WO2016055835A1 - Graphical passwords system and a method for authenticating a user of a computer system - Google Patents

Graphical passwords system and a method for authenticating a user of a computer system Download PDF

Info

Publication number
WO2016055835A1
WO2016055835A1 PCT/IB2014/065166 IB2014065166W WO2016055835A1 WO 2016055835 A1 WO2016055835 A1 WO 2016055835A1 IB 2014065166 W IB2014065166 W IB 2014065166W WO 2016055835 A1 WO2016055835 A1 WO 2016055835A1
Authority
WO
WIPO (PCT)
Prior art keywords
server
storage unit
symbols
codes
stored
Prior art date
Application number
PCT/IB2014/065166
Other languages
French (fr)
Inventor
Nikita Zujevs
Original Assignee
Nikita Zujevs
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nikita Zujevs filed Critical Nikita Zujevs
Priority to PCT/IB2014/065166 priority Critical patent/WO2016055835A1/en
Publication of WO2016055835A1 publication Critical patent/WO2016055835A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/36User authentication by graphic or iconic representation

Definitions

  • the invention relates to systems and methods of authenticating users of electronic devices and computer systems.
  • a method for graphical image authentication comprising the steps of: generating a one-time password by generating an authenticating reference code that is displayed in a dynamic graphical arrangement of at least two images wherein each image has a corresponding access code that is displayed to the user, wherein the dynamic graphical arrangement of images comprises: at least one image selected from an authenticating category of graphical images, wherein the authenticating category of graphical images is preselected by the user from a plurality of different image categories and the specific image for each category is chosen randomly from a plurality of images for the specific category, and at least one image selected from a non-authenticating category of graphical images; presenting the dynamic graphical arrangement of images to a user; receiving as input from the user one or more access codes corresponding to images from the authenticating category of graphical images; and comparing one or more access codes received from the user to the authenticating reference code to authenticate the user.
  • the aim of the invention is to overcome the drawbacks of the prior art and to offer an improved graphical passwords system and the method.
  • the set aim is achieved by the offered system and method, where the method for authenticating a user of a computer system comprising a server A, a server B; the computer system operating an access device D having a display, a means for inputting information, the method comprising: (i) storing at least one set (Si, S 2 , ... S n ) of symbols in the storage unit of the server B, each set of symbols representing different category of symbols; (ii) storing the selected password in a storage unit of the server A; the selected password being a graphical password comprising one or more password elements sequentially selected from at least one set (Si, S 2 , ...
  • the offered method and system allow to safely protect users' accounts and passwords from shoulder surfing and man-in-the-middle attack.
  • Fig.l shows algorithm of generation of sets of unique codes by the system for authenticating a user of a computer system according to one embodiment of the invention
  • Fig. 2A and 2B - show examples of grid of images representing combinations of symbols randomly selected from one or more sets (Si, S 2 , ... S n ) of symbols and displayed on a display of the access device D of the system for authenticating a user of a computer system;
  • Fig. 3 shows another example of one combination of symbols randomly selected from one or more sets (Si, S 2 , ... S n ) of symbols and displayed on a display of the access device D of the system for authenticating a user of a computer system.
  • the system for authenticating a user comprises operably connected a server A, a server B, and at least one access device D having a display, a means for inputting information.
  • the computer system can be remote from the access device D.
  • the access device D can be a tablet, a desktop or a laptop computer, a smartphone, a point of sale terminal or a similar device configured to be connected to a wide area network, personal area network, local area network or campus area network.
  • Display and means for inputting information may be separate devices, such as display and input device and may be integrated one into another; display and means for inputting information may be also as one touch sensitive screen.
  • the server B comprises at least one set (Si, S 2 , ... S n ) of symbols, preferably three or more, stored in its storage unit, where each set of symbols represents different category of symbols.
  • each set of symbols represents different category of symbols.
  • the symbol under the present invention can be alpha-numeric element, color, image.
  • the server A comprises users' passwords, each of said passwords being a graphical password comprising one or more password elements sequentially selected from at least one set (S I, S2, ... Sn) of symbols stored in the storage unit of the server B.
  • the password is selected from three or four sets of symbols, each set of symbols representing different category of symbols.
  • the server B is configured to generate images, each image representing a combination of symbols randomly selected from at least one set (Si, S 2 , ... S n ) of symbols.
  • the server B is configured to generate said images so that each of said images does not contain repeating symbols. However symbols may repeat on different pictures.
  • "combination of symbols" means that symbols from one or more sets (Si, S 2 , ... S n ) of symbols can be located next to each other, be graphically integrated one into another, or combined together in other way, e.g. such as shown in Fig. 2A-2B, 3.
