Security and usability in click-based authentication systems

Web applications widely use text passwords to confirm people's identity. However, investigations reveal that text passwords have many problems and that there is a need for alternative solutions. For instance, users often forget their passwords, or choose passwords which are easy to guess or vulnerable to cracking tools. Further, people write passwords down and/or share them with others. In addition, phishing attacks (using fraudulent websites to steal users' credentials) continue to cost millions of dollars every year. During the second half of 2009, the Anti-Phishing Working Group (APWG) reported 126,697 unique phishing attacks worldwide. As such, one of this research's objectives is to investigate public awareness of, and attitude towards, text password security and usability, supported by surveying both up-to-date literature and users. The aim of this research is to develop an alternative solution using visual passwords (VPs) to authenticate users on web applications and to investigate its security and usability. A VP can be many things: a set of images used as a login portfolio, click-points inside images, or a doodle (signature) drawn by a user. Since text passwords are favoured for their usability over tokens and biometrics, the research scope has been set to investigate alternative ideas which do not require resources additional to the standard computer devices used to sustain human-computer interaction, such as mouse and keyboard. VPs have the potential to provide an alternative solution within this scope. A comprehensive survey of the VP schemes found in the literature is conducted, followed by a security and usability evaluation in which click-based systems are selected as the most suitable approach to achieve the aims and objectives of this research. Click-based systems are VP authentication schemes in which the VP is a sequence of click-points performed on one or more images.
Further, user perceptions were investigated to study their acceptance of various authentication mechanisms and techniques. A novel click-based scheme is presented and developed throughout the research to introduce and investigate novel ideas that maintain security and usability simultaneously. It can resist multiple phishing and shoulder-surfing attacks without revealing the full user credentials. Further, the layout is designed to prevent MiTM attacks, also known as the second generation of phishing attacks. The VP is hashed to resist database attacks, and the password space is extremely large compared to text passwords, to resist brute-force attacks. It has dual cues to maintain memorability, and password recall is easy even when the VP is system-generated. Usability is considered through observation and laboratory studies to meet the requirements of HCI-Sec (Secure Human-Computer Interactions), aiming to present a secure scheme people can actually use.

Identifier: oai:union.ndltd.org:bl.uk/oai:ethos.bl.uk:570944
Date: January 2011
Creators: al-Khateeb, Haider
Publisher: University of Bedfordshire
Source Sets: Ethos UK
Detected Language: English
Type: Electronic Thesis or Dissertation
Source: http://hdl.handle.net/10547/142229