International Journal of Communication Networks and Information Security (IJCNIS), Vol. 13, No. 1, April 2021

A Hybrid Graphical User Authentication Scheme in Mobile Cloud Computing Environments

Khalil H. A. Al-Shqeerat (1) and Khalil Ibrahim Abuzanouneh (2)

(1) Department of Computer Science, College of Computer, Qassim University, Buraydah, Saudi Arabia
(2) Department of Information Technology, College of Computer, Qassim University, Buraydah, Saudi Arabia

Abstract: User authentication is a critical security requirement for accessing resources in cloud computing systems. Text-based passwords are the standard way of authenticating users and are still extensively used. However, textual passwords are difficult to remember, which forces users to write them down and compromises security. In recent years, graphical user authentication methods have been proposed as an alternative way to verify the identity of users. The most critical challenge cloud-computing users face is that their sensitive data is posted on external servers that are not directly under their control and that may be used or managed by other people. This paper proposes a question-based hybrid graphical user authentication scheme for portable cloud-computing environments. The proposed scheme combines the advantages of both recognition- and recall-based techniques without storing any sensitive information on cloud servers. An experimental study and a survey were conducted to investigate user satisfaction with the performance and usability of the proposed scheme. The results show that the proposed scheme is secure, easy to use, and immune to potential password attacks such as brute-force password guessing and shoulder surfing.

Keywords: Security, Cloud Computing, Authentication, Graphical Password, Recognition Technique, Recall Technique.

1. Introduction

An authentication process is a critical security requirement for any remote system.
It determines whether a user can access services or not. Nevertheless, most cloud computing systems still rely on the conventional alphanumeric password, stored as a hash, to authenticate the identity of a legitimate user and control their access to resources. A classical textual password has significant security and usability problems [1]. Attackers may guess or obtain a weak, short password in a variety of ways, such as brute-force, dictionary, or other common password-cracking attacks. Users can pick a long, complicated password to avoid guessing attacks. However, a strong password is often hard to remember, which forces users to write it down on a sheet of paper or store it on their smartphone or in a computer file. Graphical passwords have been proposed as a potential alternative to overcome these text-based problems, mainly because humans recognize and remember visual information better than text strings. The graphical password was initially presented in [2]: an image appears on the screen, and the authentication server allows users to select a few predefined regions. Once users choose the correct regions, their identities are verified successfully. A graphical password enables a user to remember a password drawn from a large, complex space. The space of a graphical password is considerably larger than that of a conventional password because of the large number of possible images [3]. Furthermore, graphical passwords can also resist dictionary attacks, since they depend on mouse input rather than the keyboard, and almost no searchable dictionaries exist for launching dictionary attacks against them. Nevertheless, graphical passwords take more time than classical textual passwords, since the user has to go through a longer process of selecting many images or following a series of predefined points in order.
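The region-based graphical password attributed above to [2], together with the password-space comparison, as an added example (not code from the paper): a constructed 2x2 region layout on a 400x300 image is assumed, and the ordered region indices rather than the raw click coordinates are hashed, so the stored verifier contains no sensitive click data. The space functions also show why a small region set yields a small password space, the weakness noted for PassFace-style schemes.

```python
import hashlib
import hmac
import math
import os

# Constructed layout: predefined rectangular regions (x0, y0, x1, y1) on a
# 400x300 image. Region indices form the "alphabet" of the graphical password.
REGIONS = [
    (0, 0, 200, 150), (200, 0, 400, 150),
    (0, 150, 200, 300), (200, 150, 400, 300),
]

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the stored verifier

def region_of(click, regions=REGIONS):
    """Map an (x, y) click to the index of the region containing it, or None."""
    x, y = click
    for i, (x0, y0, x1, y1) in enumerate(regions):
        if x0 <= x < x1 and y0 <= y < y1:
            return i
    return None

def _encode(indices):
    # Canonical byte encoding of the ordered region sequence, e.g. b"0,1,2".
    return ",".join(str(i) for i in indices).encode()

def register(clicks, regions=REGIONS):
    """Turn the ordered registration clicks into a salted verifier.
    Only salt and digest are kept; the click sequence itself is never stored."""
    idx = [region_of(c, regions) for c in clicks]
    if None in idx:
        raise ValueError("click outside every predefined region")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _encode(idx), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}

def verify(record, clicks, regions=REGIONS):
    """Recompute the verifier from the login clicks; compare in constant time.
    Any click in the same region matches, so exact pixels need not be repeated."""
    idx = [region_of(c, regions) for c in clicks]
    if None in idx:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", _encode(idx), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])

def graphical_space_bits(n_regions, k_clicks):
    """log2 of the ordered password space n^k (regions may repeat)."""
    return k_clicks * math.log2(n_regions)

def textual_space_bits(alphabet_size, length):
    """log2 of the textual password space alphabet_size^length."""
    return length * math.log2(alphabet_size)
```

With only four regions and three clicks the space is 6 bits, far below an 8-character password over 62 symbols (about 47.6 bits); the graphical space only exceeds the textual one when the image is divided into many regions or several images are used.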
Generally, graphical passwords are divided into two main categories, recognition-based and recall-based authentication techniques [4]. In recognition-based techniques, a set of images is presented to the user, and authentication is accomplished by detecting and identifying the images selected during the registration phase. In recall-based techniques, the user must re-submit something that he or she picked in advance. For cloud computing authentication systems, graphical authentication problems must be addressed in depth, covering both security and usability aspects, to secure cloud systems effectively [5]. Many security flaws in web-based environments have emerged when implementing graphical authentication systems [6]. The server may be secured in such web environments, while the client machine may have potential security vulnerabilities that would breach the graphical authentication system. Moreover, some graphical authentication schemes use the same images for any feasible input, which makes them vulnerable to attackers [7]. For example, the PassFace technique has a small password space, in which users often pick predictable and weak graphical passwords by selecting the same click points in the image. This paper aims to provide a reliable, easy-to-use, and secure authentication technique appropriate for mobile cloud computing environments. The proposed hybrid graphical user authentication scheme combines the benefits of recognition-based and recall-based techniques without storing any confidential information on cloud computing servers. The rest of this paper is structured as follows. Section II covers recent research literature related to the proposed authentication scheme. Section III elaborates on the design of the proposed work. Section IV analyzes the security features and usability of the proposed scheme. Section V implements the authentication scheme and discusses the results obtained from an experimental study.

2. Literature Review

Several graphical-based authentication schemes have been suggested in the last decade. This section focuses on some research related to the proposed scheme.