Design, Analysis, and Implementation of a Two-factor Authentication Scheme using Graphical Password

Full Text (PDF, 621KB), PP.39-51



Khaja Mizbahuddin Quadry 1,*, A Govardhan 2, Mohammed Misbahuddin 3

1. JNTUK, Andhra Pradesh, India

2. JNTUH, Telangana State, India

3. C-DAC, Bangalore, Karnataka, India

* Corresponding author.


Received: 19 Sep. 2020 / Revised: 8 Oct. 2020 / Accepted: 30 Oct. 2020 / Published: 8 Jun. 2021

Index Terms

Graphical Password, Two-factor Authentication, e-commerce, Smart Card, Stolen-verifier Attack


With the growing number of e-services, online financial transactions have increased sharply. These services require a strong authentication scheme to validate their users before allowing access to resources. Since two-factor authentication provides the required security strength, various organizations employ biometric-based, smart card-based, or cryptographic token-based methods to ensure the safety of user accounts. However, most of these methods require a verifier table for validating users at the server, which poses the threat of a stolen-verifier attack. To address this issue, there is a strong need for authentication schemes for e-services that do not require a verifier table at the server. This paper therefore proposes the design of an authentication scheme for e-services that is intended to resist various attacks, including the stolen-verifier attack. The paper also discusses: 1) an analysis of the security the proposed scheme provides against known authentication attacks, and 2) a concept implementation of the proposed scheme.

Cite This Paper

Khaja Mizbahuddin Quadry, A Govardhan, Mohammed Misbahuddin, "Design, Analysis, and Implementation of a Two-factor Authentication Scheme using Graphical Password", International Journal of Computer Network and Information Security (IJCNIS), Vol.13, No.3, pp.39-51, 2021. DOI: 10.5815/ijcnis.2021.03.04