  • the server B is configured to generate images so that each image represents a combination of nonrepeating symbols randomly selected from each set (Si, S 2 , ... S n ) of symbols stored in the storage unit of the server B.
  • the server B is also configured to generate images so that each image contains from two to four combinations of randomly selected symbols.
  • the server A is configured to analyse whether the received selected image(s) contain all password elements stored in its storage unit and whether said password elements were obtained in the same sequence as they are stored in the storage unit. Further the server A is configured to authenticate a user (or confirm user's authentication) if the sequentially obtained selected image(s) contain all password elements stored in the storage unit of the server A and if said password elements were obtained in the same sequence as they are stored in its storage unit.
  • a request for generating images is sent from the access device D to the server B.
  • the server B generates a number of images, each image representing a combination of symbols randomly selected from at least one set (Si, S 2 , ... S n ) of symbols.
  • the server B Preferably the server B generates a number of images, each containing from two to four combinations of randomly selected non-repeating symbols from each set (Si, S 2 , ... S n ) of symbols.
  • the generated images are then sent from the server B to the access device D, where they are displayed on the display.
  • the system is configured to display on a display of the access device D said generated images, preferably a grid of said generated images, allowing user to select and, using means for inputting information, input the selected one or more image (for successful authentication the user should select one containing element of a password).
  • Several grids of different images are preferably sequentially displayed, so that each time the grid of images is displayed, the user is allowed to input image or use "refresh" function causing server B generating and sending another number of images, which are then displayed on the display of the access device D.
  • the system is configured so that the process of generating and displaying number of images and inputting an image is repeated until the user sends a command to the access device to send to the server A the image(s) selected by the user using the means for inputting information.
  • the server A analyses whether the received selected image(s) contain stored in its storage unit password elements and whether said password elements were obtained in the same sequence as they are stored in the storage unit. If the sequentially obtained selected image(s) contain password elements stored in the storage unit of the server A and if said password elements were obtained in the same sequence as they are stored in its storage unit, the server A authenticates the user (or confirms user's authentication).
  • server A and server B can be one and the same server or subsystem configured to perform functions of the servers A and B according to the present invention.
  • a unique code e.g. alpha-numeric or numeric, is assigned to each symbol of the sets (Si, S 2 , ... S n ) of symbols stored in the storage unit of the server B.
  • the sets (Si, S 2 , ... S n ) of symbols are stored together with associated with them said unique codes in the storage unit of the server B.
  • the access device D is operably connected with converting means for converting said unique codes to the respective symbols and selected symbols into the respective unique codes.
  • the converting means are connected to storage unit C comprising the same vocabulary as the storage unit of the server B, i.e.
  • the storage unit of the server A contains codes of the respective symbols of the users' passwords.
  • the server B instead of images the server B generates sets of said codes representing a combination of symbols randomly selected from the set or sets (Si, S 2 , ... S n ) of symbols described above. The possible algorithm of generation of randomly selected symbols is shown in Fig. 1. The generated sets of codes are then sent from the server B to the access device D.
  • the converting means convert said sets of unique codes to the respective images, which are displayed on the display of the access device D, allowing user inputting image or use "refresh" function causing the server B generating and sending another set of unique codes, which are then converted by the converting means into images and displayed on the display of the access device D.
  • the system is configured so that the process of generating the sets of codes, their conversion into images, displaying number of images and inputting an image is repeated until the user sends a command to the access device to send to the server A request for authentication.
  • Converting means convert combination of symbols selected by user using the means for inputting information to sets of unique codes according to the vocabulary stored in the storage unit C.
  • the converted sets of unique codes are then sent to the server A, which analyses whether the received selected codes contain stored in its storage unit codes corresponding to password elements and whether said codes were obtained in the same sequence as they are stored in the storage unit. If so - the server A authenticates the user (or confirms user's authentication).
  • the server A and server B can be one and the same server or subsystem configured to perform functions of the servers A and B according to the present embodiment.
  • the server A, B and the access device D are integrated into one device.
