Abstract—Current authentication systems suffer from many weaknesses. Textual
passwords are commonly used; however, users do not follow their requirements.
Users tend to choose meaningful words from dictionaries, which makes textual
passwords easy to break and vulnerable to dictionary or brute force attacks.
Many available graphical passwords have a password space that is less than or
equal to the textual password space. Smart cards or tokens can be stolen. Many
biometric authentications have been proposed; however, users tend to resist
using biometrics because of their intrusiveness and the effect on their
privacy. Moreover, biometrics cannot be revoked. In this paper, we present and
evaluate our contribution, i.e., the 3-D password. The 3-D password is a
multifactor authentication scheme. To be authenticated, we present a 3-D
virtual environment where the user navigates and interacts with various
objects. The sequence of actions and interactions toward the objects inside the
3-D environment constructs the user’s 3-D password. The 3-D password can
combine most existing authentication schemes such as textual passwords,
graphical passwords, and various types of biometrics into a 3-D virtual
environment. The design of the 3-D virtual environment and the type of objects
selected determine the 3-D password key space.
Index Terms—Authentication, biometrics, graphical passwords, multifactor,
textual passwords, 3-D passwords, 3-D virtual environment.
Introduction:
The dramatic increase of computer usage has given rise to many security
concerns. One major security concern is authentication, which is the process of
validating that you are who you claim to be. In general, human authentication
techniques can be classified as knowledge based (what you know), token based
(what you have), and biometrics (what you are).
Knowledge-based authentication can be further divided into two categories as
follows: 1) recall based and 2) recognition based [1]. Recall-based techniques
require the user to repeat or reproduce a secret that the user created before.
Recognition-based techniques require the user to identify and recognize the
secret, or part of it, that the user selected before [1]. One of the most
common recall-based authentication schemes used in the computer world is
textual passwords. One major drawback of the textual password is its two
conflicting requirements: the selection of passwords that are easy to remember
and, at the same time, are hard to guess.
Related Work
Many graphical password schemes have been proposed [6]–[8], [10]–[12]. Blonder
[6] introduced the first graphical password scheme. Blonder’s idea of graphical
passwords is that, given a predetermined image, the user selects or touches
regions of the image, and the sequence and the location of the touches
construct the user’s graphical password. After Blonder [6], the notion of
graphical passwords was developed. Many graphical password schemes have been
proposed. Existing graphical passwords can be categorized into two categories
as follows: 1) recall based and 2) recognition based [1]. Dhamija and Perrig
[7] proposed Déjà Vu, which is a recognition-based graphical password system
that authenticates users by choosing portfolios among decoy portfolios. These
portfolios are randomized art portfolios. Each image is derived from an 8-B
seed. Therefore, an authentication server does not need to store the whole
image; it simply needs to store the 8-B seed. Another recognition-based
graphical password is Passfaces [8]. Passfaces simply works by having the user
select a subgroup of k faces from a group of n faces. For authentication, the
system shows m faces and one of the faces belongs to the subgroup k. The user
has to do the selection many times to complete the authentication process.
Another scheme is the Story scheme [9], which requires the selection of
pictures of objects (people, cars, foods, airplanes, sightseeing, etc.) to form
a story line.
Our Approach
3-D PASSWORD SCHEME
In this section, we present a multifactor authentication scheme that combines
the benefits of various authentication schemes. We attempted to satisfy the
following requirements.
1) The new scheme should not be either recall based or recognition based only.
Instead, the scheme should be a combination of recall-, recognition-,
biometrics-, and token-based authentication schemes.
2) Users ought to have the freedom to select whether the 3-D password will be
solely recall-, biometrics-, recognition-, or token-based, or a combination of
two schemes or more. This freedom of selection is necessary because users are
different and they have different requirements. Some users do not like to carry
cards. Some users do not like to provide biometrical data, and some users have
poor memories. Therefore, to ensure high user acceptability, the user’s freedom
of selection is important.
3) The new scheme should provide secrets that are easy to remember and very
difficult for intruders to guess.
4) The new scheme should provide secrets that are not easy to write down on
paper. Moreover, the scheme secrets should be difficult to share with others.
5) The new scheme should provide secrets that can be easily revoked or changed.
Based on the aforementioned requirements, we propose
3D Password Overview
The 3-D password is a multifactor authentication scheme. The 3-D password
presents a 3-D virtual environment containing various virtual objects. The user
navigates through this environment and interacts with the objects. The 3-D
password is simply the combination and the sequence of user interactions that
occur in the 3-D virtual environment. The 3-D password can combine
recognition-, recall-, token-, and biometrics-based systems into one
authentication scheme. This can be done by designing a 3-D virtual environment
that contains objects that request information to be recalled, information to
be recognized, tokens to be presented, and biometrical data to be verified. For
example, the user can enter the virtual environment and type something on a
computer located at position (x1, y1, z1), then enter a room that has a
fingerprint recognition device located at position (x2, y2, z2) and provide
his/her fingerprint. Then, the user can go to the virtual garage, open the car
door, and turn on the radio to a specific channel. The combination and the
sequence of the previous actions toward the specific objects construct the
user’s 3-D password.
(10, 24, 91) Action = Open the office door;
(10, 24, 91) Action = Close the office door;
(4, 34, 18) Action = Typing, “F”;
(4, 34, 18) Action = Typing, “A”;
(4, 34, 18) Action = Typing, “L”;
(4, 34, 18) Action = Typing, “C”;
(4, 34, 18) Action = Typing, “O”;
(4, 34, 18) Action = Typing, “N”;
(10, 24, 80) Action = Pick up the pen;
(1, 18, 80) Action = Drawing, point = (330, 130).
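
The interaction sequence listed above can be treated like any other secret on the server side: serialized unambiguously, then stored only as a salted, slow hash. The following is an added example, not code from the paper; the action labels, the length-prefixed encoding, and the choice of PBKDF2 are assumptions made for illustration. It covers exact-match interactions only, so a biometric object is assumed to report its own result rather than feed raw data into the hash.

```python
import hashlib
import hmac
import os

# The sequence from the text as ((x, y, z), action, argument).
# Action labels are assumed names, not taken from the paper.
FALCON_SEQUENCE = [
    ((10, 24, 91), "open_door", ""),
    ((10, 24, 91), "close_door", ""),
    *[((4, 34, 18), "type", ch) for ch in "FALCON"],
    ((10, 24, 80), "pick_up_pen", ""),
    ((1, 18, 80), "draw_point", "330,130"),
]

ITERATIONS = 200_000  # assumed work factor for the example


def encode_sequence(sequence):
    """Serialize interactions with a 4-byte length prefix on every field,
    so two different sequences can never yield the same byte string."""
    out = bytearray()
    for (x, y, z), action, arg in sequence:
        for field in (f"{x},{y},{z}", action, arg):
            raw = field.encode("utf-8")
            out += len(raw).to_bytes(4, "big") + raw
    return bytes(out)


def enroll(sequence, salt=None):
    """Return (salt, verifier); only this pair is stored, never the sequence."""
    salt = salt or os.urandom(16)
    data = encode_sequence(sequence)
    return salt, hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)


def verify(sequence, salt, verifier):
    """Recompute the verifier for a login attempt; compare in constant time."""
    data = encode_sequence(sequence)
    candidate = hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)
    return hmac.compare_digest(candidate, verifier)


if __name__ == "__main__":
    salt, stored = enroll(FALCON_SEQUENCE)
    swapped = FALCON_SEQUENCE[:]
    swapped[0], swapped[1] = swapped[1], swapped[0]  # same actions, wrong order
    print("correct sequence:", verify(FALCON_SEQUENCE, salt, stored))
    print("reordered sequence:", verify(swapped, salt, stored))
```

Because the encoding preserves order, performing the same interactions in a different order fails verification, which matches the paper's definition of the password as both the combination and the sequence of interactions.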