
Defending Shoulder Surfing Attacks in Secure Transactions using Multi Color Technique


To improve the security of various devices, graphical passwords offer a memorable authentication method for authorization. When a user enters a personal identification number (PIN) as a numeric password on a mobile or stationary system, shoulder surfing attacks become a great concern. This paper aims to prevent shoulder surfing attacks and to establish a secure transaction between the mobile app and the server by implementing the Multi Color Technique. In the Multi Color method, every numeric key is visually split into two halves, and the halves are filled with two distinct colors at the same time, so there are four color groups on the numeric keypad and two colors for every numeric key. This method is significantly more secure and usable than previous proposals.
Keywords: Authentication, Personal Identification Number, Shoulder Surfing Attack, Validation, Hash function.
Authentication is the process of confirming the identity of a person or thing. In private and public computer networks, authentication is usually done through the use of passwords. Passwords are used for logging into accounts and e-mail, and for accessing applications, networks, web sites, workstations, etc. The most widely used authentication techniques are token-based authentication (e.g. key cards, bank cards, smart cards), biometric authentication (e.g. fingerprints, iris scans, facial recognition), and knowledge-based authentication (e.g. text-based passwords, picture-based passwords).
A password is a secret word or string of characters that a user presents to prove his identity and gain access to resources. There are two types of passwords: alphanumeric passwords and graphical passwords. Ideally, an alphanumeric password should combine upper and lower case letters and digits and be at least 8 characters long, and it should not be a word that can be found in a dictionary or public directory. But the two requirements on an alphanumeric password, easy to remember and hard to guess, conflict, and most users tend to ignore the second requirement, which leads to weak passwords. Numerous solutions have been proposed to avoid this issue; the graphical password is one of them.
Graphical Password
A graphical password is an authentication system in which the user selects a password using images, in a specific order, presented in a graphical user interface. For this reason, the graphical-password technique is sometimes called graphical user authentication. It is more difficult to break graphical passwords using traditional attack methods such as brute force attacks, spyware or dictionary attacks. An example is a system that displays an image on the screen and lets the user choose a password by clicking on some points in it. These clicks are the "password", and the user has to click close to the same points again in order to complete the authentication. Such passwords are easier to remember and hard to guess. There are two types of graphical password: recall-based techniques and recognition-based techniques. In a recall-based technique, the user is asked to reproduce something that the user created or selected earlier, during the registration stage. In a recognition-based technique, the user is presented with a set of images and passes the authentication by recognizing and identifying the images that were selected during the registration stage. Another kind of secret password is the personal identification number.
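The click-point check described above (a recall-based technique: the user must click close to the registered points again, in the same order), written out as an added example. This is not the paper's code; the coordinate space (fractions of the image size) and the tolerance radius are assumptions.

```python
"""Added example: click-point (recall-based) graphical password check.
Not the paper's code; the tolerance radius and the 0..1 coordinate space are assumptions."""
import math

# Assumed: maximum distance, as a fraction of the image size, between a login click
# and the registered point for the click to count as a match.
TOLERANCE = 0.03


def register(click_points):
    """Registration stage: keep the user's click points in the order they were made."""
    points = [(float(x), float(y)) for x, y in click_points]
    if len(points) < 3:
        raise ValueError("choose at least three click points")
    return points


def authenticate(registered, attempt, tolerance=TOLERANCE):
    """Login stage: every click must land within `tolerance` of the matching
    registered point, in the same order. All points are compared even after a
    miss, so the amount of work done does not reveal which click was wrong."""
    if len(attempt) != len(registered):
        return False
    misses = 0
    for (rx, ry), (ax, ay) in zip(registered, attempt):
        if math.dist((rx, ry), (ax, ay)) > tolerance:
            misses += 1
    return misses == 0


if __name__ == "__main__":
    secret = register([(0.12, 0.40), (0.55, 0.22), (0.81, 0.77)])  # constructed sample
    print(authenticate(secret, [(0.13, 0.41), (0.54, 0.23), (0.80, 0.76)]))  # close enough
    print(authenticate(secret, [(0.55, 0.22), (0.12, 0.40), (0.81, 0.77)]))  # wrong order
```

The tolerance is the usability knob: a larger radius forgives imprecise clicks but also enlarges the region a guess has to hit, so it should be chosen against the image size and the number of click points rather than fixed once for all deployments.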
Personal Identification Number
When a personal identification number (PIN) is used as a 4-digit numeric password in mobile or stationary systems, including smart phones, tablet computers, automated teller machines (ATMs) and point-of-sale (PoS) terminals, a direct observation attack based on shoulder surfing becomes a great concern. PIN entry can be observed by nearby adversaries, more effectively in a crowded area. Usually a user chooses the same PIN for various purposes and uses it repeatedly, so a compromise of the PIN may put the user at great risk. To cope with this problem, which lies between the user and the system, cryptographic prevention techniques are hardly applicable, because human users are limited in their capacity to process information. Instead, there have been alternative approaches that consider the asymmetry between the user and the system.
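A toy model of the colored keypad from the abstract (two distinct colors per key drawn from four color groups) and of the user/system asymmetry this passage refers to, as an added example that is not the paper's implementation. The response rule (the user presses a color button rather than the digit), the fresh random layout for every digit, and the color names are all assumptions; the point it makes is the one a defender wants checked: a single observed entry leaves an onlooker with roughly five candidates per position, but the candidate sets shrink when the same PIN is observed repeatedly.

```python
"""Added example: toy model of a randomly colored PIN keypad and of what a
shoulder surfer learns from it. Not the paper's implementation; the response
rule, the fresh layout per digit and the four color names are assumptions."""
import random

COLORS = ("red", "green", "blue", "yellow")       # the four color groups
DIGITS = tuple(str(d) for d in range(10))         # keys 0-9


def color_keypad(rng):
    """One keypad layout: each key is split in two halves that carry two distinct
    colors. Assumption: a fresh layout is drawn for every digit the user enters."""
    return {d: tuple(rng.sample(COLORS, 2)) for d in DIGITS}


def user_response(layout, digit, rng):
    """Honest user. Assumed response rule: instead of touching the digit, the
    user presses one of the two color buttons shown on that digit's key."""
    return rng.choice(layout[digit])


def verify_entry(layouts, pin, responses):
    """Server side: the i-th response must be a color that the i-th layout put
    on the key of the i-th PIN digit. Every position is checked, no early exit."""
    if not (len(layouts) == len(responses) == len(pin)):
        return False
    ok = True
    for layout, digit, color in zip(layouts, pin, responses):
        ok &= color in layout[digit]
    return ok


def observer_candidates(layout, observed_color):
    """Digits an onlooker who saw the layout and the pressed color cannot rule out."""
    return {d for d in DIGITS if observed_color in layout[d]}


def simulate_sessions(pin, n_sessions, seed=0):
    """Run n honest entries of `pin` and return, per position, the digits that
    remain possible for an observer who watched all n sessions."""
    rng = random.Random(seed)
    survivors = [set(DIGITS) for _ in pin]
    for _ in range(n_sessions):
        layouts = [color_keypad(rng) for _ in pin]
        responses = [user_response(lay, d, rng) for lay, d in zip(layouts, pin)]
        assert verify_entry(layouts, pin, responses)   # an honest user always passes
        for i, (lay, color) in enumerate(zip(layouts, responses)):
            survivors[i] &= observer_candidates(lay, color)
    return survivors


def candidate_pin_count(survivors):
    """Number of PINs still consistent with everything the observer saw."""
    n = 1
    for s in survivors:
        n *= len(s)
    return n


if __name__ == "__main__":
    pin = "2580"                                   # constructed sample PIN
    for n in (1, 3, 10, 40):
        left = candidate_pin_count(simulate_sessions(pin, n, seed=7))
        print(f"{n:2d} observed session(s): {left} PINs still possible")
```

Each color sits on about half of the ten keys, so one observed session leaves about 5 candidates per position (roughly 625 PINs in total) while the digits themselves were never touched; that is the asymmetry the scheme relies on. The intersection over sessions is the caveat: an observer who can watch the same PIN entered many times narrows the set down, so any evaluation of such a keypad has to state how many observations it is meant to resist, not just one.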

