Traditional user authentication methods have existed for several decades. There are three main techniques (or a combination thereof) for user authentication: 1) knowledge-based methods, which rely on what a user knows or remembers; 2) token-based methods, which grant access according to what a user has in their physical possession; and 3) biometric methods, which rely on unique physical features of the user.
Biometric Authentication
Biometric authentication is the automated recognition of people via distinctive anatomical and behavioral traits. It uses human biological signatures, including fingerprint, voice print, facial heat print, iris scan, etc., to authenticate a user. Although biometrics can be effective for user identification, biometric methods are difficult to implement and require specialized devices or software to capture and convert biometric information. Capture of the biometric traits may be expensive or inappropriate for specific types of devices or applications. The human aging process changes biometric signatures, which can lower the authentication success rate. Also, because of its relative newness to the authentication market, biometric authentication has not been tested over long periods to determine whether the methods remain effective as the user's biological traits (e.g., fingerprints) change over time.
Token or RFID
Token, RFID or near field authentication is based on what authorized users have in their possession to transmit PIN or password information. This is often accomplished through a dedicated ID card with a readable magnetic stripe, a radio frequency identification (RFID) chip, or another near field communication (NFC) device.
These methods of authentication become a problem if the devices emitting the codes are misplaced or stolen. However, most token-based authentication systems also use knowledge-based authentication to prevent impersonation through theft or loss of the token. An example is automated teller machine (ATM) authentication, which requires a combination of a token (e.g., a bank card) and a secret, knowledge-based recall method of authentication (e.g., a PIN code).
Knowledge Based Authentication
Traditional knowledge-based authentication uses something that the authorized user knows, obtained either through recalling (recall), cued recalling, or recognizing (recognition) the authentication information. Recall-based authentication most often takes the form of an alpha-numeric password or Personal Identification Number (PIN) that the user recalls during an authentication session. Provided the password or PIN is drawn from a large set of upper- and lower-case alpha-numeric characters, such passwords can be secure and used to authenticate the authorized user with little risk of the password being recovered through brute-force algorithms or other methods.
There are limitations and weaknesses with traditional alpha-numeric PINs and passwords. First, weak, less complex passwords are subject to dictionary or brute-force attacks. Complex alpha-numeric passwords are difficult to remember, especially if not used on a frequent basis. Incorrect password input results in lockouts or pauses in access, causing user frustration and potential negative impacts on work output in a networked environment. Second, these passwords at times are not "random" and are often built from decipherable terms such as dates of birth (D.O.B.s), children's names, maiden names, pet names, etc. This makes passwords less than random and easier for an attacker to guess. Another practical weakness is that users often record or write passwords down, which reduces the strength of the complex alpha-numeric password to the level of how well the user has hidden the written copy.
Passwords can be stolen through shoulder surfing or attacks such as man-in-the-middle, where passwords are intercepted in a communication element and reused to assume identities. Devices such as camera phones or other recording devices (e.g., security cameras) can record passwords as they are entered during authentication through keyboards or other input devices. Most secure systems prompt users to change passwords periodically. This can increase the probability of lockouts because users remember old passwords instead, or increase the risk that users write down or record passwords rather than memorizing the current one.
Recognition Based Passwords
There are dozens of recognition-based graphical authentication methods. Recognition-based graphical passwords can provide benefits over the current authentication methods described above, depending on the device, the situation, and the level of password strength required.
There is a fundamental difference between recall-based authentication systems, such as text passwords, and recognition-based ones, such as photographic authentication. Recall-based methods use a unique piece of knowledge, i.e., the password, to perform the authentication process, while recognition-based methods use a challenge-response sequence and prompt for the correct authentication response, i.e., selecting one memorable image from a set of random images. Research has shown that it is easier to recognize content than to recall the same content without an aiding prompt.
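As an added illustration (not code from the original text), the following Python sketches a round-based recognition login of the kind described above: for several rounds the server shows the registered image among freshly sampled decoys, checks that each pick came from the grid actually shown and is the secret, and reports the blind-guessing work in bits so it can be compared with a uniformly random alpha-numeric password. The image library and identifiers are constructed placeholders.

```python
import hmac
import math
import secrets

_rng = secrets.SystemRandom()
# Constructed library: hypothetical ids standing in for a user's own photos.
IMAGE_LIBRARY = [f"photo_{i:03d}" for i in range(40)]

class RecognitionAuthenticator:
    """Recognition-based challenge-response login: each round shows the
    registered image among random decoys and the user must pick it out.
    Grids are freshly sampled and a challenge is single-use (no replay)."""

    def __init__(self, library, grid_size=9, rounds=3):
        self.library = list(library)
        self.grid_size = grid_size
        self.rounds = rounds
        self._secret = {}    # user -> registered secret image id
        self._pending = {}   # user -> grids currently shown to that user

    def register(self, user, secret_image):
        self._secret[user] = secret_image

    def make_challenge(self, user):
        secret = self._secret[user]
        decoys = [img for img in self.library if img != secret]
        grids = []
        for _ in range(self.rounds):
            grid = _rng.sample(decoys, self.grid_size - 1) + [secret]
            _rng.shuffle(grid)
            grids.append(grid)
        self._pending[user] = grids
        return grids

    def verify(self, user, picks):
        grids = self._pending.pop(user, None)   # consume the challenge
        if grids is None or len(picks) != len(grids):
            return False
        secret = self._secret[user]
        # Each pick must come from the grid actually shown and be the secret.
        return all(pick in grid and hmac.compare_digest(pick, secret)
                   for grid, pick in zip(grids, picks))

def guess_bits(grid_size, rounds):
    """Blind-guessing work in bits: success chance is (1/grid_size)**rounds."""
    return rounds * math.log2(grid_size)

def alnum_bits(length, alphabet=62):
    """Same measure for a uniformly random upper/lower/digit password."""
    return length * math.log2(alphabet)
```

Three rounds of a 3x3 grid give roughly 9.5 bits against blind guessing, so such schemes usually rely on additional rounds or lockout after a few failures rather than on the grid alone.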
Graphical Image Based Authentication
Recognition-based passwords such as graphical image passwords offer a more memorable and secure alternative to traditional alpha-numeric PINs and passwords. Graphical passwords use pictures or images instead of letters or numbers. Research has shown that pictures and images are more memorable to humans than letters and numbers.
The selection method itself can also cause problems for authentication in recall-based approaches. Repeated taps (e.g., on a touch screen), drawn lines and shapes, connecting of images or dots, or user-drawn images can leave smudge marks that indicate the graphical password or the digits of a PIN. Even with these more graphical approaches, users tend to limit the character set used, or the drawing process can be less efficient and prone to error. For example, some tap points are distinctive features in the image and tend to be selected ahead of non-distinctive features.
There is a growing problem of password theft in which attackers send an email notification suggesting that an issue with, or update to, a secure account requires attention, and offer a fake or duplicate login screen. This practice is called "phishing". When users enter password and PIN information into the fake screen during the phishing session, the program can capture the authorized user's account number and password by recording the input or the mouse clicks.
Another concern is discernible differences among photos that can be used to assess which one is likely to have been selected as the secret graphical image. In one embodiment, no manual filtering or editing of the user-provided image sets need be performed; the user's images can be copied from a pre-existing private collection. Many photographs in a personal database are similar and therefore hard to distinguish, or are duplicates or unrecognizable, and thus require some management method to normalize or edit the graphical images.
Graphical methods are in use where a user draws a "secret shape", referred to in the art as draw-a-secret (DAS), on a touch-sensitive screen. The method captures the movement of the user's input instrument (e.g., finger or stylus) and compares it to the movement recorded in the registration process. The user can select any combination of pixels available on the screen as the password. However, in practice users tend to draw images consisting of a small number of continuous lines or known objects (e.g., square, circle, triangle). Enumerating all possible starting points and all lines emanating from those points is feasible when password strength is low.
Some other graphical methods require users to memorize images during the setup or registration phase so as to recognize them later during an authentication session. These methods require a training or education phase to generate the graphical password, followed by an immediate test to ensure that the user has memorized the password. This process can be more effective if the user is allowed to select memorable, relevant images, making recall easier during authentication.
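Added example, not from the original text: a minimal DAS-style encoder in Python for the draw-a-secret scheme described two paragraphs above. It maps each drawn stroke to the sequence of grid cells it crosses (so a slightly different redraw of the same shape still matches), inserts a pen-up marker between strokes, and rejects registrations that consist of one short line, the low-strength drawing the text warns users tend to produce. Canvas size, grid size, the minimum-complexity thresholds and the sample coordinates are constructed assumptions.

```python
GRID = 5            # DAS canvas split into GRID x GRID cells (assumed)
CANVAS = 500        # canvas width and height in pixels (constructed)
PEN_UP = (-1, -1)   # marker between strokes, as in DAS encodings

def to_cell(x, y):
    """Map a pixel coordinate to its grid cell (clamped to the canvas)."""
    size = CANVAS / GRID
    return (min(int(x // size), GRID - 1), min(int(y // size), GRID - 1))

def _walk(p, q, step):
    """Points along segment p->q at most `step` apart, so a fast stroke
    cannot jump over a cell between two sampled touch events."""
    (x0, y0), (x1, y1) = p, q
    n = int(max(abs(x1 - x0), abs(y1 - y0)) / step) + 1
    return [(x0 + (x1 - x0) * i / n, y0 + (y1 - y0) * i / n)
            for i in range(n + 1)]

def encode_strokes(strokes):
    """Encode a drawing (list of strokes, each a list of (x, y) points) as
    the sequence of cells visited, consecutive repeats collapsed, PEN_UP
    between strokes. Exact pixels are discarded, so a slightly different
    redraw of the same shape yields the same secret."""
    size = CANVAS / GRID
    seq = []
    for stroke in strokes:
        path = [stroke[0]]
        for a, b in zip(stroke, stroke[1:]):
            path.extend(_walk(a, b, size / 2)[1:])
        prev = None
        for x, y in path:
            cell = to_cell(x, y)
            if cell != prev:
                seq.append(cell)
                prev = cell
        seq.append(PEN_UP)
    return tuple(seq)

def register(strokes, min_cells=12, min_strokes=2):
    """Store the encoding, rejecting drawings that are too simple (few cells
    or a single continuous line), since those dominate what users draw."""
    seq = encode_strokes(strokes)
    n_strokes = seq.count(PEN_UP)
    n_cells = len(seq) - n_strokes
    if n_strokes < min_strokes or n_cells < min_cells:
        raise ValueError("drawing too simple")
    return seq

def authenticate(stored, strokes):
    """Compare a login drawing against the registered cell sequence."""
    return stored == encode_strokes(strokes)
```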