Vol.7 (2017) No. 3 ISSN: 2088-5334

A Pattern-Based Password Authentication Scheme for Minimizing Shoulder Surfing Attack

M I Awang #, M A Mohamed *, R R Mohamed #, A Ahmad #, N A Rawi #

* Faculty of Informatics and Computing, Universiti Sultan Zainal Abidin, Besut Campus, 22200 Terengganu, Malaysia
E-mail: isa@unisza.edu.my, mafendee@unisza.edu.my, khairani@unisza.edu.my

# Department of System and Networking, Universiti Tenaga Nasional, 43000 Kajang, Selangor, Malaysia
E-mail: rajina@uniten.edu.my

# Department of Computer Science, National Defence University of Malaysia, 57000 Sungai Besi, Kuala Lumpur, Malaysia
E-mail: arniyati@upnm.edu.my

Abstract— A user typically relies on a password that must withstand attacks such as the dictionary attack, the brute-force attack and the shoulder surfing attack, the most prevalent attack nowadays. The shoulder surfing attack is a direct observation technique: the attacker watches over the user's shoulder while the password is entered in order to capture it. The most common authentication method is the textual password, but the textual password has many disadvantages because it is vulnerable to attack, and in particular to shoulder surfing. In this project, a pattern-based password authentication scheme is developed to overcome this problem. With this scheme, the user selects the type of pattern they prefer during registration. To log in, the user enters the password as a textual password, in an order determined by the pattern chosen during registration. The textual password grid is presented in a different style each time, as it is filled with random objects, whether characters, numbers or images. This method is suitable for minimizing the shoulder surfing attack, as it improves the security of the user's password while still letting the user log in to the system efficiently.

Keywords— user authentication; shoulder surfing; pattern-based; grid selection; recall based
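The registration and login steps sketched in the abstract, as an added simulation that is not part of the paper's own implementation. The grid size (5x5), the alphabet, the three pattern types and the per-session grid generation are assumptions, since the paper fixes none of them; the point shown is that the typed string is valid for one grid only, so a string observed over the shoulder does not authenticate against the next session's grid.

```python
import hmac
import secrets
import string

# Constructed assumptions (the paper fixes none of these): a 5x5 grid, an
# alphabet of upper-case letters and digits, and three pattern "types" offered
# at registration, each an ordered list of (row, col) cells.
GRID_SIZE = 5
ALPHABET = string.ascii_uppercase + string.digits
PATTERNS = {
    "diagonal": [(i, i) for i in range(GRID_SIZE)],
    "top_row": [(0, c) for c in range(GRID_SIZE)],
    "l_shape": [(0, 0), (1, 0), (2, 0), (2, 1), (2, 2)],
}

# Server-side store: username -> pattern type chosen at registration.
# Only the pattern type is stored; no per-session password ever persists.
_registered = {}

def register(username, pattern_type):
    """Registration step: the user picks one of the offered pattern types."""
    if pattern_type not in PATTERNS:
        raise ValueError("unknown pattern type")
    _registered[username] = pattern_type

def make_grid(rng=secrets):
    """Login challenge: a fresh grid of random objects for this session only."""
    return [[rng.choice(ALPHABET) for _ in range(GRID_SIZE)] for _ in range(GRID_SIZE)]

def expected_response(grid, pattern):
    """The one-time textual password: grid cells read along the pattern, in order."""
    return "".join(grid[r][c] for r, c in pattern)

def login(username, grid, entered):
    """Verification step: compare the typed string with the expected response."""
    pattern_type = _registered.get(username)
    if pattern_type is None:
        return False
    expected = expected_response(grid, PATTERNS[pattern_type])
    # Constant-time comparison on bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(expected.encode(), entered.encode())

def replay_works(username, observed_response, new_grid):
    """Does a response observed in one session authenticate in a later one?"""
    return login(username, new_grid, observed_response)

if __name__ == "__main__":
    register("alice", "diagonal")
    grid1, grid2 = make_grid(), make_grid()
    observed = expected_response(grid1, PATTERNS["diagonal"])
    print("session 1 login:", login("alice", grid1, observed))
    print("replay in session 2:", replay_works("alice", observed, grid2))
```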
I. INTRODUCTION

Authentication is the process by which the identity of a person or a thing is verified. It is also the means of confirming whether an attribute of data claimed by an entity is valid or not. Some also define authentication as a process in which the proof of identity provided is compared with the information stored in the database of users within a computing system [1]. During verification, the system compares the credential that the user chose during registration with the credential entered during the login session. If the entered credential matches the stored one, the process completes and the user is authorized to access the system. Simply put, authentication is the process of verifying that an individual is the person they claim to be, within the capability of the authentication system.

There are three types of authentication technique [2]. The first type is accepting the proof of identity given by a trusted person who has evidence that the claimed identity is genuine. The second type is comparing the attributes of the object itself to what is known about objects of that origin. The third type relies on documentation or other external affirmations [3].

In general, user authentication can be categorized into three classes: token-based, biometric-based and knowledge-based, as in Fig. 1. A security token is a small hardware device that one needs to carry in order to gain authorized access to a network service. The device can take any form, such as a key card or smart card, or can be embedded into another object such as a key fob. The token offers an extra level of security via a method called two-factor authentication [4], in which the user is also issued a personal identification number (PIN) that identifies them as the owner of that specific device.
The device displays a number which uniquely identifies the user to the service, allowing them to log in. The identification number for each user is renewed on a predetermined periodic basis. The use of tokens has many benefits compared to traditional methods, in that the token is self-contained and carries all the information required for authentication. This is good for scalability, as it frees the server from having to store session state. Moreover, using token-based security, we can further refine user access