Project notebook
Colour-based authentication system
Problem Specification
Most of the authentication systems in use today rely on text-based authentication such as passwords and personal identification numbers (PINs). As the number of online services in everyday life continues to increase, the number of passwords required for authentication also continues to rise. The burden of remembering such an increasing number of passwords leads users to make poor and predictable password choices. This presents a possible security risk that could endanger users’ privacy, e.g., identity theft. For certain applications, research suggests that the use of colour could offer a more effective combination of security and ease of use. This is because humans tend to recognize colours that they can easily remember.
The project goal is to find the strengths and flaws of an authentication system using colour based keys. This project also includes the task of identifying and measuring several performance metrics of the new authentication system. This requires three main steps:
- Implement an experimental authentication system that uses colour based keys.
- Test the experimental system by conducting surveys with real users.
- Analyse the strengths and weaknesses of colour based authentication using the experimental results.
10 - 06 - 2010
According to the project plan I have divided my work into five phases, so I started the first phase, which is background research.
Background Research
I started my research with authentication systems. I have gone through my preliminary and final reports for the M580 unit and analysed the comments given by my supervisor. I followed the tutorial provided by Mr Chi about the context of authentication to refine my research on authentication systems.
Authentication Definition
Authentication can be defined as the process of verifying that someone is actually who they claim they are. In other words, authentication is the act of establishing or confirming something (or someone) as authentic, i.e., that claims made by or about the thing or the one are true. The authentication process can be divided into three phases: identification, authentication, and authorization. Users must first make some claim of their identity, provide evidence to validate this claim, and if successfully authenticated by the system, access rights are granted to the user.
Authentication is simply the process of establishing a level of confidence regarding a claim, used to provide a response to the claimant. The claim could be any statement, for example, “This individual’s name is ‘Jabran B.’” or “This child is more than 5 feet tall.” As these examples show, both identifiers and attributes can be authenticated.
There are three required participants for authentication:
• Claimant or Presenter
• Verifier
• Issuer (often the same as the Verifier)
A presenter presents credentials issued by a third-party “issuer” to a “verifier” who wishes to determine the reliability of those credentials. In some cases, one party may play two roles. For example, the verifier and issuer roles are often combined.
Authentication types
Authentication can be categorized using three cases:
• What you know (e.g., a password, pass phrase, or personal identification number (PIN)).
• What you have (e.g., ID card, security token, software token, phone, or cell phone).
• What you are (e.g., fingerprint or retinal pattern, DNA sequence (there are assorted definitions of what is sufficient), signature or voice recognition, unique bioelectric signals, or another biometric identifier).
Hence, authentication can take the form of one or more of the following, as shown in the diagram below.
Often a combination of these methods is used, in which case the term two-factor authentication is used. A traditional example of this is the use of a bank card and a PIN at an ATM. In this case, two authentication types, a token-based type (the bank card) and a knowledge-based type (the PIN), are combined to yield a two-factor authentication system.
Risks of authentication
Many risks can be associated with authentication. Some of these are:
• Errors
• Theft
• Fraud
• Population
• Allocation
14 - 06 - 2010
Analysed the problems in existing authentication systems. I have gone through different kinds of research to find the strengths and flaws of different authentication systems.
Problems in Existing Authentication Systems
These days the most common kind of authentication system is knowledge-based, of which the most widely used type is text-based authentication. Although biometrics is a valuable authentication system, it has a number of drawbacks, such as being difficult to change and maintain. In addition, many biometric systems require specialised devices and can be unpleasant to use. Additional hardware undoubtedly means additional cost, so it is difficult to deploy, in particular for everyday users. Moreover, many users of biometric authentication tend to resist it because it is intrusive and affects their privacy.
Token-based systems are also not perfect solutions for authentication. For token-based authentication you need to install authentication server software and deploy the authentication software on every user's computer or mobile device. There is also the risk that the user loses the external device. This can be financially costly because lost external devices need to be replaced. However, the device is useless to a third party without the original user's authentication information.
Although knowledge-based systems such as passwords and PINs are easy to use, they are also easy to attack. The attack can be a guessing attack, which exploits predictable human behaviour, or a brute-force attack, which attempts many different passwords. Complex and random passwords are more secure, but they are also more difficult to remember.
Proposed countermeasures for authentication
If the password approach is to be replaced, then alternative means of authentication are clearly required. Surveys have shown that fundamentally different approaches are not gladly accepted by the user community, who for various reasons express a strong preference for the methods they already know. In addition, the financial cost associated with the introduction and maintenance of these other approaches will often preclude their adoption in many environments. For this reason, other approaches based upon secret knowledge, which do not incur any additional expenditure on hardware technologies, are considered desirable.
The solutions discussed so far have all been of a textual nature. However, given the transition to graphical user interfaces that has occurred during the last two decades, it is perhaps unsurprising that graphical authentication approaches have also arisen. For example, Blonder (1996) proposed a graphical password in which the user can select a number of areas in a picture as a password. The weakness of this technique was that the user had to recall the location and the order of the regions. In another alternative, proposed by Jermyn et al. (1999), the “password” method was realised as a simple picture drawn on a grid. Other variations include the recognition of previously seen images, with an example being the Déjà Vu system. Nowadays the focus is on colour-based authentication.
17 - 06 - 2010
After completing the necessary research about authentication, I started to research the tools to be used to develop the system. I preferred PHP and MySQL for the implementation as I studied them in the first semester, so it is easy for me to work with these tools. I gathered all the material provided by David Nidzi to get help.
I also researched the design of the system, such as database design, interface design, information flow diagrams, flow charts and use cases.
20 - 06 - 2010
Proposed colour-based authentication system
The existing colour-based authentication system has some weak points; for example, some colours look similar, which can confuse the user. There is also a chance of some possible attacks, such as guessing the user's correct colour, observation attacks, shoulder-surfing attacks, etc. These issues have been considered while building the Colour Based Authentication (CBA) system. This project proposes to build a CBA system that university students use to log in to their library accounts, and more specifically to use the computer labs, which should be secure but at the same time usable; it does not, however, aim to address all of the problems faced by older authentication systems.
The main purpose of this system is to make the design user-friendly and feasible for security purposes. Eliminating the attacks is the main focus of this system, and the generation of colour sets is also given high consideration. The system makes it difficult for users to share their pass-colour. The CBA system is designed as the login system that authenticates university students for their library accounts. It helps users to make fewer mistakes, prevents them from choosing weak passwords and provides a good experience.
Colour Set Generation and Selection
This section deals with another important part of the security of CBA: the selection of colours in a colour set. A colour set is a collection of ‘n’ colours arranged into ‘r’ rows and ‘c’ columns. Choosing ‘n’, ‘r’ and ‘c’ well is the designers' decision, and several factors should be considered when choosing them. ‘n’ should be chosen so that it increases the security of the system while keeping the system user-friendly.
‘r’ and ‘c’ are chosen such that the colour grid that appears to the user is not visible in one eye-span, i.e. a user must select colours from 3 different colour sets. The system divides its users into three levels, namely beginner, moderate and advanced (in hierarchy from lowest level to highest level). As the user proceeds up the hierarchy, it becomes more difficult for an intruder to get his/her password. For example, the system provides 3 colour sets and each set consists of 9 colours (i.e. 3 x 9 = 27 colours): a beginner can select 1 colour (max.) from them, an intermediate-level user can select 2 colours (max.) as his/her password, and an advanced user can select up to 3 colours.
The colours selected to form a colour set:
1. Should not be easily describable
2. Should be easy to remember
3. Should be unique
4. Should be different
I have used a random display of colours within a colour set, i.e. colours are arranged randomly and their position is in no way related to the previous colour set that was generated. Now we move on to the selection of colours. As mentioned earlier, the user is first asked for a username, after which he/she is given the first colour set. Since the colours are arranged randomly, the password colour will appear in a random position and not a fixed position. The order of the colour sets stays the same, i.e. Colour Set 1 appears to the user first, followed by Colour Set 2 and so on, but the colours within a colour set are shuffled every time. Considering the security aspect, the CBA system does not change the mouse cursor when it is moved over any colour. Normally, when you roll the mouse over a colour or link, the cursor changes to a hand (in Microsoft Windows). Also, there is no special mark on the colours that you have currently selected. This way, no third person will be able to make out the password.
Interface issues
The interface should be user-friendly. The existing system shows that there is no pass-colour field to indicate that a colour has been chosen. Most of the online respondents accept the 27-colour set and the mouse-click indicator that were used in the prototype. However, there is room for improvement in the interface, because many users think that the mouse-click indicator field is rather confusing.
Experimental Setup to Analyse CBA
To analyse the system, a single PC will be used to host the prototype so that users can access Pass-Colour on the Internet. The online testing will also be available individually, and different users can participate.
Description of prototype
The implementation of my proposed authentication method is almost complete. I have used PHP and MySQL to implement the application. To test the prototype, users have to access the URL given. Once the main page loads, users are asked to sign up. This enables them to create a user ID and pass-colour to log in to the system. Users can create any user ID they wish as long as it is not in use by another user. The system forces the user to choose a different user ID if the intended one is already in use. For the pass-colour, users can choose any colour (it can be more than one colour). Once users have successfully signed up, they are directed to the login page. To test the prototype, users have to log in using the same user ID and pass-colour created during sign-up. After successfully logging in, users are given a questionnaire asking about their perception of pass-colour authentication.
Prototype design – Use case
The main purpose of a use case diagram is to show what system functions are performed for which actor. Roles of the actors in the system can be described.
Use case - register new user
This use case starts when the user clicks on register.
| User Request | System Response |
| --- | --- |
| This use case starts when the user accesses the given URL and clicks the “Register” link to register with the system. | The system opens the registration form. |
| On the opening of the form, the user inserts the values (user name and pass-colour) in the given fields and clicks the “Submit” button. | The system receives the input and validates the user by checking that the user name is unique. |
Use case - login registered user
This use case starts when the “Student” wants to log in to the system. The purpose of this use case is to authenticate students with the system. The student must therefore already be registered with the system; if the login is successful, the student is authenticated.
| User Request | System Response |
| --- | --- |
| The student enters his login information, i.e. user name and pass-colour, and clicks on the login button. | The system checks whether the name exists; if it does, the response is OK, and if it is not found the student is asked to re-enter the name. The system also checks the pass-colour; if it is correct, the user is authenticated to use the system. |
Implementation of the system
First of all I installed the required software, XAMPP and Dreamweaver.
It took about two weeks to implement this authentication system.
Code for the application
Login Page
The login page is kept very simple: the user is shown the username and pass-colour fields and a block of colours from which to select their pass-colours.
<?php include("config.php"); ?>
<?php
$message="";
if(isset($_GET['logout']))
{
unset($_SESSION['loggedin']);
unset($_SESSION['username']);
unset($_SESSION['colour']);
}
if(isset($_POST['form_action']) && $_POST['form_action']=='post')
{
$query=sprintf(
"SELECT * FROM users WHERE username='%s'",
mysql_real_escape_string($_POST['User_ID'])
);
$result=mysql_query($query);
if(!$result)
{
$message="Invalid Username, Password or Color selection.";
}
else
{
$record=mysql_fetch_object($result);
if($record && $record->colour==($_POST['Color_1'] . $_POST['Color_2'] . $_POST['Color_3']))
{
$_SESSION['loggedin']=$record->id;
$_SESSION['username']=$record->username;
$_SESSION['colour']=$record->colour;
header("location:dashboard.php");
exit; // stop here so the login form is not rendered after the redirect
}
else
{
$message="Invalid Username, Password or Color selection.";
}
}
//print_r($record);
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Pass-Colour Authentication System</title>
<script type="text/javascript" language="javascript1.1" src="js/common.js"></script>
<link href="css/common.css" rel="stylesheet" type="text/css" />
</head>
<body onload="clearColors();">
<?php if($message!="") echo("<h2 style='color:red'>$message</h2>"); ?>
<form action="index.php" method="post" onsubmit="MM_validateForm('User ID','','R','Password','','R');return document.MM_returnValue" >
<input type="hidden" name="form_action" value="post" />
<input type="hidden" name="Color 1" id="Color 1" value="" />
<input type="hidden" name="Color 2" id="Color 2" value="" />
<input type="hidden" name="Color 3" id="Color 3" value="" />
<input type="hidden" name="color_slot" id="color_slot" value="1" />
<h2 style="color:green">Colour based Authentication System for University of Portsmouth Library</h2>
<table width="320" border="0" cellspacing="2" cellpadding="2">
<tr>
<td colspan="2">Do not have account? <a href="signup.php">Sign up here!</a></td>
<td> </td>
</tr>
<tr>
<td colspan="2"><b>Please Login Here:</b></td>
<td> </td>
</tr>
<tr>
<td>User Name:</td>
<td><input type="text" name="User ID" id="User ID" value="" /></td>
</tr>
<tr>
<td> </td>
<td><input type="submit" value="login" /></td>
</tr>
<?php include("color-boxes.php"); ?>
<tr>
<td> </td>
<td>
<br />
<input type="submit" value="Login" />
</td>
</tr>
</table>
</form>
</body>
</html>
Registration page
<?php include("config.php"); ?>
<?php
$message="";
if(isset($_POST['form_action']) && $_POST['form_action']=='post')
{
$query=sprintf(
"SELECT count(id) AS records FROM users WHERE username='%s'",
mysql_real_escape_string($_POST['User_ID'])
);
$result=mysql_query($query);
$record=mysql_fetch_object($result);
if($record->records==0)
{
$query="
INSERT INTO
users
(
username,
colour
) VALUES (
'%s',
'%s'
);
";
$query=sprintf(
$query,
mysql_real_escape_string($_POST['User_ID']),
mysql_real_escape_string($_POST['Color_1'] . $_POST['Color_2'] . $_POST['Color_3'])
);
mysql_query($query);
header('location:confirmation.php');
exit; // "break" is only valid inside a loop or switch; end the script after the redirect
}
else
{
$message="Username already exists";
}
//print_r($record);
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Pass-Colour Authentication System</title>
<script type="text/javascript" language="javascript1.1" src="js/common.js"></script>
<link href="css/common.css" rel="stylesheet" type="text/css" />
</head>
<body onload="clearColors();">
<?php if($message!="") echo("<h2 style='color:red'>$message</h2>"); ?>
<form action="signup.php" method="post" onsubmit="MM_validateForm('Name','','R','User ID','','R','Password','','R','Color 1','','R');return document.MM_returnValue" >
<input type="hidden" name="form_action" value="post" />
<input type="hidden" name="Color 1" id="Color 1" value="" />
<input type="hidden" name="Color 2" id="Color 2" value="" />
<input type="hidden" name="Color 3" id="Color 3" value="" />
<input type="hidden" name="color_slot" id="color_slot" value="1" />
<h2 style="color:green">Sign up for Colour based Authentication System for University of Portsmouth Library</h2>
<table width="320" border="0" cellspacing="2" cellpadding="2">
<tr>
<td colspan="2"><b>Signup Here:</b></td>
<td> </td>
</tr>
<tr>
<td colspan="2">Use the following form to sign up. All fields are required.</td>
<td> </td>
</tr>
<tr>
<td>User Name:</td>
<td><input type="text" name="User ID" id="User ID" value="" maxlength="30" /></td>
</tr>
<?php include("color-boxes.php"); ?>
<tr>
<td> </td>
<td>
<br />
<input type="submit" value="Signup" />
</td>
</tr>
</table>
</form>
</body>
</html>
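The login and registration pages above keep the pass-colour in the users table as plain text and, as shown, place no limit on guesses. The following added example (not the project's own code) performs the same two operations while storing only a password_hash() value, using parameterised queries and locking the account after repeated failures; the in-memory SQLite database, the extra columns and the two limits are assumptions.

```php
<?php
// Added example, not the project's code. Assumptions: an in-memory SQLite database
// via PDO stands in for the page's MySQL `users` table; the columns colour_hash,
// failures and locked_until, and both limits below, are hypothetical.

const MAX_FAILURES = 5;   // assumed: failed attempts before the account locks
const LOCK_SECONDS = 900; // assumed: how long a locked account stays locked

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE,
        colour_hash TEXT NOT NULL, failures INTEGER NOT NULL DEFAULT 0,
        locked_until INTEGER NOT NULL DEFAULT 0)');
    return $db;
}

/** Validate one to three '#RRGGBB' picks and join them, as the page's forms do. */
function canonicalPassColour(array $picks): ?string
{
    $picks = array_values(array_filter($picks, fn($p) => $p !== '' && $p !== null));
    if (count($picks) < 1 || count($picks) > 3) {
        return null;
    }
    foreach ($picks as $p) {
        if (!is_string($p) || !preg_match('/\A#[0-9A-Fa-f]{6}\z/', $p)) {
            return null;
        }
    }
    return strtoupper(implode('', $picks));
}

function register(PDO $db, string $username, array $picks): bool
{
    $secret = canonicalPassColour($picks);
    if ($secret === null || $username === '' || strlen($username) > 30) {
        return false;
    }
    try {
        // Placeholders keep the values out of the SQL text; only a hash is stored.
        $db->prepare('INSERT INTO users (username, colour_hash) VALUES (?, ?)')
           ->execute([$username, password_hash($secret, PASSWORD_DEFAULT)]);
        return true;
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') {
            return false; // UNIQUE violation: the user name is already taken
        }
        throw $e;
    }
}

function login(PDO $db, string $username, array $picks, ?int $now = null): bool
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('no-such-user', PASSWORD_DEFAULT);
    $now ??= time();
    $secret = canonicalPassColour($picks) ?? '';

    $stmt = $db->prepare('SELECT id, colour_hash, failures, locked_until FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        password_verify($secret, $dummyHash); // do the same work as for a real account
        return false;
    }
    if ((int) $user['locked_until'] > $now) {
        return false; // locked: refuse without evaluating the guess
    }
    if ($secret !== '' && password_verify($secret, $user['colour_hash'])) {
        $db->prepare('UPDATE users SET failures = 0, locked_until = 0 WHERE id = ?')
           ->execute([$user['id']]);
        return true;
    }
    $failures = (int) $user['failures'] + 1;
    $lock = $failures >= MAX_FAILURES;
    $db->prepare('UPDATE users SET failures = ?, locked_until = ? WHERE id = ?')
       ->execute([$lock ? 0 : $failures, $lock ? $now + LOCK_SECONDS : 0, $user['id']]);
    return false;
}

// Constructed sample account and guesses.
$db = openDb();
$good = ['#5D8AA8', '#E32636', '#0000FF'];
$t0 = 1000000; // constructed clock value so the lock window is deterministic
$results = [
    'register'       => register($db, 'student1', $good),
    'register again' => register($db, 'student1', $good),
    'login correct'  => login($db, 'student1', $good, $t0),
];
for ($i = 0; $i < MAX_FAILURES; $i++) {
    login($db, 'student1', ['#000000'], $t0);
}
$results['correct while locked'] = login($db, 'student1', $good, $t0 + 1);
$results['correct after lock']   = login($db, 'student1', $good, $t0 + LOCK_SECONDS + 1);
var_dump($results);
```

With at most three picks from 27 colours the secret space is small, so the attempt limit does more to resist guessing than the hash does. Account lockout also lets anyone who knows a user name lock that user out, so it is usually paired with throttling per source.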
Sign up confirmation code
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Pass-Colour Authentication System</title>
<link href="css/common.css" rel="stylesheet" type="text/css" />
</head>
<body>
<h2 style='color:green'>Thank you for signing up!</h2>
<b><a href="index.php">Click Here</a> to login.</b>
</body>
</html>
Colour box
This code generates colour sets.
<tr>
<td>Pass-Colors:</td>
<td>
<img id="slot_1" src="images/trans.gif" width="20" height="20" style="margin:1px;border:solid;border-width:1px;border-color:black;" />
<img id="slot_2" src="images/trans.gif" width="20" height="20" style="margin:1px;border:solid;border-width:1px;border-color:black;" />
<img id="slot_3" src="images/trans.gif" width="20" height="20" style="margin:1px;border:solid;border-width:1px;border-color:black;" />
</td>
</tr>
<tr>
<td> </td>
<td><input type="button" value="Clear Selected Colors" onclick="clearColors();" /></td>
</tr>
<tr>
<td> </td>
<td>
<br />
Please click on the color below.
</td>
</tr>
<tr>
<td > </td>
<td >
<?php
$colors=array();
$colors[0]="5D8AA8";
$colors[1]="E32636";
$colors[2]="ED3CCA";
$colors[3]="9966CC";
$colors[4]="FFBF00";
$colors[5]="0000FF";
$colors[6]="008000";
$colors[7]="8DB600";
$colors[8]="FBCEB1";
$colors[9]="00FFFF";
$colors[10]="4B5320";
$colors[11]="3B444B";
$colors[12]="007FFF";
$colors[13]="66FF00";
$colors[14]="FDEE00";
$colors[15]="6E7F80";
$colors[16]="000000";
$colors[17]="ffffff";
$colors[18]="DFFF00";
$colors[19]="00008B";
$colors[20]="FBAED2";
$colors[21]="20B2AA";
$colors[22]="69359C";
$colors[23]="FF6700";
$colors[24]="704214";
$colors[25]="933D41";
$colors[26]="4682B4";
shuffle($colors);
$count=9;
echo ("<div id='palet1' style='display:inline' >");
foreach($colors as $color)
{
// start a new hidden palette after every 9 colours
if($count%9==0 && $count>9)
{
echo"</div>";
echo ("<div style='display:none' id='palet".($count/9)."' >");
}
echo("<a href=\"javascript:selectColor('#" . $color . "');\">");
echo("<img src='images/trans.gif' width='70' height='70' style='background-color:#" . $color . ";margin:1px;border:solid;border-width:1px;border-color:black;' alt='" . $color . "' title='" . $color . "' />");
echo("</a>");
++$count;
}
echo"</div>";
echo ("<input type='button' id='next' value='Show Next' onclick='shownext()' />");
echo ("<input type='button' id='back' value='Show Previous' onclick='showprevious()' style='display:none' />");
?>
</td>
</tr>
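The colour-box code above shuffles all 27 colours in one pass, so a colour can land in a different set on each page load, whereas the design text keeps the sets fixed and shuffles only inside each set. The added example below (not the project's own code) does the latter with random_int(); the assignment of colours to sets and the function names are assumptions.

```php
<?php
// Added example, not the project's code. Which colours belong to which set is
// an assumption: the page lists 27 colours but no set membership.

$palette = [
    '5D8AA8', 'E32636', 'ED3CCA', '9966CC', 'FFBF00', '0000FF', '008000', '8DB600', 'FBCEB1', // set 1 (assumed)
    '00FFFF', '4B5320', '3B444B', '007FFF', '66FF00', 'FDEE00', '6E7F80', '000000', 'FFFFFF', // set 2 (assumed)
    'DFFF00', '00008B', 'FBAED2', '20B2AA', '69359C', 'FF6700', '704214', '933D41', '4682B4', // set 3 (assumed)
];

/** Fisher-Yates shuffle driven by random_int(), PHP's CSPRNG-backed integer source. */
function secureShuffle(array $items): array
{
    $items = array_values($items);
    for ($i = count($items) - 1; $i > 0; $i--) {
        $j = random_int(0, $i);
        [$items[$i], $items[$j]] = [$items[$j], $items[$i]];
    }
    return $items;
}

/** Keep set membership fixed; randomise only the position of colours inside each set. */
function buildColourSets(array $palette, int $perSet = 9): array
{
    $palette = array_map('strtoupper', $palette);
    if ($perSet < 1 || count($palette) === 0 || count($palette) % $perSet !== 0) {
        throw new InvalidArgumentException('palette size must be a non-zero multiple of the set size');
    }
    if (count(array_unique($palette)) !== count($palette)) {
        throw new InvalidArgumentException('palette contains a duplicate colour');
    }
    $sets = [];
    foreach (array_chunk($palette, $perSet) as $index => $set) {
        $sets[$index + 1] = secureShuffle($set);
    }
    return $sets;
}

/** Render the sets as the palet1..paletN blocks used by the page; only the first is visible. */
function renderColourSets(array $sets): string
{
    $html = '';
    foreach ($sets as $number => $set) {
        $display = $number === 1 ? 'inline' : 'none';
        $html .= "<div id='palet{$number}' style='display:{$display}'>";
        foreach ($set as $colour) {
            // No alt/title text: a tooltip with the hex value would label the colour on screen.
            $html .= "<a href=\"javascript:selectColor('#{$colour}');\">"
                   . "<img src='images/trans.gif' width='70' height='70' alt='' "
                   . "style='background-color:#{$colour};margin:1px;border:1px solid black;' /></a>";
        }
        $html .= '</div>';
    }
    return $html;
}

$sets = buildColourSets($palette);
// Check that shuffling moved colours only within their own set.
foreach (array_chunk($palette, 9) as $index => $original) {
    $shown = $sets[$index + 1];
    sort($original);
    sort($shown);
    if ($original !== $shown) {
        throw new RuntimeException('colour moved between sets');
    }
}
echo renderColourSets($sets), PHP_EOL;
```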
After the user has successfully logged in, the next page is the dashboard, which shows the options to log out and to update the profile.
<?php include("config.php"); ?>
<?php include("security.php"); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Pass-Colour System</title>
<link href="css/common.css" rel="stylesheet" type="text/css" />
</head>
<body>
<h2 style='color:green'>Logged in for Colour based Authentication System for University of Portsmouth Library</h2>
<b><a href="index.php?logout">Click Here</a> to logout.</b>
<br />
<br />
Username: <?php echo(htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8')); ?><br /><br />
<a href="profile.php">Click Here</a> to update your profile.
</body>
</html>
10 - 07 - 2010
Questionnaire
I have designed a questionnaire to conduct the survey with real users for testing the experimental system. I have attached the file of my questionnaire.
14 - 07 - 2010
Meeting with supervisor
Discussed the authentication method which I have designed for my experiment. I also described my proposed experiment and the design and implementation of my prototype.
I showed my questionnaire to my supervisor for approval and it was marked OK with a few changes to the format of a couple of questions. There was also a detailed discussion about the hypothesis I wrote about the experiment.
15 - 07 - 2010
Hypothesis
The data collected from the questionnaire and user testing will be analysed and evaluated to produce a descriptive analysis. The data analysis focuses on user acceptance of Pass-Colour authentication, pass-colour memorability, and constructive suggestions, such as colour issues and interface issues, to improve the prototype in the future. Some of the questions which will be asked during the survey are mentioned below, together with the hypothesised response of users. The questionnaire is divided into four parts, i.e. colour selection, feasibility of the CBA system, comparison with other authentication systems and assessment of the issues related to the system.
Colour selection
This part is very important for learning how users choose their pass-colours. The options chosen by respondents will give an idea of what kind of colours should be used to improve the system. The format of this part is given in the attached file.
I prefer to choose identical colors.
It is suspected that most people will disagree with this statement. As the system requires the student to select their pass-colour from the colour set, it would be difficult for them to pick their pass-colours if many colours are similar to each other. If a student registers with three pass-colours selected from three different colour sets, there is a big chance of selecting an incorrect pass-colour at login if they are identical.
I prefer to choose contrast colors.
However, in contrast to the above statement, the majority of students will strongly agree with this assumption. If a student registers with three pass-colours which contrast with each other, for example white, black and red, it will be easy for him/her to select those colours at login.
I prefer to choose colors based on pattern.
It is hypothesised that most participants tend to choose colours based on patterns and not on the colours themselves. This means that participants choose colours on the same row or column in order to memorise them easily. The problem with such a system would be security: anyone who looks at your pass-colour while you are selecting it for login can guess it. Also, if the colours are at a fixed place, students can describe them to their friends, who can then use their accounts, which is illegal. So, to solve these problems, the colours should be arranged in random order.
I prefer randomly generated color.
It is expected that less than 50 % of users would like the colours to be arranged in random order, as it could be difficult for them to find their exact colour. This percentage will increase once users have practised enough to become familiar with the system, and also if users are given a description of the security problems with a pattern-based system.
What amount of the colours should be given to choose your pass-colour?
An important issue is the number of colours that users want to be able to choose from for their password. To resolve that issue, this question is included in the survey to take the opinion of the users, and it is expected that results will be evenly split between 12, 24 and 48 colours. Only a few of the respondents would like to have as many as 216 colours to choose from. The reason is that users would like to have more choice of colours, but not too many, because then it would be too confusing.
How many colors you prefer to choose for you pass-color?
This data will indicate the maximum number of colours that respondents consider memorable. After analysing all the pass-colours registered or created in the CBA system database, it is expected that most of the online respondents who test the prototype will use one colour as their password. This may be because they have only just come across the system in order to fill in the questionnaire. This will change once the system is implemented. It is expected that choosing three colours would be ideal for authentication and also easy to remember.
Respondents would also agree that more colours to choose from is better, since this is similar to having a larger password space, which makes it harder for an attacker to guess or brute-force the pass-colour.
Feasibility of the system
This is the second part of the questionnaire, which is designed to take the opinions of users about the system's compatibility and feasibility.
Colour Base Authentication System is feasible to use
From previous research it can be expected that about 65 percent of the users would agree that it is feasible to use colour for authentication. Most of them would like pass-colour because they feel that it is more secure and easy to memorise. In contrast, only 35% of the respondents will feel that it is not feasible to use colour as a password. Some of the reasons for this rejection may be that they feel that the traditional method is more secure and easier to remember. They may also argue that an attacker will have an easier way to crack the pass-colour.
Further improvements can be made to make it more feasible.
It is supposed that some of the respondents would agree with this statement even if they agree with the above statement. There will be 25% of the respondents who would say that pass-colour is feasible if further improvement is carried out.
Some of the suggestions given would be to provide more colours to choose from, to provide some association between colours and other symbols or images, and, a very good suggestion, to mix the use of text and colour for authentication. So it is hypothesised that the majority of the respondents will agree that there is potential for the use of colours for authentication. 25% of the respondents agreed that, with further improvement of the current prototype, pass-colour could be more memorable than a text-based password.
Memorizing color is more convenient as compared to text based password.
One of the main things that the research is trying to find out is whether users feel that memorising colour is more convenient than the traditional way of memorising text. Although 65% of the respondents agree that colour can be used for authentication, 75% of the respondents will still say that it is easier to remember a text-based password than colour. Only a few of the respondents will say that it is easier to remember colours.
This could be due to habits that we are already used to, so it takes time to introduce new changes. We also believe that there is some association between those who like pass-colour and how the brain works, such as their being more of a right-brain person, but further testing needs to be carried out in order to prove that.
CBA is an interesting way of authentication
It is very important to take the opinion of users about their interest in a new authentication system. Every student will have their own experience, but it will be interesting for the majority of students to use CBA. The students who succeed in performing their authentication are likely to find it interesting, and those who fail may not agree with this.
As the success rate of authentication is expected to be 96 %, it can be hypothesised that about 95 % of users will regard this as an interesting authentication system.
Comparison with other authentication systems
This is the most important and critical part of the questionnaire. In this section we compare the CBA system with other authentication systems on different aspects, i.e. authenticated, convenient and time-efficient.
Which authentication method is more authenticated? Rank from 1 (more authenticated) to 4 (less authenticated).
| Authentication Method | Order |
| --- | --- |
| CBA | 3 |
| Username + Password | 2 |
| PIN and Bank Card | 1 |
| Card swiping | 4 |
As the ranking in the Order column shows, most students will put CBA in 3rd place. The reason for this is that all of the students are confident about their bank accounts, where they use a PIN and bank card, and also, as already mentioned, the password is the traditional way of authentication, so it will also get priority over the CBA system.
Which authentication method is most convenient? Rank from 1 (most convenient) to 4 (least convenient).
| Authentication Method | Order |
| --- | --- |
| CBA | 2 |
| Username + Password | 1 |
| PIN and Bank Card | 4 |
| Card Swipe | 3 |
It is expected that CBA will be at number 2 and password at number 1. This is because it will be easy for the students to use a password, but CBA will also be considered better than PIN and Card Swipe as it will create some interest, so some of the students would say CBA is the most convenient.
Which authentication method is time efficient? Rank ordering from 1 (fastest) to 4 (slowest).
| Authentication Method | Order |
|---|---|
| CBA | 4 |
| Username + Password | 2 |
| PIN and Bank Card | 3 |
| Card Swipe | 1 |

It is expected that CBA will be at the bottom and Card Swipe at number 1, because just taking fingerprints is easy, as students do not need to use any keyboard, just touch the card on the reader. On the other hand, recognising the colours and selecting the correct ones will take some time.
Assessing color selection issues
This part assesses some issues which might be the reason that some students do not like CBA. This part is very important to improve the system.
The colours were identical
As we use a large number of colours in the colour-set, it will confuse the users when they look for their pass-colours at the login stage. So, it is expected that a high number of students will agree with this statement if they fail to log in.
I did not find colours which I want to select
Everyone has a different choice of colours. If someone would like to select a colour at registration time and that colour is not in the colour-set, it will take a long time for the user to find that colour and the session may expire during registration. Even though it is not such a special case, I hope that many of the students who failed in registration will agree with this statement.
Colours changed positions in Colour-set
It is the main function of CBA to randomize the colours in the colour-set every time it is displayed. As it is necessary for the security of CBA, it is expected that only a few students will agree with this statement.
Do you agree with the CBA system being used for the library system?
It is expected that most of the students will agree with this statement. They will be confident enough to use CBA for its security and also for its feasibility of use. The students cannot write down the pass-colour or describe it to friends, which increases their trust in the CBA system.
21 – 07 - 10
I researched the questionnaire and went through the “power of survey design” again to refine the questionnaire, and I made the necessary changes in the format of the questions.
The qualities of a good questionnaire
No survey can achieve success without a well-designed questionnaire. There are no hard-and-fast rules about how to design a questionnaire, but there are a number of points that are kept in mind while designing a questionnaire:
1. A well-designed questionnaire should meet the research objectives. This may seem obvious, but many research surveys skip important aspects due to poor preparatory work, and do not effectively search particular issues due to poor understanding. To a certain degree some of this is usual. Every survey is bound to leave some questions unanswered and provide a need for further research but the objective of good questionnaire design is to 'minimize' these problems.
2. It should obtain the most complete and accurate information possible. The questionnaire designer needs to ensure that respondents fully understand the questions and are not likely to refuse to answer, lie to the interviewer or try to conceal their attitudes. A good questionnaire is organized and worded to encourage respondents to provide accurate, unbiased and complete information.
3. A well-designed questionnaire should make it easy for respondents to give the necessary information and for the interviewer to record the answer and it should be arranged so that sound analysis and interpretation are possible.
4. It should keep the interview brief and to the point and be so arranged that the respondent(s) remain interested throughout the interview.
Time savings and data quality control
The more complex the questionnaire, the more difficult it is to estimate the exact timing of survey completion. Many factors influence the sequential implementation of the survey. Apart from some important features such as the length of the questionnaire, the size and composition of the sample, and the number of interviewers, some other important factors are considered while designing the questionnaire. For example, a well-designed questionnaire definitely affects the timing of the interview.
The appropriate use of skipping patterns and clarity of definitions and sentences will not only speed up the interview process but also ensure accurate data. The quality of the interviewers is another factor influencing the timely completion of the survey. This survey will be conducted in the library with real users to get high cooperation and complete the interviews in a short time.
Improving question design
This is one of the important steps to improve the quality of survey data. There are two basic rules which are used to design a questionnaire: relevancy and accuracy. Relevancy is achieved by recognizing the questions, by knowing the objectives of the questions and the type of information needed. A question is accurate if it collects the information required in a reliable and valid manner. A respondent will not be asked something he does not understand clearly.
Question wording
Because of the unique needs of each question, there is no theory on question wording. However, four criteria are considered while wording any question: brief, objective, simple, and specific (or BOSS).
Prior weak
30 - 07 - 2010
After discussion with Mr. Chi I made some changes in the application I designed. The main problem I was facing was with the colours displayed, as I proposed to show them in three different colour sets but they were only showing in one eye span. So I successfully achieved my required application. There were also some other changes suggested by the supervisor to make it easier for the user to give a quick response. As I used some other fields for registering a user, like first name, last name, email ID etc., I removed all these fields to save time. Other things I removed from the system were the option for updating the profile and telling the user its security level.
30 - 07 - 2010
I went to university for web hosting but unfortunately today the lab was closed at 12:30 pm and I was a bit late.
After that I went to the library to take prints of the questionnaire.
I have attached the questionnaire file.
01 - 08 - 2010
Uploaded the survey on Survey Monkey to get help from remote respondents. The link to this survey is given below.
Click here to take survey
02 - 08 - 2010
Today I again tried to meet someone in the university to upload the system on the web but did not find the right person. I met Mr Arrow, who told me that Mr Philip is responsible for web hosting and he is on vacation.
03 - 08 - 2010
Finally, I uploaded the system on the website so that respondents can easily access this authentication system.
The URL is given below:
http://demos.timeslot.biz/pass-colour/
04 - 08 - 2010
I started survey with real users.
06 - 08 - 2010
Today I went to the library but did not find any respondents, then I went to the Portland building where open access has been shifted. I successfully conducted the survey with four students.
13 - 08 - 2010
So far I have conducted the survey with 34 students by visiting different departments of the university and the library.
17 - 08 - 2010
After conducting the survey with 45 people I started to enter the data into a sheet.
22 - 08 - 2010
Summary of the Survey results
Colour Selection
The survey results show that only 37% of surveyed students agree or strongly agree that they prefer to choose identical colours. As identical colors confuse the students, 42% disagree or strongly disagree with the statement “I prefer to choose identical colors”. The remaining 21% of respondents are neutral on this statement. Interestingly, 69% of the users agree or strongly agree with the next statement, “I prefer to choose contrast colours”. Only 11% of users disagree or strongly disagree and the remaining 20% had no preference.
A majority of the users, about 55%, agree or strongly agree with the statement “I prefer to choose colors based on pattern”. 23% disagree or strongly disagree and the remaining 22% are neutral on this statement. Only 38% of users agree or strongly agree with randomly generated colors. 42% of the respondents disagree or strongly disagree with the statement “I prefer randomly generated colors” and the remaining 20% had no preference.
An interesting result is that there are equal preferences, 42% each, for 12 and 24 as the total number of colors offered for choosing a pass-color. Only 12% of users want a total of 48 colors and the remaining 5% want as many as 216 colors. Most of the users, about 47%, prefer to select three colors for authentication and 29% want to select two colors. There are only 11% for the one-color and 13% for the four-color option.
Overall, students prefer to choose contrast colors that are pattern based so they can easily remember their pass-color. They do not want a large number of colors to be displayed that can be confusing and users prefer to select three of them for their authentication.
Feasibility of the System
A visible majority of 60% agree or strongly agree with the statement that color base authentication is feasible to use. Only 18% of users disagree with this statement and the remaining 24% are neutral. Beyond that, about 70% of users agreed or strongly agreed that further improvements can make it more feasible. Interestingly, no one disagrees with this statement and 30% have no preference.
Most of the users, about 49%, agree or strongly agree with the statement “Memorizing color is more convenient as compared to text based password”. Only 30% disagree and the remaining 21% are neutral on this statement. A large share, 74% of users, found CBA an interesting way of authentication. Only 14% of users disagreed or strongly disagreed with the statement “CBA is an interesting way of authentication” and the remaining 12% had no preference.
Results show that CBA is a feasible authentication system and it can be better with further improvements. It is also considered more convenient to memorize than traditional passwords and also interesting to use.
Comparison with other authentication systems
Almost all of the mentioned authentication methods got the same preference in the case of feasibility of the authentication systems, as 28% of users selected CBA, 27% PIN and bank card, 24% card swiping and 20% username and password. But looking at the results, CBA is considered the most authenticated while username and password is the least authenticated.
Most of the respondents, about 44%, gave priority to Biometrics as the most convenient authentication. In second rank was password with 29%, in third CBA with 20%, and PIN and bank card at number four with 7%. For time efficiency, Biometrics was again ranked first, by 56% of users, and CBA by 34%. Only 7% and 4% of users ranked password and PIN and bank card respectively.
However, while CBA is considered more authenticated than the other methods, it is not considered more convenient than the others. Most of the users gave it second rank for time efficiency.
Assessing color selection issues
Most of the users, about 51%, agree or strongly agree with the statement “I have problem with identical colors”. Only 15% disagreed and 24% are neutral on this statement. Some 19% of users agree or strongly agree with the statement “I did not find the color which I want to select”, 50% disagree or strongly disagree and 31% have no preference. 47% of the respondents agree or strongly agree with the statement “I feel difficulty with the Colours changing their positions in color-set”, only 17% disagree and the remaining 36% are neutral.
A clear majority, about 54% of users, recommended the color base authentication system to be implemented in the library. 24% selected no and 22% don’t know about implementation in the library.
27 - 08 - 2010
Data Analysis
Selection of pass-colors
This section discusses the users' choice of pass-colors. The users have given different feedback about the color selection criteria for their authentication, which is very important to analyze.
Findings
The survey results show that only 37% of surveyed students like to choose identical colors. It can be concluded that the majority of the survey participants avoid selecting identical colors and prefer to choose contrast colors, as they are easy to recognize. Furthermore, it was also noticed that users did not prefer randomly generated colors, as this confuses the users when selecting the correct colors. 69% of users like to have colors at their fixed positions every time they see the color-set. A brief description of the results is given in the diagram below.
UNIQUE COLORS
There are different techniques that users have used while selecting their pass-colors. Most of the students selected colors which are unique in the color-set. For example, there is only one black color in the color-set, so users mostly selected this color in preference to other colors, some of which closely match each other. This result can be compared to the way users choose text based passwords: they select passwords which are easy to remember, while they avoid difficult ones.
Comparison with text based password
Unique colors are very important for successful authentication in color based authentication. Meaningful and interesting key inputs are very important for usability in both kinds of authentication system, the text password based one and the color based one. In text password systems, users mostly choose passwords which either have personal meaning to them, such as their pet animals, or whose meaning they understand. For example, there is more chance of a user choosing “cat” as a password than “g2hbb33bv4d”, which has no meaning.
The same applies to color-based systems: the results show that black is selected many times more than blue, because there are two blue colors, light and dark, whereas there is only one black color in the color-set. So users have selected black for successful authentication as it is easy to recognize. Since only contrast colors are allowed in the color-set, users still look for the most unique ones, or at least the most charming to them.
It is interesting to note that while some of the users prefer their 3 pass-colors to look identical to each other, they like them to look different and unique from the rest of the colors.
However, the majority of the users are nervous about selecting identical pass-colors since they believe that it would be easier for an attacker to guess them. Many users commented that in the color-set of 27 colors there are only 5 colors which look more unique; as most students are selecting their pass-colors from these 5 colors, a hacker would guess that the 3 pass-color combination comes from those 5 colors.
Finding
Identical key inputs are of more concern in color-based authentication systems than in text based passwords. In color-based systems, the survey results show that usability is greatly enhanced where the colors offered contrast enough; this is not the case in text-based systems. If a user has selected the password “asd123”, the user has to type that password in the password field. So the user can easily enter the password using the keyboard and does not need to identify it from any character set.
Evaluation
From the above examples, it can be concluded that while identical colors can make it a problem to recognize the correct colors, text based passwords do not suffer from such problems. Therefore, it can rightly be stated that ‘too’ similar colors are an issue only in recognition-based systems. Eliminating such identical key inputs is, therefore, an important factor for the success of recognition based systems, such as color-based or image-based systems.
The data collected from the survey also confirms that users are not willing to pick identical colors for their pass-colors. The table below shows the number as well as the percentage of participants who prefer identical and contrast colors.
| | Participants (%) | Participants | Total Participants |
|---|---|---|---|
| I prefer to choose identical colors | 37% | 17 | 45 |
| I prefer to choose contrast colors | 69% | 31 | 45 |

These are two different questions in the survey, asked to get more accurate feedback from the users, as some users had no preference on the first statement, “I prefer to choose identical colors”, but agreed or strongly agreed with the next statement, “I prefer to choose contrast color”. That is why there is a little difference between the number of participants in the first and second statements and the total number of participants.
Randomization of the colors
This is another feature of the color base authentication system: the pass-colors are randomized every time they are displayed. The reason for this is to increase security, as already described. The survey response to the statement “I prefer randomly generated colors” is not good because users had problems recognizing their pass-colors, as this was a new authentication system for them. On the other hand, 55% of users like to have pattern based colors.
Comparison with text password
This feature of randomization differentiates the CBA system from text based passwords. It is considered more secure. For example, if you type a password sitting in the library, there is a chance that somebody sitting next to you sees your finger movements on the keyboard and succeeds in hacking your password. On the other hand, there is no such chance in CBA, as the colors are displayed randomly and divided into three color-sets. The intruder cannot see the colors in one eye span, and their changing positions every time makes it difficult to guess the pass-color. For example, if a hacker sees the user select a color and tries to guess it, that color may no longer be in that position or color-set.
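The randomized three-set display described above can be sketched as follows. This is an added example, not the notebook's own application code: it assumes colours are numbered 0 to 26, three equal sets of nine, an ordered pass-colour, and a client that reports clicked (set, position) pairs; all function and class names are hypothetical.

```python
import hashlib
import hmac
import secrets

N_COLOURS, N_SETS = 27, 3            # figures from the notebook
PER_SET = N_COLOURS // N_SETS        # assumption: three equal sets of nine
MAX_LEN = 3                          # pass-colour is 1 to 3 colours, repeats allowed
CSPRNG = secrets.SystemRandom()      # OS randomness, so layouts cannot be predicted


def new_layout(rng=CSPRNG):
    """Shuffle all colour ids and deal them into the three colour-sets."""
    ids = list(range(N_COLOURS))
    rng.shuffle(ids)
    return [ids[s * PER_SET:(s + 1) * PER_SET] for s in range(N_SETS)]


def digest(colour_ids, salt):
    # Assumption: order matters. Salted PBKDF2 slows offline guessing, but it
    # cannot compensate for a small key space, so attempt limiting is needed too.
    return hashlib.pbkdf2_hmac("sha256", bytes(colour_ids), salt, 100_000)


def enroll(colour_ids):
    """Create the stored record for a new pass-colour."""
    if not 1 <= len(colour_ids) <= MAX_LEN:
        raise ValueError("pass-colour must be 1 to 3 colours")
    if any(not 0 <= c < N_COLOURS for c in colour_ids):
        raise ValueError("unknown colour id")
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": digest(colour_ids, salt)}


def resolve(layout, clicks):
    """Map (set, position) clicks to colour ids using the server-held layout."""
    ids = []
    for s, p in clicks:
        if not (0 <= s < N_SETS and 0 <= p < PER_SET):
            return None
        ids.append(layout[s][p])
    return ids


def clicks_for(layout, colour_ids):
    """What an honest user does: find each pass-colour wherever it landed."""
    where = {c: (s, p) for s, row in enumerate(layout) for p, c in enumerate(row)}
    return [where[c] for c in colour_ids]


class LoginService:
    def __init__(self, max_failures=5):
        self.records, self.pending, self.failures = {}, {}, {}
        self.max_failures = max_failures

    def register(self, user, colour_ids):
        self.records[user] = enroll(colour_ids)

    def challenge(self, user, rng=CSPRNG):
        """Issue a fresh layout for the next login attempt only."""
        self.pending[user] = new_layout(rng)
        return self.pending[user]

    def login(self, user, clicks):
        layout = self.pending.pop(user, None)     # each layout is single use
        record = self.records.get(user)
        if layout is None or record is None:
            return False
        if self.failures.get(user, 0) >= self.max_failures:
            return False                          # locked until reset out of band
        ids = resolve(layout, clicks)
        ok = (ids is not None and 1 <= len(ids) <= MAX_LEN and
              hmac.compare_digest(digest(ids, record["salt"]), record["hash"]))
        self.failures[user] = 0 if ok else self.failures.get(user, 0) + 1
        return ok
```

Because the layout is held on the server and discarded after one attempt, click positions observed during one login resolve to different colours on the next display.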
Findings
The survey results show that most of the users are not happy with the randomization of the colors because it is not feasible for them to find their pass-color as the colors keep changing positions, which confuses the users. But there were some students who really appreciated this feature. Thus, users need to be given more awareness, as it is essential from a security point of view.
Evaluation
From the above discussion it can be concluded that users only dislike randomization because of the recognition problem. But it can become easy for them with some practice. For example, my favorite color is red and I have selected that color as one of my pass-colors. The first time I tried to log in to my account after registration, it was difficult for me to find that color, because at registration time it was in the first color-set and at login I found it in the third color-set. So it took some time to find, but the next time I found this color in less time, and now I just skim the colors and within seconds I can find all of my pass-colors.
The data collected from the survey shows that users are reluctant about the randomization of the colors in the color-sets. The table below shows the number as well as the percentage of participants who prefer colors shown in patterns and randomly generated colors.
| | Participants (%) | Participants | Total Participants |
|---|---|---|---|
| I prefer the colors based on pattern | 55% | 25 | 45 |
| I prefer randomly generated colors | 38% | 17 | 45 |
Total amount of colors
Another question asked was the number of colors that the users want to be able to choose from for their password. This question has four options, i.e. 12, 24, 48 and 216. An interesting result is that there are equal preferences, 42% each, for 12 and 24 as the total number of colors given to the user to choose a pass-color from, as shown in the figure below. Only a few users want to have 48 or 216 colors.
Finding
The result suggests that users do not like to have more choices of colors as it would be too confusing.
Evaluation
Respondents also agree that more colors to choose from is better, since this is similar to having a larger password space, which makes it harder for an attacker to guess or brute force the pass-color. But the drawback of many colors, as in the 216 color set (please refer to the figure below), was that users had difficulty distinguishing the colors.
Based on the figure, the colors look identical and it is harder to distinguish them. That is the reason the CBA system is designed with 27 colors, to keep it easy for users to identify their pass-colors.
Comparison with text based password
A large number of colors is not a good idea for successful authentication in color based authentication. Specific key inputs are very important for usability in both kinds of authentication system, the text password based one and the color based one. In text password systems, users mostly choose alphabetic passwords; few users add numbers and symbols to their password, because of feasibility of use. Users can repeat some characters and use the uppercase and lowercase forms of the 26 alphabetic characters. For example, I would prefer to select the password “JabranButt” rather than “hgusd$%&97|\” because it is feasible to recall. If I used some symbols and numbers it would be difficult for me to remember, so I used a mix of uppercase and lowercase and also repeated some characters to enhance security.
The CBA system is also designed in such a way that it is not only feasible to use but also secure. As the results show that users don’t like a large number of colors, only 27 colors are used in the CBA system to make it feasible. On the other hand, there is no restriction on repeating a color; for example, users can select a color combination like black, blue and black, in any order, just as some characters are repeated in the text password in the above example. To enhance security, the colors are also divided into three color-sets and randomized as discussed before, which makes sense in the same way as using upper and lower case letters in passwords.
Number of colors chosen as a pass-color
The survey also collected the number of colors chosen by each respondent, to see the minimum and maximum number of colors clicked. This data indicates the maximum number of colors that respondents consider memorable. From the figure we can see that most of the respondents, about 47%, choose three colors, which is the maximum limit for the pass-color. Only about 12% of users each select 1 and 4, and the remaining 29% of users like to have 2 colors as their pass-color.
Findings
Although the survey results show that users mostly want to select 3 colors for their authentication, during the test of the experimental system most users selected only one color. After analyzing all the pass-colors that had been registered or created in the CBA system database, most of the respondents (50%) who tested the prototype had used one color. This is because the system was only being tested for the purpose of the survey, which may have caused users not to try the prototype properly; as a result, most respondents who were asked to try out the pass-color chose only one color.
Evaluation
From the results it can be concluded that recognizing 3 colors is not difficult; it is a suitable number of colors for usability. Respondents also agree that more colors to choose from is better, since this is similar to having a larger password space, which makes it harder for an attacker to guess or brute force the pass-color. The maximum length of a pass-color is 3, but there is no minimum restriction: users can also select 1 or 2 colors. If we compare this feature with passwords, we can see that some websites require a password of at least 6 characters or the addition of numbers and symbols, which feels uncomfortable. Here, in the CBA system, the choice of length given to the user makes it more feasible.
Overall, from this part of the survey we can conclude that users prefer to choose contrast colors that are pattern based so they can easily remember their pass-color. They do not want a large number of colors to be displayed, which can confuse them when recognizing their pass-colors, and users prefer to select three of them for their authentication.
01- 09 - 2010
2. Feasibility of the system
This section evaluates the feasibility of the CBA system: whether there is any need for further improvements, whether memorizing the colors is convenient for users, and whether users take an interest in this authentication system.
Findings of this section
The survey results show a visible majority of 60% of users who say that CBA is a feasible authentication system. Although it is a big achievement for the CBA system that a large percentage of users like it, surprisingly 70% of users want further improvements in the system. Most of the users, about 50%, agree that memorizing color is more convenient as compared to text based password, and a high percentage of users, about 75%, take CBA as an interesting way of authentication. More detail on the results is given in the diagram below.
CBA is feasible to use
From the results, generally, 60% of the respondents agree that it is feasible to use color as authentication. Most of them would like pass-color because they feel that it is more secure and easy to memorize. In contrast, only 18% of the respondents feel that it is not feasible to use color as a password. Some of the reasons for this rejection may be that they felt that the traditional method is more secure and easier to remember. They also argue that an attacker will have an easier way to crack the pass-color.
Further improvements in CBA
Further analysis of the feedback allows us to identify that 70% of users agree that further improvements can make it more feasible. This is a very interesting result: there are some respondents who agree on its feasibility but still want some improvements to make CBA more feasible. Some of the suggestions given were to provide more colors to choose from and to provide some association between color and other symbols or images, and a very good suggestion is to mix the use of text and color as authentication. Some users also complain about the interface, saying that all colors should be in one block, not in three different color-sets. The table below shows the number as well as the percentage of participants who agree with the feasibility of the system and who want further improvements.

| | Participants (%) | Participants | Total Participants |
|---|---|---|---|
| CBA is feasible to use | 60% | 27 | 45 |
| Further improvements can make it more feasible | 70% | 32 | 45 |
Evaluation
It can be deduced from the results that color base authentication is feasible to use in the sense of both usability and security. CBA uses 3 key inputs, which is easy for users to remember. The interface of the system is so simple that everyone who tries it for the first time can easily understand it. There is no restriction that the user must select 3 colors; 1 or 2 colors are also accepted by the CBA system, to provide a more convenient way to use the system. On the other hand, 3 pass-colors represent a reasonable security level.
The results show that there is a large proportion of users who want further improvements. They gave different comments about this. Most users want the color name shown with the color when they bring the cursor over it, so that they can easily find their color, while many users don’t want this because of security problems. Most of the suggestions given by the respondents can be considered, but, as mentioned before, some users want the colors in one block; this can breach security, as the system must not only be feasible but also provide security.
Comparison with text based password
One of the main things that the research is trying to find out is whether users feel that memorizing color is more convenient compared to the traditional way of memorizing text. Although 60% of the respondents agree that color can be used as authentication, 49% of the respondents agree that color is easier to remember than passwords. The results show that there are still some users who feel that memorizing a password is easy compared to color, even though they consider CBA a feasible authentication system. On the other hand, only 30% of users say that a text password is easier to remember than color.
This could be due to habits that we are already used to, so it takes time to introduce new changes. We also believe that there is some association between those who like pass-color and how the brain works, such as being more of a right-brain person.
Finding
The results show that it is easy for users to recognize their colors. This result is beyond my expectation, as it was expected that 75% of users would say that a text password is easier to remember than colors. There are a few users who still think that a text password is easier to remember.
CBA is an interesting way of authentication
This question was included in the survey to take the opinion of users about their interest in a new authentication system. Every user has their own experience, but the majority of users, 74%, found CBA an interesting way of authentication. Only 14% of users disagree with this statement.
Finding
Although a large majority of users take an interest in CBA, the expectation was higher than this. The reason may be that the students who succeeded in performing their authentication are likely to find this interesting, and those who failed are not taking an interest in this system. The table below shows the number as well as the percentage of participants who think that memorizing color is more convenient as compared to text password and of participants who take an interest in CBA.

| | Participants (%) | Participants | Total Participants |
|---|---|---|---|
| Memorizing color is easier than password | 49% | 22 | 45 |
| CBA is an interesting way of authentication | 74% | 33 | 45 |
Evaluation
The results show that most users prefer color over password when it comes to memorizing. While text passwords depend totally on recall, color base systems depend on both recognition and recall. They depend on recognition in the sense that the system shows the pass-colors in the color-set and the user is required to identify the correct pass-colors after recognizing them among all the colors. And they depend on recall in the sense that users recall their colors when they need to perform authentication, which makes it easier for users to memorize. Also, memorizing 3 colors does not put much load on the user’s memory compared to text passwords.
Although using the CBA system was a first-time experience, it can still be stated that the majority of those surveyed find memorizing colors more convenient than text passwords. In addition, users find CBA easy to use and more fun to use compared to password based systems. A clear majority of the people found that CBA is an interesting way of authentication.
05 - 09 - 2010
Comparison with other authentication systems
In this section the CBA system is compared with other authentication systems which are very common these days, to assess usability. The users were asked to order four authentication methods in terms of their feasibility, ease of use and time efficiency. The authentication methods were chosen such that almost all participants had experienced them before. The authentication methods are:
1. Color based Authentication System
2. User name and password
3. PIN and Bank Card
4. Swipe cards
The traditional username and password system is a common authentication method that the students use several times a day. For example, when they log in to use any computer in the university, when they log in to their student portals, when they check their emails or when they use online purchasing web sites.
Indeed, every student has a bank account, since it is needed for every student, and thus they must all have used and have experience with a bank card and a PIN (Personal Identification Number), such as when they carry out a transaction at an automatic teller machine (ATM).
Swipe card is another authentication method; it is implemented at the entrance of the library. Everyone who uses the library must swipe a card to enter, which means that all the users also know about this system.
5.3.1 Comparison about authentication
A majority of the respondents think that CBA is the most authenticated of the four. Users were asked to order the four systems from 1 (most authenticated) to 4 (least authenticated). The CBA system was ranked first and second by 28% of users each. Similarly, about 27% ranked PIN and bank card first and second each. Interestingly, username and password is considered the least authenticated system of the four, while swipe card is placed third by the respondents. The results are shown in the diagram below.
5.3.1.1 Finding
It can be concluded from the results that no system has a clear majority, but the majority of users trust CBA as an authenticated system, as most of them ranked it 1 or 2. The swipe card, on the other hand, is ranked fourth in the chart by the majority of users and first by an average number of users.
5.3.1.2 Evaluation
CBA is considered the best authentication system of the four mentioned above. This is because in CBA users need to recognize their colors, which can neither be stolen from the user like a card nor easily hacked like a password. A swipe card depends entirely on the card itself: if you lose it or someone steals it from you, they can use it easily, as there is no PIN or password to enter. If a bank card is lost or stolen, on the other hand, there is a greater chance that the thief succeeds in entering the correct PIN and takes all of your money, because there are only ten digits and, as everybody knows, exactly four of them make up the PIN. The probability of a security violation is therefore higher than with the CBA system, which has 27 colors in total and where nobody knows how many colors you have selected as your pass-colors.
The results show that username and password is considered the least authenticated system. This is because it is the most common system and users have seen more incidents of password hacking. Passwords are also vulnerable to different kinds of attack, such as guessing, shoulder-surfing and dictionary attacks. CBA is less vulnerable to these attacks: the mouse is used for input rather than the keyboard, so there is no chance of a dictionary attack; the colors are generated randomly to protect against shoulder surfing; and the colors are not easy to guess either.
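The guessing argument above (ten digits and a four-digit PIN against 27 colors and a hidden number of pass-colors) can be made concrete by counting keys. The following is an added example, not code from the CBA project; it models only blind guessing of the stored key, and whether selection order matters, the 1 to 5 range for an unknown number of pass-colors and the limit of 3 attempts are all assumptions.

```python
from math import comb, perm

PALETTE = 27                 # colors in the CBA color-set (from the text)
PIN_DIGITS, PIN_LEN = 10, 4  # ten digits, four used per PIN (from the text)


def pin_keyspace(length=PIN_LEN, digits=PIN_DIGITS):
    """Number of possible PINs: each position can be any digit."""
    return digits ** length


def cba_keyspace(k, palette=PALETTE, ordered=False):
    """Number of possible keys made of k distinct pass-colors.

    ordered=False: the key is a set of colors (assumption).
    ordered=True:  the colors must be picked in sequence (assumption).
    """
    return perm(palette, k) if ordered else comb(palette, k)


def cba_keyspace_unknown_length(k_min, k_max, palette=PALETTE, ordered=False):
    """Keyspace when the attacker only knows k lies in [k_min, k_max]."""
    return sum(cba_keyspace(k, palette, ordered) for k in range(k_min, k_max + 1))


def guess_success(keyspace, attempts):
    """Chance of a hit within `attempts` distinct, uniformly random guesses."""
    return min(attempts, keyspace) / keyspace


def compare(attempts=3):
    """Rows of (scheme, keyspace, success chance) for a fixed attempt limit."""
    schemes = [
        ("4-digit PIN", pin_keyspace()),
        ("CBA, 3 colors, unordered", cba_keyspace(3)),
        ("CBA, 3 colors, ordered", cba_keyspace(3, ordered=True)),
        ("CBA, 1-5 colors, unordered", cba_keyspace_unknown_length(1, 5)),
    ]
    return [(name, n, guess_success(n, attempts)) for name, n in schemes]


if __name__ == "__main__":
    for name, n, p in compare():
        print(f"{name:28s} keyspace={n:>7d}  P(hit in 3 tries)={p:.5f}")
```

Under these assumptions a known-length, unordered 3-color key has a smaller keyspace than a 4-digit PIN; the CBA key only becomes harder to guess when selection order matters or the number of pass-colors really is hidden from the attacker.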
5.3.2 Comparison about ease of use
Survey results show that only 20% of users think that CBA is convenient to use, while 42% rate it in second place. A large share of users, about 44%, consider the swipe card the most convenient system of the four. 29% of users rank username and password first, and only 7% think that bank card and PIN is easy to use. The chart below gives detailed information about the results.
5.3.2.1 Findings
Overall, about 80% of users think that CBA is not easy to use; on the other hand, 42% of respondents place it second, which makes these results confusing to analyze. In any case, the swipe card is considered the easiest system, with about 44% of users ranking it first. The second easiest system is username and password, and bank card and PIN is placed fourth.
5.3.2.2 Evaluation
There are many reasons why CBA is not considered easy. The most important is that all of the respondents were using CBA for the first time, and many of them had some problem recognizing their pass-colors. Some users failed their authentication because they did not recognize their pass-colors. This might be why some users did not consider CBA the most convenient system. As the results show, the swipe card is the easiest system of the four. The reason is that users do not need a keyboard or mouse for input; they just swipe the card on the reader and are authenticated. It is a simple and easy way of authenticating.
Bank card and PIN is considered the least convenient method, because users have to insert the card in the machine and then enter a PIN as well. Users are therefore providing two different kinds of input, which might be why it is not considered easy. Although 20% of the users found the CBA system easy to use, they still believe that a password is easier to use than CBA. In the username and password system users are only required to enter their user name and password, whereas in the color-based authentication system they are required to recognize their pass-colors for a successful login.
5.3.3 Comparison about time efficiency
The survey data shows that the CBA system is the second fastest of the four, as about 34% of users rank it first and 22% second. The swipe card is considered the most time-efficient system; a large majority of the users, about 54%, rank it first. Only 7% of users think the password is the fastest system, and 4% selected bank card and PIN. Details of the results are given in the chart below.
5.3.3.1 Findings
It can be concluded from the survey results that, although the idea of using colors as a password is relatively new, most of the respondents think CBA is faster than text-based passwords. Overall, CBA is ranked as the second fastest authentication system of the four by the users. A majority of respondents consider the swipe card the fastest system.
5.3.3.2 Evaluation
Surprisingly, the results show that CBA is faster than text-based passwords. The participants did not take long to check the colors. They took a quick look at the color-set and were able to recognize their colors correctly, even though this data was collected after a single experience with the CBA system. It is expected that, as users gain more experience with the system and with selecting their 3 pass-colors, they will skim through the color-set more quickly to verify whether their pass-color is displayed in it.
Text-based passwords depend on recall rather than recognition, and users need to type the correct password to be authenticated rather than identify the input keys. When entering a password the user needs to be careful about every character to authenticate successfully; if they try to enter the password quickly, it may be wrong. In most cases there is also a need to use the shift key and the numeric and symbol keys, so it takes some time to enter the correct password. This is not the case with the CBA system: users can quickly skim the colors and, with a few clicks of the mouse, select the correct pass-colors and authenticate, which takes less time than a text-based password.
Overall, it can be concluded from the discussion in this section that CBA is the most authenticated system of the four mentioned and is considered a relatively convenient system. CBA is also time efficient: the users gave it second rank for time efficiency. More details of this section are given in the table below.
| Subject | CBA | Username + Password | PIN + Bank Card | Swipe Card |
|---|---|---|---|---|
| Authentication | 13 Participants (28%) | 9 Participants (20%) | 12 Participants (27%) | 14 Participants (24%) |
| Ease of Use | 9 Participants (20%) | 13 Participants (29%) | 3 Participants (7%) | 20 Participants (44%) |
| Time Efficient | 15 Participants (34%) | 3 Participants (7%) | 2 Participants (4%) | 25 Participants (56%) |
The number and percentage of the participants who gave rank one to each authentication system
5.4 Assessing color selection issues
This section is included in the questionnaire to assess some issues raised by the users. It is very important to highlight the causes of any problem for users, so that the issues pointed out by the students can be resolved when the CBA system is reconfigured.
The survey data shows that a majority of the users, about 51%, had a problem with identical colors, and 47% of the users raised the issue of difficulty with randomly generated colors. Only 19% of users complained that the color they wanted to select as their pass-color was not available. For a detailed description of the results, please refer to the diagram below.
5.4.1 Finding
A majority of users have a problem with identical colors and with colors changing their positions in the color-set.
5.4.2 Evaluation
Although an effort was made to keep identical colors out, there are still some colors that resemble each other a little. These colors are kept in the color-set for security purposes, as strongly contrasting colors are easy to hack. For example, someone sitting next to you can easily see the colors you select if they contrast with each other. If they are somewhat similar, it is very difficult for someone to guess what you selected after looking at it. The main reason users faced this problem is that this was their first experience with the CBA system. Many students who failed to log in at the first try because they could not select the correct colors registered again; this time they were more careful about their selection of colors and were successfully authenticated.
Although there are many different colors in the color-set, some students want different colors of their own choice. If we compare this result with the question about the total number of colors, we find that the same percentage of respondents wanted a total of 216 colors. This means that there are a few users who would like a large choice of colors so that they can find their favorite color.
Randomization of the colors is a very important function of the CBA system. The reason for this has already been explained in the first section of the questionnaire: the CBA system is designed so that colors keep changing their positions to improve the security level. But the results show that many users have a problem with this. Again, the reason is the users' first-time experience with the CBA system, and it is hoped that once the students are used to the system they will not have any problem. The table below shows the number as well as the percentage of participants who raised these issues.
| | Participants (%) | Participants | Total Participants |
|---|---|---|---|
| I have problem with identical colors | 51% | 23 | 45 |
| I did not find color which I want to select | 19% | 9 | 45 |
| I feel difficulty with colors changing their positions in color-sets. | 47% | 21 | 45 |
5.5 Would you recommend CBA system to be implemented in library?
This is the last question of the questionnaire, asking the students whether or not the CBA system should be implemented in the library. The survey results show a clear majority of users, about 54%, who recommend that the CBA system be implemented in the university library. This percentage could go up if the students gain enough experience with the CBA system. Only 24% of users did not recommend implementing the CBA system in the library; they still think that the traditional "username and password" system is better. The main reason for this is that some users did not take an interest in CBA, and some users want to share their passwords with friends, which is not possible in the CBA system. 22% of users chose the option "I don't know", as shown in the chart below.
Overall, it can be concluded that it is a good idea to implement the CBA system in the library, as the results show that most of the users are in favor of this system. Those who oppose it just need some practice and a description of the advantages of CBA to take an interest in the system. Some changes to the system are also needed to attract more users, as many of them commented on this.
5.6 Comments
Users were given free space at the end of the questionnaire to leave comments if they wished. Many users left comments; some that are considered important are highlighted below:
1. It is hard to characterize colors which have similar shades, choosing color password is easy, but remembering it is hard. (Vaibhav Avhad/ECE)
2. It is unique and a good idea for authentication and seems secure as passwords can be stolen, this method seems innovative. (Lawrence/ECE)
3. Please choose the colors which are normally used all the times. (Ming Jien Tai/Civil Engineering)
4. Each color should be numbered in case if you forget your pass-colors, you can write down a number code when you sign up. (Mathew Courtnell/ Creative Technologies)
5. It could be more feasible if colors are not of the same shape. (Ali Najam/ECE)
6. CBA is best as this colors phenomenon is quite observable in nature and always close to me. (Mansoor Khatak/ SLAS)
7. CBA system is convenient system in order to remember – more interesting. (Ahmed alwaal/ Civil Engineering)
8. Higher the range of colors more confusing it is, for instance it is easier to recognize only one type of green instead of light green or dark green. (Salim Abdulkareem/ ECE)
07 - 09 - 2010
Report writing
09 - 09 - 2010
Report formatting
13 - 09 - 2010
Booking for binding
14 - 09 - 2010
Today I took the prints and gave them for binding
17 - 09 - 2010
Final day of submission