icAuth: Image Color Based Authentication Systempramod/icauth/paper.pdficAuth: Image Color Based Authentication System Pramod Verma Johns Hopkins University Baltimore MD, 21218 [email protected]

icAuth: Image Color Based Authentication System

Pramod VermaJohns Hopkins University

Baltimore MD, [email protected]

ABSTRACTAuthentication interfaces are GUIs that provide the protec-tion for an application or system. In this paper, we presenticAuth: a novel image and color based authentication inter-face for the authentication process. We enhance the existingImage Based Authentication (IBA) with an additional inter-active method. In our approach, the user not only choosesimage(s) as a key during the registration process, but alsoclicks on various regions on the image to generate an addi-tional key. This additional key is in the form of a sequenceof colors that correspond to the clicked areas. In essence, theuser chooses a color sequence along with the selected images.During the next authentication process, the user has to pro-duce the same color sequence on the recognized images. Theuser is required to remember the same switching sequenceamong the images, without having to memorize the preciselocation of the initial clicks during setup.

Author KeywordsIBA, Security, Usability

ACM Classification KeywordsH.5.m. Information Interfaces and Presentation (e.g. HCI):Miscellaneous

INTRODUCTIONImage Based Authentication (IBA) is more usable than TextBased Authentication (TBA)[1]. In a basic IBA, during theregistration process, the user has to choose images from agiven set of images and recognize them during the authen-tication process[2]. Researchers also experimented to selectand recognize objects or patterns in the given image for theauthentication process. We extend the basic IBA process byusing an interactive approach described in next section.

ARCHITECTUREicAuth system needs a pointing device to click or some kindof interactive technique such as a touch screen to click ortouch the images. The system has two components: Client

Copyright is held by the author/owner(s).IUI’12, February 14–17, 2012, Lisbon, Portugal.ACM 978-1-4503-1048-2/12/02.

Figure 1. An example of icAuth system where two images were usedas key images and color key can be produced by clicking on regionA,B,C,D,E to generate sequence WiBiBjGjBi where i is top andj is bottom image and W, B, G are key-letter for color white, blue andgreen.

and Server. Client gets user credentials and the server doesauthentication based on authentication protocol describedbelow.

Protocol: During the registration process, the user firstchooses images as a key. Then user produces an additionalkey by clicking on the image regions. The user can switchto any image during the clicking process, but needs tomemorize both the color sequence and switching sequence.The key is a sequence of colors related to the clicked areasof the respective images. Colors are sampled to a few levelsto reduce complexity. During the authentication processthe user has to reproduce the key. To make it more usable,in a given image, the user is not required to click on theexact locations to generate the desired color sequence. Theprotocol described here is a generalized version that can becustomized according to one’s requirements.

Demonstration IUI'12, February 14-17, 2012, Lisbon, Portugal

329

Figure 2. Example of a authentication interfaces on handheld devicessuch as iPhoneTM(Left) and AndroidTM(Right).

GRAPHICAL USER-INTERFACEGUI for icAuth has two interfaces. First GUI helps the userto register a color key. The user selects images and generatesa key. To assist the user, we display the key sequence under-neath the key-image. In the second GUI on the Client side,the user enters a token or user name and submits the request.Afterwards, the Server sends sets of images back to ClientGUI. The user then selects appropriate images and generatesthe color key sequence to complete the authentication.

IMPLEMENTATIONWe implemented the icAuth system for the authentication ofa website using aforementioned protocol and GUIs. Inter-faces were built using PHP and AJAX on the Apache2 webserver.

We also implemented the icAuth system on an iPhone4Ghandheld device. The login page contains an image(s) onwhich user has to produce a key-color sequence for a suc-cessful authentication. Most of these handheld devices havetouch screen capabilities, where it may be easier to generatekey sequences by tapping than by typing using a virtual key-board.

To address the precision and fuzziness of colors matching weset following equation.

α ≤ ~c1.~c2‖~c1‖‖~c2‖

= cos θ ≤ 1 (1)

Where ~c1 and ~c2 are two color vectors with ci[Ri, Gi, Bi, Ii]and they are treated the same if their dot product (or cosinesimilarity) is greater than or equals to a predefined thresholdα such as 0.99. ~c1 and ~c2 can be estimated by averaging thecolor vectors or pixels values of clicked areas with a smallradius r.

DISCUSSIONOur approach is easy to implement and adds an additionallayer of security in IBA. The system can be used at various

Figure 3. Demonstration of icAuth interface on a handheld device. Userselects [red, green, blue, blue, green] color sequences to unlock the de-vice.

places where small PIN like identification is required via key-board entry on handheld devices, where a user frequently en-ters the passcode to unlock the device. For example, Google’sAndroid uses a pattern based authentication interface.

One another advantage of the icAuth system is that it cre-ates an associative memory in the user’s brain regarding thepassword. For instance, in Figure 3, the password can be eas-ily remembered by viewing objects such as red leaves, greengrass, blue sky, etc.

It has similar drawbacks as IBA, such as brute force attack.However, it can be used with combination of other robustmethods. In addition, the system has a limitation that userswith color blindness are unable to use the icAuth system. Fur-thermore, sometimes users may have trouble distinguishingprecise colors in specific light conditions. But, we can chooseappropriate images to overcome these issues.

icAuth relies not only on a sequence of different regions inone image but on a sequence of different colors in a sequenceof images; therefore, the system would utilize images that canbe fully or partially segmented into few sections of colors.

CONCLUSION AND FUTURE WORKWe present a novel idea for image and color based authenti-cation. Future work may involve designing and performing adetailed user study comparing authentication methods usingdesktop and handheld interfaces.

REFERENCES1. Dhamija, R., and Perrig, A. D ej a vu: A user study using

images for authentication. proceedings of USENIXSecurity Symposium (Aug. 2000).

2. Newman, R. E., Harsh, P., and Jayaraman, P. Securityanalysis of and proposal for image-based authentication.proceedings of IEEE ICCST (Oct. 2005), p. 141.

Demonstration IUI'12, February 14-17, 2012, Lisbon, Portugal

330