Abstract
Current authentication systems suffer from many weaknesses. Textual passwords
are commonly used; however, users do not follow their requirements. Users tend to
choose meaningful words from dictionaries, which makes textual passwords easy to
break and vulnerable to dictionary or brute force attacks. Many available graphical
passwords have a password space that is less than or equal to the textual password
space. Smart cards or tokens can be stolen. Many biometric authentications have
been proposed; however, users tend to resist using biometrics because of their
intrusiveness and the effect on their privacy. Moreover, biometrics cannot be
revoked. In this paper, we present and evaluate our contribution, i.e., the 3-D
password. The 3-D password is a multifactor authentication scheme. To be
authenticated, the user is presented with a 3-D virtual environment, navigates it, and
interacts with various objects. The sequence of actions and interactions toward the
objects inside the 3-D environment constructs the user’s 3-D password. The 3-D
password can combine most existing authentication schemes such as textual
passwords, graphical passwords, and various types of biometrics into a 3-D virtual
environment. The design of the 3-D virtual environment and the type of objects
selected determine the 3-D password key space.
Acknowledgement
As I write this acknowledgement, I must clarify that this is not just a formal acknowledgement
but also a sincere note of thanks and regard from my side. I feel a deep sense of gratitude and
affection for those who were associated with this seminar. Without their co-operation and
guidance this seminar could not have been conducted properly.
I am also indebted to my friends and family for their constant support and their priceless reviews
which helped me to take this seminar to its current level.
<Your Name>
TABLE OF CONTENTS
Abstract
1. 3D passwords
1.1. Introduction
1.1. Related Works
1.2. Scheme
1.2.1. Overview
1.2.2. Selection and Inputs
1.2.3. 3-D virtual Environment Design Guidelines
1.2.4. Applications
1.3. Security Analysis
1.3.1. Password Space Size
1.3.2. Password Distribution Knowledge
1.3.3. Attacks and Countermeasures
1.4. Experimental results
1.4.1. Experimental Virtual 3D environment
1.4.2. User Study
2. Literature Review
3. Conclusion and Future work
References
INTRODUCTION
The dramatic increase of computer usage has given rise to many security concerns. One major
security concern is authentication, which is the process of validating that you are who you
claim to be. In general, human authentication techniques can be classified as:
Knowledge based (what you KNOW): textual password, graphical password
Token based (what you HAVE): ATM cards, keys, ID cards
Biometrics (what you ARE): fingerprints, palmprints, hand geometry; face, iris, voice, and retina recognition
Figure 1 – Human Authentication Techniques - Classification
Textual passwords
Recall-based techniques require the user to repeat or reproduce a secret that the user created before.
Recognition-based techniques require the user to identify and recognize the secret, or part of it, that
the user selected before. One of the most common recall-based authentication schemes used in the
computer world is textual passwords. One major drawback of the textual password is its two
conflicting requirements: the selection of passwords that are easy to remember and, at the same time,
are hard to guess.
Klein [2] collected the passwords of nearly 15 000 accounts that had alphanumerical passwords, and
he reached the following observation: 25% of the passwords were guessed by using a small yet
well-formed dictionary of 3 × 10^6 words. Furthermore, 21% of the passwords were guessed in the first
week and 368 passwords were guessed within the first 15 min. Klein [2] stated that by looking at these
results in a system with about 50 accounts, the first account can be guessed in 2 min and 5–15
accounts can be guessed in the first day. Klein [2] showed that even though the full textual password
space for eight-character passwords consisting of letters and numbers is almost 2 × 10^14 possible
passwords, it is easy to crack 25% of the passwords by using only a small subset of the full password
space. It is important to note that Klein’s experiment was in 1990 when the processing capabilities,
memory, networking, and other resources were very limited compared to today’s technology.
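A proactive password check that follows from the observation above, as an added example that is not part of the original report: it rejects passwords reducible to a dictionary word and compares the word list with the full eight-character space. The word list, substitution table and sample passwords are constructed assumptions.

```python
import string

# Constructed sample word list (assumption); a deployed checker loads a large dictionary.
WORDS = {"password", "dragon", "monkey", "welcome"}
# Assumed character substitutions users apply to dictionary words.
UNLEET = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
# Constructed candidate passwords: four word-derived, four random-looking.
SAMPLE = ["p@ssw0rd", "Dragon99", "yeknom1", "W3lcome!",
          "kT9xQ2mZ", "h7Rp4vLc", "Zq8nW3xB", "m2Kd9RtY"]

def full_space(length=8, alphabet=string.ascii_letters + string.digits):
    """Size of the full space: 62**8 for eight letters-and-digits characters."""
    return len(alphabet) ** length

def dictionary_coverage(dict_size=3_000_000):
    """Fraction of the full eight-character space a 3 x 10^6 word list spans."""
    return dict_size / full_space()

def base_forms(password):
    """Undo case changes, digit/symbol padding, substitutions and reversal."""
    lowered = password.lower()
    trimmed = lowered.strip(string.digits + string.punctuation)
    forms = set()
    for candidate in (lowered, trimmed):
        for form in (candidate, candidate.translate(UNLEET)):
            forms.update((form, form[::-1]))
    forms.discard("")
    return forms

def is_guessable(password, words=WORDS):
    """True when any recovered base form is a dictionary word."""
    return not base_forms(password).isdisjoint(words)

def audit(passwords, words=WORDS):
    """Return the rejected passwords and the fraction of the batch they make up."""
    weak = [p for p in passwords if is_guessable(p, words)]
    return weak, len(weak) / len(passwords)

if __name__ == "__main__":
    weak, share = audit(SAMPLE)
    print(f"full space: {full_space():.2e}, word-list coverage: {dictionary_coverage():.1e}")
    print(f"rejected {weak} ({share:.0%} of batch)")
```

Run at password-selection time, a check of this kind keeps word-derived choices out of the account database even though each of them satisfies an eight-character letters-and-digits rule.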
Graphical passwords
Various graphical password schemes have been proposed. Graphical passwords are based on the idea
that users can recall and recognize pictures better than words. However, some of the graphical
password schemes require a long time to be performed. Moreover, most of the graphical passwords
can be easily observed or recorded while the legitimate user is performing the graphical password;
thus, they are vulnerable to shoulder surfing attacks. Currently, most graphical passwords are still in their
research phase and require more enhancements and usability studies to deploy them in the market.
Biometrics
Many biometric schemes have been proposed; fingerprints, palmprints, hand geometry, face
recognition, voice recognition, iris recognition, and retina recognition are all different biometric
schemes. Each biometric recognition scheme has its advantages and disadvantages based on several
factors such as consistency, uniqueness, and acceptability. One of the main drawbacks of applying
biometrics is its intrusiveness upon a user’s personal characteristics. Moreover, retina biometrical
recognition schemes require the user to willingly subject their eyes to a low-intensity infrared light. In
addition, most biometric systems require a special scanning device to authenticate users, which is not
applicable for remote and Internet users.