The International Arab Journal of Information Technology (IAJIT)



UTP: A Novel PIN Number Based User Authentication Scheme

This paper proposes a Personal Identification Number (PIN) number based authentication scheme named User Transformed PIN (UTP). It introduces a simple cognitive process with which users transform their PIN numbers into a dynamic one-time number. PIN numbers are widely used for user authentication. They are entered directly and reused many times, which makes them vulnerable to many types of attacks. To overcome these drawbacks, One-Time Passwords (OTPs) are combined with PIN numbers to form a stronger two-factor authentication. Although OTPs are relatively difficult to attack, they are not foolproof. In our proposed work, we have devised a new scheme that withstands many of the common attacks on PIN numbers and OTPs. In our scheme, users generate the UTP with the help of a visual pattern, a random alphabet sequence and their PIN number. Because the UTP varies for each transaction, it acts like an OTP. Our scheme conceals the PIN number within the UTP, so no direct entry of the PIN number is required; the authenticator module at the server retrieves the PIN number from the UTP. To the best of our knowledge, this is the first scheme that lets users transform their PIN numbers into a one-time number without any special device or tool. Our scheme is inherently multi-factor, since it combines a knowledge factor and a possession factor within itself. The user studies we conducted on the prototype produced encouraging results supporting the scheme’s security and usability.


Srinivasan Rajarajan received his M.Tech (CSE) from SASTRA University, Thanjavur in 2006. He is presently pursuing a PhD at SASTRA University, India, where he is an Assistant Professor. His areas of research interest include computer security, user authentication, e-banking and graphical passwords.

Ponnada Priyadarsini received her PhD from NIT, Trichy in 2009. Her research areas include algorithms, computational complexity, information security and graph theory.