Enhanced Virtual Password Authentication Scheme Resistant to Shoulder Surfing

Biswas Gurung 1, P.W.C. Prasad 1, Abeer Alsadoon 1, Amr Elchouemi 2
1 School of Computing and Mathematics, Charles Sturt University, Sydney, Australia
2 Walden University, Minneapolis, United States

Abstract— A username and password based login mechanism is commonly used for authenticating a user in online environments. It is a popular scheme because it helps to balance the usability and security traits of the system. However, online environments and pervasive computing may bring many risks through adversaries. A shoulder-surfing attack is one such risk, in which an attacker observes the authentication process and captures the victim's password. This paper proposes a hybrid authentication scheme termed “Enhanced Virtual Password Authentication (EVPA)”. EVPA is designed to implement a virtual password mechanism to resist shoulder-surfing attacks. The virtual password mechanism requires a string part of the password and a mathematical functional value to secure user passwords. The mathematical functional value changes for each login session. This method uses a system-generated random value and a secret mathematical operation applied to the pre-selected secret number to obtain the mathematical functional value. Several experiments were conducted and the results demonstrate that systems are resilient to password attacks and usable for day-to-day purposes.

Keywords— Virtual Password Authentication, Shoulder Surfing, Authentication Scheme, Password

I. INTRODUCTION

Due to the rapid development of new technologies, a secure password has become indispensable for protecting users' information. The conventional password scheme is a widely used authentication technique in which users log into the computer system using usernames and passwords. The system authenticates users against a user database and grants access to the system on the basis of that authentication.
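The virtual password mechanism summarized in the abstract can be sketched as a per-login challenge and response. This is an added example, not the authors' implementation: the operation set, the two-digit range of the random value, the layout "string part followed by the decimal functional value", and all names (EVPAServer, user_response) are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Assumed operation set: the paper says only "secret mathematical operation".
OPS = {"add": lambda r, s: r + s, "sub": lambda r, s: r - s, "mul": lambda r, s: r * s}

def _kdf(string_part, salt):
    return hashlib.pbkdf2_hmac("sha256", string_part.encode(), salt, 100_000)

def user_response(string_part, secret_number, op, r):
    """What the user types: string part followed by the functional value (assumed layout)."""
    return string_part + str(OPS[op](r, secret_number))

class EVPAServer:
    def __init__(self):
        self.users = {}    # username -> (salt, digest, secret_number, op)
        self.pending = {}  # username -> random value issued for the current login

    def register(self, user, string_part, secret_number, op):
        salt = secrets.token_bytes(16)
        # Only the string part can be hashed. The server has to recompute the
        # functional value, so the secret number and operation are stored in
        # recoverable form and need protection at rest.
        self.users[user] = (salt, _kdf(string_part, salt), secret_number, op)

    def challenge(self, user):
        r = secrets.randbelow(90) + 10  # assumed range 10..99, easy mental arithmetic
        self.pending[user] = r
        return r

    def verify(self, user, virtual_password):
        r = self.pending.pop(user, None)  # single use: an observed entry cannot be replayed
        if r is None or user not in self.users:
            return False
        salt, digest, secret_number, op = self.users[user]
        suffix = str(OPS[op](r, secret_number))
        typed_value = virtual_password[-len(suffix):]
        string_part = virtual_password[:-len(suffix)]
        value_ok = hmac.compare_digest(typed_value.encode(), suffix.encode())
        string_ok = hmac.compare_digest(_kdf(string_part, salt), digest)
        return value_ok and string_ok

if __name__ == "__main__":
    server = EVPAServer()
    server.register("alice", "tulip", 7, "mul")  # constructed sample account
    r = server.challenge("alice")
    entry = user_response("tulip", 7, "mul", r)
    print(r, entry, server.verify("alice", entry), server.verify("alice", entry))
```

The second verify call in the demo fails because the random value is consumed on first use, so an entry captured during one session is not accepted in the next.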
This technique is useful in protecting user data as it allows only an authenticated user to access the system. However, this scheme is vulnerable to various types of attacks including shoulder-surfing attacks, key loggers, brute force attacks, dictionary attacks, spyware, eavesdropping, etc. [1].

One of the conventional password schemes is the textual password. Users usually prefer short and simple passwords that are easy to recall. This makes the scheme more insecure and susceptible to attack. Using a long and random password is secure but impractical, as users need to remember longer and more complex passwords. The graphical password scheme has been proposed to address this problem. Graphical passwords are easy to recall and recognize. Considering that graphics are easy to remember and that humans are the weakest link in any authentication mechanism, this scheme can deliver a decent bargain between usability and security [2]. Nonetheless, the shoulder-surfing risk is more serious for graphical passwords because of the visual interface. An intruder can easily capture graphical passwords through direct human observation or video surveillance. Shoulder surfing is a known risk where an intruder observes or records the authentication session, thereby capturing the password [3].

Many approaches have been proposed to mitigate the shoulder-surfing risk found in graphical password schemes. However, they still have substantial usability disadvantages, generally in the time and effort needed to log in, making them less suitable for everyday authentication. Also, many of the schemes are traceable and can be exposed through continuous observation. Due to these substantial usability disadvantages, there is a strong need for an extended authentication solution that addresses the issue for everyday authentication purposes. This paper will review the current shoulder-surfing resistant schemes, their working mechanisms and features.
It focuses on identifying advantages and limitations from the system perspective. Based on the limitations, it proposes a new hybrid solution termed “Enhanced Virtual Password Authentication (EVPA)” to address the issues that persist in current solutions. The discussion introduces the characteristics of the components and how the scheme operates, including a worked example of registration and login.

The paper is organized as follows. Section 2 provides a literature review of the current solutions proposed to tackle shoulder-surfing attacks. Section 3 explains the proposed hybrid solution in detail, and the results and analysis of the proposed solution are given in Section 4. Finally, Section 5 concludes the report, suggesting limitations and possibilities for future work.

II. LITERATURE REVIEW

This section will review the current shoulder-surfing resistant schemes along with their working mechanisms, techniques, advantages, and limitations. In addition, the usability and user acceptance of those current solutions are analyzed.

A. Existing solutions to the Shoulder-Surfing Risk

Shoulder-surfing attacks have existed for a long time. Many techniques have been proposed to resist such attacks. This paper discusses sixteen techniques based on their functionalities; they are presented in the following sections.

1) Recognition-based graphical Authentication scheme

Liu [4] proposed a Novel Cued-recall Graphical Password inheriting the basic principle of the Passpoint scheme and introducing the idea of image identification. It uses four pass images

2015 Second International Conference on Soft Computing and Machine Intelligence 978-1-4673-9819-0/15 $31.00 © 2015 IEEE DOI 10.1109/ISCMI.2015.37 134