Protecting Picture Passwords
Researchers at the University of Tsukuba develop a new system for graphical authentication online using key images with adjustable levels of distortion to thwart over-the-shoulder and screen-capture snooping, which may make online sites more secure
Tsukuba, Japan—Scientists from the Faculty of Engineering, Information, and Systems at the University of Tsukuba propose an alternative to text passwords using an improved graphical authentication method. By randomly distorting the key images differently each time, the system is much more secure against password crackers, even if they can see the user's screen. This work can lead to significant improvements in internet security.
Although text passwords are a mainstay of a modern life on the internet, they represent a major vulnerability in the global Internet. To remember them, people often choose passwords that are too simple, and may be easily cracked by bad actors. One proposed solution is to instead use a set of pictures, called "key images." To log in, the user choses his or her secret key images from a lineup of pictures. While easy to remember and relatively secure, this approach is still susceptible to what are called "over-the-shoulder attacks," in which someone is watching the screen. Thus, a new approach is needed to help make graphical authentication more resistant to these vulnerabilities.
Now, researchers from the University of Tsukuba have introduced the "Estimating Your Encodable Distorted images" (EYEDi) system. EYEDi works by generating distorted versions of key images during each log-in by applying several image processing filters. Even if the computer has been compromised with a screen-capture program, which allows a hacker to see the user's screen, they would still not be able to decern the original key images. "Although some previous image distortion methods have been proposed, these methods cannot prevent camera recording or screen-capture attacks, because the key images are the same each time," author Professor Keiichi Zempo explains.
To register using the EYEDi system, five key images are chosen. Then, to log in, a 5x5 grid of images is displayed. Key images are randomly cropped and distorted with a different filter each time. The team tested the system with 20 users over the course of 300 simulated screenshot attacks, using a camera looking over their shoulder. They found that EYEDi prevented hacking better than previous graphical methods. The system can also dynamically adjust the strength of distortion to make sure only authorized users can log in. "Humans are very good at recognizing prominent features of their chosen key images, even with random distortion filters applied," author Professor Keiichi Zempo says. This research may help secure websites as graphical authentication becomes more widespread.
The work is published in IEEE Access as "EYEDi: Graphical Authentication Scheme of Estimating Your Encodable Distorted Images to Prevent Screenshot Attacks" at DOI:10.1109/ACCESS.2021.3138093
Assistant Professor ZEMPO Keiichi
Faculty of Engineering, Information and Systems, University of Tsukuba
Faculty of Engineering, Information and Systems (in Japanese)