IPAS: Implicit Password Authentication System

Sadiq Almuairfi
Dept. of Computer Science and Computer Engineering
La Trobe University, 3086, Melbourne, Australia
sadiqjafar@students.latrobe.edu.au

Parakash Veeraraghavan and Naveen Chilamkurti
Dept. of Computer Science and Computer Engineering
La Trobe University, 3086, Melbourne, Australia
{p.veera, n.chilamkurti}@latrobe.edu.au

Abstract— Authentication is the first line of defense against compromising confidentiality and integrity. Though traditional login/password based schemes are easy to implement, they have been subjected to several attacks. As an alternative, token and biometric based authentication systems were introduced. However, they have not improved substantially enough to justify the investment. Thus, a variation of the login/password scheme, viz. the graphical scheme, was introduced. But it also suffered from shoulder-surfing and screen dump attacks. In this paper, we introduce a framework for our proposed Implicit Password Authentication System (IPAS), which is immune to the common attacks suffered by other authentication schemes.

Keywords: Authentication; Graphical Password; Security; Mobile Banking.

I. INTRODUCTION

Authentication is the process of determining whether a particular individual or device should be allowed to access a system, an application, or merely an object running on a device. This is an important process which assures the basic security goals, viz. confidentiality and integrity. Also, adequate authentication is the first line of defense for protecting any resource. It is important to note that the same authentication technique need not be used in every scenario. For example, a less sophisticated approach may be used for accessing a “chat server” compared to accessing a corporate database. Most of the existing authentication schemes require processing both at the client and at the server end.
Thus, the acceptability of any authentication scheme greatly depends on its robustness against attacks as well as its resource requirements both at the client and at the server end. The resource requirement has become a major factor due to the proliferation of mobile and hand-held devices. Nowadays, with the use of mobile phones, users can access any information, including banking and corporate databases. In this paper, we specifically target the mobile banking domain and propose a new and intelligent authentication scheme. However, our proposal can also be used in other domains where confidentiality and integrity are the major security requirements.

The rest of the paper is organized as follows: Section 2 deals with various authentication schemes and their advantages and disadvantages. In Section 3, we describe the main problems of the existing schemes. In Section 4, we present our proposal and discuss its strengths and weaknesses compared with the existing schemes. Section 5 deals with the conclusion and future directions.

II. VARIOUS AUTHENTICATION SCHEMES

There are several authentication schemes available in the literature. They can be broadly classified as follows:

What you know
What you have, and
What you are

The traditional username/password or PIN based authentication scheme is an example of the “what you know” type. Smartcards or electronic tokens are examples of the “what you have” type of authentication, and finally biometric based authentication schemes are examples of the “what you are” type of authentication. Some authentication systems may use a combination of the above schemes. In this paper, we focus only on the “what you know” type of authentication.

Although traditional alphanumeric passwords are used widely, they have problems such as being hard to remember and being vulnerable to guessing, dictionary attacks, key-loggers, shoulder-surfing and social engineering [1]. In addition to these types of attacks, a user may tend to choose a weak password or write his password down.
This may further weaken the authentication scheme.

As an alternative to the traditional password based scheme, the biometric system was introduced. This relies upon unique features that remain unchanged during the lifetime of a human, such as fingerprints, iris patterns, etc. The major problem of biometrics as an authentication scheme is the high cost of the additional devices needed for the identification process [2]. The false-positive and false-negative rates may also be high if the devices are not robust. Biometric systems are vulnerable to replay attacks (by the use of sticky residue left by a finger on the device), which reduces their security and usability levels. Thus, recent developments have attempted to overcome biometric shortcomings by introducing token-based authentication schemes.

Token based systems rely on the use of a physical device such as a smartcard or electronic key for authentication purposes. This may also be used in conjunction with the

2011 Workshops of International Conference on Advanced Information Networking and Applications 978-0-7695-4338-3/11 $26.00 © 2011 IEEE DOI 10.1109/WAINA.2011.36