
Seminar Report

On
“Image Based Authentication System”

Submitted in Partial Fulfillment of the Requirements for the Degree of Bachelor of Technology in Electronics and Communication Engineering

Submitted By:

Saurabh Gupta
2K19
B.Tech (ECE)
CSJMA19001390109

TO

Department of Electronics and Communication Engineering

University Institute of Engineering & Technology

C.S.J.M. University KANPUR

2021-2022

UNIVERSITY INSTITUTE OF ENGINEERING & TECHNOLOGY

C.S.J.M UNIVERSITY KANPUR

DEPARTMENT OF ELECTRONICS AND COMMUNICATION ENGINEERING

CERTIFICATE

This is to certify that the seminar entitled “Image Based Authentication System” has been submitted by “SAURABH GUPTA” under my guidance in partial fulfilment of the degree of Bachelor of Technology in “ELECTRONICS AND COMMUNICATION ENGINEERING”, FROM UNIVERSITY INSTITUTE OF ENGINEERING AND TECHNOLOGY, C.S.J.M. UNIVERSITY, KANPUR during the academic year 2021-2022.

SEMINAR GUIDE: Dr. Vishal Awasthi
SEMINAR INCHARGE: Er. Parul Awasthi
HEAD OF THE DEPARTMENT: Dr. Vishal Awasthi

ACKNOWLEDGEMENT

It is a matter of great pleasure for me to submit this project report on “Image Based Authentication System”, as a part of the curriculum for the award of “Bachelor of Technology in Electronics and Communication Engineering” at UNIVERSITY INSTITUTE OF ENGINEERING & TECHNOLOGY, C.S.J.M. UNIVERSITY, KANPUR. I am thankful to my seminar guide Dr. Vishal Awasthi for their constant encouragement and able guidance. I am also thankful to Dr. Vishal Awasthi, Head of the Electronics & Communication Engineering Department, and Er. Parul Awasthi, Seminar Incharge, for her valuable support. I take this opportunity to express my deep sense of gratitude towards those who have helped me in various ways in preparing my project. Last but not least, I am thankful to my parents, who encouraged and inspired me with their blessings.

SAURABH GUPTA (109)

Table of Contents

LIST OF FIGURES

ABSTRACT

Chapter 1: INTRODUCTION

Chapter 2: AUTHENTICATION

2.1 Why do we need it?

2.2 The need and use of strong authentication

2.3 Authentication Factor

2.3.1 Something you know: Password

2.3.2 Something you have: Token

2.3.3 Something you are: Biometric

2.4 Summary

Chapter 3: IMAGE BASED AUTHENTICATION

3.1 Introduction

3.2 Current System

3.3 Proposed System

3.4 Working of Image based authentication

3.5 Implementation

CONCLUSION

REFERENCES

LIST OF FIGURES

Figure 1. Authenticator Factor

Figure 2. Tokens

Figure 3. Biometric Devices

Figure 4. Pass Selection Grid Image

Figure 5. Authentication Process

Figure 6. Flowchart

ABSTRACT

Username and password are the most commonly used mechanism for authentication because of their simplicity and convenience. However, this mechanism suffers from a few drawbacks, such as users selecting weak passwords and users disclosing their passwords. This weakens the security posture of organizations. Hence we propose a new image based authentication system. Research suggests that the use of images may be more effective in terms of security and ease of use for some applications. This is because we humans are better at recognizing images than at remembering passwords. In this paper we describe a new image based authentication system which can be used independently or along with the current character based authentication system to improve security and usability. We implemented the said system along with the current authentication system (username and password).

Security-sensitive environments protect their resources against unauthorized access by enforcing access control mechanisms. Text based passwords are not secure enough for such applications. User authentication can be improved by using both text passwords and structured images. The system developed displays an image or set of images to the user, who then selects one to identify themselves. The system uses such image based passwords and integrates image registration and notification interfaces. Image registration enables users to have their favorite image.

CHAPTER 1
INTRODUCTION

Authentication is a process of determining whether a particular individual or a device should be allowed to access a system or an application or merely an object running in a device. This is an important process which assures the basic security goals, viz. confidentiality and integrity. Also, adequate authentication is the first line of defense for protecting any resource.

It is important to note that the same authentication technique need not be used in every scenario. For example, a less sophisticated approach may be used for accessing a “chat server” compared to accessing a corporate database. Most of the existing
authentication schemes require processing both at the client and the server end. Thus,
the acceptability of any authentication scheme greatly depends on its robustness
against attacks as well as its resource requirement both at the client and at the server
end. The resource requirement has become a major factor due to the proliferation of
mobile and hand-held devices. Nowadays with the use of mobile phones, users can
access any information, including banking and corporate databases. In this paper, we
specifically target the mobile banking domain and propose a new and intelligent
authentication scheme. However, our proposal can also be used in other domains
where confidentiality and integrity are the major security requirements.

Human factors are often considered the weakest link in a computer security system. It has been pointed out that there are three major areas where human-computer interaction is important: authentication, security operations, and developing secure systems. Here we focus on the authentication problem. Passwords that are hard to guess or break are often hard to remember. Studies have shown that since users can only remember a limited number of passwords, they tend to write them down or use the same passwords for different accounts. To address the problems with traditional username-password authentication, alternative authentication methods, such as biometrics, have been used. In this paper, however, we will focus on another alternative: using pictures as passwords.

Image based password schemes have been proposed as a possible alternative to text-based schemes, motivated partially by the fact that humans can remember pictures better than text; psychological studies support this assumption. Pictures are generally easier to remember or recognize than text. In addition, if the number of possible pictures is sufficiently large, the possible password space of a graphical password scheme may exceed that of text-based schemes and thus presumably offer better resistance to dictionary attacks. Because of these advantages, there is a growing interest in graphical passwords. In addition to workstation and web log-in applications, graphical passwords have also been applied to ATM machines and mobile devices.

CHAPTER 2
AUTHENTICATION

Authentication is the verification of an entity's identification. That is, the host to whom the entity must prove his identity trusts (through an authentication process) that the entity is in fact who he claims to be.

2.1 Why do we need it?

In a wireless network environment, there is a need to:

• Control access to the network.
• Control access to the resources and services provided by the network.
• Be able to verify that the mechanisms used to control that access are providing proper protection.

Network access control is provided by an authentication service. This service is pivotal in providing the last two points stated above. Unless the network user is properly identified and authenticated, there is no point in trusting the user and granting access to the resources.

2.2 The Need and Use of Strong Authentication

The password authentication model is the most prevalent authentication model and has been used for decades. It is still widely used by operating system manufacturers. In order to authenticate, the user has to provide a username-password pair to the server. The server then usually performs a one-way function on this combination and compares the result to the value it has stored and associated with the user. If the server finds a match, it deems that the user is who he claims to be; otherwise he is not a legitimate user.

For many standalone systems, this password model is sufficient, since the user-provided password traverses only a small distance from the user workstation to the server. Vulnerabilities that exist in this model in a standalone environment include:

• The host receiving a plaintext password.
• Easy-to-predict, user-generated passwords.

On the other hand, in today’s extremely networked and distributed domain, such a paradigm does not offer strong, reliable and legitimate authentication. Such networked domains are the most common targets of menacing attacks, with alarming consequences. The client-server model is one such example. People use machines by remotely logging in and accessing their services, like files, printers etc. Therefore, in this networked environment, there is a necessity for strong authentication that goes beyond providing a simple password model to the machine.

A much more sophisticated authentication technique than a simple password is required when both authentication of the user to the remote host (or service) and authentication of the remote host (or service) to the user are needed. Passwords transmitted over the network should not be in clear text, so that they cannot be filched. In a network, it is advisable to manage passwords with various systems so that each user has a distinct password for every machine.

People used a variety of distinctive features to authenticate each other long before computers. Nowadays, computer systems apply these features whenever people have found a cost-effective way to implement them digitally. Consequently, four authentication techniques have been categorized according to the unique characteristic each uses. Each of these techniques relies on a different kind of distinguishing characteristic to authenticate people. When a user authenticates to an access control system, the user presents an identity along with evidence of this identity. This evidence is either something the user knows (e.g., a password), has (e.g., a token or smart card), is (a biometric), or geo-location (latitude, longitude, altitude). Each of these is considered an authentication factor. If only one of these factors is used to verify an identity, it is called single-factor authentication. Similarly, if four factors are used, it is four-factor authentication.

A few systems combine the approaches stated above. For example, a smart card (something you have) that requires the user to enter a personal identification number, or PIN (something you know), to unlock it makes a good combination. It is generally considered better to combine at least two characteristics, because an attacker can filch either one: the entity you have is vulnerable to ordinary pilfering, and the entity you know is compromised by sniffing if it moves over the network, but it is unusual for anyone to acquire both at the same time. This is called strong authentication, wherein a user is authenticated using at least two factors. Automatic teller machines (ATMs) use this approach; however, it is relatively effortless for an attacker to obtain both if he is watching you use the machine. While you are standing at the machine authenticating your identity, he can obtain your PIN, and he can steal your card after use. The attacker then has both what you have (the card) and what you know (the PIN).

2.3 Authentication Factors

A variety of distinctive aspects are available to authenticate a particular user. Today’s authentication procedures are categorized according to the distinguishing characteristic they use and are classified in terms of the three factors described below and summarized in Figure 1. Each factor relies on a different kind of discrete feature to authenticate individuals.

2.3.1 Something you know: a password

Confidential information is a unique attribute that is known only to genuine users. Even before computers came into existence, this information was shared, either as a spoken password or as a memorized combination for a lock. In the computer world, it is a password, a passphrase, or a PIN.

Authentication that is based on something you know depends on that something being a secret that is hard to guess. You need to know the secret reliably if you are to authenticate reliably. A lot of people are not good at making up and memorizing things that are not easily guessable, and they are even worse at keeping secrets. A password is a sequence of characters that is a mutual secret between the user and the host. Short passwords are relatively easy to guess, while long passwords are comparatively taxing to commit to memory. A person who writes a password down somewhere ends up converting one type of authentication into another, that is, from something you know to something you have, which is discussed subsequently.

A lot of system administrators who advise their users not to jot down passwords most
likely have a few stockpiled in their wallets anyway; which brings together something
you know and something you have. Something you know is how to comprehend your
own handwriting, and the slip of paper containing the passwords is something you have.

Figure 1: Authenticator Factor

The major advantage of using a password is that it is fast, cheap and simple to implement, and, in practice, people don't forget passwords or lose the pieces of paper all that often. For people who connect to the server from unpredictable remote locations, a memorized combination of a username and a password is a perfect solution, since it travels with them. However, it is absolutely impractical to pass this combination across the Internet in any form that can be used safely. This authentication type is weak for two reasons.

Firstly, it is relatively easy to intercept or sniff passwords, as there are a number of ways available, such as freely available online password hacking tools. The very success of a password depends on confidentiality, and it is challenging to keep it a secret. If there is a successful sniffing attack, there is generally no way to detect it unless some sort of damage is done.

Secondly, growing threats to passwords have made it comparatively trouble-free for attackers to figure out the passwords that people are most likely to choose and remember. People tend to forget hard-to-guess passwords or are compelled to write them down somewhere in order to remember them. The trouble with a written password is that it is more susceptible to theft than a memorized one. Regardless of all the hazards of something-you-know systems, it is still feasible to use such systems, provided that you do not reveal the secret to anyone nearby whenever you authenticate.

The flaws associated with this authentication model are summarized below:

• Passwords can be shared, written down, forgotten or guessed.
• It is relatively easy to steal a password by observation.
• Encrypted passwords are mostly publicly readable, which makes them vulnerable to cryptographic analysis.
• Short passwords are straightforward to guess by means of a brute force or dictionary attack.

2.3.2 Something you have: a token

The unique attribute of “something you have” systems is that legitimate individuals possess some particular thing. Long before computers came into existence, this particular thing was a seal with a private insignia or a key for a lock. In the computer world it is a device like a smart card or a magnetic strip card. Such items are called tokens. A token is an object whose features are in some way confidential and that is difficult to duplicate.

Some examples are shown in Figure 2 below and discussed subsequently.

Figure 2: Tokens

• A hardware device that attaches to an I/O channel (e.g., a serial line with an RS-232
connector), which can be interrogated by the system, and which must be present to
execute certain programs.
• A SIM card or a smart card having non-volatile memory to store information and a
CPU for processing.

This authentication model is so far the most challenging technique to exploit because it depends on a distinct physical object that the user must possess to log on. It is extremely difficult to determine whether a password has been stolen; by contrast, it is relatively easy for the owner to find out that a token has been stolen or lost. It is impractical to share the token with someone and still be able to log on.

The major flaws associated with this model are summarized below:

• The danger of keys getting lost, broken, borrowed or lent, or of hardware failure.
• Keys and tokens can be stolen.
• It is comparatively expensive to replace keys and compromised locks.
• It can be difficult or impossible to automatically or remotely revise authorizations associated with a particular token.
• It is extremely important to physically manage the tokens, that is, to keep them stored, logged, secure, etc.

2.3.3 Something you are: a biometric

A physical feature or behavior is another distinct aspect, one that is exclusive to the individual being authenticated. Before computers, this might have been a personal signature, a portrait, a fingerprint, or a written description of the person’s physical appearance. Nowadays, an individual’s distinct features are calculated, stored digitally, and compared against an already stored pattern. Precisely, it consists of comparing some easily accessible and reliably distinct physical attribute of a human user against the system's stored values for that attribute. Well-known techniques use a person’s voice, fingerprints, written signature, hand shape, or eye features for authentication. Such things are called biometrics. Frequently used biometrics are shown in Figure 3 and are summarized as follows:

• Hand geometry.
• Facial image.
• Iris scans.
• Fingerprints.
• Voice recognition.

This authentication model serves as the most convenient method for individuals. A finely designed biometric system accepts readings from an individual and precisely carries out the authentication. Obviously, it overcomes the portability flaw of the something-you-have model, as the biometric is a part of the person’s body.

Figure 3: Biometric Devices

Biometrics supports two basic core processes that together provide organizations with the ability to verify claims of identity:

• Enrollment – the preliminary correlation of an identity with a biometric feature.
• Verification – the comparison of data captured during the enrollment process with the biometric data gathered during an authentication request.

There are administrative and cryptographic functions to support the enrollment and verification processes. If the user cannot present his biometric feature, perhaps due to injury or physical change, there should be a fallback process to take care of authentication.

People hold two views of biometric authentication. According to some, this model is a replacement for authentication based on the first two factors, since it provides a level of convenience that is nonexistent in the other models. Others, however, believe that biometrics is a supplement that augments the present authentication techniques.

In spite of its many benefits, a few shortcomings are very obvious. The cost of the device plays an important role: it is comparatively more expensive than the device used for the something-you-have model. In addition, there is an overhead of installation and operation that the other authentication models do not have. Besides, if the user is remote, there is a danger of interception. It is relatively straightforward for an attacker to repeat the reading to pose as its owner. As a biometric feature is impossible to modify, the owner has no way to reverse the damage if an attacker steals the biometric readings. In reality, it is challenging to construct a system precise enough to deny illicit users without sporadically denying legitimate users. Physiological changes and injuries can also invalidate biometric readings: in one case a woman working at a high-security installation was denied entrance by the biometric device at the front door because her pregnancy had caused changes in her retinal blood vessels.

Various flaws linked with biometric authentication are summed up below:

• Biometric equipment is relatively expensive.
• For hand geometry scans and fingerprinting, the user should have a computable hand, that is, the hand should be ungloved and clean.
• An iris scan requires the user to have a computable retina. Contact lenses or spectacles should not interfere.
• Voice recognition greatly depends on the clarity of the throat and the surrounding environment.
• A person’s appearance should not change to a large extent for a facial geometry scan.

2.4 Summary

Authentication is the process of verifying the identity and determining the genuineness of an individual. It is required to control access to the network, its resources and its services. Usually, it is based on a username and password combination. However, this combination is vulnerable to theft. Therefore, there is a need for strong authentication. Three authentication techniques have been identified, based on something the user knows, like a password; something the user has, like a token; and something the user is, like a biometric. All these authentication techniques possess some flaws that make it harder for the military personnel to truly authenticate the identity of the user.

CHAPTER 3
IMAGE BASED AUTHENTICATION

INTRODUCTION

To minimize vulnerability in character-based password systems such as a 4-digit PIN or an alphanumeric password, image based authentication, where the user selects pre-defined images (referred to as pass-images) from multiple images displayed on screen, is being proposed. These systems focus on the human aspect rather than on mathematical security. Researchers of image-based authentication state that these systems minimize a human’s cognitive load by effectively using the human cognitive ability to recall images. They state that “an image once seen is easy to recall.”

Although we basically agree with this subjective argument, we have noted that few quantitative evaluations have been done to prove it. Is it true that images are easier to remember or recall than character-based passwords, particularly over a long period of time? Another issue in image based authentication is implementation. The researchers did not tackle practical issues such as how we register photos and how we select pass-images.

Authentication is the process of verifying the identity of the subject. The subject can be a human user or some process. Hence authentication is the act of confirming the claims made by the subject. An authentication system can be described by the following five components.

1. Authentication data (A), which is provided by the user for verification, like a username and password.
2. Complementary data (C), which is stored on the system and used to validate the authentication data provided by the user. An example is the password stored in the shadow file in the Unix OS.
3. Complementation function (f), which provides the mapping of A to C. For example, if passwords are stored as a message digest (MD) of the password, then f is the hash function that creates the MD.
4. Authentication function (L), which proves the identity. For example, it can be an equality function for comparing A and C.
5. Selection function (S), which allows users to create or change data in A or C. Examples are the change password function and the set password function.
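
The five components map directly onto the password model of section 2.2, where the server applies a one-way function and compares the result with its stored value. The following Python is an added example, not code from the report; PBKDF2 as the one-way function, the iteration count, the in-memory SHADOW store and the function names are assumptions, and S applies the password constraints the report gives for its registration stage.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000            # assumed PBKDF2 work factor (not from the report)
SPECIALS = set("!@#$%^&")       # special-character set listed in the registration stage
SHADOW = {}                     # username -> C = (salt, digest), like a Unix shadow file


def f_complement(password, salt):
    """Complementation function f: maps authentication data A to the stored form C."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def policy_ok(password):
    """Password constraints from the report's registration stage."""
    return (len(password) >= 8
            and any(ch.isupper() for ch in password)
            and any(ch.isdigit() for ch in password)
            and any(ch in SPECIALS for ch in password))


def S_select(username, new_password):
    """Selection function S: create or change the complementary data C."""
    if not policy_ok(new_password):
        return False
    salt = os.urandom(16)        # per-user salt: equal passwords give different C
    SHADOW[username] = (salt, f_complement(new_password, salt))
    return True


# Dummy record so that unknown usernames cost the same work as known ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, f_complement("not-a-real-password", _DUMMY_SALT))


def L_authenticate(username, password):
    """Authentication function L: compare f(A) with C in constant time."""
    salt, digest = SHADOW.get(username, _DUMMY)
    matches = hmac.compare_digest(f_complement(password, salt), digest)
    return matches and username in SHADOW


if __name__ == "__main__":
    # Constructed sample credentials, for demonstration only.
    print(S_select("alice", "Str0ng&Pass"))        # meets every constraint
    print(S_select("bob", "apple"))                # dictionary word, fails the policy
    print(L_authenticate("alice", "Str0ng&Pass"))  # correct A
    print(L_authenticate("alice", "Str0ng&Pasz"))  # wrong A
```

Only the salt and digest are stored, so the host never keeps the plaintext password; the salt and iteration count raise the cost of the offline dictionary attack but do not remove it.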

Traditionally, identity is established by any one, or a combination of two or more, of the following methods:

• Knowledge factor: what the user knows, e.g. a password.
• Ownership factor: what the user has, e.g. a smart card.
• Inherence factor: what the user is, e.g. fingerprints, iris scan etc.

Recently, in some authentication systems, locations as well as social factors are also used for establishing identity, apart from the factors mentioned above. If only one factor is used for establishing the identity of the user, we call that one-factor authentication. If two factors are used for establishing identity, then we call that two-factor authentication. A classical example of two-factor authentication is the use of a credit or debit card and a PIN at an ATM machine. Here we use a knowledge factor (the PIN) and an ownership factor (the credit or debit card). In this paper, we describe a two-level authentication system using knowledge factors. The first level is character based, i.e. username and password, and the second level is image based.

CURRENT SYSTEM

Username and password has long been one of the most widely used authentication systems. In this system, the end user provides a username and password at the login screen and the system verifies them. The outcome is binary: true or false, authenticated or not authenticated, success or failure. Alternatives to the username and password based authentication system are biometric systems and smart card based systems. A biometric system provides better security but requires additional hardware, which increases the cost. This also raises questions about everyday usability and affordability. Also, some biometric systems, like iris scans, are intrusive in the way they capture authentication data. The other alternative is a smart card based system. However, a smart card can easily be lost or stolen. Therefore many smart card based systems use knowledge based authentication to prevent impersonation through loss or theft of the card.

In spite of the common use and popularity of the username and password based system, it has multiple shortcomings. Since the authentication data is formed from a set of characters, such as a combination of upper case, lower case, numerals, special characters etc., it is subject to brute force or dictionary attack. The selection of the password plays a very important role in the strength of the system's security. If the selected password is a dictionary word like apple or a common password like pass123, it can be easily guessed by the attacker and the system can be easily compromised. To overcome this problem, many organizations have a password policy which enforces rules for the formation of strong passwords and regular change of passwords. In many situations this has failed because users simply make a variation of the old password, write the password down, or swap passwords with their friends or family. None of these solutions remedies the main cause of password insecurity, which is the human limitation in terms of memory for secure passwords. Many times people communicate or share their password with other people for multiple reasons. This weakens the security of organizations. To overcome this we propose a new system which uses images along with a password to provide authentication.

Token based systems rely on the use of a physical device, such as a smart card or an electronic key, for authentication purposes. Graphical password techniques have been proposed as a potential alternative to text-based techniques, supported partially by the fact that humans can remember images better than text. In general, graphical password techniques can be classified into two categories: recognition-based and recall-based graphical techniques.

In recognition-based systems, a group of images is displayed to the user, and an accepted authentication requires a correct image to be clicked or touched in a particular order. In recall-based systems, the user is asked to reproduce something that he/she created or selected earlier during the registration phase. Recall-based schemes can be broadly classified into two groups: pure recall-based techniques and cued recall-based techniques.

Disadvantages:
1. Although alphanumeric passwords are widely used, they have problems such as being hard to remember and being vulnerable to guessing, dictionary attacks, key-loggers, shoulder surfing and social engineering.
2. The major problem of biometrics as an authentication scheme is the high cost of the additional devices needed for the identification process.
3. Although a recognition-based graphical password seems easy to remember, which increases usability, it is not completely secure. It needs several rounds of image recognition for authentication to provide a reasonably large password space, which is tedious.

PROPOSED SYSTEM

In the proposed system we use images along with the password to overcome the problems that arise from sharing and selection of weak passwords. Hence the system aims to achieve the following:
• Authentication should not be based on precise recall of a password.
• Make it difficult to share or write down passwords.
• Provide a good user experience.
Also, it’s a proven fact that human users recognize images faster than they recall words. Standing shows that people can recognize images in spite of distracters and can retain them over a period of time.

Advantages:
1. The strength of IBAS depends greatly on how effectively the authentication
information is embedded implicitly in an image and it should be easy to decrypt
for a legitimate user and highly fuzzy for a non-legitimate user.
2. No password information is exchanged between the client and the server in
IBAS, Since the authentication information is conveyed implicit l

Working of Image Based Authentication System

Stages of System

The proposed system has two stages: Registration stage and authentication stage.

3.1.1 Registration Stage


In the registration stage, users first need to fill in personal details like name, DoB, email address etc. During this stage the user selects a password with the following constraints:
• Minimum of eight characters, as per the Anderson formula
• At least one uppercase character and one numeral
• At least one special character from the character set {!, @, #, $, %, ^, &}
Apart from selecting the password, the user needs to select a minimum of one image as a pass image. The user can select images from the various categories displayed in the pass image selection grid, as shown in Figure 4.

Figure 4: Pass Selection Grid Image

C1 to C9 represent various categories of images. The image categories selected were related to animals, natural scenery, random art, flowers, objects etc. Every time the user refreshes the page, images of various categories are populated in the grid randomly. We assume the user selects three images. To select the first image, say the user selects C1 from Figure 4. Immediately a new randomly generated 3x3 grid is presented to the user, which contains 9 similar but distinct images of category C1. The user selects one of the images as the pass image. Every time a grid is displayed, the positions of the images change randomly. This makes it difficult for the user to share or describe the image to someone else. After the selection of the first image, the user selects the second image category, say C2, from the pass image selection grid (Figure 4). A second grid containing various images of category C2 is presented for the selection of the second image. The third image is selected similarly. Once the images are selected, the user submits them to the system to be stored as complementation data. Once registered, the user moves on to the training phase, where the user needs to correctly identify the pass images from a group of decoy images. This completes the first stage.

3.1.2 The authentication stage

Whenever the user tries to log in, he needs to provide the username, the password and
the pass images. The pass images need not be given in the same sequence as they were
selected during the registration phase. Pass images are randomly distributed over the
login rounds. Every round may have all, some or none of the pass images. At least one
round has no pass images, to counter the intersection attack.
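
One way to build and check the login rounds described above, added here as an illustrative Python example that is not the report's own implementation: pass images are scattered over the rounds, one randomly chosen round is decoy-only, and the account locks after three failed attempts (the lockout listed under the advantages). The number of rounds, the image identifiers and the `Account` class are assumptions; the password check is omitted.

```python
import secrets

GRID = 9        # images per round: the 3x3 grid described on the page
ROUNDS = 4      # assumption: the page does not say how many login rounds
MAX_FAILS = 3   # page: account locks after three unsuccessful attempts
RNG = secrets.SystemRandom()  # CSPRNG, so grid layouts are not predictable

def build_rounds(pass_images, decoy_pool, rounds=ROUNDS, grid=GRID):
    """Scatter pass images over rounds; one random round is decoy-only."""
    secret = set(pass_images)
    decoys = [d for d in decoy_pool if d not in secret]
    need = rounds * grid - len(secret)
    if rounds < 2 or len(secret) > (rounds - 1) * grid or len(decoys) < need:
        raise ValueError("not enough rounds or decoys")
    empty = RNG.randrange(rounds)          # the round with no pass image
    slots = [[] for _ in range(rounds)]
    for img in secret:
        free = [i for i in range(rounds) if i != empty and len(slots[i]) < grid]
        slots[RNG.choice(free)].append(img)
    fill = RNG.sample(decoys, need)        # distinct decoys, no repeats
    for cells in slots:
        missing = grid - len(cells)
        cells.extend(fill.pop() for _ in range(missing))
        RNG.shuffle(cells)                 # positions change on every display
    return slots

def verify(shown, selections, pass_images):
    """selections[i] = ids clicked in round i; click order is ignored."""
    secret = set(pass_images)
    if len(selections) != len(shown):
        return False
    # Every round must match exactly, including the decoy-only round (no click).
    return all(set(p) == secret & set(s) for s, p in zip(shown, selections))

class Account:
    """Hypothetical account record holding the pass images and lock state."""
    def __init__(self, pass_images):
        self.pass_images = list(pass_images)
        self.fails, self.locked = 0, False

    def login(self, shown, selections):
        if self.locked:                    # only an administrator can unlock
            return False
        if verify(shown, selections, self.pass_images):
            self.fails = 0
            return True
        self.fails += 1
        self.locked = self.fails >= MAX_FAILS
        return False
```

A user who clicks any image in the decoy-only round fails that round, which is what makes that round useful as a check rather than padding.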

Figure 5: Authentication Process

Figure 6: Flowchart (steps shown: User Input; Article Random Question Generation; Select
an image which is displayed; decision "If image matched with database"; YES: Grant
Access; NO)

Advantages of the system

• Adds one more layer of security to the existing system and hence makes
the system more secure.
• Logging in with a shared password is prevented, as the user needs to provide the
password as well as the pass images to log in. Sharing of pass images is
difficult.
• Prevents brute force attacks. After three unsuccessful attempts the user
account gets locked. It can be unlocked by the administrators.
• Prevents automated attacks by bots.
• Eliminates the possibility of deducing the user’s image set by means of an
intersection attack.

Limitations of the system

• The system cannot prevent an offline dictionary attack.
• Slower than a traditional username and password system, as loading the image
grid takes some time.

Results

After implementation, users were invited to register with the system and then give
feedback about their experience and the system. We had prepared a questionnaire to get
structured feedback from the users of the system. The objectives of this survey are given
below:
• To assess the general awareness of the user regarding image based
authentication systems.
• To assess the time consumed while registering and logging in with the system.
• To assess the ease of use of the system.
• To obtain users’ opinions regarding our system in comparison with other
authentication systems in terms of speed, ease of use etc.
• To find out the reasons behind the inability of some users either to
register or to authenticate.
• To assess some other areas that are not covered by the objectives
above. An example of this is to assess the Random Art features of the
images.

Future Scope

The world is being mechanized and all offices and institutions are being
computerized, so the use of and need for this will not decline. People also always like
to see their work become more secure. Since we live in a world of smart technologies
such as smartphones, tablets and notebooks, future enhancements may add more levels
of security, but this may become a headache for users. So it may also be made user
friendly.

Implementation

The system has a very user friendly graphical user interface (GUI). The main window has
options for a new user or an existing user. A user has to register before he can log into
the system. A user is registered using his first name, middle name, last name, user
name and an image. All the fields except middle name are required. Once the
user selects the image, it is displayed in the window so that the user can verify it.
The image is the user’s choice. He can bring his own image on a storage device.

CONCLUSION

Authentication based on images can be used successfully for a particular purpose. A
functional system was developed and a user survey was carried out with seventy real
users. Users were successfully able to recognize pass images from a group of images.
This was based not just on recognition but also on recall, because many users
associated some images with recall hints, specifically for random images. For example,
some random images appear to be a highway. However, users favoured images with
animals and objects rather than random art or abstract images. We implemented the system
along with a username and password, but it can also be implemented independently.

• Image based authentication techniques have wider applicability in future.
• We designed it in a more user friendly way that helps to increase the password
quality compared to CAPTCHA.
• In this project we proposed the concept of a random picture and image
generation technique which cannot be cracked by an unauthorized user.
