ABSTRACT: There are a large number of Internet users around the world. Our software applications deal with sensitive as well as private information, which must be protected from misuse by malicious users and their attacks. Hence authentication is a very important technique by which the system can identify the type of user. There are many authentication schemes available, among which password-based authentication is the most used, as it is cost effective and secure. The classical PIN entry mechanism is widely used because of its ease of use and security, but it often leads to a shoulder-surfing attack, in which an attacker can record the login session and retrieve the user's original PIN for misuse in the future. Based on the information available to the attacker, the login methods can be categorized into fully observable and partially observable. In a fully observable attack the attacker can observe the entire login procedure, and in a partially observable attack the attacker can observe only part of the login session. The existing Color Pass methodology provides a one-time pass paradigm corresponding to four color PINs, in which the user gets four challenges and enters a response to each challenge. It is easy to use and does not require any additional knowledge. This method has a drawback, as the user uses headphones to receive the color values. Sometimes the headphones do not work properly or the user cannot hear clearly, which leads to poor understanding of the challenge values. Here 0-9 feature tables are generated, which increases the user response time. To overcome this disadvantage, in the proposed Multi Color Pass system the color values will be received via mobile phone. Instead of Feature
In Shoulder Surfing Safe Login (SSSL), proposed by Perkovic et al., the user does not enter any numbers; instead the user responds with directions. Here the user remembers a five-digit PIN, the system presents values to the user with respect to a table, and the keypad consists of arrows. SSSL gives a robust solution to the shoulder-surfing attack. However, in SSSL the correlation between digits can be observed by a clever attacker, who may use it to guess the PIN.
The biggest threat nowadays to users who need a password for their account is the shoulder-surfing attack. Shoulder surfing is an attack that can be performed by an unauthorized user to obtain the authorized user's password by watching over the user's shoulder when he enters his password. This attack is usually effective in crowded places, because it is easy to observe someone without being suspicious as they fill in their password field. The shoulder-surfing attack can occur when the user enters a PIN at an automated teller machine or enters a password at a cybercafe or in public and university libraries. Besides, shoulder surfing can also be done at a distance using tools like binoculars or other vision-enhancing devices. Some inexpensive and simple devices can also be used to mount this attack, such as an illegally installed tiny camera that observes data entry.
Web applications and mobile applications are used widely everywhere on various devices. This evolution is very useful, but it also increases the probability of leaking a password through shoulder-surfing attacks. In this attack, the attacker observes the password directly or uses external recording devices or video capture to collect it. To overcome this, we propose a system that provides a pair-based method and a graphical password based on the Pass Matrix concept to resist the shoulder-surfing attack. Pass Matrix is considered a novel and easy-to-use graphical password authentication system, which can effectively resist shoulder-surfing attacks. In a graphical password, users click on images to authenticate themselves. Experimental results show that the proposed system achieves better resistance to shoulder-surfing attacks while maintaining usability.
No special mathematical knowledge is required to use our scheme. Thus the scheme can easily be used by any type of user, which widens the scope of applicability of our scheme. However, one problem associated with our scheme is that it cannot be used by color-blind people, as the scheme is based on colors only. Except for this limitation, our methodology is quite powerful against attacks such as PIN guessing, the shoulder-surfing attack and side-channel attacks, and yet provides a simple-to-use interface with a very low login time.

5. CONCLUSIONS
The shoulder-surfing attack is an attack that can be performed by an adversary to obtain the user's password by watching over the user's shoulder as he enters his password. As conventional password schemes are vulnerable to shoulder surfing, Sobrado and Birget proposed three shoulder-surfing resistant graphical password schemes. Since then, many graphical password schemes with different degrees of resistance to shoulder surfing have been proposed, and each has its pros and cons. Seeing that most users are more familiar with textual passwords than pure graphical passwords.
The author presents a novel graphical password design in this paper. It rests on the human cognitive ability of association-based memorization to make authentication more user-friendly compared with traditional textual passwords. Based on the principle of the zero-knowledge proof protocol, we further improve our primary design to overcome the shoulder-surfing attack issue without adding any extra complexity to the authentication procedure. System performance analysis and comparisons are presented to support our proposals.
In our proposed system, in order to provide more security than the existing authentication methods, on each page where all images within a category are shown, a false image ("not my password") is added automatically. This image can be replaced with one of the images in each category. Since the user knows the selected image in each category, if the known image is available he picks the correct image; otherwise he picks the false image. To make the process more complex for the attacker, a random category is added between the selected categories. In this example, since the pet category was not selected by the user as part of his password at registration, he must select the false image to ignore this category. However, an attacker who watches the authentication process may consider this category a real image category, since the user selected an image from it. After the graphical password is validated, the system automatically directs the user to the appropriate web page (user profile). In this way, it can prevent the shoulder-surfing attack by pretending that the selected image (the false image) is one of the images the user selected as his password.
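The false-image rule described above, written out as an added example that is not code from the paper being surveyed. The category pages, the decoy category and the server-side check are constructed here; the assumption that a real page may hide the user's registered image (so the false image is sometimes the right answer even on a real category) is mine, not something the page states.

```python
import secrets

# Decoy shown on every category page; picking it means "my image is not here".
FALSE_IMAGE = "not-my-password"

def build_login_pages(secret, catalogue, decoy_category):
    """Lay out the category pages for one login session.

    secret:         dict category -> image the user registered for that category
    catalogue:      dict category -> all images available in that category
    decoy_category: a category the user did NOT register, inserted at a random
                    position so an observer cannot tell it from a real one
    Assumption (not stated on the page): on each real page the server hides the
    user's registered image with probability 1/2, so the user sometimes has to
    answer with the false image even on a category that is part of the secret.
    """
    pages = []
    for category, image in secret.items():
        shown = list(catalogue[category])
        if secrets.randbelow(2) == 0:
            shown.remove(image)          # real image hidden on this page
        pages.append((category, shown + [FALSE_IMAGE]))
    pos = secrets.randbelow(len(pages) + 1)
    pages.insert(pos, (decoy_category, list(catalogue[decoy_category]) + [FALSE_IMAGE]))
    return pages

def expected_choice(secret, category, shown):
    # The rule the legitimate user follows on every page: pick the registered
    # image if it is on screen, otherwise pick the false image. Either way an
    # image is clicked, so the observer sees no difference between pages.
    image = secret.get(category)
    return image if image in shown else FALSE_IMAGE

def user_answers(secret, pages):
    return [expected_choice(secret, category, shown) for category, shown in pages]

def verify(secret, pages, answers):
    # Server-side check: every page, including the decoy category, must get
    # exactly the choice the rule above produces.
    if len(answers) != len(pages):
        return False
    return all(answer == expected_choice(secret, category, shown)
               for (category, shown), answer in zip(pages, answers))
```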
From the above literature survey, we have come to the conclusion that many attacks target the authentication process of existing systems. So we propose a new authentication system that includes the cued click point algorithm to resist the shoulder-surfing attack, based on an image password selected by the user from an image grid, with the image point stored in the form of rows and columns as the password.
Our proposed login idea gives the user a user-friendly authentication system. The system provides a login indicator from the numeric values 0 to 9. The user uses the proximity sensor and covers the screen with a hand while viewing the indicator, to avoid the shoulder-surfing attack. After seeing the indicator, the user moves to the authentication activity, where the image uploaded by the user is loaded and numbers are scattered across the screen above the image. If the user touches a single numeric value and drags it, all the scattered numbers move together with the number being dragged. The user can drag any of the numbers and must place the indicator on the image password position selected during registration.
In this paper we studied different textual and graphical methods of preventing the shoulder-surfing attack. From Table III, it is seen that the time required to enter the PIN using the textual methods is a little more than the time required for the graphical methods, because the textual methods are based on computations. Among them, the Mod 10 method takes more time for login than the Mod 10 table method and the Color Pass method, because Mod 10 is fully math oriented, whereas the Mod 10 table and Color Pass methods are user friendly and take less login time than the Mod 10 method. Among the graphical methods, the BW method has several drawbacks, such as round redundancy, unbalanced key presses and non-resilience to recording; the more strengthened TictocPIN method requires a smaller number of rounds than the original BW method.
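The computation-based Mod 10 method compared above, as an added example (not code from the surveyed paper): the server sends per-session challenge digits over a channel the bystander cannot see (the headphone of the Color Pass description), the user types (PIN digit + challenge digit) mod 10, and `candidate_digits` shows why a recorded keypad session alone tells the observer nothing, while a leaked challenge collapses each position to one digit. The four-digit PIN length and the helper names are my assumptions.

```python
import secrets

def make_challenge(n):
    # Fresh challenge digits for one session, delivered over the hidden channel.
    return [secrets.randbelow(10) for _ in range(n)]

def mod10_response(pin, challenge):
    # What the user types on the visible keypad: one digit per PIN position.
    return [(p + c) % 10 for p, c in zip(pin, challenge)]

def verify(pin, challenge, response):
    return len(response) == len(pin) and list(response) == mod10_response(pin, challenge)

def candidate_digits(response, challenge=None):
    """Per position, the PIN digits an observer cannot rule out.

    With only the typed response, every digit 0-9 stays possible because some
    hidden challenge digit explains it. If the challenge digit was also seen,
    exactly one PIN digit remains: the scheme's whole strength is the secrecy
    of the challenge channel.
    """
    out = []
    for i, r in enumerate(response):
        if challenge is None:
            out.append({p for p in range(10) if any((p + c) % 10 == r for c in range(10))})
        else:
            out.append({(r - challenge[i]) % 10})
    return out

def login_round(pin, typed_by_user):
    # typed_by_user: callable(challenge) -> response digits, standing in for the user.
    challenge = make_challenge(len(pin))
    response = typed_by_user(challenge)
    return verify(pin, challenge, response), challenge, response

def replay_rate(pin, old_response, trials=1000):
    # Fraction of fresh sessions that accept a response recorded earlier;
    # each session has a new challenge, so this is about 10**-len(pin).
    hits = sum(verify(pin, make_challenge(len(pin)), old_response) for _ in range(trials))
    return hits / trials
```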
The main aim of this project is to prevent the human shoulder-surfing attack and to establish secure transactions by implementing the color matching algorithm. When a user enters a personal identification number (PIN) as a numeric password in mobile or stationary systems, including smartphones, tablet computers, automated teller machines (ATMs), point of sale (PoS) terminals, bank lockers and online net banking sites, a direct observation attack based on shoulder surfing becomes a great concern. The PIN entry can be observed by nearby adversaries, more effectively in a crowded place. Since the same PIN is usually chosen by a user for various purposes and used repeatedly, a compromise of the PIN may put the user at great risk.
An intruder can scrutinize the password by recording the authentication session or through direct surveillance when a user logs in to his account. Even though there are some graphical password procedures resistant to the shoulder-surfing attack, they also have their own downsides, such as usability issues, consuming additional time for the user to log in, or having some tolerance levels in them. Along with these issues, the cost of installing a graphical password scheme is much higher compared to the traditional text-based scheme.
Traditionally, picture-based password color coding systems employ password objects (pictures/icons/symbols) as input during an authentication session, thus making them vulnerable to the "shoulder-surfing" attack, because the visual interface by function is easily observed by others. Recent software-based approaches attempt to minimize this threat by requiring users to enter their passwords indirectly, performing certain mental tasks to derive the indirect password and thus concealing the user's actual password. However, weaknesses in the positioning of distracter and password objects introduce usability and security issues. In this paper, a new method, which conceals information about the password objects as much as possible, is proposed. Besides concealing the password objects and the number of password objects, the proposed method allows both password and distracter objects to be used as the challenge set's input. The correctly entered password appears to be random and can only be derived with knowledge of the full set of password objects. Therefore, it would be difficult for a shoulder-surfing adversary to identify the user's actual password. Simulation results indicate that the correct input object and its location are random for each challenge set, thus preventing a frequency-of-occurrence analysis attack. User study results show that the proposed method is able to prevent the shoulder-surfing attack.
The shoulder-surfing attack is a direct observation approach in which the shoulder surfer steals the user's Personal Identification Number (PIN) or password by looking over his shoulder [2,3]. It commonly happens on public transport while the victim is commuting, and involves a smartphone in almost all cases. A good example is shoulder surfing at ATMs, a crime in which a suspect watches over the victim's shoulder as he punches in his PIN. The ATM screen asks for another transaction when the customer completes theirs. Some customers fail to notice the prompt and walk away, leaving it on the screen. In this way, the thief enters the stolen PIN and pretends to be the user. But the phenomenon of shoulder surfing is not widely known. Users tend to use strategies such as hiding the device screen, shielding the device with their hand, etc. However, by observing, one cannot get hold of most of the victim's detailed biodata, such as information about his relationships, sexual preferences, interests, hobbies and login data. Hence, the damage shoulder surfing can cause is widely unknown.
pattern-based password. These pattern-based authentication systems are vulnerable to the shoulder-surfing attack as well as to smudge attacks: the attacker can easily get the password pattern by observing the smudge left on the touch screen. Choosing bad and easily crackable passwords and/or logging in with a password in an insecure environment are the main causes of loopholes in password authentication security. There is a need for a secure password authentication system which overcomes the drawbacks of existing text- and image-based password schemes. To overcome these problems, the biometric password scheme was introduced. In a biometric password authentication system, the user's voice, retina, thumbprint or face is used as the password. There are various types of biometric sensors which are able to authenticate the user. Such schemes are secure but hardware specific: special sensor devices are required for authentication. It is impractical to apply such an authentication system to regular web-based resources, and such systems are costly to install and maintain. This proposed work provides a graphical authentication system which is able to resist the shoulder-surfing attack. To resist the shoulder-surfing attack it uses the session password technique, in which the user adds a new password at every login attempt; the added password is valid for only a single login session. The pass-matrix technique is proposed in this work. This technique uses pass-point clicking and uses more than one image as a password. For every image it defines the click points as a pass-square. If the user fails to click on the correct pass-square, the system displays a wrong image for the next pass input; this wrong image is treated as a warning to the user. To define the session password for the pass-square click, a hint is provided to the user. Based on the given hint, the user selects the password for that session.
To pave the way for significantly more secure authentication systems and to defeat possible and common threats, many suggestions have been proposed in different forms. Each has its own advantages and disadvantages, while achieving a good trade-off between perfect security and usability is always hard. Typically, shoulder-surfing attacks are classified into two categories. In the first type, called the weak shoulder-surfing attack, there is most of the time no special equipment, while in the second type, the strong shoulder-surfing attack, equipment like cameras helps attackers record hand movements or mouse clicks for later use (Wu, Lee, Lin, & Wang, 2014). The proposed system's main focus is to combat malicious software and the two types of shoulder-surfing attacks. Experiments have shown that in different scenarios bystanders were not able to grab the second pass, as the client clicks different positions with a hidden cursor. In future work, experiments can be extended to several bystanders and more complicated scenarios, while it perhaps requires some considerations to be applied to the system to make it more robust in those conditions. Performance of the system under heavy load and with different internet speeds at the client side must be considered as well. In addition, other factors that may influence performance should be investigated precisely.
Shoulder surfing is using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is an effective way to get information, be it in a user's home while he works on his personal computer or in a public place, which is more prone to the shoulder-surfing attack. Shoulder surfing can also be done from a long distance with the aid of binoculars or other vision-enhancing devices. The increase in laptop and personal digital assistant (PDA) usage has greatly increased the danger of unauthorized observation of authentication procedures. Users have become more prone to password theft due to this kind of sneaking. Especially when users are moving around, it is difficult for them to keep strict vigilance on their surroundings. One should remain cautious of his/her surroundings if he/she is authenticating by the traditional authentication methods prone to shoulder surfing.
Graphical passwords are more vulnerable to shoulder-surfing attacks than conventional textual passwords; research has been done to study the difficulty of cracking graphical passwords. Because graphical passwords are not widely used in practice, there is no report on real cases of breaking graphical passwords. Here we briefly examine some of the possible techniques for breaking graphical passwords and compare them with text-based passwords. The intruder captures the password either by direct observation or by using hidden cameras. Many shoulder-surfing resistant techniques have been proposed, and each technique has its own way of providing security against the shoulder-surfing attack.