2022 IEEE NIGERCON

A Three-Step One-Time Password, Textual and Recall-Based Graphical Password for an Online Authentication

2022 IEEE Nigeria 4th International Conference on Disruptive Technologies for Sustainable Development (NIGERCON) | 978-1-6654-7978-3/22/$31.00 ©2022 IEEE | DOI: 10.1109/NIGERCON54645.2022.9803122

Haruna Adamu, Department of Computer Science, Federal University of Technology, Minna, Minna, Nigeria, [email protected]
Abdulmalik Danlami Mohammed, Department of Computer Science, Federal University of Technology, Minna, Minna, Nigeria, [email protected]
Solomon Adelowo Adepoju, Department of Computer Science, Federal University of Technology, Minna, Minna, Nigeria, [email protected]
Abisoye Opeyemi Aderiike, Department of Computer Science, Federal University of Technology, Minna, Minna, Nigeria, [email protected]

Abstract—Text passwords are the most extensively used technique of computer authentication. This approach has been found to have several flaws. Users, for example, typically select passwords that are simple to guess. A difficult-to-guess password, on the other hand, is also difficult to remember. Textual passwords are vulnerable to brute-force and keylogger attacks. Graphical passwords have been proposed in the literature as a possible replacement for alphanumerical passwords, based on the assumption that people remember pictures better than text. Existing graphical passwords, on the other hand, are vulnerable to shoulder surfing attacks. To solve these security flaws, this paper proposes an authentication method for online applications that uses a combination of one-time passwords, textual passwords, and graphical passwords. The efficacy of the recommended solution was confirmed by usability testing and security analysis procedures. A total of thirty participants took part in the system evaluation. The security assessment found that the proposed system meets all its primary security requirements. The proposed system was found to be simple to use, friendly, and secure throughout the usability test. When compared to traditional authentication solutions, this study exhibited greater usability and security.

Keywords—Textual Password, One-Time Password, Graphical Password, Shoulder Surfing, Key-logging

I. INTRODUCTION

User authentication is a method for a device to confirm the identity of a person connecting to network resources. Textual passwords are the most often used form of authentication for all websites and applications. Textual passwords are made up of a string of letters and numbers, with or without special characters or integers. Users can usually log into several accounts with just one username and password [1]. They are not, however, fully safe. As a result, strong passwords with numbers, uppercase, and lowercase letters should be used. These textual passwords are then considered strong enough to survive brute-force attacks. On the other side, a strong textual password is difficult to memorize and recall. Password replay and keylogger attacks are also possible with textual passwords [2].

To address the struggle with alphanumeric authentication, a significant variety of graphical password schemes have been devised and tested [3]. The prevalence of graphical passwords can be explained by the fact that pictures, rather than strings of characters, are easier to recall [4]. Graphical passwords are passwords that are made up of pictures or drawings. Because people remember pictures better than text, graphical passwords are easier to remember. They are also more resistant to brute-force attacks because the search space is practically infinite. In conclusion, graphical passwords are a superior option for memorability and usability than text-based passwords [5].

One of the shortcomings of using a graphical password system is the likelihood of shoulder surfing [6]. A graphical passcode could be physically seen, particularly in public places, and if the adversary has a clear view of the passcode being entered numerous times, they can easily crack it, which is a severe flaw [7]. Another drawback of using a graphical password is that it is susceptible to guessing. Just as with a textual password, if the user simply registers a brief and predictable password, the chances of it being guessable grow [1]. Some researchers have proposed the use of passwordless methods such as fingerprint verification [8]. However, if one of the fingers is used as a password, for instance, and it is compromised, it cannot be used again, since altering a fingerprint is nearly impossible; it is therefore irreversibly compromised. There are several ways to avoid keyloggers, shoulder surfing, and guessing attacks, but none of them is sufficient in and of itself. A combination of strategies must be employed to effectively eliminate the problem [9]. This study uses a combination of one-time passwords, textual and graphical passwords to combat shoulder-surfing, replay, and key-logging attacks. As a result, the research's main contributions are as follows:

1. Development of a secure one-time password system.
2. Development of a secure textual password authentication system.
3. Development of a secure graphical password authentication system.


Authorized licensed use limited to: Dayananda Sagar University. Downloaded on March 27,2024 at 05:49:05 UTC from IEEE Xplore. Restrictions apply.
The remainder of the paper is organized as follows: a synopsis of recent password authentication research is presented in the second section. Section 3 explains the study's approach. The results of the experiment, as well as the conclusions obtained, are discussed in Section 4. Section 5 summarizes the findings and considers potential future projects.

II. RELATED WORKS

To prevent shoulder surfing attacks, [10] recommended using a graphical password authentication (GPA) system. The proposed system combined textual and graphical passwords, removing the requirement for complex textual passwords that may be difficult to remember. Instead, with the graphical password in place, users can use any textual password. The type of graphical password method used in this study, however, was not mentioned. Furthermore, the usability of the suggested solution was not assessed.

A GPA scheme was suggested by [11]. This scheme was based on the finest existing features, such as distorted images, hash index, and loci metrics, as well as visual encryption algorithms and additional naive features, to protect against well-known threats such as brute-force, guessing, sniffing, hidden camera, shoulder surfing, and phishing. The paper's weakness, however, is that no assessment metric was used to evaluate the system's performance.

E-commerce authentication issues were addressed by [12] using GPA. This paper proposes a modified Inkblot authentication mechanism. In the Inkblot authentication system, images are employed as a trigger for entering a text password. During password generation, users can choose from a sequence of inkblots and type in the first and last letter of the phrase that best represents the inkblot. These pairs of letters make up the user's password. Users can utilize the inkblot to construct their own login. The drawback of this inkblot authentication mechanism is that users are limited to a small number of password alternatives.

A three-layer recall GPA technique with three layers of verification was proposed by [13]. The proposed recall-based authentication method improved on the Pass-Go approach, which featured secret questions, responses, and backdrop images. The suggested solution, known as CRS, consists of three components that work together to assure password security. The secret question and the text-based answer are the focus of the first part of the authentication phase. The second part focuses on choosing a picture based on recognition, and the third part focuses on creating a password using an easy-to-remember artwork. The problem with this method is that, when using sketching to construct a password, it is possible for individuals to forget their stroke order.

III. METHODOLOGY

This section provides an overview of the methods utilized to conduct the research. Fig. 1 illustrates the proposed solution, which is explored in greater depth in this section. Textual password, one-time password, and graphical password are the three authentication modalities used in the proposed system, in that sequence.

Fig. 1 Proposed System

The three-process combination mechanism was implemented serially to improve password resistance, given that a user or attacker cannot access the next password phase without being verified in the previous password phase.

A. Registration Phase

The registration phase consists of three main processes: textual password, One-Time Password (OTP) and graphical password implementation.

• Process 1: Textual Password Registration - In this phase the user is asked to input their email, full name, password and confirm password.

• Process 2: OTP Authentication - The OTP authentication phase deals with the generation of the OTP by the system. This generated OTP is sent to the email entered in the textual password registration phase. Then, the user is asked to input the OTP for verification. If the OTP is wrong the user is denied access to the next phase; otherwise the user is granted access to the graphical password phase.

• Process 3: Graphical Password Implementation - A 2 × 2 image grid is now displayed to the user, from which the user clicks on one point of the image. After that, the user must choose another image and click on the two-image grid that has been formed. After that, the user must choose another image and click on the 2 × 2 grid that has been formed.

B. Login Phase

After a user registers, the user can then log in to gain access to the system. The steps involved in the login phase are discussed below.

• Process 1: Textual Password Authentication - During the login phase, the user's registered password and email must be submitted and are compared with the email and password stored in the database. If the email and password match, then the user is allowed to move to the next step.

• Process 2: OTP Authentication - In this step the user is asked to supply the OTP that was generated and sent to their registered email address. If a wrong OTP is supplied, access is denied. However, if the OTP is correct the user is given access to the next authentication process.

• Process 3: Graphical Password Authentication - Twelve photos are displayed after the OTP code is authenticated. The user is asked to choose one of the photos on the screen. When a user clicks on a picture, a 2 × 2 grid containing sections of the selected image is presented. For successful authentication, the user is expected to click on the grid in the image. If the first attempt fails, the user is prompted to start over.

C. Textual Password Authentication

A textual password is a chunk of encrypted data that is used to validate a user's identity. It is commonly a string of letters, digits, or other symbols. Passwords used to be required to be recalled, but with the substantial number of password-protected services that the average individual uses, it is impossible to remember unique passwords for every site [1]. Shoulder-surfing, brute-force attacks, covert camera attacks, and malware attacks are all possible against textual passwords [2]. In this study, a minimum of 6 characters was required for textual passwords. These characters can be uppercase, lowercase, numbers, or special characters, but there was no restriction on their combinations. The user is allowed to use a single character type, such as only numbers, or a combination of character types, such as lowercase, numbers and uppercase. The user was allowed this flexibility given that the proposed system is protected by two additional layers of passwords (OTP and graphical passwords). For enhanced security the textual password was stored in the database in an encrypted form using the PHP password_hash function, which is a strong one-way hashing algorithm. To ensure that the entered password matches during the registration process, the confirm password field was created.

D. One-Time Password (OTP)

An OTP is a one-time password that is automatically generated and utilized to authenticate users for a single transaction or login session. A fixed password is insecure compared to an OTP. To add an extra layer of security, OTPs can be used instead of or in addition to verification login credentials. OTP techniques frequently use pseudo-randomness and cryptographic hash functions to generate a shared key or seed that can be utilized to derive a value but is hard to reverse, making it hard for an attacker to obtain the data used for the hash. The unexpected and unique nature of the pseudo-random value prevents password repeat attempts [14]. In this study the hash-based message authentication code (HMAC) one-time password (HOTP) was used for OTP generation. The HOTP approach uses a growing counter value and a fixed symmetric key that is only known by the token and the verification service [15]. The HMAC-SHA-1 technique is used to generate the HOTP value. Since the outcome of the HMAC-SHA-1 computation is 160 bits, the value was shortened to make it easier for the user to input, using the formula in equation (1).

HOTP(K, C) = Truncate(HMAC-SHA-1(K, C))    (1)

The function Truncate transforms an HMAC-SHA-1 value to a HOTP value. The values of the Key (K), Counter (C), and Data are hashed high-order byte first. The HOTP method was selected because, unlike public key systems, the hash functions employed by HOTP are generated and verified quickly, and HMAC provides comparable security to digital signatures, despite the fact that digital signatures are bulkier than HMACs.

E. Recall-Based Graphical Password (Cued Click Point)

In this technique, the system gives users some pointers to help them precisely reproduce their passwords. These hints are displayed in the picture as hot spots [16]. To register a passcode, the user must choose one of these regions, and then select the same region in the same sequence to log into the system. In this study, a recall-based technique called Cued Click Points (CCP) was used for user authentication. CCP users select a single point on each photo instead of many points on a single photo. It contains cued-recall and visual indicators that alert valid users if they input their most recent click-point incorrectly. It also complicates hotspot analysis attacks [17]. Cued recall of one point on each of the different photos appears to be simpler than memorizing an ordered series of different points on one image, which is a usability advantage of CCP.

F. Evaluation Metrics

1) Usability testing: The practice of evaluating software by putting it through its trials with real-world users is known as usability testing. Users are used to confirm that the system satisfies the stated requirements. As part of the usability metric, the login success rate, creation time, and login time were all assessed.

2) Security Analysis: The suggested system was evaluated based on its resistance to four common attacks: hidden camera, shoulder surfing, guessing, and key-logging.

IV. RESULTS AND DISCUSSION

This section details the proposed system's implementation, including registration and login procedure screenshots. It also details all of the tests carried out to assess the proposed system.

The first step of authentication, that is the textual password, is shown in Fig. 2 and 3. Fig. 2 is the signup page where the user registers their full name, email address and password. Fig. 3 is the first login page where the user inputs their registered email and password. On clicking the login button, the supplied email and password are verified against the ones stored in the database.
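The serial three-phase login of Sections III.A to III.D, as an added example that is not the paper's PHP implementation: HOTP computed as in equation (1) with RFC 4226 dynamic truncation, PBKDF2 standing in for PHP's password_hash, and a session object that lets each phase be attempted only after the previous one succeeded. The account record layout, the function names and the deliver callback that stands in for e-mailing the OTP are assumptions.

```python
import hashlib
import hmac
import os
import struct

# Step 2 primitive, equation (1): HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) as in RFC 4226.
def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()  # 160-bit HMAC, counter big-endian
    offset = mac[19] & 0x0F                                                  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF       # 31-bit dynamic binary code
    return str(code % 10 ** digits).zfill(digits)                            # digits the user can type

# Steps 1 and 3: secrets are stored only as salted, slow, one-way hashes. PBKDF2-HMAC-SHA256 stands
# in here for PHP's password_hash, which the paper used (assumption: same role, different algorithm).
def hash_secret(secret: str) -> bytes:
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def verify_secret(secret: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)                             # constant-time compare

# Step 3: the cued click-point password is the ordered list of (image, quadrant) picked per round.
# With the 11 images of Fig. 5 and a 2 x 2 grid, two rounds give only 44 * 44 = 1936 sequences, so the
# hash protects the stored value while the two earlier phases keep online guessing out.
def encode_clicks(clicks) -> str:
    return ";".join(f"{image}:{quadrant}" for image, quadrant in clicks)

def enroll(email: str, password: str, otp_key: bytes, clicks) -> dict:
    """Registration record (assumed layout): hashes, the per-user HOTP key and its counter, no secrets."""
    return {"email": email, "pw": hash_secret(password), "key": otp_key, "counter": 0,
            "gp": hash_secret(encode_clicks(clicks))}

class LoginSession:
    """Server-side state for one login attempt; each phase is reachable only from the one before it."""

    def __init__(self, account: dict, deliver):
        self.account = account
        self.deliver = deliver   # callback standing in for e-mailing the OTP to the registered address
        self.phase = 1           # the only phase the client may attempt next
        self.pending = None      # counter value behind the OTP issued for this session

    def _restart(self) -> bool:
        self.phase, self.pending = 1, None   # wrong OTP or wrong click: the user starts over from step 1
        return False

    def step1_textual(self, email: str, password: str) -> bool:
        if self.phase != 1:
            return False
        if email != self.account["email"] or not verify_secret(password, self.account["pw"]):
            return False
        self.phase = 2
        self.pending = self.account["counter"]
        self.account["counter"] += 1         # a counter is consumed once, so a captured OTP cannot be replayed
        self.deliver(hotp(self.account["key"], self.pending))
        return True

    def step2_otp(self, code: str) -> bool:
        if self.phase != 2:
            return False
        if hmac.compare_digest(hotp(self.account["key"], self.pending), code):
            self.phase = 3
            return True
        return self._restart()

    def step3_graphical(self, clicks) -> bool:
        if self.phase != 3:
            return False
        if verify_secret(encode_clicks(clicks), self.account["gp"]):
            self.phase = 4
            return True
        return self._restart()

    def authenticated(self) -> bool:
        return self.phase == 4

if __name__ == "__main__":
    # Constructed demo: the RFC 4226 sample key, two click points, and a list acting as the mailbox.
    mailbox = []
    account = enroll("ada@example.com", "sunny123", b"12345678901234567890", [("img7", 2), ("img3", 0)])
    session = LoginSession(account, mailbox.append)
    print("skip to step 3:", session.step3_graphical([("img7", 2), ("img3", 0)]))  # False: phase 1 first
    print("step 1:", session.step1_textual("ada@example.com", "sunny123"))
    print("step 2:", session.step2_otp(mailbox[-1]), "using", mailbox[-1])
    print("step 3:", session.step3_graphical([("img7", 2), ("img3", 0)]), "->", session.authenticated())
```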

Fig. 2 Textual Password Registration Page

Fig. 3 Textual Password Login Page

The second step, which is OTP authentication, is presented in Fig. 4. The user is required to input the OTP code sent to their registered email. If the OTP code matches the sent OTP, then the user is allowed access to the last authentication phase, displayed in Fig. 5. Fig. 5 is the graphical password authentication page, which displays 11 images for users to choose from. After selecting an image, that image is then divided into four parts as shown in Fig. 6.

Fig. 4 OTP Verification Page

Fig. 5 Graphical Password Page

Fig. 6 shows four sub-images of the selected image. The user is required to select one of these four sub-images. After clicking on one of the sub-images, the user is asked to select another image from the eleven initial images. The second selected image is then divided into four sub-images and the user is prompted to select from these sub-images.

Fig. 6 Grid of Selected Image

A. System Evaluation

In this study two types of evaluation (usability testing and security analysis) were conducted. The usability test was implemented using a questionnaire which was issued to the users after they used the system. The users were timed to get the login and creation time. For the security analysis, the hidden camera, shoulder surfing, and guessing attacks were physically tested by researchers as they acted as intruders in these scenarios. The system was tested by 30 users. The users were within the age range of 18 to 35 years old. The users consisted of 18 males and 12 females. Five users were master's degree students, while the remaining 25 users were undergraduate students. These volunteers were randomly selected to test the system. Two testing procedures were carried out. Firstly, the users were asked to use the system without being trained, and secondly the users were asked to test the system after being trained on how to use it.

1) Usability Testing and Security Analysis: The extent to which a product allows individual users to fulfill their specified goals efficiently, successfully, and satisfactorily in the particular context is referred to as usability. When developing a good graphical password strategy that meets the demands and requirements of its users, usability is a crucial thing to consider. This section defines and describes the primary usability aspects utilized in graphical passwords. These characteristics of usability are discussed in further depth below.

• Easy to Remember: This implies that the system should provide passwords that are simple to remember.

• Easy to Use: This refers to the system's capacity to provide a good password-creation environment.

• Easy to Create: Means users can simply construct graphical passwords when the registration process is straightforward.

• Easily Executed: When the registration and login process is broken down into basic steps, people can easily perform the algorithm.

• Nice and Simple Interface: It emphasizes the user's interactions in addition to making the interface pleasant. A nice and simple interface's purpose is to make user interactions as efficient and simple as possible.

• Creation Time: How long does it take an average user to finish the registration process?

• Login Time: How long does it take an average user to finish the login process?

• Login Success Rate: the percentage of users that completed the login task successfully.

The system's usability testing based on the eight defined features and security analysis based on four common attacks are presented in Table I.

TABLE I. USABILITY TESTING AND SYSTEM ANALYSIS

Category            Attributes                          [12]   [18]            Proposed System
Security Analysis   Prevents hidden camera attacks      Yes    No              Yes
                    Prevents shoulder surfing attacks   Yes    No              Yes
                    Prevents guessing attacks           No     No              Yes
                    Prevents keylogger attacks          No     Yes             Yes
Usability features  Easy to remember                    Yes    No              Yes
                    Easy to Use                         Yes    Yes             Yes
                    Easy to Create                      Yes    No              Yes
                    Easily Executed                     Yes    Yes             Yes
                    Nice and Simple Interface           Yes    Yes             Yes
                    Creation Time                       -      94.08 seconds   73 seconds
                    Login Time                          -      57.40 seconds   46 seconds
                    Login Success rate                  -      90.38%          90%

Table I shows that the suggested system is immune to attacks such as concealed cameras, shoulder surfing, guessing, and key-loggers. [12], meanwhile, is prone to hidden camera and shoulder surfing attacks and resistant to guessing and keylogger attacks. [18] is resistant to hidden camera, shoulder surfing and guessing attacks, but prone to keylogger attacks. However, the proposed system is resistant to hidden camera, shoulder surfing, guessing, and keylogger attacks.

The registration and login were tested by trained and untrained users. It was noticed that as users were trained, the creation and login times were reduced from 111 seconds to 73 seconds for creation time and from 82 seconds to 46 seconds for login time. The high login and creation times achieved by the proposed system are due to the time spent by users in accessing their emails to retrieve the OTP code. Before the users were trained the login success rate was about 85%. Nonetheless, this value increased to 90% after they were trained. The high login success rate shows that the users of this proposed system are more likely to remember their passwords. Based on the usability features, the proposed system takes a shorter time to register and log in than the system proposed by Mackie [18]. The proposed system is more usable than previous systems. The proposed system is limited by the availability of users having access to their emails, and this can delay the authentication process.

V. CONCLUSION AND FUTURE WORK

In this study, user authentication for online application access was accomplished using textual, OTP, and recall-based graphical password techniques. The user authentication procedure is made up of the registration and login phases. The registration procedure employs OTP to validate the user's email address, collects the user's text password, and captures the user's graphical password in a sequential order. The login step validates a user's identity by using the provided email, password, OTP, and graphical password sequence to enable access to an online application. Finally, to provide a solution for user authentication for online applications, a three-step authentication technique was adopted. Authentication employing these combined mechanisms provided a greater and more reliable level of security than conventional textual and graphical password systems, which are prone to shoulder surfing attacks.

The study made use of the cued click point recall-based graphical password technique for authentication. For future work, other graphical password methods such as recognition-based authentication can be used in combination with text and OTP passwords.

REFERENCES

[1] A. Fulkar, S. Sawla, Z. Khan, and S. Solanki, "A Study of Graphical Passwords and Various Graphical Password Authentication Schemes," World Research Journal of Human-Computer Interaction, ISSN: 2278-8476, vol. 1, no. 1, pp. 4–8, 2012.
[2] R. S. Yenape and A. Waghmare, "Three Way Graphical Password Authentication," IARJSET, vol. 4, no. 4, pp. 155–157, 2017, doi: 10.17148/iarjset/nciarcse.2017.45.
[3] R. S. Jadhav, D. K. Chandole, M. D. Wani, S. R. Kuslkar, K. G. Shinde, and M. S. Dighe, "Graphical Password Authentication System," International Journal of Latest Technology in Engineering, Management & Applied Science, vol. 3, no. 3, pp. 64–68, 2014.
[4] D. Kadu and S. Therese, "Different Graphical Password Authentication Techniques," no. March, pp. 56–58, 2017.
[5] A. Vaddeti, D. Vidiyala, V. Puritipati, R. B. Ponnuru, J. S. Shin, and G. R. Alavalapati, "Graphical passwords: Behind the attainment of goals," Security and Privacy, vol. 3, no. 6, p. e125, Nov. 2020, doi: 10.1002/SPY2.125.
[6] M. O. Kenneth and S. M. Olujuwon, "Web Application Authentication Using Visual Cryptography and Cued Clicked Point Recall-based Graphical Password," Journal of Computer Science Research, vol. 3, no. 3, Aug. 2021, doi: 10.30564/jcsr.v3i3.3535.
[7] A. Ometov, S. Bezzateev, N. Mäkitalo, S. Andreev, T. Mikkonen, and Y. Koucheryavy, "Multi-factor authentication: A survey," Cryptography, vol. 2, no. 1, pp. 1–31, 2018, doi: 10.3390/cryptography2010001.
[8] A. T. B. Jin, D. N. C. Ling, and A. Goh, "Biohashing: two factor authentication featuring fingerprint data and tokenised random number," Pattern Recognit., vol. 37, no. 11, pp. 2245–2255, Nov. 2004, doi: 10.1016/j.patcog.2004.04.011.
[9] C. Santwana, "Hypervisor based Mitigation Technique for Keylogger Spyware Attacks," International Journal of Computer Science and Information Technologies, vol. 5, no. 2, pp. 1867–1870, 2014.
[10] S. Abhijith, S. Sam, Sreelekshmi K U, and T. T. Samjeevan, "Web based Graphical Password Authentication System," International Journal of Engineering Research & Technology, vol. 9, no. 7, pp. 29–32, 2021. [Online]. Available: www.ijert.org
[11] A. Vaddeti, D. Vidiyala, V. Puritipati, R. B. Ponnuru, J. S. Shin, and G. R. Alavalapati, "Graphical passwords: Behind the attainment of goals," Security and Privacy, vol. 3, no. 6, 2020, doi: 10.1002/spy2.125.
[12] A. H. Shnain and S. H. Shaheed, "The use of graphical password to improve authentication problems in e-commerce," AIP Conference Proceedings, vol. 2016, no. September, 2018, doi: 10.1063/1.5055535.
[13] B. Togookhuu and J. Zhang, "New Graphic Password Scheme Containing Questions-Background-Pattern and Implementation," in Procedia Computer Science, 2017, vol. 107, pp. 148–156, doi: 10.1016/j.procs.2017.03.071.
[14] S. Ma et al., "An empirical study of SMS one-time password authentication in android apps," in PervasiveHealth: Pervasive Computing Technologies for Healthcare, Dec. 2019, pp. 339–354, doi: 10.1145/3359789.3359828.
[15] H. Parmar, N. Nainan, and S. Thaseen, "Generation of Secure One-Time Password Based on Image Authentication," Computer Science & Information Technology, vol. 07, no. 1, pp. 195–206, 2012, doi: 10.5121/csit.2012.2417.
[16] P. G. Panduranga Rao, "A Study of Various Graphical Passwords Authentication Schemes Using Ai Hans Peter Wickelgren Approach," IOSR Journal of Computer Engineering, vol. 10, no. 6, pp. 14–20, 2013, doi: 10.9790/0661-1061420.
[17] V. Moraskar, S. Jaikalyani, M. Saiyyed, J. Gurnani, and K. Pendke, "Cued Click Point Technique for Graphical Password Authentication," vol. 3, no. 1, pp. 166–172, 2014.
[18] I. Mackie and M. Yıldırım, "A Novel Hybrid Password Authentication Scheme Based on Text and Image," in 32nd Annual IFIP WG 11.3 Conference, DBSec 2018, 2018, pp. 1–16.
