A Graphical PIN Authentication Mechanism with Applications to Smart Cards and Low-Cost Devices

  • Luigi Catuogno
  • Clemente Galdi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5019)


Passwords and PINs are still the most widely deployed authentication mechanisms, and their protection is a classical branch of research in computer security. Several password schemes, as well as more sophisticated tokens, algorithms, and protocols, have been proposed in recent years. Some proposals require dedicated devices, such as biometric sensors, whereas others have high computational requirements. Graphical passwords are a promising research branch, but the implementation of many proposed schemes often requires considerable resources (e.g., data storage, high-quality displays), which makes them hard to use on small devices such as old-fashioned ATM terminals, smart cards and many low-price cellular phones.

In this paper we present a graphical mechanism that handles authentication by means of a numerical PIN which users derive from a secret sequence of objects and a graphical challenge, and then type in. The proposed scheme can be instantiated so as to require low computational capabilities, which makes it suitable also for small devices with limited resources. We prove that our scheme is effective against “shoulder surfing” attacks.
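The abstract only sketches the mechanism (a secret sequence of objects, a per-login graphical challenge, a numeric PIN computed from the two), and the paper's actual construction, parameters and proof are not reproduced on this page. The following simulation is an added illustration of that class of challenge-response PIN schemes, written for this edit and not the authors' code: every object on screen is labelled with a random digit, the user types the digits under their secret objects, and the terminal recomputes the expected PIN from the stored secret. It also models the attacker the abstract refers to, a shoulder surfer who records each challenge and the typed response, to show the caveat a practitioner should check for any such scheme: in this naive instance one observation narrows each secret position to the objects that carried the typed digit, and a handful of observed logins pins down the whole secret. A scheme that claims shoulder-surfing resistance must therefore either bound the number of observations per secret or make the challenge-to-PIN mapping ambiguous; which of these the paper does is not stated on this page. The object pool, secret length and digit alphabet are constructed assumptions.

```python
import random
from math import prod

# Constructed toy parameters for the illustration; not the paper's scheme.
OBJECTS = list("ABCDEFGHIJKLMNOPQRST")   # 20 distinct pictures shown on the terminal
DIGITS = "0123456789"


def make_challenge(rng=None):
    """Graphical challenge: every object on screen is labelled with a random digit."""
    if rng is None:
        rng = random
    return {obj: rng.choice(DIGITS) for obj in OBJECTS}


def user_response(secret, challenge):
    """The user reads off the digit shown under each secret object, in order,
    and types the resulting numeric PIN. The secret objects are never typed."""
    return "".join(challenge[obj] for obj in secret)


def verify(secret, challenge, typed):
    """Terminal side: recompute the expected PIN from the stored secret and the
    challenge it issued, then compare with what the user typed."""
    return user_response(secret, challenge) == typed


def guess_success_probability(secret_len):
    """An attacker with no observations can only guess the PIN of this login."""
    return len(DIGITS) ** -secret_len


class ShoulderSurfer:
    """Passive observer who records each challenge and the PIN typed in reply.
    Per secret position she keeps every object still consistent with all
    observations; each login shrinks the set to objects carrying the typed digit."""

    def __init__(self, secret_len):
        self.candidates = [set(OBJECTS) for _ in range(secret_len)]

    def observe(self, challenge, typed):
        for i, digit in enumerate(typed):
            self.candidates[i] &= {o for o, d in challenge.items() if d == digit}

    def search_space(self):
        # Number of secrets still consistent with everything observed so far.
        return prod(len(c) for c in self.candidates)

    def recovered(self):
        # The secret itself once every position is down to a single object, else None.
        if all(len(c) == 1 for c in self.candidates):
            return [next(iter(c)) for c in self.candidates]
        return None


def sessions_until_recovered(secret, seed=1, max_sessions=50):
    """Simulate logins watched by a shoulder surfer.
    Returns (number of observed logins, recovered secret or None)."""
    rng = random.Random(seed)
    attacker = ShoulderSurfer(len(secret))
    for n in range(1, max_sessions + 1):
        challenge = make_challenge(rng)
        typed = user_response(secret, challenge)
        assert verify(secret, challenge, typed)     # the honest login always succeeds
        attacker.observe(challenge, typed)
        guess = attacker.recovered()
        if guess is not None:
            return n, guess
    return max_sessions, None


if __name__ == "__main__":
    secret = ["C", "Q", "A", "K"]      # constructed user secret: four pictures, in order
    n, guess = sessions_until_recovered(secret)
    print(f"blind guess succeeds with probability {guess_success_probability(len(secret))}")
    print(f"shoulder surfer recovers the secret after {n} observed logins: {guess}")
```

With 20 objects and 10 digits, each observed login keeps a non-secret object alive at a given position with probability 1/10, so the candidate space collapses roughly tenfold per session and the secret is usually fixed after two or three observed logins; the one-shot guessing probability 10^-4 says nothing about this. Any security claim for a scheme of this shape has to be read together with the number of observations the adversary is allowed.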





Copyright information

© IFIP International Federation for Information Processing 2008

Authors and Affiliations

  • Luigi Catuogno (1)
  • Clemente Galdi (2)
  1. Dipartimento di Informatica ed Applicazioni, Università di Salerno, Fisciano (SA), Italy
  2. Dipartimento di Scienze Fisiche, Università di Napoli “Federico II”, Compl. Univ. Monte S. Angelo, Napoli (NA), Italy