  • the server A, B and the access device D optionally also the storage unit C and the converting means, are integrated into one device.
  • a non-transitory storage medium having stored thereon instructions that, when executed by a processor of an electronic device, causes the electronic device to perform a method for authenticating a user of a computer system as set forth in this description.
  • the invention can be used for authenticating users of electronic devices and computer systems e.g. in different online services, such as webmail, internet forums, web based databases, online banking, for unlocking a smartphone and other.
  • online services such as webmail, internet forums, web based databases, online banking, for unlocking a smartphone and other.
  • the system for authenticating a user of a computer system comprising an access device D having a display, a means for inputting information, a server comprising subsystem A and subsystem B.
  • the subsystem B comprising three sets of symbols (Si, S 2 , S 3 ), Si being set of colours: white, red, blue, green, violet, yellow and pink; S 2 - set of geometrical shapes: circle, square, triangle, trapezium, pentagon, cross and rhomb; S 3 - figures from 0 to 9.
  • the subsystem A comprising passwords selected by each registered user of the system, each of said passwords being symbols from each sets of symbols (Si, S 2 , S 3 ); for instance: user one: red, square, 1; user two: green cross, 0.
  • the subsystem B On user's command frontend of application running on the access device D requests the subsystem B to generate images.
  • the subsystem B generates four images, each representing a combination of nine symbols randomly selected from each set (Si, S 2 , S 3 ) of symbols: (1) green square with figure 2, blue circle with figure 4, red triangle with figure 9; (2) violet circle with figure 5, white trapezium with figure 3, green cross with figure 8; (3) pink square with figure 1, white pentagon with figure 7, yellow cross with figure 9; (4) blue trapezium with figure 6, violet rhomb with figure 5 and pink pentagon with figure 7 (Fig. 2A).
  • Grid of said generated images is sent to the access device D and displayed on its display.
  • Frontend of application running on the access device D requests the subsystem B to generate another grid of images.
  • the generated images are displayed on the display of the access device D (Fig. 2B).
  • Frontend of application running on the access device D again requests the subsystem B to generate another grid of images.
  • the generated images are displayed on the display of the access device D; the user one selects an image containing third element of his password - figure 1. If user does not see element of his password on any of the images displayed, he presses refresh button or in other pre-determined way sends a request to the subsystem B to generate another four pictures with randomly selected symbols as described above.
  • all images selected by the user are sent from the access device D to the subsystem A.
  • the subsystem A analyses whether picture one received contains red, picture two - square and picture three - 1. If so - authenticates the user; if not - refuses to authenticate.
  • This system provides sufficient protection from "shoulder surfing" for the users' account and passwords.
  • the system for authenticating a user of a computer system comprising a converting means, an access device D having a display, a means for inputting information, a server A, a server B and a storage unit C.
  • the server B comprising three sets of symbols (Si, S 2 , S 3 ), Si being set of colours: white, red, blue, green, violet, yellow and pink; S 2 - set of geometrical shapes: circle, square, triangle, trapezium, pentagon, cross and rhomb; S 3 - figures from 0 to 9.
  • the server B further comprising unique codes assigned to each symbol of the sets (Si, S 2 , S 3 ) of symbols stored in the storage unit of the server B (see Table 1-3).
  • the storage unit C comprises the same three sets of symbols (Si, S 2 , S 3 ) and associated with them unique codes as the ones stored in the server B.
  • the server A comprises codes corresponding to passwords selected by each registered user of the system; for instance: user one: 20, 200, 8; user two: 40, 600, 9.
  • the converting means are adapted for converting said unique codes to the respective symbols (e.g. codes "20, 200, 8" to red, square, 1) and selected symbols into the respective unique codes.
  • the access device D sends a request to the server B to generate codes.
  • the server B generates four sets of codes, each representing a combination of nine symbols randomly selected from each set (Si, S 2 , S 3 ) of symbols: (1) 247, 135, 320; (2) 154, 416, 641; (3) 278, 512, 660; (4) 433, 754 and 572.
  • the server B sends to the access device D said generated sets of codes, where converting means convert the received sets of codes into the respective images, by obtaining the respective images corresponding to the sets of codes from the storage unit C; displaying grid of said images on the display of the access device D.
  • the process of selection is as set forth in the example 1.
  • the converting means convert images selected using the means for inputting information to sets of corresponding unique codes, obtaining the respective unique codes from the storage unit C. Further said converted codes are sent from the access device D to the server A, which analyses whether the received codes contain the same number and all stored in its storage unit codes and whether said codes were obtained in the same sequence as they are stored in the storage unit. If so - authenticates the user; if not - refuses to authenticate.
  • This system provides sufficient protection both from “shoulder surfing” and “man-in-the-middle attack” for the users' account and passwords.

