Researched authentication definitions and methods
Read through slides from unit M591 on authentication
Researched image-based authentication systems
- Deja Vu
- - Read through the advantages and disadvantages of this system
- - Noted the main advantages over text-based systems, such as the elimination of many text attacks like key logging
- - Noted the design features: mathematical formulas produce random art for the displayed images, and the numbers are saved to regenerate the user's chosen art
- CAPTCHA systems
- - Looked up CAPTCHA techniques
- - Some of these are mentioned on this site: http://goldbach.cse.psu.edu/s/captcha/
Considered some methods of creating the software for user research
- Website to be created. The website will host the authentication system for ease of use and surveying. The website will contain the MEng specification, stating why the system will benefit users. It will also allow users to log in to the site using the image authentication system. Users may be surveyed using the website, as there will be a section for feedback. This method will make it easier to send to people, as they can access the site via a link to a webpage which will host the authentication system and the survey; it does not need to be written out and delivered to people.
- - The website should e-mail results to the creator.
- - The website should not force a user to complete the survey.
Some software specifications, drawn from the weaknesses of other authentication systems:
- The software needs to be easy to use: the images must be clear and well organised. Instructions on what the user must do in order to authenticate must stand out and be straightforward to understand.
- Users should be able to remember their images: the system must be secure, but not overcomplicated for the user. Images should therefore be unique and identifiable, and the user should not have to remember a large number of images.
- The authentication should not be overcomplicated: select a reasonable number of images for the user to recall, and don't use many procedures to ensure that a user is authenticated.
- Images should not prompt the user to choose familiar images: images should not show pictures of animals or hobbies a person may have. Although they need to be unique, familiar images may compromise the security of the system, as users are likely to choose pictures of things they are familiar with.
- Images must not be similar: similar images will confuse a user and may mean they pick incorrect choices when they try to recognise their own.
- Support for forgotten images should be available: if a user forgets their images, there should be an option for either an alternate authentication or e-mailed support where they may select new images.
Software base - Java/HTML
Software considerations -
- Java Applets
- Servlets
- MySQL
- - Servlets interface between the applet and the database. The applet will host the authentication system and the database will hold all the necessary information for logging a person on to the system.
Books taken from the library -
- Java programming for the internet
- - Michael D Thomas
- - Pratik R Patel
- - Alan D Hudson
- - Donald A Ball Jr.
- Java Servlet Programming
- - Jason Hunter
- - William Crawford
Designs considered for the authentication system
- Cognometric approach, with the possibility of using image mapping as a confirmer to increase security. This may only be done with one image, to decrease the number of images the user needs to remember.
Researched the MySQL Connector/J driver, which allows Java to interact with the MySQL database. Through research, discovered that this method is not secure, and that the best way to talk to the database from Java is with the use of servlets.
Website designs created:
Home
- News | About | Registration | Log In | Contact | Help
Images of each screen layout have been created.
Design change - Implemented using PHP/HTML instead of Java.
Design of the authentication
1) User registers on the system, entering details similar to Facebook registration to allow a better comparison for users.
- Forename, surname, e-mail, password, gender, birthday
- User is given a selection of 25 images
- - The user must select 5 of these images to use. As a verification, the system does not allow the user to proceed if they have selected more or fewer than 5 images, and they are prompted to correct this.
- Once the user has entered the correct details, they can click on the submit button, which will bring up a page showing their details
- - The details given to the user are their 5 images and 3 'secrets'
- - The secrets are of 3 different types: a word, an image with a word relation (i.e. a picture of a book) and an image of random art (which a user cannot put a name to)
- - The reason for the secrets is that this page is given to the user to revise. During the survey, the last page will test their memory of each of the secrets. They will be asked to write the word (testing recall of the word, similar to username/password techniques), and they will be given a set of images to recognise the other two pictures (testing recognition). By doing this, analysis will show which the user found easiest to remember overall. The hypothesis is that the image with a word relation will be the easiest.
- A user is prompted to revise the page for a few minutes before continuing.
- The value equivalent of each image is stored in the database.
2) User logs in
- The user enters their e-mail address and clicks on the log in button. This is done first to ensure that the set of images is valid for the user in question.
- The user is then presented with a set of 10 images. These images are generated at random from numbers between 1 and 25, giving the set from the 25 images.
- At least 1 of the user's 5 images has to be in the 10 randomly generated images. The generation is looped until 1 of the images is included.
- Up to 5 of the user's images will appear in the image set. This was chosen to add a sufficient distraction to the person logging in. If 3 of the user's images appeared every time, then an attacker would be more likely to notice a repetition of images in the image set.
- Therefore, the user may select up to 5 images from the 10 as their own. If they select any more than this, they will be prompted to enter a maximum of 5 images.
- The number equivalent of the images in the database will be compared against the image set. If the user misses an image or selects too many images, an error message will appear and they will need to log in to the system again.
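The registration check and the log-in challenge described above, as an added example in Python (the project itself is PHP/HTML, and this is not its code). It assumes the images are numbered 1 to 25 as on the page; the constant and function names are my own.

```python
import math
import secrets

# Parameters taken from the design above (constant names are assumed)
TOTAL_IMAGES = 25      # image pool, numbered 1..25
PORTFOLIO_SIZE = 5     # images a user picks at registration
CHALLENGE_SIZE = 10    # images shown at log in


def validate_registration(chosen):
    """Registration rule: exactly 5 distinct images, all from the pool of 25."""
    chosen = set(chosen)
    return (len(chosen) == PORTFOLIO_SIZE
            and all(1 <= i <= TOTAL_IMAGES for i in chosen))


def generate_challenge(portfolio, rng=None):
    """Draw 10 distinct images; redraw until at least one of the user's appears.
    Uses the OS CSPRNG by default so the image set cannot be predicted."""
    rng = rng or secrets.SystemRandom()
    portfolio = set(portfolio)
    while True:
        shown = rng.sample(range(1, TOTAL_IMAGES + 1), CHALLENGE_SIZE)
        if portfolio.intersection(shown):
            return shown


def verify_login(portfolio, shown, selected):
    """Log in succeeds only if the selection is exactly the user's images that
    appear in this challenge: a missed image or an extra one fails."""
    selected = set(selected)
    if len(selected) > PORTFOLIO_SIZE:     # page: prompted for a maximum of 5
        return False
    if not selected.issubset(shown):       # cannot select an image not shown
        return False
    expected = set(portfolio).intersection(shown)
    return selected == expected


def redraw_probability():
    """Chance a random 10-of-25 set contains none of the user's 5 images, i.e.
    how often the generation loop has to redraw: C(20,10) / C(25,10)."""
    return (math.comb(TOTAL_IMAGES - PORTFOLIO_SIZE, CHALLENGE_SIZE)
            / math.comb(TOTAL_IMAGES, CHALLENGE_SIZE))


if __name__ == "__main__":
    user = [3, 8, 12, 17, 25]                  # constructed example portfolio
    challenge = generate_challenge(user)
    print("challenge:", challenge)
    print("correct selection accepted:",
          verify_login(user, challenge, set(user) & set(challenge)))
    print("redraw probability: %.3f" % redraw_probability())
```

The redraw probability is about 5.7%, so the loop rarely runs more than once.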
3) The Survey
- The survey consists of 4 sections.
- - 1) The user's previous computer/log in background
- - 2) Registration questions
- - 3) Logging in questions
- - 4) The secrets
The authentication system is located on the 'Faiveri' website. Faiveri is the given name of the system, comprised of the two words 'faithful' and 'verification', which are key features of the system.
The survey is linked to this site.
Current survey numbers: 72 in total started the survey, with about 80% completing it.
Further Survey to Test The Psychological Side of The Image Set
In addition to the survey conducted previously, regarding primarily the speed of the system compared to Facebook, another issue experienced with image authentication is the likelihood that people close to you may be able to guess the images you choose because they know what you may pick. In the main survey, I have questioned this by asking what made them choose the images they chose, giving examples like 'I chose the images that were aesthetically pleasing' or 'I chose the images that were linked to things I liked' etc.
The further survey proposed is to get groups of people who are close to each other, and get them to try to log in to another person's system. The idea is that, if a person can guess another person's log in using the images in my set, then the image set would not be useful. My image set was chosen to make it easier for the user to recognise their images, as they are unique objects in everyday life which a person may be able to put a name to.
The PassFaces image system used recognition of faces, although they attempted to combat the psychological implications of the system by actually choosing the images for the user, rather than letting them select. This may have been a good technique, but I felt that this method may not have appealed to the user, as they would be more likely to remember images which stuck out to them in the first place.
I have used the 'secrets' idea at the end of my first survey to see how easy it would be for users to remember images which are connected to a word, compared to random art. So far, by looking at the results, it appears that images with a word would be slightly easier, although both sets have a majority of 'very easy' as a result. 1 person, however, has got the random art section wrong, compared to 0 for the images with a word.
I will conduct this survey by allowing a user to take a certain number of attempts to log in to the other person's system by selecting images which they feel are linked to the person. If they manage to guess correctly, then this number will be noted down; else a maximum number of attempts will be recorded.