amount of security with minimal effect on usability in any particular case.

5.2 Why image-shield?
Password based authentication systems are very easy to use and fast, but there are many flaws in password based authentication systems as discussed in the above section. In this project a test system called ‘Image-shield’ is developed, which uses image based keys for the authentication of a user to a web based system. The name is selected because here the images are used to shield a system from unauthorised access. The proposed system is developed using the PHP language and MySQL as the database. This prototype system can be integrated into different systems to increase the security of web based authentication systems. Image-shield is based on the user’s ability to recall previously seen images rather than remembering difficult passwords. With this system we are planning to reduce many of the drawbacks of the password based authentication systems as described above. The following are the main features of the system.
• Prevent users from using personal details in passwords
• Prevent users from writing down passwords
• Decrease users’ difficulty in remembering complex passwords
• Prevent users from choosing easy to guess passwords

The image-shield system is based on the ability of humans to easily remember previously seen images. Lots of studies have been conducted on this (Homa & Viera, 1988) (Hafner, 1995), and in one of these studies, conducted on an audience using 2600 images, Lionel Standing, Jerry Conezio and Ralph Norman Haber (University of Rochester, NY) got a surprising 90% recognition rate in the next step (Lionel Standing, et al., 1970).

5.3 Terminologies – Image Based Authentication
Here are the terminologies used in the image based authentication system (Newman & Harsh, 2005)
Image space (IS): Image space is the collection of all the images that are involved in an image based authentication system.
Individual Image Set (IIS)/ Image Portfolio: It is the set of images used by the user as a key to authenticate himself/herself.
Key Image: It can be any one of the images from the individual image set.
Presentation Set: It is the set of images shown to a user at the login page when the user requests authentication.

5.4 Structure of the system
Image-shield is developed using PHP and MySQL. The system is based on the ability of a user to recall a previously seen set of images more easily than a complex password. The system process can be divided into the following
1. Registration and Training
2. Logging in (authentication)

5.4.1 Training on the portfolio images and register
The first step is the training and registration to the system. When the user clicks the registration link, a page with a set of images (5x5) will be shown along with a field for the username. The user selects 5 images from the set of images as their Portfolio image set or Individual image set. Once the user selects five images and enters a username, the user will then be moved to the training. The training is a simulation of the login method. The training has 3 phases. In each phase, a random 1 to 4 images from the image portfolio are shown among a set of decoy images. The user needs to identify the key images in each of the phases. No feedback is given to the user in each phase. The result can only be seen after the training is finished. Figure 3 shows the training phase, which corresponds to the portfolio selection from the previous section.

Figure 3 Training and Registration

During the training the information is stored on the server using a PHP session variable. If the user passes all three training steps, the user is then successfully added to the system along with the selected portfolio images and username. After the successful training, the session data will be added to the MySQL database along with the username. The number of failures and successes will be stored in the database by the system for future analysis.

In this final step the user will be asked for the username.5. Here as well. Users only know whether the login was a success or failure at the end of the process. no feedback is given to the user in each of the three phases.4. In each step one to four key images of the particular user will be shown to the user in each step. Once the username is provided.2 Logging in (authentication) Figure 4 Logging in This is the authentication stage in the process. 12 . The user needs to select all the key images from the decoy images to successfully log in to the system. user will be forwarded to a three step authentication process.

6 Image-shield Design Justifications

6.1 Selection of Portfolio images

When the user registers to the system, the user will be presented with a set of images. The user can select five images from the set. This is called the user portfolio. This will serve as a unique identifier to that particular user along with the user-id. We are using random art images which are generated by mathematical equations.

6.1.1 Why select random art images for image space?

Examples of random art are as follows. The random art images are created by using mathematical equations. You can see sample random art images generated by a programme written by Andrej Bauer (Bauer, n.d.).

Figure 5 Random art - sample pictures

There are lots of different kinds of images that can be selected for image space such as places, buildings, famous people’s pictures etc… So why are random art images selected for image-space? This is because they possess unique features. Art images are preferred in image based authentication because it is very hard for someone to guess the image from the description of someone else. An art image reminds each person of different things. In our survey different people described the same random art image completely differently. The same art image was described by one user as ‘road marking’ and by another user as ‘human skeleton’. So even if someone took a note of the images they selected as their image based key, it is harder for someone else to use it to find the actual key images. So random art images give better security compared with other kinds of images such as animal pictures, pictures of places, pictures of famous people etc.

6.2 Why training?

The image based authentication system concept is completely new to users who are familiar with password based authentication. Training will help them to go through the login process and identify the selection method of images before they actually go and try the login. Users must complete the training session before they can be successfully registered to the system. This will make sure that users understood the working of the new authentication system. And this will also make sure that the users selected images that can be recalled by them. This will also be helpful in eliminating unwanted login failure data caused by users not being familiar with the system.

6.3 Why three step login process?

We are using a 3 phase login process. In each step the users will be challenged with a random number of key images from their image portfolio along with decoy images. This will help to increase the difficulty of an attack by selecting random images, as it gives three separate sets of challenges for each single login attempt. This will also help in reducing the chance of someone shoulder surfing and finding out all the key images in the image portfolio at the same time.

6.4 Why no feedback on key images in each login phases?

There is no feedback given to the users in each login step. The users would only know whether the login is successful or not after the end of the three phase login.

6.5 Why only one to four random images per page?

The image portfolio set contains 5 images, but only 1 to 4 random images from the set are shown in each login phase along with decoy images. This will reduce the chance of someone seeing all the key images during the login process. This feature can be seen employed in some password based authentication systems, where the user is asked only to enter specific characters from their password rather than entering the full password.

6.6 Why shuffle image locations?

In the three step login process key images along with decoy images will be shown at each step. But the location of the images in the image space will always be random. This will help in reducing the chance of some kind of key logger tracking the mouse locations and finding out the key images in the image portfolio set. So we employ this to reduce the chance of a successful key logger attack.

6.7 Why lock the account after 5 failed login?

The login account is programmed to lock after 5 failed logins. This will help to reduce the effectiveness of attacks where the attacker makes repeated tries to find the key images. This can be seen employed in many password based authentication systems where the user account gets locked after some number of failed login attempts. This can be configured to give a certain time interval or lock the account altogether until the real user contacts the system administrator. This can be adjusted based on the type of security any particular system needs. This along with the multi-level authentication process will help to increase the security of the login system.
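The challenge logic justified in 6.3 to 6.7, sketched in Python as an added example; it is not the thesis's PHP code. The 25-image login page, the image identifiers and all function and class names are assumptions.

```python
import secrets

GRID_SIZE = 25       # assumption: each login page shows 25 images, like the 5x5 registration grid
PHASES = 3           # three-step login (6.3)
MAX_FAILURES = 5     # lock after 5 failed logins (6.7)
LOCK_SECONDS = 600   # 10-minute lock, the value shown in section 7.3

_rng = secrets.SystemRandom()  # OS CSPRNG, so challenges cannot be predicted


class Account:
    def __init__(self, username, portfolio):
        self.username = username
        self.portfolio = frozenset(portfolio)  # the 5 key images chosen at registration
        self.failures = 0
        self.locked_until = 0.0


def build_phase(account, decoy_pool):
    """One challenge page: 1-4 key images hidden among decoys, positions shuffled (6.5, 6.6)."""
    k = _rng.randint(1, 4)
    keys = _rng.sample(sorted(account.portfolio), k)
    # Decoys never include unused portfolio images, so the page shows exactly k keys.
    decoys = [d for d in decoy_pool if d not in account.portfolio]
    grid = keys + _rng.sample(decoys, GRID_SIZE - k)
    _rng.shuffle(grid)
    # "expected" stays in server-side session state; only "grid" is sent to the browser.
    return {"grid": grid, "expected": frozenset(keys)}


def start_login(account, decoy_pool, now):
    """Return the three challenge pages, or None while the account is locked."""
    if now < account.locked_until:
        return None
    return [build_phase(account, decoy_pool) for _ in range(PHASES)]


def finish_login(account, phases, selections, now):
    """Judge all phases together so no single phase reveals pass or fail (6.4)."""
    if now < account.locked_until:
        return False
    ok = len(selections) == len(phases)
    for phase, picked in zip(phases, selections):
        # Every phase is evaluated even after a miss: no early exit.
        ok = (frozenset(picked) == phase["expected"]) and ok
    if ok:
        account.failures = 0
        return True
    account.failures += 1
    if account.failures >= MAX_FAILURES:
        account.locked_until = now + LOCK_SECONDS
        account.failures = 0
    return False


if __name__ == "__main__":
    # Constructed sample data: image identifiers are made up for the demonstration.
    alice = Account("alice", [f"art_{i:03d}" for i in range(5)])
    pool = [f"art_{i:03d}" for i in range(5, 80)]
    pages = start_login(alice, pool, now=0)
    print([len(p["expected"]) for p in pages])
    print(finish_login(alice, pages, [p["expected"] for p in pages], now=1))
```

The server keeps the expected key set per phase and compares only after the third page, which is what makes the "no feedback" rule enforceable rather than cosmetic.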

7 Working of the Image-shield system

Let’s go through the actual login and registration process. The website is hosted at the address http://www.image-shield.com

7.1 Image-shield: Registration and training

7.1.1 Selection of Portfolio images

To register to image-shield, one needs to click ‘register’ from the top menu.

Figure 6 Selecting Register

Then the user will be forwarded to the registration screen, where you can see a set of 25 images and a place to select a username. Users can select a picture by clicking on the picture. The selected pictures will be shown below the selected picture.

Figure 7 Registration screen with deactivated 'submit' button

Once the user selects five images, the ‘Submit’ button will get activated.

Figure 8 Five portfolio images selected

And once the user clicks the ‘submit’ button, they will be forwarded to the 3 step training process.

7.1.2 Training

Training Phase 1: In each of the training phases one to four random images from the user’s image portfolio will be shown. Here in the picture of phase 1, three random images are shown.

Figure 9 Phase 1 training

The user needs to click on all these 3 images to select them and, once all the key images are selected from among the decoy images, click the next button. Then the user will be forwarded to phase 2 of the training.

Training phase 2

Figure 10 Phase 2 training

In phase 2 four random images are shown in this case. Then the user needs to select all the key images (all four in this case) to complete this phase. Once it is finished, the user clicks the next button and will be forwarded to phase 3 of the training process.

Training Phase 3

Figure 11 Phase 3 Training

Here in this case 2 random key images are shown from the portfolio. Once the user selects the key images and clicks next, the training and registration result page will be shown. In this case the training and the registration is a success.

Figure 12 Training and registration result page

7.2 Image-shield: Login

To login the user needs to click the login link from the menu.

Figure 13 Image-shield login

Once the user enters his username and clicks submit the 3 phase login will be started.

Login Phase 1

Figure 14 Login phase 1

In the case of phase 1, four random images are shown from the image portfolio. Once the user selects all key images and clicks next, they will be forwarded to phase 2.

Login Phase 2

In phase 2 of this particular login, three key images are shown along with decoy images. And once the user clicks next the last phase of login will be shown.

Figure 15 Login Phase2

Login Phase 3

Here in phase 3 of login 2 random images are shown from the image portfolio.

Figure 16 Login Phase 3

Once the user selects all the key images and clicks next the login result page will be shown. Here the login is a success as shown in the figure below.

Figure 17 Login Result

7.3 Image-shield: Account locking after 5 failed logins

Figure 18 Account lock

Once a user account has 5 failed logins, that particular user account gets locked for 10 minutes.

8 Possible Attacks and counter measures

Let’s discuss the different types of possible attacks and counter-measures. Let’s discuss this based on the common scenario of Alice, Bob and Eve. Here Alice is a genuine user, Bob is the server/service and Eve is the attacker who is trying to gain access using Alice’s credentials.

Figure 19 Alice, Bob and Eve scenario

8.1.1 Brute-force Attack

Brute force attack is a trial and error method. In the case of brute-force attacks Eve selects a random set of images with Alice’s username and tries to guess Alice’s image portfolio to gain access to Bob. The probability of success depends on the total number of images shown and the size of the image portfolio. To prevent this kind of password attack, after a set number of failed attacks, the users may be denied access for some time. Or the account can be locked altogether until Alice contacts the administrator and asks to unlock her account. So here the speed of brute-force attack can be reduced to a safe level.

8.1.2 Educated guess attack

In a study conducted using 12,000 passwords, the authors concluded that the value added by complex password policies is poorly understood and there isn’t much proof available that these security policies will create guess attack resistant passwords (Kelley, et al., 2012). In the case of an image based authentication system, Eve uses the available information about Alice and tries to guess her image portfolio. By studying Alice’s personal character, it may be possible to guess pictures appealing to her. In order to prevent these kinds of attacks, random art images can be used. Also these images should be selected so that they are less appealing to users. We have also used famous people’s images to do a comparison study.

8.1.3 Key Logger attacks

Attackers can plant key logging software/hardware in a system. There are different types of spyware which contain these types of key loggers. Once a user unknowingly installs this software thinking it is useful software, or the software gets automatically installed, it will start to record all keystrokes, mouse-clicks and clipboard data from the system where it is planted. And at a later point in time, this information will be sent to the creator of this key logger. This kind of attack can end up in huge financial losses for customers, especially if the customers are using a key logger infected computer for doing online bank transactions. In 2005 a customer of Bank of America named Joe Lopez lost 90,000 US dollars from his account when hackers stole his bank account information using key loggers (Grebennikov, 2007). But in the case of an image based authentication system, keylogging can be prevented by randomising the position of the images displayed. So even though the hacker can get the mouse click co-ordinates, it will become useless information.

8.1.4 Shoulder surfing

As the name suggests, someone can check your monitor and keyboard while you are entering the password and it may be possible for them to guess your password. (Kwon, et al., 2014) mentions that shoulder surfers can be much more powerful than anyone expects. To prevent or reduce the chances of shoulder surfing, each phase in the login should not contain all the set of image keys. A multi layered login process was implemented to reduce the time window for this type of attack.
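How the brute-force success probability from 8.1.1 depends on page size, number of phases and the lockout, worked through in Python as an added calculation that is not part of the thesis. It assumes a 25-image login page, a key count drawn uniformly from 1 to 4, and a guesser with no knowledge of the portfolio; the function names are illustrative.

```python
from fractions import Fraction
from math import comb

GRID_SIZE = 25             # assumption: images per login page (the thesis states 5x5 only for registration)
KEY_COUNTS = (1, 2, 3, 4)  # key images per phase; a uniform choice is an assumption
MAX_FAILURES = 5           # failed logins before the lock (6.7)
LOCK_SECONDS = 600         # 10-minute lock (7.3)


def blind_phase_probability(guess_size, grid_size=GRID_SIZE):
    """Chance that a random selection of guess_size images is exactly the key set,
    when the guesser does not know how many key images the page contains."""
    if guess_size not in KEY_COUNTS:
        return Fraction(0)
    right_count = Fraction(1, len(KEY_COUNTS))
    right_subset = Fraction(1, comb(grid_size, guess_size))
    return right_count * right_subset


def best_blind_guess(grid_size=GRID_SIZE):
    """Selection size with the highest per-phase chance, and that chance."""
    return max(((j, blind_phase_probability(j, grid_size)) for j in KEY_COUNTS),
               key=lambda pair: pair[1])


def informed_phase_probability(grid_size=GRID_SIZE):
    """Per-phase chance if the page leaked how many key images it contains."""
    return sum(Fraction(1, comb(grid_size, k)) for k in KEY_COUNTS) / len(KEY_COUNTS)


def login_probability(per_phase, phases=3):
    """All phases must be right; with no per-phase feedback there is no partial credit."""
    return per_phase ** phases


def guesses_allowed(seconds):
    """Lockout budget: one burst of MAX_FAILURES guesses per lock window (approximation)."""
    return (seconds // LOCK_SECONDS) * MAX_FAILURES


def compromise_probability(per_login, seconds):
    """Chance that at least one guess succeeds within the time budget."""
    return 1 - float(1 - per_login) ** guesses_allowed(seconds)


def summary():
    size, p_phase = best_blind_guess()
    day = 24 * 3600
    return {
        "best_guess_size": size,
        "per_phase": p_phase,
        "three_phase_login": login_probability(p_phase, 3),
        "guesses_per_day": guesses_allowed(day),
        "three_phase_day": compromise_probability(login_probability(p_phase, 3), day),
        "single_phase_day": compromise_probability(login_probability(p_phase, 1), day),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value}")
```

Under these assumptions a blind guess passes the three-phase login one time in a million and the lock caps guessing at 720 attempts a day. Collapsing to a single phase raises the one-day success chance above 99.9%, so the lockout alone does not compensate for dropping phases.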

9 PIN Based Authentication System

PIN numbers are usually used in chip and PIN debit and credit cards, especially in Europe. Customers are provided with a randomly generated PIN number when they get their bank card. This PIN is used by customers whenever they want to make a money transaction using their bank card. A simple PIN/Password based authentication system was coded to collect data for the comparison study. The system has two sections:

• Register
• Login

9.1 Register

Users were asked to select a six digit secure PIN number they have never used before. A picture of the login screen is shown below.

Figure 20 Register Using PIN

9.2 Login

A simple login screen as shown below is used for users to login to the system.

Figure 21 Login Using PIN

10 User Study

After the implementation of the image based authentication system and the PIN based authentication system, a study was conducted using real users. For this a four week user study on fifteen different users was conducted. Also a survey was created to get the feedback from the users after they used the sample systems. The data from the survey and experiment was used to analyse the proposed image based authentication system. The user study has two steps:

• User experiment
• Survey

10.1 User Experiment

After the successful implementation of the Image-Shield system and the PIN based authentication system, the next step is to test the system with the help of real users and collect the feedback. Fifteen different users were selected for this study. All of the users are familiar with normal password based authentication systems and use them almost every day in their daily life. All users were contacted, told about the system, shown how the system works and given instructions on how to register and login to the system. For this experiment we used art images created using an online art image creating software developed by Andrej Bauer (Bauer, n.d.).

Week 1

In the first week all users were given a brief on the working of the image based authentication system. Then they were asked to register to the system using a username and image based keys. Then they were asked to login to the system every day at their convenient times for that week. The login data was captured in the database.

Week 2

In the second week users were asked to register to the PIN based authentication system. The following instructions were given as a guideline for selection of the PIN. Users were also allowed to use a complex password.

• The pin number/password must be six characters long
• Should not be continuous characters (neither in increasing order or decreasing order)
• Should select a completely random PIN code/password they have never used before.

These instructions were provided to make sure to get useful data for the study. After the successful registration, they were asked to login to the system for the rest of the week. The login data was collected from the database.

Week 3

In the third week, the art images were replaced by famous people’s faces. Then users were instructed to register for a new account using the famous people’s pictures as the new image based keys and the same username they used before. After the successful registration, they were asked to login to the system for the rest of the week.

Week 4

At the start of the week, the images were reverted back to art based images. All the users were asked to login to the system only one time using the art image based keys, whether it was successful or not. Then they were asked to login to the PIN based authentication system using the PIN they created in the second week of the experiment and the data was collected. And finally the art images were replaced by the famous people’s faces. Then the users were asked to login to the system using the image key they created in the third week of the experiment. After all the users were logged in, the data was collected. After this was finished, the users were asked to fill in a survey to gather the feedback from the users and to better understand their background for the data analysis.

11 User experiment Results

11.1 Quantitative results

Week 1 data:

| Description | Successful Login | Failed login | Success Percentage | Failure Percentage |
|---|---|---|---|---|
| Art Image Login | 75 | 0 | 100% | 0% |

Table 1 Week1 data

And the users took an average two training session before they were successful in logging in.

Week 2 data:

| Description | Successful Login | Failed login | Success Percentage | Failure Percentage |
|---|---|---|---|---|
| PIN Login | 75 | 6 | 93% | 7% |

Table 2 Week2 data

Week 3 data:

| Description | Successful Login | Failed login | Success Percentage | Failure Percentage |
|---|---|---|---|---|
| Famous People’s faces Login | 75 | 0 | 100% | 0% |

Table 3 Week3 data

Week4 data:

| Type | Success (Users) | Failure (Users) | Success Percentage | Failure Percentage |
|---|---|---|---|---|
| Art Image | 13 | 2 | 86.66% | 13.33% |
| PIN | 10 | 5 | 66.67% | 33.33% |
| Famous people | 14 | 1 | 93% | 7% |

Table 4 Week4 data

11.2 Survey Creation

The survey questions must be designed so that we can capture and analyse feedback from the users. The login and training data can be collected from the database. With the help of these two sets of data, we can analyse the system. The information needed from the users can be categorised into:

1. User’s Backgrounds: This set of questions will be used to analyse the user’s background with different kinds of authentication systems and their feedback on those systems.
2. User’s knowledge about the working of the system: These questions will be used to make sure that the users understood the Image-shield system and its working.
3. User’s feedback about different features: This will help us to collect data for research and future development.

Research questions can be created so that data can be collected on the above three topics.

11.3 Survey Questions and responses

The survey questions can be divided into three sets:

• Questions to get feedback of the system
• Questions to know users background
• Control questions

11.3.1 Feedback of the system

These questions will be useful in getting the users’ feedback and opinions about their experience with the experimental image based authentication system.

Question1: "Recalling images from memory is easier than remembering a secure and completely new password”, do you agree? Options: [Yes, I do. No, I don't. Can’t say]

| Options | Yes, I do | No, I don't |
|---|---|---|
| Number | 13 | 2 |
| Percentage | 86.66% | 13.33% |

This question was used to get an idea about their experience of recalling images from memory compared to conventional password remembering.

Questions 2: Which of the following took you more time to login? Options: [Art Images, PIN/password, Famous People's pictures]

This will help to understand which system the user thought took most of their time. Obviously as the image-shield system image based authentication system is completely new to the system and users are used to using password/PIN based authentication systems.

| Options | Art images | People images | PIN/password |
|---|---|---|---|
| Number | 15 | 0 | 0 |
| Percentage | 100% | 0% | 0% |

Questions 3: Which of the following took you more time to register? Options: [Art Images, PIN/password, Famous People's pictures]

This will help to understand which system the user thought took most of their time to register.

| Options | Art images | People images | PIN/password |
|---|---|---|---|
| Number | 15 | 0 | 0 |
| Percentage | 100% | 0% | 0% |

Questions 4: Please describe the following art images in your own words?

Answers to this question can be used to identify how different users are keeping note of the same art pictures.

A B C D Body Skeleton Nested waves It reminds a Radiation flower symbol looks like looks like a looks like a looks like a upside down bunch of semi bunch of semi metal orb in "v" s stacked circles circles the centre with on top of each arranged arranged other shapes other together together around it It’s like a blue sun and pink sky Road marking flower Fly wheel so many red waves in red waves in arrows flying green water green water eye together

Question5: What Kind of Images you prefer as your image based keys Options: [Random Art, People, Other (Please mention)]

This will be useful in understanding what kind of pictures the users prefer to have as their image based keys.

| Options | Random Art | People |
|---|---|---|
| Number | 5 | 10 |
| Percentage | 33.33% | 66.66% |

Question6: How many images do you think creates a secure and easy to remember "Image-shield" (Image based code/password)? Options: [3, 4, 5, 6, Other]

This will help to understand the users’ concept of a secure but easy to remember image based key. This can be useful when deciding the number of image based keys to be used when designing an image based authentication system.

| Options | 3 | 4 | 5 | 6 | Other |
|---|---|---|---|---|---|
| Number | 0 | 1 | 13 | 1 | 0 |
| Percentage | 0% | 6.66% | 86.66% | 6.66% | 0% |

Questions 7: Do you believe that the speed of login (with images) increased as you got more familiar with the system? [Yes, No, No comments]

As the users are using the new system more frequently, the time spent by them in logging in to a system will change. This question can be used to analyse whether the users themselves think the time taken for them to login to the system improved or not.

| Options | yes | no | No comments |
|---|---|---|---|
| Number | 12 | 3 | 0 |
| Percentage | 80% | 20% | 0% |

Question 8: "I will use an image based authentication system, if it’s proved to be secure" Options: [I strongly agree, I agree, I disagree, I strongly disagree]

This will help to analyse how many users are willing to use an image based authentication if it’s proved to be secure to them. Users are less likely to use a system which is so complex to use.

| Options | I strongly agree | I agree | I disagree | I strongly disagree |
|---|---|---|---|---|
| Number | 12 | 3 | 0 | 0 |
| Percentage | 80% | 20% | 0% | 0% |

Question9: Have you had fun using the "Image based" authentication system? Options: [Yes, No, No comments]

| Options | Yes | No | No comments |
|---|---|---|---|
| Number | 15 | 0 | 0 |
| Percentage | 100% | 0% | 0% |

11.3.2 User’s background

These questions can be used to understand the user’s backgrounds and experience in using image based authentication systems.

Question10: Approximately how many different accounts you use in your daily lives for authentication?

Question11: How many unique passwords you have for all these accounts?

Questions 10 and 11 can be used to determine how many unique passwords the users have for separate accounts.

| Average number of accounts (rounded) | Average number of passwords (rounded) |
|---|---|
| 6 | 3 |

Question 12: Do you share your Bank card PIN with your close family/friends? Options: [Yes, No, I don’t have bank card with PIN]

This can be used to analyse how many users have a bank card with PIN and how many of them share it with their close family or friends for convenience.

| Options | yes | I don’t have Card | no |
|---|---|---|---|
| Number | 11 | 4 | 0 |
| Percentage | 73.33% | 26.66% | 0% |

Question13: Do you normally write down/save a password if a system requires really complex password? Options: [Yes, No]

Studies found that users are most likely to write down passwords when the password policy of that particular authentication system is not designed to cater for the human computer interaction factor.

| Options | yes | no |
|---|---|---|
| Number | 13 | 2 |
| Percentage | 86.66% | 13.33% |

Question14: Have you ever used Biometric authentication (Finger print, Retina scan etc...)? Options: [Yes, No]

| Options | yes | no |
|---|---|---|
| Number | 10 | 5 |
| Percentage | 66.66% | 33.33% |

Question15: Do you find the Biometric authentication easy to use and reliable? (If you use any) Options: [Yes, No]

| Options | yes | no |
|---|---|---|
| Number | 4 | 6 |
| Percentage | 40% | 60% |

Questions 14 and 15 may be used to find out users’ experience with attribute based authentication systems.

Question 16: Do you use a token (key) to login to your bank? Options: [Yes, No]

| Options | yes | no |
|---|---|---|
| Number | 8 | 7 |
| Percentage | 53.33% | 46.66% |

Question 17: Do you find the key (token) to login to your bank easy to use? (Answer only if you use a token (key) to login to your bank or similar places) Options: [Yes, No]

Questions 16 and 17 can be used to understand whether the users use the token (key) based authentication system and whether the users find this system easy to use and convenient.

| Options | yes | no |
|---|---|---|
| Number | 2 | 6 |
| Percentage | 25% | 75% |

Question 18: Do you follow a strict password policy (For example number of characters, use of upper case and lower case, special characters etc...) if that policy is not strictly enforced at the time of registration? Options: [Yes, No]

| Options | yes | no |
|---|---|---|
| Number | 2 | 6 |
| Percentage | 25% | 75% |

11.3.3 Control questions

This set of questions is useful in knowing whether the user understood the working of the system and the instructions correctly and to eliminate any non-relevant data. These questions cover the essential knowledge the users get by reading the instructions and using the system.

Question19: How many Images did you select for registration? (Ex: 3, 4, 5, 6)

| Answer | 5 |
|---|---|
| Number | 15 |
| Percentage | 100% |

Question20: How many "Pass"/s (Phase) were there in logging in process?

| Answer | 3 |
|---|---|
| Number | 15 |
| Percentage | 100% |

Question 21: "Each pass had 1-4 random images from your selected images(image portfolio)”. Did you know that? Options: [Yes, No]

| Options | Yes | No |
|---|---|---|
| Number | 15 | 0 |
| Percentage | 100% | 0% |

11.4 Survey Findings

• Most of the users used the same password for different kinds of login systems.
• Users shared (73%) their bank account PIN number with their family and close friends.
• 86 % of the users normally write down complex passwords or save them in their browser.
• 75% of the users didn’t follow a strict password policy if it’s not strictly enforced.
• Most of the users used some kind of biometric login and found it not reliable all the time.
• The users who used key based authentication with their bank found that it is not convenient at all times.
• Most users agree that remembering a complex password/PIN from memory is tougher than recalling images from memory.
• It took more time for the users to login and register using the image based authentication system.
• All the users understood the training and login process, like the number of phases in the login section and the number of images in their image based key.
• The description of the art images was unique for each user. None described the same art image in the same way. For example, the same image described by three users (User1: “It reminds a flower” User 2: “looks like the sun in the corner and space around it with inverted colours”).
• Most people preferred the famous people’s image as their password.
• Users found the selection of famous people’s faces the easier to remember.
• Most of the users didn’t think that they would be able to remember the image based keys after some time interval. But 86% of them were able to recall the art image based keys and 93% were able to recall the famous people’s pictures after weeks break.
• And surprisingly the majority of the users had fun using the new image based authentication system.

11.5 User Study Result analysis

| Type | Art image success rate | PIN/password success rate |
|---|---|---|
| Initial Login | 100% | 93% |
| Login After a break | 86.66% | 66.67% |

Table 5 Login success rate initial and final

Figure 22 Graph - Login data (success rate of Art image and PIN/password; series: Initial Login, Login After a break)

• From the data in the above table, we can see that the art images had 100% success in the initial login and degraded to 86.66% in the final week. But the PIN/password success rate really degraded in the final week to 66.67% from the initial 93%. This means that recalling images from memory was easier for the users than remembering a new password/PIN. This confirms that the human ability to remember relationships between random characters is very low and it degrades as time passes by. A complex password might conform to a strict security policy but doesn’t conform to ‘human policy’ (Guidorizzi, 2012). If we consider the famous people’s faces you can see that the success rate was 93% in the initial and final state. But the famous people’s pictures have one drawback, because it may be possible to guess a user’s image key by studying the user’s preferences and tastes.

Figure 23 Fourth week Login chart (successful users and failed users for Art image, PIN and Famous people)

• Users took more time to register and login at the start of the experiment. This is because the interface was completely new to them and all of them were only familiar with normal password based authentication systems. But as they got more familiar with the interface and process the time taken to register reduced. This means image based keys give less cognitive load to users once they get familiar with the interfaces and working.
• Most of the users saved their password somewhere when they found it really hard to remember. In the test very simple password rules were used, which were much less strict than password policies employed by online authentication systems. Even then users found remembering passwords harder than remembering image based keys. If we apply a stricter password policy, the success rate would definitely degrade.
• The selection of images is the same for all users. But we found that the same image is described in different ways by different users. So even if a user makes a note of their image based keys it is almost impossible to figure out the image based keys from these descriptions, as art images mean different things to different people. This way image based keys are found to be more secure than a conventional complex password.
• Users who used key based authentication to authenticate to bank accounts said that the reason they dislike it is because they need to carry the key around with them. And if they don’t have the keys with them, they cannot access their bank account to do important transactions. An image based authentication system can be modified to be used along with the current password based authentication to provide extra security to bank accounts.
• Art images vs Famous people: People preferred famous people’s pictures more than art images. But there are some drawbacks in using famous people’s pictures, like someone could write it down and it could end up with someone else gaining unauthorised access to that user’s account.
• Password/PIN vs Images – Majority of users strongly agreed that they are ready to use an image based authentication in their daily lives, once they got familiar with the interface and it’s proved to be secure in protecting their valuable personal data.
• Users had fun using this image based authentication system. This means that users were not frustrated with the selection policy of the images compared to the normal strict password selection policies employed by web password based authentication systems.
• The image based authentication system considers the human factor in security, unlike other kinds of systems where they forget about the human factor in security as described by Dennis Fiery in his book ‘secrets of a super Hacker’ (Fiery, 1994).

11.6 Limitations of the Image based authentication system

• There are also limitations to the image based authentication system. This is a prototype system and is not widely used or researched. So even though studies found it is better than password based authentication systems, unless it gets used widely all the vulnerabilities cannot be found.
• Also the users found the three step login process cumbersome. They wanted to have a single step login. By reducing the number of steps, the security of the system could be compromised because of shoulder surfing attacks.
• If the users see the same decoy images every time they login, there is a chance that after a long period of time they might mistake the decoy images for their portfolio images. So the system needs to provide as many different decoy images as possible. This can be difficult where the number of users is very large.
• Many of the users preferred to have famous people’s pictures over art based images. Each type of situation may need a specialised set of images, which provides more security. The selection, creation and storage of images for authentication systems are not an easy task.
• Also we should research and implement secure methods for storing the image portfolio details. In this project we used the name of the image as identifier. This is not a secure method.
• A more secure way of storing images in the database and reading images bit by bit should be considered in future studies to improve the security.

12 Conclusions and future work

12.1 Conclusions

The Image-shield based user study and survey proves that image-based authentication is definitely one of the future authentication systems. It’s found that recalling previously seen images is much easier than remembering a complex password and, more importantly, users will find this kind of new authentication system a more fun way to authenticate themselves. When the users are happy using a system, that will increase their willingness to follow the security rules, as that will help them in reducing their cognitive load. From the login data, it is found that 86% of users were able to log on to image based authentication even after 2 weeks compared to only 66% of users just after a week. Forcing users to remember complex passwords and decreasing their productivity is not the solution for today’s and the future’s authentication systems. It is time to move on from knowledge (password based) systems to more secure authentication ideas like an image-based authentication system. So it is time to put more time and resources into doing more research on different kinds of image based authentication systems.

12.2 Future work

Different kinds of systems need different kinds of authentication systems to fulfil their secure authentication needs. So more specific research and study is needed into different niches of authentication systems like shopping websites, student authentication, banks and financial institutions etc., as different authentication systems need different kinds of approach. A more elaborate survey with a lot more users spanning over a couple of months can be used to identify and collect data about how to improve the image based authentication system. A study and survey can be conducted including a larger number of the population, including users from various arenas of life like students, professionals, ordinary users, users with and without technological backgrounds etc… This can be useful in getting a bigger picture for doing further research on image based authentication systems. Also more study can be conducted using different types of images; this can be useful in identifying which type of images give better security with less cognitive load to the users. Also a study needs to be done about the relationship between number of login rounds and user experience.


Appendix A

Appendix B

CD containing the source code of the Image-shield website and an electronic copy of this report.