Abstract

The invention relates to systems and methods of authenticating users of electronic devices and computer systems. The method comprises: storing at least one set (Si, S2,... Sn) of symbols in the storage unit of the server B; storing the selected password in a storage unit of the server A; the selected password being a graphical password comprising one or more password elements sequentially selected from at least one set (Si, S2,... Sn) of symbols stored in the storage unit of the server B; generating by the server B one or more images, each representing a combination of symbols randomly selected from one or more sets (Si, S2,... Sn) of symbols; sending to the server A the image(s) selected by a user using the means for inputting information; analysing by the server A whether the received selected image(s) contain the same number and all password elements stored in its storage unit and whether said password elements were obtained in the same sequence as they are stored in the storage unit; authenticating the user if the sequentially obtained selected image(s) contain the same number and all password elements stored in the storage unit of the server A and if said password elements were obtained in the same sequence as they are stored in the storage unit of the server A.

Description

Graphical passwords system and a method for authenticating a user of a computer system
Field of invention
The invention relates to systems and methods of authenticating users of electronic devices and computer systems.
Background Art
Security of data and user authentication is an important component of currently deployed security infrastructures. Typically used passwords and PIN codes have a number of drawbacks. Short and simple passwords are easy to remember, but are not safe enough. Complex passwords are more secure, but are difficult to remember. This disadvantage of user authentication systems can be solved by replacing authentication systems with typical alphanumeric passwords with systems using graphical passwords comprising images, which can be easily recognized by the user (R. Dhamija et. al. Deja Vu: A User Study Using Images for Authentication. Proceedings of the 9th USENIX Security Symposium. 2000).
There was made a number of more or less successful attempts to solve this issue.
There is known a method for generating a secret value (EP2386974 Al) comprising the steps of displaying an initial image comprising a plurality of graphical elements having at least two variants; receiving user input to select a variant of graphical elements, thereby generating a modified image; and generating the secret value from the selected variants of the graphical elements.
There is known a graphical password arrangement (US5559961 A), which displays a predetermined graphical image and requires a user to "touch" predetermined areas of the image in a predetermined sequence, as a means of entering a password.
There is known a method for graphical image authentication (US8117458 B2) comprising the steps of: generating a one-time password by generating an authenticating reference code that is displayed in a dynamic graphical arrangement of at least two images wherein each image has a corresponding access code that is displayed to the user, wherein the dynamic graphical arrangement of images comprises: at least one image selected from an authenticating category of graphical images, wherein the authenticating category of graphical images is preselected by the user from a plurality of different image categories and the specific image for each category is chosen randomly from a plurality of images for the specific category, and at least one image selected from a non-authenticating category of graphical images; presenting the dynamic graphical arrangement of images to a user; receiving as input from the user one or more access codes corresponding to images from the authenticating category of graphical images; and comparing one or more access codes received from the user to the authenticating reference code to authenticate the user.
There is known a method for graphical image authentication (US2007277224 Al) comprising the steps of: generating at least one dynamic graphical arrangement of images having: at least one image selected from an authenticating category of graphical images; and at least one image selected from a non-authenticating category of graphical images, each image having a corresponding access code; presenting the dynamic graphical arrangement of images to a user; receiving as input from the user the series of one or more access codes corresponding to images from the authenticating category of graphical images; and comparing the series of one or more access codes to an authenticating reference code to authenticate the user.
The disadvantage of the known prior art methods is relatively insufficient security. Most of them are vulnerable to man-in-the-middle attack, or to shoulder surfing, or screen captures attacks, which after some analysis of the screenshots allows to realize the graphical passwords.
Brief summary of the invention
The aim of the invention is to overcome the drawbacks of the prior art and to offer an improved graphical passwords system and the method.
The set aim is achieved by the offered system and method, where the method for authenticating a user of a computer system comprising a server A, a server B; the computer system operating an access device D having a display, a means for inputting information, the method comprising: (i) storing at least one set (Si, S2, ... Sn) of symbols in the storage unit of the server B, each set of symbols representing different category of symbols; (ii) storing the selected password in a storage unit of the server A; the selected password being a graphical password comprising one or more password elements sequentially selected from at least one set (Si, S2, ... Sn) of symbols stored in the storage unit of the server B; (iii) sending from the access device D to the server B a request for generating images; (iv) generating by the server B one or more images, each representing a combination of symbols randomly selected from one or more sets (Si, S2, ... Sn) of symbols; (v) sending from the server B to the access device D said generated images; displaying said images on the display of the access device D; (vi) sending from the access device D to the server A the image(s) selected by a user using the means for inputting information; (vii) analysing by the server A whether the received selected image(s) contain the same number and all stored in its storage unit password elements and whether said password elements were obtained in the same sequence as they are stored in the storage unit; (viii) authenticating the user if the sequentially obtained selected image(s) contain the same number and all stored in the storage unit of the server A password elements and if said password elements were obtained in the same sequence as they are stored in the storage unit of the server A. Other embodiments are also further disclosed.
The offered method and system allow to safely protect users' accounts and passwords from shoulder surfing and man-in-the-middle attack.
Short description of drawings
Fig.l (continued on 4 pages) shows algorithm of generation of sets of unique codes by the system for authenticating a user of a computer system according to one embodiment of the invention;
