Graphical Password Authentication System.

Overview

Graphical Password Authentication System

Description:

For this project, we designed a Graphical Password Authentication System. This is used to increase the protection/security of a website. Our system is divided into further 4 layers of protection. Each layer is totally different and diverse than the others. This not only increases protection, but also makes sure that no non-human can log in to your account using different activities such as Brute Force Algorithm and so on. The motivation for this project came from a recent attack named Pegasus in which people had their mobile phones compromised for almost a decade without them ever getting the slightest clue. This motivated us to build a stronger authentication system that generates randomized methods which could weaken the attack and eventually prevent it. The 4 layers of Protection that we are using are as follows:

  1. Segmented Images Authentication
  2. Password Image Authentication
  3. Obscured Images Authentication
  4. Garbled Images Authentication

The above layers have been sorted according to their complexities (1 being the least complex and 4 being most complex). The detailed explanation of the layers are as follows:

1: Segmented Images Authentication:

For this layer, the user will be showed 4 different images. These images will be a division of a whole image. User will have to select the correct order of the images. The logic can be explained better with the following picture:

As can be seen in the above image, a circle is divided into 4 parts. These 4 parts will be randomly displayed on the screen and user will be asked to select the pieces in correct order. The order is determined on the basis of the time of click. If an image is clicked first, it will be selected as the first image and so on. If a user selects all 4 pieces in the correct order, he/she will be authenticated.

The key thing to note here is how it offers security but without compromising usability – it is very easy for even young humans to recognise patterns in images and choose the correct order.

According to our implementation, we first display the pieces of circle in a randomized order every time. The user is then asked to select the images in the correct order as being displayed on the screen. Our code will detect the time of click here. Every click on a picture is stored along with the time it was clicked. Once all images are clicked, we simply sort by time and check that they were selected in the correct order. If yes, then the user will be authenticated.

This layer in our system can be seen as follows:

animated

2: Password Image Authentication:

For this layer, we took inspiration from Meezan Bank’s authentication system. Whenever a user registers, he/she is asked to select an image category from the 3 given categories:

  • Cat
  • Mouse
  • Flower

Whatever the user selects, is associated with his/her password and every time the user logs in, he/she will be asked to select the same image from the randomly displayed images.

Now here’s the twist. We have stored multiple images for each category. So, if a user selects cat, he/she will not be displayed the same cat every single time. The images per category are different as can be seen below.

a) Cat:

b) Mouse:

c) Flower:

According to our implementation, we have stored 3 categories i.e., cat, mouse, flower in our database. Whatever the user has selected while registering has been stored into the database along with his password. Each category has 3 different versions named 0, 1, 2. At the start of the program, a random number is generated between 0 and 2. Whatever the number is, is the picture of each category that is to be displayed. This is to just add a bit more complexity to the code. Let’s say a user has selected image 1 of cat. Upon authentication he may be shown image 0 of cat (which will be a different cat) but the key thing is that it will be a cat and the user must select it in order to be authenticated.

This layer in our system can be seen as follows:

animated

3: Obscure Image Authentication:

This is one of the most interesting layers. In this layer, not only are we preventing bots but we are also enhancing security by introducing image-to-speech-to-text concept. Let’s dig deeper into what this concept really is.

Image-to-Speech-to-Text:

In this concept, a user is displayed an image with obscure text. The reason for adding this obscurity is to confuse a NLP or OCR type mechanisms in bypassing the authentication. Random words are generated on a file which is then covered with an obscure text.

For example:

This picture is then displayed to the user and user is asked to speak the words in the given image. Now, here a trained model will give false results as it wouldn’t know which text to read whereas a human can do so.

Then the user will speak the text in correct order which our system will then convert to text and verify if the user spoke correct text. If verified, the user will be granted access.

For this feature, we are using “Speech Recognition” module of Python. User will be displayed the obscure text image and there will be a microphone button. When user will click the button, the recording will start and user will be asked to say the words in the image. When user says all the words, he/she must say stop in order for the program to stop recording. Then all the speech will be converted into individual words and stored in each index of an array. This array will then be compared to the expected output array. If both the arrays match, then the user will be authenticated.

This module can be installed using: pip install speechrecognition

This layer in our system can be seen as follows:

animated

4: Garbled Image Authentication:

The last and the most difficult layer is the garbled text authentication. In this layer, the user will be displayed a Garbled text whose readability will be really low and user will be asked to read and then type in the text. The garbled texts will be randomly generated as follows:

For this layer, we have generated multiple garbled text images and stored the correct value of each image in a file. User is shown a random image in the start of this layer and is asked to type in the correct text. Whatever the user types is then compared to the already stored correct values and if the answer is correct, then user will be authenticated and authentication dialogue box will pop up.

This layer in our system can be seen as follows:

animated

Security Analysis:

Following is the detailed security analysis of our system:

1: Issues Covered:

The majority of applications/websites use text-based passwords to authenticate a user, with the additional use of CAPTCHA to verify that the user is a human. Unfortunately, this is not very secure and leaves the system vulnerable to different sorts of attacks. While text-based passwords sound secure in theory, in practice most users will end up making simple, common passwords that are frequently repeated across different applications or accounts. Bot attacks or hackers can take advantage of this and launch dictionary attacks, try to brute force the password or employ other ways to compromise user accounts.

