Internet-enabled services are part of everyone's day-to-day life, from online banking, bill payment, trading and purchasing to information tracking, enterprise data banks and social networking. Internet-enabled services have a strong presence and provide a convenience that makes them indispensable.
Internet-enabled services such as online banking, trading and purchasing require users to register by creating an account and selecting a password for accessing each service. Using the account ID and password, users can access privileged or sensitive information and perform the desired transactions.
The account ID and password are allotted to each user to ensure that the user's privileged information is secure. However, the alphanumeric password, although it is the most popular and economical authentication method, compromises heavily on security because most passwords are weak. Users select passwords that are easy to remember and recall, which are often combinations of proper nouns such as the names of acquaintances or popular words, and which are therefore prone to dictionary attacks or brute-force attacks and very easy for attackers to guess. Further, if the length of the password is increased for security reasons, users tend to write it down, which ultimately results in a breach.
In addition, the policies of certain systems require users to change their passwords frequently, which makes them hard to remember; again, users often write down their passwords, which frequently leads to password theft.
When dealing with online security one also has to deal with attacks such as phishing and MITM (man-in-the-middle) attacks.
Phishing attacks are attacks in which an attacker creates a website that appears similar to a legitimate website. When the user tries to access the legitimate website, he or she is instead presented with the phishing website; the user, believing it to be legitimate, enters his or her login credentials, and the attacker gains access to the user's credentials and privileged information in real time.
In MITM attacks, the attacker holds a secure connection with both the legitimate website and the user. When the user enters his account ID, the attacker forwards the ID to the legitimate website, receives an indicator (typically an image and some text), duplicates it and presents it to the user. The user, believing the site to be legitimate, enters his credentials and privileged information, which are then available to the attacker.
The privileged information can include the user's credit card and debit card details, online banking login details, trading account details and the like, which, if they fall into the wrong hands, may burden users with huge financial losses. Therefore, secure authentication and secured back-end authorization systems are becoming the need of the hour to secure users' transactions.
To overcome the aforementioned shortcomings of conventional authentication systems, biometric passwords provide the best remedy, since a biometric validates the true identity of a user and no two users can have the same biometric signature. However, biometric systems are expensive to implement and, if hacked, users completely lose their identity. Hence, most users and BFIs (Banking & Financial Institutes) do not want to introduce biometrics for Internet-based transactions as one of the approved challenge methods. Biometrics may, however, prove useful in the corporate world and in governmental entry access processes.
There have been various attempts in the prior art to overcome the phishing and MITM attacks without the need of deploying expensive biometric systems.
In particular, US/2006/0206918 discloses a system and method for input of a password that has unique non-descriptive graphical features using unique text-based characters via a wireless telecommunication device. The keys of the device are assigned unique non-descriptive graphical features that appear on the screen when the keys are pressed and are authenticated by the disclosed system.
The non-descriptive graphical password disclosed by this patent application relies on only two dimensions of the graphical password, i.e. the non-descriptive features and the sequence of selection. Moreover, there is only a single level of authentication, and the graphical password is not encrypted and hence can be compromised easily.
Further, US/2009/00210939 discloses a graphical password authentication method based on sketches drawn by a user. The method extracts a template edge orientation pattern from an initial sketch of the user and an input edge orientation pattern from an input sketch of the user, compares the similarity of the two edge orientation patterns and makes an authentication decision based on that similarity.
This disclosure likewise provides a non-descriptive password that is based on only two dimensions, i.e. a pre-determined sketch and edge orientation. Additionally, the authentication process is restricted to a wireless telecommunication device.
Therefore, it is felt that there is a clear need for a robust authentication system which: provides a multidimensional graphical password to increase the strength of the password; provides encryption of the graphical password for added security; and allows authentication to be carried out on any customer-owned telecommunication or electronic device.