Fig. 2A and 2B - show examples of grid of images representing combinations of symbols randomly selected from one or more sets (Si, S2, ... Sn) of symbols and displayed on a display of the access device D of the system for authenticating a user of a computer system;
Fig. 3 shows another example of one combination of symbols randomly selected from one or more sets (Si, S2, ... Sn) of symbols and displayed on a display of the access device D of the system for authenticating a user of a computer system.
Detailed description of the invention
The system for authenticating a user comprises operably connected a server A, a server B, and at least one access device D having a display, a means for inputting information. The computer system can be remote from the access device D.
The access device D can be a tablet, a desktop or a laptop computer, a smartphone, a point of sale terminal or a similar device configured to be connected to a wide area network, personal area network, local area network or campus area network. Display and means for inputting information may be separate devices, such as display and input device and may be integrated one into another; display and means for inputting information may be also as one touch sensitive screen.
The server B comprises at least one set (Si, S2, ... Sn) of symbols, preferably three or more, stored in its storage unit, where each set of symbols represents different category of symbols. In this description under the term„symbol" means different types of graphical elements or features. For instance, the symbol under the present invention can be alpha-numeric element, color, image.
The server A comprises users' passwords, each of said passwords being a graphical password comprising one or more password elements sequentially selected from at least one set (S I, S2, ... Sn) of symbols stored in the storage unit of the server B. Preferably the password is selected from three or four sets of symbols, each set of symbols representing different category of symbols.
The server B is configured to generate images, each image representing a combination of symbols randomly selected from at least one set (Si, S2, ... Sn) of symbols. According to one embodiment the server B is configured to generate said images so that each of said images does not contain repeating symbols. However symbols may repeat on different pictures. In this description "combination of symbols" means that symbols from one or more sets (Si, S2, ... Sn) of symbols can be located next to each other, be graphically integrated one into another, or combined together in other way, e.g. such as shown in Fig. 2A-2B, 3. Preferably the server B is configured to generate images so that each image represents a combination of nonrepeating symbols randomly selected from each set (Si, S2, ... Sn) of symbols stored in the storage unit of the server B. Preferably the server B is also configured to generate images so that each image contains from two to four combinations of randomly selected symbols.
The server A is configured to analyse whether the received selected image(s) contain all password elements stored in its storage unit and whether said password elements were obtained in the same sequence as they are stored in the storage unit. Further the server A is configured to authenticate a user (or confirm user's authentication) if the sequentially obtained selected image(s) contain all password elements stored in the storage unit of the server A and if said password elements were obtained in the same sequence as they are stored in its storage unit. For authenticating a user a request for generating images is sent from the access device D to the server B. The server B generates a number of images, each image representing a combination of symbols randomly selected from at least one set (Si, S2, ... Sn) of symbols. Preferably the server B generates a number of images, each containing from two to four combinations of randomly selected non-repeating symbols from each set (Si, S2, ... Sn) of symbols. The generated images are then sent from the server B to the access device D, where they are displayed on the display.
The system is configured to display on a display of the access device D said generated images, preferably a grid of said generated images, allowing user to select and, using means for inputting information, input the selected one or more image (for successful authentication the user should select one containing element of a password). Several grids of different images are preferably sequentially displayed, so that each time the grid of images is displayed, the user is allowed to input image or use "refresh" function causing server B generating and sending another number of images, which are then displayed on the display of the access device D. The system is configured so that the process of generating and displaying number of images and inputting an image is repeated until the user sends a command to the access device to send to the server A the image(s) selected by the user using the means for inputting information.
When a user finished inputting the selected one or more images and sent a command from the access device D to the server A, the server A analyses whether the received selected image(s) contain stored in its storage unit password elements and whether said password elements were obtained in the same sequence as they are stored in the storage unit. If the sequentially obtained selected image(s) contain password elements stored in the storage unit of the server A and if said password elements were obtained in the same sequence as they are stored in its storage unit, the server A authenticates the user (or confirms user's authentication).
According to another embodiment the server A and server B can be one and the same server or subsystem configured to perform functions of the servers A and B according to the present invention.
According to the preferred embodiment a unique code, e.g. alpha-numeric or numeric, is assigned to each symbol of the sets (Si, S2, ... Sn) of symbols stored in the storage unit of the server B. According to this embodiment the sets (Si, S2, ... Sn) of symbols are stored together with associated with them said unique codes in the storage unit of the server B. Hereto the access device D is operably connected with converting means for converting said unique codes to the respective symbols and selected symbols into the respective unique codes. The converting means are connected to storage unit C comprising the same vocabulary as the storage unit of the server B, i.e. unique codes and associated with them symbols of the sets (Si, S2, · · · Sn) of symbols stored in the storage unit of the server B. The storage unit of the server A contains codes of the respective symbols of the users' passwords. In this embodiment instead of images the server B generates sets of said codes representing a combination of symbols randomly selected from the set or sets (Si, S2, ... Sn) of symbols described above. The possible algorithm of generation of randomly selected symbols is shown in Fig. 1. The generated sets of codes are then sent from the server B to the access device D. The converting means convert said sets of unique codes to the respective images, which are displayed on the display of the access device D, allowing user inputting image or use "refresh" function causing the server B generating and sending another set of unique codes, which are then converted by the converting means into images and displayed on the display of the access device D. As in previous embodiment the system is configured so that the process of generating the sets of codes, their conversion into images, displaying number of images and inputting an image is repeated until the user sends a command to the access device to send to the server A request for authentication.