2: Security Strengths:

Graphical passwords are a more secure alternative to standard text-based passwords, especially as they don’t significantly lower usability. Using graphical password authentication, we can avoid the problem of keystroke logging, and be protected against dictionary attacks and social engineering. This technique for user authentication also requires human interaction on part of the user, which doubles as verifying the user was a human without having to make use of CAPTCHA (which is infamously annoying for users.) There will be several security layers, and the system will be customizable i.e., you can choose the types of security you want, depending on your security requirements.

3: Security Weaknesses:

There are no major security vulnerabilities. However, our system is limited in scope so there are very small number of options for each module. Such as garbled text has a limited number of pictures to be chosen randomly from. This is not an inherent weakness of the system, as on a larger scale it could be adapted to generate or segment images dynamically and so on. But in the current state of the system, it would be possible for a computer to eventually brute force its way to the solution.

Contributors:

In the end, I'd like to mention my group members who helped me alot in this project. You can find them at:

Sana Khan

Wajeeha Malik

📫 Contact Me:

Website Gmail GitHub LinkedIn

You might also like...
Simple extension that provides Basic, Digest and Token HTTP authentication for Flask routes

Flask-HTTPAuth Simple extension that provides Basic and Digest HTTP authentication for Flask routes. Installation The easiest way to install this is t

Authentication Module for django rest auth

django-rest-knox Authentication Module for django rest auth Knox provides easy to use authentication for Django REST Framework The aim is to allow for

Authentication for Django Rest Framework

Dj-Rest-Auth Drop-in API endpoints for handling authentication securely in Django Rest Framework. Works especially well with SPAs (e.g React, Vue, Ang

Simple yet powerful authorization / authentication client library for Python web applications.

Authomatic Authomatic is a framework agnostic library for Python web applications with a minimalistic but powerful interface which simplifies authenti

Django CAS 1.0/2.0/3.0 client authentication library, support Django 2.0, 2.1, 2.2, 3.0 and Python 3.5+

django-cas-ng django-cas-ng is Django CAS (Central Authentication Service) 1.0/2.0/3.0 client library to support SSO (Single Sign On) and Single Logou

JWT authentication for Pyramid

JWT authentication for Pyramid This package implements an authentication policy for Pyramid that using JSON Web Tokens. This standard (RFC 7519) is of

Toolkit for Pyramid, a Pylons Project, to add Authentication and Authorization using Velruse (OAuth) and/or a local database, CSRF, ReCaptcha, Sessions, Flash messages and I18N

Apex Authentication, Form Library, I18N/L10N, Flash Message Template (not associated with Pyramid, a Pylons project) Uses alchemy Authentication Authe

JSON Web Token Authentication support for Django REST Framework

REST framework JWT Auth Notice This project is currently unmaintained. Check #484 for more details and suggested alternatives. JSON Web Token Authenti

Simplifying third-party authentication for web applications.

Velruse is a set of authentication routines that provide a unified way to have a website user authenticate to a variety of different identity provider

Owner
Hassan Shahzad
I am a passionate Software Developer who is always aspiring to learn more. Practice makes perfect and I am always working on improving my skills and myself.
Hassan Shahzad
Integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (social) account authentication.

Welcome to django-allauth! Integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (soc

Raymond Penners 7.7k Jan 1, 2023
Integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (social) account authentication.

Welcome to django-allauth! Integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (soc

Raymond Penners 7.7k Jan 3, 2023
A simple username/password database authentication solution for Streamlit

TL;DR: This is a simple username/password login authentication solution using a backing database. Both SQLite and Airtable are supported.

Arvindra 49 Nov 25, 2022
Customizable User Authorization & User Management: Register, Confirm, Login, Change username/password, Forgot password and more.

Flask-User v1.0 Attention: Flask-User v1.0 is a Production/Stable version. The previous version is Flask-User v0.6. User Authentication and Management

Ling Thio 997 Jan 6, 2023
Customizable User Authorization & User Management: Register, Confirm, Login, Change username/password, Forgot password and more.

Flask-User v1.0 Attention: Flask-User v1.0 is a Production/Stable version. The previous version is Flask-User v0.6. User Authentication and Management

Ling Thio 916 Feb 15, 2021
REST implementation of Django authentication system.

djoser REST implementation of Django authentication system. djoser library provides a set of Django Rest Framework views to handle basic actions such

Sunscrapers 2.2k Jan 1, 2023
Extending the Django authentication system with a phone verification step.

Extending the Django authentication system with a phone verification step.

Miguel Grinberg 50 Dec 4, 2022
Two factor authentication system using azure services and python language and its api's

FUTURE READY TALENT VIRTUAL INTERSHIP PROJECT PROJECT NAME - TWO FACTOR AUTHENTICATION SYSTEM Resources used: * Azure functions(python)

BHUSHAN SATISH DESHMUKH 1 Dec 10, 2021
Django Auth Protection This package logout users from the system by changing the password in Simple JWT REST API.

Django Auth Protection Django Auth Protection This package logout users from the system by changing the password in REST API. Why Django Auth Protecti

Iman Karimi 5 Oct 26, 2022
A JSON Web Token authentication plugin for the Django REST Framework.

Simple JWT Abstract Simple JWT is a JSON Web Token authentication plugin for the Django REST Framework. For full documentation, visit django-rest-fram

Simple JWT 3.3k Jan 1, 2023