Networking, in computer science, is the connection of multiple electronic devices, known as nodes, for the purpose of exchanging information; the concept grew out of the human need to connect and share information, whether voice, video or data. The largest network in the world is the Internet, described as a collection of a vast mixture of networks in terms of topologies, architectures and communication technologies which nevertheless use a common set of protocols to offer certain services. In short, it is termed the network of networks (Ciubotaru & Muntean, 2013; Forcht & Fore, 1995). The Internet has aided many major advancements and developments in society today. The number of Internet users has grown rapidly, from 400 million in 2000 to more than 3 billion in 2015 (International Telecommunication Union, 2015).
Many organizations use the World Wide Web (WWW), one of the major and most widely used services of the Internet, to share information. The World Wide Web is an information space in which relevant items, known as resources (e.g. an image, audio, video or any other file), are identified by global identifiers called Uniform Resource Identifiers (URIs) (Berners-Lee, et al., 2004); in 2001 Google, a multinational technology company, announced that it provided users direct access to 3 billion web documents on the Internet (Googlepress, 2001).
This technical wizardry of worldwide communication has driven the proliferation of computers and other ubiquitous devices since the 1960s and, with it, a demand for organizations to protect their digital information from unauthorized users while providing services to authorized ones. The need to protect information follows from the Internet being a fully decentralized network that depends on voluntary cooperation between thousands of network administrators throughout the world to give individuals access to this network of tremendously varied resources. The Internet is thus a public network owned by no one, and sensitive information should be made available only to its rightful recipient (Forcht & Fore, 1995; Menezes, Van Oorschot & Vanstone, 1997).
Furthermore, by the very nature of the Internet, access is very easy, attracting individuals of different kinds with different aims. While some aim to share information, others conduct malicious activities. As a result, information security is of great importance to any service provider. Information security can be described as the actions that implement services which assure adequate protection for the information systems used by or hosted within an organization. In this description, services are the technical or managerial methods used with respect to the information being protected, information systems are the computer or communication systems that handle that information, and protection means the conjunction of integrity, confidentiality, authenticity and availability (Shimeall & Spring, 2014).
Confidentiality, availability, data integrity and authentication are some of the major security services by which information security ensures the reliability of information. The importance of each varies with the type of organization (e.g. confidentiality is of most importance to the military). Authentication is related to identification and is the most fundamental procedure for securing access to sensitive web resources over the Internet. The most widely used authentication method is text-based password authentication, which requires a valid user ID (identity) and password in order to prevent unauthorized access (Liao & Lee, 2010; Menezes et al., 1997). This mechanism is easy and inexpensive to implement; however, a static password comes with major security drawbacks. Users tend to choose easy-to-guess passwords, reuse the same password across multiple accounts, and write passwords down or store them on their machines, making them susceptible to numerous attacks including dictionary attacks, brute-force attacks, phishing and shoulder surfing (Prakash, Infant & Shobana, 2010).
This tendency towards trivial passwords has become a foothold for computer hackers/crackers; the focus of this work is therefore to create a platform that enables users to generate a stronger password that is easy to remember and use but difficult for unauthorized persons to guess.
Over the years, other authentication methods have been developed which involve the use of a secondary object (token-based authentication) or a biometric (biometric-based authentication) (Abdulkader, Ayman & Mostafa, 2015). Though more secure, these methods require more infrastructure and equipment.
Since the mid-1990s, several graphical password schemes have been developed to strengthen security and enhance password memorability (Alsaiari, Papadaki, Dowland & Furnell, 2016). A graphical password is based on images or pictures rather than text. The idea has prompted several experiments, theories and assumptions showing that items presented as pictures are easier to remember than items presented as words; this picture superiority effect appears to increase memorability significantly (Paivio, 1991; Standing, Conezio & Haber, 1970). Graphical passwords provide benefits such as enlarging the password space (in some graphical schemes), reducing the choice of trivial passwords, and making passwords difficult to share or write down (Golofit, 2007). However, the method is still vulnerable to various attacks, especially shoulder surfing (Biddle, Chiasson & Oorschot, 2011). In addition, in some graphical schemes users have to browse through the entire set of images/pictures/objects, and since pictures are larger than text the server must allocate a considerable amount of storage for them (Wiedenbeck, Waters, Birget, Brodskiy & Memon, 2005).
This research therefore proposes a graphical authentication scheme that increases memorability, resists shoulder surfing, aids searching, and requires no upload of pictures/images during registration or authentication.
The main objective of this study is to develop a secure graphical authentication scheme for web-based applications. The specific objectives are to:
- present a comparative analysis of existing graphical authentication techniques;
- design a shoulder-surfing-resistant graphical technique for generating a user's graphical password;
- perform a one-time password challenge-response for every authentication; and
- evaluate the password space, entropy and resistance to shoulder surfing attacks.
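The password-space and entropy evaluation named in the last objective, and the "enlarging the password space" benefit of graphical schemes mentioned earlier, can be made concrete with a small calculation. The following is an added example and not the thesis's own code or scheme: it assumes a simple click-on-grid model (the user selects k cells of an R by C grid in order) purely for illustration, and compares its theoretical space and entropy with an 8-character lowercase text password and with the collapsed effective entropy of a password chosen from a dictionary of common words.

```python
import math

# Theoretical password space and entropy for a text password versus a
# grid-based graphical password. This is an added example for the
# "password space and entropy" evaluation, not the thesis's own scheme or code.
#
# Assumed graphical model (an assumption, not the page's design): the user
# selects k cells of an R x C grid in a fixed order, so the space is N^k with
# N = R * C when repeats are allowed, or N!/(N-k)! when they are not.


def text_password_space(alphabet_size: int, length: int) -> int:
    """Number of distinct text passwords of exactly `length` characters."""
    return alphabet_size ** length


def graphical_password_space(rows: int, cols: int, clicks: int,
                             allow_repeat: bool = True) -> int:
    """Number of distinct ordered click sequences on a rows x cols grid."""
    n = rows * cols
    if allow_repeat:
        return n ** clicks
    return math.perm(n, clicks)        # ordered selection without repetition


def entropy_bits(space: int) -> float:
    """Entropy in bits of a secret drawn uniformly from `space` candidates."""
    return math.log2(space)


def dictionary_entropy_bits(dictionary_size: int) -> float:
    """Effective entropy when users pick from a list of common passwords:
    the attacker searches only the dictionary, so log2(D) bits remain no
    matter how large the theoretical space is."""
    return math.log2(dictionary_size)


def expected_guesses(space: int) -> int:
    """Average brute-force guesses for a uniformly chosen secret."""
    return (space + 1) // 2


def min_clicks_for_bits(rows: int, cols: int, target_bits: float) -> int:
    """Smallest number of clicks (repeats allowed) whose space reaches target_bits."""
    return math.ceil(target_bits / math.log2(rows * cols))


if __name__ == "__main__":
    text = text_password_space(26, 8)                 # 8 lowercase letters
    grid = graphical_password_space(5, 5, 4)          # 4 clicks on a 5x5 grid
    print(f"8-char lowercase text : {text:>15} candidates, {entropy_bits(text):.1f} bits")
    print(f"5x5 grid, 4 clicks    : {grid:>15} candidates, {entropy_bits(grid):.1f} bits")
    print(f"dictionary of 10,000  : {dictionary_entropy_bits(10_000):.1f} effective bits")
    print(f"clicks on 5x5 for >= 40 bits: {min_clicks_for_bits(5, 5, 40)}")
```

The point the numbers make is that the theoretical space is only an upper bound: a grid scheme with few clicks can have less entropy than a random 8-letter text password, and a text password chosen from a 10,000-word dictionary has only about 13 effective bits regardless of its alphabet. A scheme that claims a larger space should therefore state the click count (or equivalent) needed to reach a target such as 40 bits, and whether users actually choose uniformly.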
Storing user credentials, handling the one-time password and performing authentication were done with the WAMP application suite (Windows, Apache, MySQL, PHP). The scheme was evaluated using the magic triangle evaluation.
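To show what a one-time password challenge-response per authentication involves, the following is an added example in Python; it is not the thesis's PHP/MySQL implementation and does not describe how that implementation works. Its assumptions are its own: the graphical password is encoded as a string of grid-cell indices (the sample credential "3-17-8-22" is constructed), both sides derive the same HMAC key from it with PBKDF2 and a per-user salt, the server stores only the derived key, and every login receives a fresh random nonce that is consumed by a single verification attempt and expires after a short interval.

```python
import hashlib
import hmac
import os
import secrets

# One-time challenge-response login for a graphical password. Added example
# (Python, not the thesis's PHP/MySQL implementation). Assumptions of this
# sketch, not of the page: the graphical password is encoded as a string of
# grid-cell indices such as "3-17-8-22"; both sides derive the same HMAC key
# from it with PBKDF2 and a per-user salt; the server keeps only the derived
# key; each login gets a fresh random nonce that is valid once and expires.

PBKDF2_ITERATIONS = 100_000
CHALLENGE_TTL_SECONDS = 60


def derive_key(graphical_password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", graphical_password.encode(),
                               salt, PBKDF2_ITERATIONS, dklen=32)


def compute_response(key: bytes, nonce: bytes) -> bytes:
    """The one-time response: HMAC of the server's nonce under the shared key."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class AuthServer:
    def __init__(self):
        self.users = {}        # username -> (salt, derived_key)
        self.pending = {}      # username -> (nonce, issued_at)

    def register(self, username: str, graphical_password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, derive_key(graphical_password, salt))

    def issue_challenge(self, username: str, now: float):
        """Return (salt, nonce). A new challenge replaces any pending one."""
        if username not in self.users:
            return None
        nonce = secrets.token_bytes(16)
        self.pending[username] = (nonce, now)
        return self.users[username][0], nonce

    def verify(self, username: str, response: bytes, now: float) -> bool:
        # Pop first: a challenge is consumed by any attempt, so a captured
        # response cannot be replayed and a second guess needs a new nonce.
        entry = self.pending.pop(username, None)
        if entry is None:
            return False
        nonce, issued_at = entry
        if now - issued_at > CHALLENGE_TTL_SECONDS:
            return False
        _, key = self.users[username]
        return hmac.compare_digest(compute_response(key, nonce), response)


def client_login(server: AuthServer, username: str,
                 graphical_password: str, now: float) -> bool:
    """Client side: fetch a challenge, answer it, and return the server's verdict."""
    challenge = server.issue_challenge(username, now)
    if challenge is None:
        return False
    salt, nonce = challenge
    response = compute_response(derive_key(graphical_password, salt), nonce)
    return server.verify(username, response, now)


def run_scenarios() -> dict:
    """Exercise the protocol; `now` is passed explicitly so expiry is testable."""
    srv = AuthServer()
    srv.register("alice", "3-17-8-22")          # constructed sample credential
    results = {"correct": client_login(srv, "alice", "3-17-8-22", now=1000.0),
               "wrong_password": client_login(srv, "alice", "3-17-8-21", now=1001.0)}
    # Replay: capture a valid response, then submit it a second time.
    salt, nonce = srv.issue_challenge("alice", now=1002.0)
    resp = compute_response(derive_key("3-17-8-22", salt), nonce)
    results["first_of_replay"] = srv.verify("alice", resp, now=1002.0)
    results["replay"] = srv.verify("alice", resp, now=1003.0)
    # Expiry: a correct response that arrives after the TTL.
    salt, nonce = srv.issue_challenge("alice", now=2000.0)
    resp = compute_response(derive_key("3-17-8-22", salt), nonce)
    results["expired"] = srv.verify("alice", resp, now=2000.0 + CHALLENGE_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:>16}: {'accepted' if ok else 'rejected'}")
```

Two caveats a practitioner would check. First, because the server must hold the same key the client derives, a server compromise exposes a usable key rather than a hash to be cracked, so the stored key needs the same protection as any shared secret. Second, single-use nonces defeat replay of a captured response, but not a phishing page that relays the genuine challenge to the victim and forwards the answer in real time; resistance to that attack has to come from elsewhere in the scheme.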
This research provides a graphical environment that assists users in creating a robust password, increases memorability, reduces the server storage required, and makes passwords impractical to share, which in turn resists phishing attacks; it thereby contributes to the existing solutions researchers have developed to mitigate attacks such as dictionary, brute-force and, most especially, shoulder surfing attacks.
The study focused on the development of an authentication scheme for identifying and authorizing users accessing web systems/applications, particularly the interface that interacts with the user in generating unique passwords. In addition, given the size of the image (in height and width) used in this research, a device with a screen of at least about 650 by 450 pixels is required to display the full work. The research covers user registration and authentication.