Converting means convert combination of symbols selected by user using the means for inputting information to sets of unique codes according to the vocabulary stored in the storage unit C. The converted sets of unique codes are then sent to the server A, which analyses whether the received selected codes contain stored in its storage unit codes corresponding to password elements and whether said codes were obtained in the same sequence as they are stored in the storage unit. If so - the server A authenticates the user (or confirms user's authentication). The server A and server B can be one and the same server or subsystem configured to perform functions of the servers A and B according to the present embodiment.
According to one embodiment the server A, B and the access device D, optionally also the storage unit C and the converting means, are integrated into one device.According to yet another embodiment there is offered a non-transitory storage medium having stored thereon instructions that, when executed by a processor of an electronic device, causes the electronic device to perform a method for authenticating a user of a computer system as set forth in this description.
The invention can be used for authenticating users of electronic devices and computer systems e.g. in different online services, such as webmail, internet forums, web based databases, online banking, for unlocking a smartphone and other.
Examples of implementation of the invention
Example 1
The system for authenticating a user of a computer system comprising an access device D having a display, a means for inputting information, a server comprising subsystem A and subsystem B. The subsystem B comprising three sets of symbols (Si, S2, S3), Si being set of colours: white, red, blue, green, violet, yellow and pink; S2 - set of geometrical shapes: circle, square, triangle, trapezium, pentagon, cross and rhomb; S3 - figures from 0 to 9. The subsystem A comprising passwords selected by each registered user of the system, each of said passwords being symbols from each sets of symbols (Si, S2, S3); for instance: user one: red, square, 1; user two: green cross, 0.
On user's command frontend of application running on the access device D requests the subsystem B to generate images. The subsystem B generates four images, each representing a combination of nine symbols randomly selected from each set (Si, S2, S3) of symbols: (1) green square with figure 2, blue circle with figure 4, red triangle with figure 9; (2) violet circle with figure 5, white trapezium with figure 3, green cross with figure 8; (3) pink square with figure 1, white pentagon with figure 7, yellow cross with figure 9; (4) blue trapezium with figure 6, violet rhomb with figure 5 and pink pentagon with figure 7 (Fig. 2A).
Grid of said generated images is sent to the access device D and displayed on its display. The user one selects first image as it contains red colour. Frontend of application running on the access device D requests the subsystem B to generate another grid of images. The generated images are displayed on the display of the access device D (Fig. 2B). The user one selects first image as it contains square. Frontend of application running on the access device D again requests the subsystem B to generate another grid of images. The generated images are displayed on the display of the access device D; the user one selects an image containing third element of his password - figure 1. If user does not see element of his password on any of the images displayed, he presses refresh button or in other pre-determined way sends a request to the subsystem B to generate another four pictures with randomly selected symbols as described above. When the pre-set number of pictures, corresponding to number of elements of the password, are selected by the user, all images selected by the user are sent from the access device D to the subsystem A. The subsystem A analyses whether picture one received contains red, picture two - square and picture three - 1. If so - authenticates the user; if not - refuses to authenticate.
This system provides sufficient protection from "shoulder surfing" for the users' account and passwords.
Example 2
The system for authenticating a user of a computer system comprising a converting means, an access device D having a display, a means for inputting information, a server A, a server B and a storage unit C. The server B comprising three sets of symbols (Si, S2, S3), Si being set of colours: white, red, blue, green, violet, yellow and pink; S2 - set of geometrical shapes: circle, square, triangle, trapezium, pentagon, cross and rhomb; S3 - figures from 0 to 9. The server B further comprising unique codes assigned to each symbol of the sets (Si, S2, S3) of symbols stored in the storage unit of the server B (see Table 1-3).
Table 1 Table 2 Table 3
Figure imgf000009_0002
Figure imgf000009_0003
Figure imgf000009_0001
The storage unit C comprises the same three sets of symbols (Si, S2, S3) and associated with them unique codes as the ones stored in the server B.
The server A comprises codes corresponding to passwords selected by each registered user of the system; for instance: user one: 20, 200, 8; user two: 40, 600, 9. The converting means are adapted for converting said unique codes to the respective symbols (e.g. codes "20, 200, 8" to red, square, 1) and selected symbols into the respective unique codes.
On user's command the access device D sends a request to the server B to generate codes. The server B generates four sets of codes, each representing a combination of nine symbols randomly selected from each set (Si, S2, S3) of symbols: (1) 247, 135, 320; (2) 154, 416, 641; (3) 278, 512, 660; (4) 433, 754 and 572. The server B sends to the access device D said generated sets of codes, where converting means convert the received sets of codes into the respective images, by obtaining the respective images corresponding to the sets of codes from the storage unit C; displaying grid of said images on the display of the access device D. The process of selection is as set forth in the example 1.
The converting means convert images selected using the means for inputting information to sets of corresponding unique codes, obtaining the respective unique codes from the storage unit C. Further said converted codes are sent from the access device D to the server A, which analyses whether the received codes contain the same number and all stored in its storage unit codes and whether said codes were obtained in the same sequence as they are stored in the storage unit. If so - authenticates the user; if not - refuses to authenticate.
This system provides sufficient protection both from "shoulder surfing" and "man-in-the-middle attack" for the users' account and passwords.

Claims

Claims
1. A method for authenticating a user of a computer system comprising a server A, a server B; the computer system operating an access device D having a display, a means for inputting information, the method comprising:
(i) storing at least one set (Si, S2, ... Sn) of symbols in the storage unit of the server B, each set of symbols representing different category of symbols;
(ii) storing the selected password in a storage unit of the server A; the selected password being a graphical password comprising one or more password elements sequentially selected from at least one set (Si, S2, ... Sn) of symbols stored in the storage unit of the server B;
(iii) sending from the access device D to the server B a request for generating images;
(iv) generating by the server B one or more images, each representing a combination of symbols randomly selected from one or more sets (Si, S2, ... Sn) of symbols;
(v) sending from the server B to the access device D said generated images; displaying said images on the display of the access device D;
(vi) sending from the access device D to the server A the image(s) selected by a user using the means for inputting information;
(vii) analysing by the server A whether the received selected image(s) contain the same number and all password elements stored in its storage unit and whether said password elements were obtained in the same sequence as they are stored in the storage unit;
(viii) authenticating the user if the sequentially obtained selected image(s) contain the same number and all password elements stored in the storage unit of the server A and if said password elements were obtained in the same sequence as they are stored in the storage unit of the server A.
2. The method according to claim 1, wherein a unique code is assigned to each symbol of the sets (Si, S2, ... Sn) of symbols stored in the storage unit of the server B; where the computer system further comprising converting means for converting said unique codes to the respective symbols and selected symbols into the respective unique codes, said converting means being operably connected with the access device D and with a storage unit C, the method comprising the steps: (i) storing at least one set (Si, S2, ... Sn) of symbols together with associated with them said unique codes in the storage unit of the server B, each set of symbols representing different category of symbols;
(ii) storing in the storage unit C the same sets of symbols together with associated with them said unique codes as in the storage unit of the server B;
(iii) storing codes corresponding to the selected password in a storage unit of the server A; where the selected password is a graphical password comprising one or more password elements sequentially selected from at least one set (Si, S2, ... Sn) of symbols stored in the storage unit of the server B;
(iv) sending from the access device D to the server B a request for generating sets of codes;
(v) generating by the server B sets of said codes representing a combination of symbols randomly selected from the set or sets (Si, S2, ... Sn);
(vi) sending from the server B to the access device D said generated sets of codes; converting the received sets of codes into the respective images by the converting means obtaining the respective images corresponding to the sets of codes from the storage unit C; displaying said images on the display of the access device D;
(vii) converting by the converting means images selected using the means for inputting information to sets of corresponding unique codes, obtaining the respective unique codes from the storage unit C; sending from the access device D to the server A the converted unique codes;
(viii) analysing by the server A whether the received codes contain the same number and all codes stored in its storage unit and whether said codes were obtained in the same sequence as they are stored in the storage unit;
(ix) authenticating the user if the sequentially obtained codes contain the same number and all codes stored in the storage unit of the server A and if said password codes were obtained in the same sequence as they are stored in the storage unit of the server A.
3. The method according to claim 1 or 2, wherein at the step (iv) the server B generates a number of images, each containing from two to four combinations of randomly selected non-repeating symbols from each set (Si, S2, ... Sn) of symbols.
4. A system for authenticating a user of a computer system comprising: a server A, a server B, at least one access device D having a display and a means for inputting information; the access device D is configured to accesses a service made available by the servers A and B, each comprising a storage unit; where the server B comprises at least one set (Si, S2, ... Sn) of symbols stored in its storage unit, where each set of symbols representing different category of symbols; the server A comprises users' passwords, each of said passwords being a graphical password comprising one or more password elements sequentially selected from at least one set (Si, S2, ... Sn) of symbols stored in the storage unit of the server B; the server B is configured to generate images, each image representing a combination of symbols randomly selected from at least one set (Si, S2, ... Sn) of symbols; the server A is configured to analyse whether the received selected image(s) contain the same number and all password elements stored in its storage unit and whether said password elements were obtained in the same sequence as they are stored in the storage unit; the server A is also configured to authenticate a user or confirm user's authentication if the sequentially obtained selected image(s) contain the same number and all password elements stored in the storage unit of the server A and if said password elements were obtained in the same sequence as they are stored in its storage unit; the system is configured to allow sending from the access device D to the server B request for generating images, sending from the server B to the access device D generated images, displaying said images on the display of the access device D and sending from the access device D to the server A the image(s) selected by a user using the means for inputting information.
5. The system according to claim 4, wherein the server B is configured to generate a number of images, each containing from two to four combinations of randomly selected non-repeating symbols from each set (Si, S2, ... Sn) of symbols.
6. The system according to claims 4 or 5, further comprising a storage unit C and converting means operably connected to the storage unit C and the access device D, where the storage unit of the server the B comprises at least one set (Si, S2, ... Sn) of symbols and unique codes assigned to each symbol of the sets (Si, S2, ... Sn) of symbols stored in the storage unit of the server B; the server A comprises codes corresponding to the selected passwords; the storage unit C comprising the same sets of symbols together with associated with them said unique codes as the storage unit of the server B; the server B is configured to generate sets of said codes representing a combination of symbols randomly selected from the set or sets (Si, S2, ... Sn); the server A is configured to analyse whether the received codes contain the same number and all codes stored in its storage unit and whether said codes were obtained in the same sequence as they are stored in the storage unit; the server A is also configured to authenticate a user or confirm user's authentication if the sequentially obtained codes contain the same number and all codes stored in the storage unit of the server A and if said password codes were obtained in the same sequence as they are stored in the storage unit of the server A; the system is configured to allow sending from the access device D to the server B request for generating sets of codes, sending from the server B to the access device D said generated sets of codes, converting the received sets of codes into the respective images by the converting means obtaining the respective images corresponding to the sets of codes from the storage unit C, displaying said images on the display of the access device D, converting by the converting means images selected using the means for inputting information to sets of corresponding unique codes, obtaining the respective unique codes from the storage unit C; sending from the access device D to the server A the converted unique codes.
7. The system according to claims 4, 5 or 6, wherein the server A and server B is one and the same server or subsystem configured to perform functions of the servers A and B.
8. The system according to any claim 7, wherein server A, B and the access device D, optionally also the storage unit C and the converting means, are integrated into one device.
9. A non-transitory storage medium having stored thereon instructions that, when executed by a processor of an electronic device, causes the electronic device to perform a method for authenticating a user of a computer system as per any preceding claims 1-3.
PCT/IB2014/065166 2014-10-09 2014-10-09 Graphical passwords system and a method for authenticating a user of a computer system WO2016055835A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/IB2014/065166 WO2016055835A1 (en) 2014-10-09 2014-10-09 Graphical passwords system and a method for authenticating a user of a computer system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/IB2014/065166 WO2016055835A1 (en) 2014-10-09 2014-10-09 Graphical passwords system and a method for authenticating a user of a computer system

Publications (1)

Publication Number Publication Date
WO2016055835A1 true WO2016055835A1 (en) 2016-04-14

Family

ID=55652637

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2014/065166 WO2016055835A1 (en) 2014-10-09 2014-10-09 Graphical passwords system and a method for authenticating a user of a computer system

Country Status (1)

Country Link
WO (1) WO2016055835A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109788481A (en) * 2019-01-25 2019-05-21 刘美连 A kind of method and device for preventing from illegally accessing monitoring
US11425121B2 (en) 2020-12-15 2022-08-23 International Business Machines Corporation Generating an evaluation-mask for multi-factor authentication

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030210127A1 (en) * 2002-05-10 2003-11-13 James Anderson System and method for user authentication
US20130021249A1 (en) * 2004-12-16 2013-01-24 Pinoptic Limited User validation using images

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030210127A1 (en) * 2002-05-10 2003-11-13 James Anderson System and method for user authentication
US20130021249A1 (en) * 2004-12-16 2013-01-24 Pinoptic Limited User validation using images

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109788481A (en) * 2019-01-25 2019-05-21 刘美连 A kind of method and device for preventing from illegally accessing monitoring
CN109788481B (en) * 2019-01-25 2021-12-28 中科大路(青岛)科技有限公司 Method and device for preventing illegal access monitoring
US11425121B2 (en) 2020-12-15 2022-08-23 International Business Machines Corporation Generating an evaluation-mask for multi-factor authentication

Similar Documents

Publication Publication Date Title
Gurav et al. Graphical password authentication: Cloud securing scheme
Sreelatha et al. Authentication schemes for session passwords using color and images
US8875264B2 (en) System, method and program for off-line two-factor user authentication
US20050193208A1 (en) User authentication
US20120005483A1 (en) Method for Image-Based Authentication
US11354396B2 (en) Authentication systems using sequences of tile selections from a grid
Almuairfi et al. IPAS: implicit password authentication system
US20140359299A1 (en) Method for Determination of User's Identity
TWI540874B (en) Identity authentication method, device and system
CN111143812B (en) Login authentication method based on graphics
Saeed et al. A hybrid graphical user authentication scheme
CN106997432A (en) Picture password authentication method and picture password authentication device
WO2016055835A1 (en) Graphical passwords system and a method for authenticating a user of a computer system
KR20130085566A (en) Apparatus and method of authentifying password using captcha
Othman et al. Directional Based Graphical Authentication Method with Shoulder Surfing Resistant
CN107169341A (en) Picture password generation method and picture password generating means
Ahsan et al. Graphical password authentication using images sequence
Anand et al. Security analysis and implementation of 3-level security system using image based authentication
Aldwairi et al. Multi-factor authentication system
Rao et al. Improved session based password security system
Alsaiari et al. A review of graphical authentication utilising a keypad input method
Rajavat et al. Textual and graphical password authentication scheme resistant to shoulder surfing
Behl et al. Multi-level scalable textual-graphical password authentication scheme for web based applications
EP4258142A1 (en) Method for validating user authentication in information systems
Songcuan et al. Jumbled passsteps: a hotspot guessing attack resistant graphical password authentication scheme based on the modified passmatrix method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14903795

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14903795

Country of ref document: EP

Kind code of ref document: A1