
IMAGE-BASED PASSWORD AUTHENTICATION SYSTEM FOR AN ONLINE BANKING APPLICATION


AGBARA, NATHAN
Department of Computer Science, Cross River University Of Technology Calabar, Nigeria.
[email protected] +234 813 582 5903, +234 802 429 4941

Abstract

Authentication is the first line of defence against compromise of confidentiality and integrity. Though traditional
login/password schemes are easy to implement, they have been subjected to several attacks. As alternatives,
token-based and biometric-based authentication systems were introduced; however, they have not improved
security substantially enough to justify the investment. A variation of the login/password scheme, the graphical
password scheme, was therefore introduced, but it too suffers from shoulder-surfing and screen-dump attacks. In this
work we introduce a framework for our proposed Implicit Password Authentication System (IPAS), which is
designed to resist the common attacks suffered by other authentication schemes.

Keywords: Authentication, Implicit, Security, Banking, Attacks, Integrity, Defence.

Introduction

1.1 Background of Study

Text passwords remain ubiquitous despite endless criticism. People consistently choose weak
passwords for many reasons, among them that the average user has to manage about 25 password-protected
accounts. Responses that have not worked include blaming users and imposing complex password rules.
Some claim that choosing a weak password is a rational economic response; others argue that strong
passwords are not essential for preventing automated online dictionary attacks.

An implicit password authentication system may be implemented in any client-server environment where a
human client must be authenticated. At registration, the user picks some questions from the database, the
number depending on the level of security required, and provides answers to the selected questions. For every
question the server creates an authentication space of images in which the answer to that question is implicitly
embedded, that is, the answer appears as an object or region within the picture rather than as text. At
authentication, the server randomly picks one or more of the questions selected by the user at registration and,
for each question, randomly chooses an image from that question's authentication space and presents it to the
user. Using a stylus or mouse, the user navigates the image and clicks the region that corresponds to the answer.
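The registration and challenge flow just described, as an added example in Python that is not part of the paper's own implementation. The question catalogue, the region coordinates, the lockout limit and the storage layout are assumptions made for illustration. Only a keyed hash of each answer is kept server-side, each challenge id is single-use, and the demo replays a click captured from one login against a fresh challenge, which is the concern about recorded screens raised later in the review of image-based schemes (section 2.6): because the server re-draws the answer in a different image each time, the recorded coordinates miss.

```python
"""Toy model of the IPAS registration and challenge/response flow (added example)."""
import hashlib
import hmac
import random
import secrets
from dataclasses import dataclass

# Constructed catalogue, an assumption for illustration: for each question the server holds
# several images, and for each image the rectangle (x, y, width, height) in which each
# candidate answer is implicitly drawn.  A real system renders pictures; only geometry matters here.
CATALOGUE = {
    "q_drink": {
        "prompt": "What is your favourite drink?",
        "images": {
            "cafe_counter": {"coffee": (10, 10, 40, 30), "tea": (60, 10, 40, 30), "juice": (110, 10, 40, 30)},
            "kitchen_table": {"coffee": (200, 120, 50, 40), "tea": (20, 100, 50, 40), "juice": (120, 200, 50, 40)},
        },
    },
    "q_pet": {
        "prompt": "What was your first pet?",
        "images": {
            "farm_yard": {"dog": (300, 10, 30, 30), "cat": (300, 60, 30, 30), "fish": (300, 110, 30, 30)},
            "pet_shop": {"dog": (150, 20, 30, 30), "cat": (150, 70, 30, 30), "fish": (150, 120, 30, 30)},
        },
    },
}
MAX_FAILURES = 5  # lockout after this many consecutive wrong clicks (assumed policy)


def _tag(key: bytes, label: str) -> bytes:
    """Keyed hash of an answer label, so plaintext answers are never stored."""
    return hmac.new(key, label.strip().lower().encode(), hashlib.sha256).digest()


@dataclass
class Challenge:
    cid: str     # unguessable, single-use challenge id
    user: str
    qid: str
    image: str
    prompt: str


class IpasServer:
    def __init__(self, rng=None):
        self.rng = rng if rng is not None else random.SystemRandom()
        self.users = {}       # user -> {qid: {"key": bytes, "tag": bytes}}
        self.challenges = {}  # cid -> Challenge, removed on first use
        self.failures = {}    # user -> consecutive failed clicks

    def register(self, user, answers):
        """answers maps question id -> textual answer; each must match some region label."""
        record = {}
        for qid, answer in answers.items():
            labels = {lbl for regions in CATALOGUE[qid]["images"].values() for lbl in regions}
            if answer.strip().lower() not in labels:
                raise ValueError("answer cannot be embedded in any image for this question")
            key = secrets.token_bytes(32)
            record[qid] = {"key": key, "tag": _tag(key, answer)}
        self.users[user] = record

    def issue_challenge(self, user, qid=None, image=None):
        """Pick a registered question and one of its images at random.  The overrides exist
        only so the demo can walk through specific images; a real server never lets the
        client choose."""
        qid = qid or self.rng.choice(sorted(self.users[user]))
        if qid not in self.users[user]:
            raise KeyError(qid)
        image = image or self.rng.choice(sorted(CATALOGUE[qid]["images"]))
        ch = Challenge(secrets.token_hex(16), user, qid, image, CATALOGUE[qid]["prompt"])
        self.challenges[ch.cid] = ch
        return ch

    def verify(self, cid, click):
        """Accept iff the click lands in the region whose label matches the stored answer."""
        ch = self.challenges.pop(cid, None)  # consumed whether or not the click is right
        if ch is None or self.failures.get(ch.user, 0) >= MAX_FAILURES:
            return False
        cred = self.users[ch.user][ch.qid]
        x, y = click
        hit = False
        for label, (rx, ry, w, h) in CATALOGUE[ch.qid]["images"][ch.image].items():
            inside = rx <= x < rx + w and ry <= y < ry + h
            # every region's tag is compared so timing does not reveal which one is the answer
            if hmac.compare_digest(_tag(cred["key"], label), cred["tag"]) and inside:
                hit = True
        self.failures[ch.user] = 0 if hit else self.failures.get(ch.user, 0) + 1
        return hit


def region_centre(qid, image, label):
    """Where a user who knows the answer would click (centre of the answer's region)."""
    x, y, w, h = CATALOGUE[qid]["images"][image][label]
    return (x + w // 2, y + h // 2)


def demo():
    """A legitimate login, then two replays of the click a screen recorder would have captured."""
    server = IpasServer()
    server.register("alice", {"q_drink": "Coffee", "q_pet": "dog"})
    first = server.issue_challenge("alice", qid="q_drink", image="cafe_counter")
    recorded_click = region_centre(first.qid, first.image, "coffee")
    legit = server.verify(first.cid, recorded_click)
    replay_same_challenge = server.verify(first.cid, recorded_click)
    second = server.issue_challenge("alice", qid="q_drink", image="kitchen_table")
    replay_new_image = server.verify(second.cid, recorded_click)
    return legit, replay_same_challenge, replay_new_image


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The replay against the second challenge fails only because the same answer is drawn somewhere else in the second image; a scheme that always showed the same image at the same position would be a static password in the sense of section 2.6, and the recorded click would succeed.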

An implicit password authentication system resists shoulder surfing and screen-dump attacks because the
authentication information is presented in an implicit form that can be understood and decoded only by the
legitimate user. Its strength depends on how effectively the authentication information is embedded in the
image: decoding should be easy for the legitimate user and hard for anyone else. Traditional password-based
schemes and PassPoints are special cases of an implicit password authentication system.

The first graphical password idea worked by letting the user click, with a mouse or stylus, on a few chosen
regions of an image shown on the screen; if the correct regions were clicked the user was authenticated,
otherwise rejected. The creation and learning of a graphical password deserve discussion, because from the
human viewpoint the problem of creating any password is making it memorable so that the user can retrieve it
later. A user choosing click locations in an image must choose memorable ones, and there are two issues in
memorability: the nature of the image itself and the sequence of click locations. Most existing graphical
password systems can be classified as based on either recognition or cued recall. Recognition involves
identifying whether one has encountered an item before; in an implicit password system based on recognition
the user only has to recognise previously seen images. Pure recall, by contrast, is retrieval without external
cues to aid memory, for example remembering a textual password that one has not written down. Efficiency,
and the perception of efficiency, matter in password systems because users want quick access. The time to
input a highly practised implicit password can be predicted by Fitts' Law, which states that the time to point
to a target depends on the distance to the target and its size.

Electronic copy available at: https://ssrn.com/abstract=3154730

1.2 Statement of the Problem

The password problem arises largely from limitations of humans’ long-term memory (LTM).
Once a password has been chosen and learned the user must be able to recall it to log in. Contrary to
this, the password faces a number of problems which include:

I. People regularly forget their passwords.


II. Conventional passwords have drawbacks from a usability standpoint, and these usability problems tend
to translate directly into security problems.
III. A further complication is that users have many passwords for computers, networks, and web sites. The
large number of passwords increases interference and is likely to lead to forgetting or confusing
conventional passwords.
1.3 Aim and Objectives of the Study

The study aims to introduce a framework for the proposed Implicit Password Authentication System
(IPAS), which resists the common attacks suffered by other authentication schemes and relies not on
precise recall but on recognition, making the authentication task more reliable and easier for the user
while preventing users from choosing weak passwords.

The study seeks to achieve the following objectives:

 To develop a password system that is hard to crack or guess while remaining easy and interactive for
the user.
 To develop a 3-D environment as part of a multifactor authentication system.
 To construct a 3-D password by observing the actions and interactions of the user and the sequences of
such actions.
 To provide authentication by comparing the login input with the registration input.
 To provide fast authentication even over a network and with a large database.
1.4 Scope of Study

The study covers the assignment of images to the answers that the user supplies textually at registration,
the design of a database that accommodates users' data and transactions, and an instant alert sent to the
customer on successful completion of registration.

1.5 Significance of Study

The significance of this study lies in the fact that IPAS provides an alternative to the graphical
password scheme, the username-and-password scheme, and token- and biometric-based authentication
schemes. The graphical password scheme suffers from shoulder-surfing and screen-dump attacks; the
traditional username-and-password scheme, though easy to implement, has been subjected to several
attacks; and the token- and biometric-based systems introduced as alternatives have not improved
security substantially enough to justify the investment.

1.6 Definition of Terms

i. Authentication: Proof of the identity of a user logging into a system.
ii. Image-based Password Authentication System: The system under development.
iii. Login attacks: Fraudulent attempts to access the system.
iv. Security: The condition of being free from threat.
v. Usability: The degree to which a software application is easy to use without specific training.
vi. Mobile Banking: Any form of banking transaction carried out from a mobile phone over the network.
vii. Ubiquitous: Seeming to appear everywhere at the same time.
viii. Dictionary attack: In cryptanalysis and computer security, a technique for defeating a cipher or
authentication mechanism by trying to determine its decryption key or passphrase from hundreds or
sometimes millions of likely possibilities, such as words in a dictionary.
ix. Client-Server: A system in which an application (the client) requests services from another, remote
application (the server).
x. Shoulder-surfing attack: In computer security, the use of direct observation techniques, such as looking
over someone's shoulder, to obtain information.
xi. Screen-dump attack: Capturing, by printing or saving, the graphical or textual data displayed on a
computer screen.
xii. PassPoints: A click-based graphical password scheme in which the user authenticates by clicking a
sequence of chosen points on an image.

LITERATURE REVIEW

2.1. User Authentication

Authentication is the proof of the identity of a user logging into a system. According to
Takada and Koike (2003), user authentication is one of the important topics in information security for
protecting users' privacy, and computer security depends to a large degree on trustworthy user authentication.
Many authentication schemes exist today. Some are based on the user's physical and behavioural properties
(what you are) and others on the user's knowledge, such as textual and graphical passwords (what you know);
a third important class is based on what you have, such as smart cards. Among these designs, textual
passwords and token-based schemes, or a combination of both, are the most commonly applied, but as
explained below both are vulnerable to certain attacks. The most common method of authenticating to
computer networks and systems today is the alphanumeric username and password. Strong password
schemes can provide a certain degree of security; however, because strong passwords are difficult to
memorise, their owners often write them down on paper or even save them in a computer file, and security
is then greatly compromised. Conventional passwords have been shown to have significant drawbacks. Users
do not follow the requirements: they tend to pick passwords that can be easily guessed (weak passwords) or
choose meaningful words from dictionaries, which makes textual passwords easy to break and vulnerable to
dictionary or brute-force attacks. On the other hand, a password that is hard to guess is often hard to
remember; users have difficulty remembering a long, random-looking password, so they create short, simple
and insecure passwords that are susceptible to attack.

Birget, Dawei et al. (2006) observed that textual password authentication schemes tend to be more
vulnerable to attacks such as shoulder-surfing, hidden cameras, spyware and key-loggers. Moreover,
authentication methods based on alphanumeric passwords and PINs (knowledge-factor authenticators) have
several problems and must still rely on the limits of human recollection; forcing the user to memorise
different passwords or to carry different tokens is another weakness of traditional methods, and smart
cards or tokens can be stolen. Many biometric authentication methods have been proposed, but users tend
to resist biometrics because of their intrusiveness and their effect on privacy; moreover, a biometric
cannot be revoked once compromised. To address these problems, some researchers have developed
authentication methods that use pictures as passwords and proposed them as alternatives to text-based
schemes. Knowing that human beings are predominantly visual creatures, many researchers have recently
investigated or developed graphical password schemes.

Graphical passwords have been designed to make passwords more memorable and easier for people to
use and to create, and therefore more usable and secure. Many available graphical passwords nevertheless
have a password space that is less than or equal to the textual password space. Using a graphical password,
users click on images to authenticate themselves rather than typing alphanumeric strings. Such schemes are
categorised as recognition-based (image selection and click-based) and recall-based. Usability and security
must be considered together to achieve a good authentication system. Usability features include ease of use,
ease of creation, ease of memorisation, ease of learning, and satisfaction with the overall system design and
layout; user-friendliness in both recognition and selection of pass-objects from the given images, and the
familiarisation or lengthy password setup process, also count as usability concerns. Common security attacks
include brute-force search, spyware, shoulder surfing, social engineering and forgery. Practical problems
include the need for a large image database, the difficulty of repeating a mouse click at exactly the same
position, images that are too simple and so cause collisions between points selected by different users, and
storage efficiency if images are created on demand. Rather than optimising the password space and the
strength against brute-force attacks, the researchers' goal these days is to overcome shoulder-surfing, to
which most proposed graphical passwords are vulnerable, without adding extra complexity to the
authentication procedure. Simply adopting graphical password authentication also has drawbacks, so some
hybrid schemes based on graphics and text have been developed. Image-based authentication is, moreover,
considered a promising alternative to traditional textual passwords for mobile devices, to achieve a better
trade-off between usability and security; however, previous graphical password proposals have been limited
in entropy. Achieving higher security without compromising user-friendliness in mobile application
scenarios, and obtaining a significant improvement in system security (both password entropy and resistance
to shoulder-surfing attacks), are important objectives.

Furthermore, many authentication schemes are still under study and may require additional time and
effort before they are applicable for commercial use.

2.2. Biometric-Based Authentication

Kim (1995) states that biometric authentication verifies a user based on the user's physical properties;
the system can only work if it recognises the user. Users are therefore required to take part in an enrolment
process beforehand, in which the system captures the user's biometric data, creates a digital template and
stores the template in a database. To authenticate, the user presents his or her biometric. Verification is
essentially pattern recognition: the system acquires the user's biometric data, extracts features from the
collected data, and compares the features against the template in the database. Biometric authentication
has been adopted for banking interfaces. Integration of fingerprint authentication into ATMs is feasible;
although ATMs with fingerprint verification are not common, they have been put into practical use. Besides
fingerprints, other biometrics have been proposed for ATM verification; iris verification is one possibility,
and it has already been piloted in ATMs.

Jain et al. (2000) and Brostoff et al. (2000) conducted usability studies of biometric verification at the
ATM interface. Their initial study shows that biometric technology has usability issues, but that successful
login experiences can influence user opinion and confidence in using the technology in future. In a further
field trial, over 90% of interviewees were satisfied with iris verification and would prefer it to PIN
authentication. It is arguable, however, that this result may not apply in the developing world: many people
there are less experienced with biometric authentication, and the lack of understanding of biometrics may
influence their opinion of adoption. Any technology has its merits and demerits; though biometric systems
are designed to provide strong security, errors still occur.

2.2.1. Recognition Errors Faced with Biometric System



The two basic recognition errors in biometrics are the false accept rate (FAR) and the false reject rate (FRR).

False accept: a non-matching pair of biometric samples is wrongly accepted as a match by the system.

False reject: a matching pair of biometric samples is wrongly rejected as a non-match by the system.

Both rates depend on the system's decision threshold, and any threshold change that lowers one of the errors
raises the other. Most biometric systems are therefore tuned to operate at a lower FAR than FRR, accepting
more rejections of genuine users in exchange for fewer impostors accepted.
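The trade-off in numbers, as an added example that is not from the paper: constructed genuine and impostor match scores are swept over every threshold at which the decision can change, to show that raising the threshold lowers FAR only by raising FRR, where the two rates meet (the equal error rate), and what FRR a zero-FAR policy of the kind described above costs. The score values are invented for illustration.

```python
"""Added example: how the decision threshold trades FAR against FRR (constructed scores)."""

# Constructed similarity scores in [0, 1]; higher means the presented sample looks more like
# the enrolled template.  Ten genuine and ten impostor attempts, chosen by hand so that the
# two populations overlap and no threshold separates them perfectly.
GENUINE_SCORES = [0.95, 0.91, 0.88, 0.87, 0.83, 0.79, 0.72, 0.66, 0.58, 0.45]
IMPOSTOR_SCORES = [0.70, 0.63, 0.55, 0.47, 0.41, 0.35, 0.29, 0.21, 0.18, 0.08]


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when a sample is accepted iff its score >= threshold."""
    far = sum(score >= threshold for score in impostor) / len(impostor)
    frr = sum(score < threshold for score in genuine) / len(genuine)
    return far, frr


def sweep(genuine, impostor):
    """Evaluate every threshold at which the decision can change (each observed score)."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def is_monotone_tradeoff(rows):
    """Check that raising the threshold never raises FAR and never lowers FRR."""
    return all(a[1] >= b[1] and a[2] <= b[2] for a, b in zip(rows, rows[1:]))


def equal_error_point(genuine, impostor):
    """Threshold at which FAR and FRR are closest, i.e. the equal error rate (EER)."""
    return min(sweep(genuine, impostor), key=lambda row: abs(row[1] - row[2]))


def threshold_for_max_far(genuine, impostor, max_far):
    """Lowest threshold whose FAR does not exceed max_far, with the FRR that must be paid."""
    for row in sweep(genuine, impostor):
        if row[1] <= max_far:
            return row
    raise ValueError("no threshold achieves the requested FAR")


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:.2f}: FAR {far:.1f}  FRR {frr:.1f}")
    print("EER point:", equal_error_point(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FAR <= 0 costs:", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```

With these scores the equal error rate sits at threshold 0.63 with FAR = FRR = 0.2, and driving FAR to zero requires a threshold of 0.72, at which three of the ten genuine users are rejected. Real systems report the same curve from far larger samples, but the shape, and the reason a bank tunes for low FAR, is the same.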

2.2.2 Biometric is Non-Economical

Biometrics such as iris, face and fingerprint recognition are a better option for a security system, but
unfortunately the means of acquiring them are neither convenient nor affordable.

2.2.3 A Biometric can be Copied

Obtaining a copy of an individual's biometric is not hard nowadays. There are incidents in which one
person has taken another's fingerprint for illegal use, and devices exist that can capture a person's iris
image from a video camera so that it can be duplicated and used. Voice recognition systems are also very
expensive and not sufficiently reliable, and being difficult to implement they suffer from many
disadvantages. The central issue with biometrics is that once an individual's biometric has been
compromised it cannot be changed, yet the system must keep relying on it. Because biometric
authentication depends entirely on a central database of templates, there are many opportunities for
error. Even so, most businesses still prefer biometrics for office security because of easy access and mass
management, considering it a better option than locks and passwords (Kim, 1995).

2.3. Token-Based Authentication

Token-based authentication consists of two steps. Initially the system assigns each legitimate user a
token, and tokens are assumed to be used only by their assigned users. The system then verifies a user
based on possession of a valid token. The system is not responsible for checking the legitimacy of the
token holder; the responsibility for keeping the token protected belongs to the assignee. The ignition key
of a vehicle is an example: regardless of the identity of the driver, as long as the person uses the correct
key, the engine will start. A good example of a token-based payment system is the Octopus card in Hong
Kong, a contactless payment system in which the user places an RFID card over a reader to pay. The
system employs single-factor token authentication based solely on presentation of the RFID card. Although
this strategy increases usability, as no prior enrolment and no memorisation are required, the system
cannot verify the user if the token is not presented, so the user has to remember to carry it, and a token
can be stolen and used by others. To reduce the possibility of illegitimate access, a system can employ
two-factor authentication, requiring the user to complete more than one authentication during login; this is
most commonly a combination of a token and a password (Renaud, 2009).

2.4. Knowledge-Based Authentication

The use of secret knowledge for authentication is not a new concept; it was used before computers
existed. In ancient times Julius Caesar used a keyed cryptographic technique, the Caesar cipher, to
communicate with his generals: he used a key to encipher messages, and the key is essentially the secret
knowledge. Although that example is cryptography, the main concept of using a password for protection is
the same: without the correct secret knowledge it is difficult to gain access to the system and its
information. Nevertheless, knowledge-based authentication also has flaws. Usability and security problems
arise because passwords are expected to meet two conflicting requirements, and meeting both is almost
impossible. The requirements are identified by Wiedenbeck et al. (2005):

 Passwords should be easy to remember; authentication should be executable quickly and easily by
humans.
 Passwords should be secure: they should look random and be hard to guess; they should be changed
frequently and be different on different accounts for the same user; and they should not be written down
or stored in plain text.

In computing systems, a secure authentication system requires strong passwords to prevent attacks.
Ideally a strong password is highly random. However, "human beings being what they are, there is a strong
tendency for people to choose relatively short and simple passwords that they can remember", so there is a
conflict in satisfying the two requirements. One suggested method of increasing password memorability is
the passphrase approach to password generation. For example, taking the phrase "My sister Peg is 24 years
old" and choosing the first letter of each word gives the password "MsPi24yo". Although a mnemonic phrase
helps users choose passwords that are harder to guess, the method only suits alphanumeric passwords; it
cannot be applied to PIN selection, as meaningful phrases are seldom made up of numbers only. An
alternative to simple passwords is the cognitive password, also known as the semantic password: instead of
asking the user to present a password, the system asks a set of questions and authenticates the user on the
semantic answers. This improves memorability by asking about things the user already knows. However, it
suffers the same problem as ordinary syntactic passwords: the user's details are predictable, especially if
the attacker knows the user well (Sabzevar and Stavrou, 2008).

2.5. Graphical Password

The most common computer authentication method is the alphanumeric username and password. This
method has been shown to have significant drawbacks: users tend to pick passwords that can be easily
guessed, while a password that is hard to guess is often hard to remember. To address this problem, some
researchers have developed authentication methods that use pictures as passwords. This approach
generalises the notion of a textual password and, in many cases, improves the security of user authentication
over textual passwords. A graphical password serves the same purpose as a textual password but can consist,
for example, of handwritten designs, possibly in addition to text; more generally, graphical passwords can
be used whenever a graphical input device such as a mouse is available. The original proposal was a scheme
in which the user is presented with a predetermined image on a visual display and required to select one or
more predetermined positions on that image, in a particular order, to prove authorisation to access the
resource. The main motivation for graphical passwords is the hypothesis that people are better at
remembering images than artificial words, and visual objects seem to range over a much larger set of usable
passwords: for example, we can recognise the people we know among thousands of faces, a fact that has
been used to implement an authentication system. As another example, a user could choose a sequence of
points in an image as a password; this leads to a vast number of possibilities if the image is large and
complex and has good resolution (Birget, Dawei et al., 2006).

2.6. Issues in Online Banking and Authentication

A bank is a secure place where valuables and money are kept for safety, and a bank renders services to
customers on demand. Banking becomes online when the requested services are rendered over a network
without the physical presence of bank staff.

According to Smith (1998, as cited in Ikwebe, 2010), a complete banking system should be able to render
every service a customer wants and should offer all the products that customers are willing to buy at any
particular time.

According to Damcey (2002, as cited in Ikwebe, 2010), a banking system should be able to carry out online,
real-time services over a network to enhance speed, supported by enough staff. A banking system is
basically a transaction processing system (TPS): a computerised information system that keeps track of the
transactions consummated by customers and the transactions needed to conduct business. Clifford, Sawyer
and Coulthard (1998) state the features of a TPS as:

 Input: the inputs to the system are transaction data, for example cash paid into a bank account by
customers and inventory levels.
 Output: processed transactions, such as cash paid to customers and loans disbursed.



The transaction processing system deals with servicing customers and consists of the following: Teller
Menu, Customer Service Menu, Fund Transfer Menu, Authorisers Menu and ATM.

Because of the sensitivity of banking transactions (all the more exposed now that financial transactions
are consummated online), it is imperative to have not just an effective authentication system but one that
is strong and highly reliable. Today's online banking systems use a number of authentication systems,
some effective, some not enough to justify the investment. The most common is the traditional
alphanumeric password (Lashkari, Towhidi et al., 2009). Traditional alphanumeric passwords are always
vulnerable to guessing and dictionary attacks, and a rogue program may record the keystrokes and publish
them to a remote website. To overcome key-logger attacks, newer banking systems may show an on-screen
keyboard on which the user enters the password with mouse clicks; this too is defeated if the attacker uses
screen capture rather than a key logger. Since modern video codecs provide high compression ratios, an
attacker may use a screen-capture program to record a short video clip and send it to a remote server. As
an alternative, token-based authentication may be used, either stand-alone or in addition to the traditional
alphanumeric password, but this technology is not pervasive: the user may have to carry a trusted token
card reader, and with an unknown reader a user cannot tell whether it is a trusted, legitimate reader or an
untrusted one that may clone the token (similar to the recent ATM card scam).

Although the image-based authentication systems reviewed in our study address most of the threats, they
still suffer from the following attacks: replay, shoulder-surfing and screen recording. One may argue that
replay can be prevented with encryption and tamper-proof timestamps, and that physical shoulder-surfing
is invasive enough for the user to notice. However, given the high bandwidth available to mobile devices
and lightweight, efficient video codecs, a rogue program may still capture the screen and publish it
remotely. Since all the image-based password schemes known to us use static passwords, the recorded
video can be replayed and, with some human interaction, the user's password decoded (Birget, Dawei et
al., 2006).



RESEARCH METHODOLOGY/SYSTEM DESIGN

3.0 Research Methodology

The methodology employed for the development of the system under study is the Waterfall
Model.

The waterfall model is a methodology for building information systems in a deliberate, structured
and methodical way, completing each stage of the life cycle in turn.

The system under development concerns security, and so requires a robust and comprehensive
analysis cutting across all stakeholders of the case study to which this security will be applied, in this
case an online banking system. Development went through planning, analysis, design and implementation,
for which, of all the design methodologies, the waterfall model is well suited.

With the waterfall model we had a clear idea of what should and should not be built. Since the
problems to be answered were already known, problem definition, analysis, design and implementation
followed the waterfall model, and the goal was clear and could be implemented on time.

With the waterfall model the program built has clear documentation of its development, structure
and even coding. If problems arise once the program is adopted for public use, the documentation is always
there to refer to when looking for loopholes; instead of testing repeatedly, which would halt implementation
for a while, we consult the documentation and carry out a proper maintenance programme. The waterfall
model thus gives the program a longer life: instead of leaving developers to guess when something goes
wrong, it ensures that everything goes smoothly and serves as a tool for maintenance, ensuring that the
program lasts a long time.

3.1 System Analysis

System analysis has to do with determining the information needs of an organisation and how
best to meet those needs through the use of computers and compatible resources. It involves selective
procedures aimed at producing systems that are superior to the existing systems in terms of suitability,
technicality and economy. It comprises investigation of the present system, definition of the new
system and establishment of constraints. In order to carry out proper analysis and design, the researcher
adopted the object model.

3.1.1 Fact Findings

In order to ensure that the system will meet management’s and users’ needs once implemented, the
researcher conducted a thorough data collection process using the methods of observation and
interview.

(a) Observation Method: This is a method of gathering data by watching behaviour, events or noting the
physical characteristics in their natural setting. Observations can be direct or indirect. Observation is
direct when the observer watches interactions, processes or behaviours as they occur. Indirect
observations are when the observer watches the results of interactions, processes or behaviours.
Observation is applied when trying to understand an ongoing process, when gathering data on
individual behaviours or interactions between people. Observation is also employed when the observer
wishes to know about a physical setting and when obtaining data from individuals is not a realistic
option.
Observation method of data collection offers certain advantages by collecting data when and where an
event or activity is occurring. Also, the observation method does not rely on people’s willingness or
ability to provide information and offers the observer the opportunity to see directly what people do
rather than relying on people.

(b) Interview Method: This is verbal questioning whereby the interviewer initiates a conversation for
the purpose of obtaining research-relevant information and focuses the respondent on the content specified by
the research objectives of description and explanation. The major functions of the interview technique are
description and exploration. It is descriptive when the information received provides insight into the
social reality. In its exploration function, the interview provides insight into unexplored dimensions of the
problem.

3.1.2 Analysis of the Existing System

The traditional username/password or PIN based authentication scheme is an example of the
“what you know” type. This is a simple system where a user presents a user ID and a password to the
system. If the user ID and password match those stored on the system, then the user is
authenticated. A user may have many accounts on many computers and therefore has to remember many
passwords. As an alternative to the traditional password based scheme, the biometric system was
introduced (Jackson, 2006).

This relies upon unique features that remain unchanged during the lifetime of a human, such as
fingerprints, the iris, etc. Biometrics, the application of statistical analysis to identify individuals through
their biological or physiological characteristics, is emerging as a key aspect of new security systems.
Using biometrics, it is possible to avoid pitfalls encountered with traditional security systems, where
users are required to keep information such as passwords safe (Anil et al 1997). Biometric
authentication systems may be very safe, secure and reliable, but these systems are costly and need
additional hardware and software support. These systems are difficult to change and maintain.
Deploying such systems over the Internet may be very complex and unsuitable.

Graphical-based password techniques have been proposed as a potential alternative to text-based
techniques, supported partially by the fact that humans can remember images better than text. In
general, the graphical password techniques can be classified into two categories: recognition-based and
recall-based graphical techniques. In recognition-based systems, a group of images is displayed to the
user and an accepted authentication requires the correct images to be clicked or touched in a particular
order. In recall-based systems, the user is asked to reproduce something that he/she created or selected
earlier during the registration phase. Recall-based schemes can be broadly classified into two groups,
pure recall-based techniques and cued recall-based techniques (Sudhakar et al 2013).

3.1.3 Disadvantages of the Existing System

 Although alphanumeric passwords are widely used, they have problems such as being hard to remember
and vulnerable to guessing, dictionary attacks, key-loggers, shoulder-surfing and social engineering.

 The major problem of biometrics as an authentication scheme is the high cost of the additional
devices needed for the identification process.

 Although a recognition-based graphical password seems to be easy to remember, which
increases usability, it is not completely secure. It needs several rounds of image recognition for
authentication to provide a reasonably large password space, which is tedious.

3.2 Proposed System Analysis

Our proposed system (IPAS) may be implemented in any client-server environment
in which a human must be authenticated as a client (IPAS will not work for machine-to-machine
authentication). We also assume that the server has enough hardware resources, such as RAM and CPU.
This is not unrealistic, as high-end servers are becoming cheaper day by day. We focus only
on “what you know” types of authentication. In every “what you know” type of authentication scheme we
are aware of, the server requests the user to reproduce the fact given to the server at the time of
registration. This is also true of graphical passwords such as Pass Point. In IPAS for banking, we
consider the piece of information, i.e. the password, as known to the server at the time of registration, and at
the time of authentication the user gives this information in an implicit form that can be understood
only by the server. The server presents a number of standard questions. During registration,
a user should supply answers to each of the questions from the server (depending upon the level of
security required). For example, questions could come in the following form:

The maker of your first car?

The city you love to visit or visited?

Date of birth?

For each question, the server may create an intelligent authentication space using images, in which the
answers to the particular question for various users are implicitly embedded. At the time of
authentication, the server may randomly pick one or more of the questions answered by the user at the time of
registration. For each chosen question, the server chooses an image at random from the
authentication space and presents it to the user as a challenge. Using the stylus or the mouse, the user
needs to navigate the image and select the right answer.
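The registration and challenge flow just described, as an added example written by the editor (it is not code from the paper or from the IPAS implementation): the server stores each user's answers, picks questions at random, places the user's answer among decoys at a random position in a grid of labelled regions standing in for the challenge image, and verifies the clicked positions. The question bank, the pools of answers, the grid size and the lockout threshold are constructed assumptions. Two points go beyond the paper's text and are the editor's additions: each challenge id is usable once, so a recorded session replayed later is rejected, and repeated failures refuse the account.

```python
"""Toy model of the IPAS registration and challenge flow (editor's example, not the paper's code)."""
import random
import secrets

# Constructed question bank: question id -> (prompt, pool of answers the server can place
# in a challenge image, either as the user's answer or as a decoy). An assumption, not from the paper.
QUESTION_BANK = {
    "car": ("The maker of your first car?",
            ["Toyota", "Ford", "Honda", "Peugeot", "Nissan", "Kia", "Volkswagen", "Mazda"]),
    "city": ("The city you love to visit or visited?",
             ["Calabar", "Lagos", "Abuja", "Kano", "Enugu", "Jos", "Ibadan", "Owerri"]),
}
GRID_CELLS = 6     # selectable regions in one challenge image (assumption)
MAX_FAILURES = 3   # consecutive failures before the account is refused (assumption)


def normalise(answer):
    """Canonical form of an answer so that 'Toyota ' and 'toyota' compare equal."""
    return " ".join(answer.strip().lower().split())


class IpasServer:
    """Keeps registered answers, issues one-time challenges and verifies the clicks."""

    def __init__(self, rng=None):
        # SystemRandom draws from the OS CSPRNG so cell positions are unpredictable;
        # a seeded random.Random may be passed in for reproducible tests.
        self.rng = rng if rng is not None else random.SystemRandom()
        self._answers = {}    # user -> {question id -> normalised answer}
        self._pending = {}    # challenge id -> (user, expected cell index per round)
        self._failures = {}   # user -> consecutive failed attempts

    def register(self, user, answers):
        """Registration: store the user's answer to each chosen question."""
        record = {}
        for qid, answer in answers.items():
            pool = {normalise(p) for p in QUESTION_BANK[qid][1]}
            if normalise(answer) not in pool:
                raise ValueError(f"answer for {qid!r} is outside the authentication space")
            record[qid] = normalise(answer)
        self._answers[user] = record

    def make_challenge(self, user, n_questions=2):
        """Pick questions at random; for each one build an 'image' whose cells hold the
        user's answer and decoys in a random arrangement. Only the labelled cells go to
        the client; the expected positions are kept server-side under a fresh id."""
        known = sorted(self._answers[user])
        rounds, expected = [], []
        for qid in self.rng.sample(known, min(n_questions, len(known))):
            prompt, pool = QUESTION_BANK[qid]
            correct = next(p for p in pool if normalise(p) == self._answers[user][qid])
            cells = self.rng.sample([p for p in pool if p != correct], GRID_CELLS - 1)
            cells.append(correct)
            self.rng.shuffle(cells)
            rounds.append((qid, prompt, cells))
            expected.append(cells.index(correct))
        cid = secrets.token_hex(16)
        self._pending[cid] = (user, expected)
        return cid, rounds

    def verify(self, cid, clicks):
        """Check the clicked cell of every round. The challenge is consumed on first use,
        so a recorded session replayed later fails even with the right clicks, and an
        account with too many consecutive failures is refused."""
        entry = self._pending.pop(cid, None)
        if entry is None:
            return False
        user, expected = entry
        if self._failures.get(user, 0) >= MAX_FAILURES:
            return False
        ok = len(clicks) == len(expected) and all(c == e for c, e in zip(clicks, expected))
        self._failures[user] = 0 if ok else self._failures.get(user, 0) + 1
        return ok


def solve(rounds, answers):
    """What an honest client does: click the cell whose label is its own answer."""
    return [next(i for i, label in enumerate(cells) if normalise(label) == normalise(answers[qid]))
            for qid, _prompt, cells in rounds]


if __name__ == "__main__":
    server = IpasServer()
    server.register("alice", {"car": "Toyota", "city": "Calabar"})
    cid, rounds = server.make_challenge("alice")
    for _qid, prompt, cells in rounds:
        print(prompt, cells)
    print("login ok:", server.verify(cid, solve(rounds, {"car": "toyota", "city": "Calabar"})))
```

Because the answer pool for a question is small, the position of the correct cell changes with every challenge and the number of attempts is bounded; that, rather than a large answer space, is what limits guessing in this model. The expected positions never leave the server, which is the sense in which no password information crosses the network.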

3.3 Proposed System Modeling

In object-oriented development, both the problem in the problem domain and the solution in the
solution space are described in terms of objects. In the solution, these objects normally become classes.
As the requirements and design phases of software development progress, the objects switch from
being representations of the things in the problem domain to being programming structures in the
software.

Object-oriented software development is different from conventional software development. There are many benefits
to object-oriented development, amongst which are simplification of requirements, design and
implementation. These benefits are achieved by modelling the problem domain with objects that
represent the important entities, by encapsulating the functions with the data, by reusing objects within
a project and between projects, and by having a solution that is much closer intellectually to the
problem. The Unified Modeling Language (UML) is the standard notation for object-oriented models.

3.3.1 Use Case Diagrams

A use case diagram is part of the UML set of diagrams. It shows the important actors and functionality
of a system. Actors are represented by stick figures and functions by ovals. Actors are associated with
functions they can perform. The functions in the ovals are methods of the classes in the object model.
Below is the use case diagram for the proposed system.

Figure 1: System Use Case Diagram (Implicit Password Authentication System)

3.3.2 System Sequence Diagram

Sequence diagrams are used to display the interaction between users, screens, objects and entities
within the system. They provide a sequential map of message passing between objects over time. In most
cases, these diagrams are placed under Use Cases in the model to illustrate the use case scenario: how a
user will interact with the system and what happens internally to get the work done.

Sequence diagrams in UML show how objects interact with each other and the order in which those interactions
occur. It is important to note that they show the interactions for a particular scenario. The processes are
represented vertically and interactions are shown as arrows.

The aim of a sequence diagram is to define event sequences which would have a desired outcome. The
focus is more on the order in which messages occur than on the messages themselves. However, the majority of
sequence diagrams will communicate what messages are sent and the order in which they tend to occur
(Atsa’am 2014). Figure 2 shows the sequence diagram of the proposed system.

Figure 2: System Sequence Diagram

3.3.3 Activity Diagram

Activity diagrams are graphical representations of workflows of stepwise activities and actions with
support for choice, iteration and concurrency. In the Unified Modeling Language, activity diagrams are
intended to model both computational and organisational processes. Activity diagrams depict the
overall flow of control. Activity diagrams are constructed using rounded rectangles to represent actions,
diamonds for decisions, bars to represent the start (split) or end (join) of concurrent activities; a black
circle to represent the start of the workflow and an encircled black circle to represent the end (final
state). Arrows run from the start towards the end and represent the order in which activities happen.
The figure below shows the activity diagram of the proposed system (Atsa’am 2014).

Figure 3: Activity Diagram

3.3.4 Advantages of the Proposed System

 The strength of IPAS depends greatly on how effectively the authentication information is embedded
implicitly in an image; it should be easy to decrypt for a legitimate user and highly fuzzy for a
non-legitimate user.

 No password information is exchanged between the client and the server in IPAS, since the
authentication information is conveyed implicitly.

3.4 System Design

3.4.1 Output Design

Output is the most important task of any system. These guidelines apply for the most part to
both paper and screen outputs. Output design is often discussed before other features of design because,
from the customer’s point of view, the output is the system.

Output may be designed to aid future change by stressing formless reports, defining field sizes
for future growth, making field constants into variables, and leaving room on review reports for added
ratios and statistics. Figure 4 below presents a design of the output of the system after a user has
completed his/her registration successfully.

Figure 4: Output design of User’s home page

The user home page is the first page seen immediately after a user successfully logs into the
system. It contains the menu that the user can use to navigate to the various pages. It welcomes the user
and displays some personal details of the user, which the user can update if he so wishes.

3.4.2 Input Design

The input design is the link between the user and the information system. It comprises the
procedures and specifications for data preparation, that is, the steps necessary to put
transaction data into a usable form for processing. This can be achieved by having the computer read
data from a written or printed document, or by having people key the data directly into
the system. The design of the input system focuses on controlling errors, controlling the amount of
input required, avoiding delay, avoiding extra steps and keeping the process simple. The input is
designed in such a way that it provides ease of use while retaining privacy and security. Input
design considered the following things:

 What data, and how much data, should be given as input?
 How should the data be coded or arranged?
 The dialog to guide the operating personnel in providing input.
 Methods for preparing input validations and steps to follow when errors occur.

Figures 5 and 6 below show the set of data that will be requested as input from the user at the time
of registration and at the time of authentication.

Figure 5: Input design for Registration

The registration page is the sign-up page; a user who visits this page intends to sign up to the IPAS
system. The user supplies his primary details, including his address, qualification and security
questions.

Figure 6: Input design for login information

The login information page is also part of the registration process; on this page the user enters his user
ID and supplies answers to the security questions provided by the system in order to be able to use the
system.

3.4.3 Database/File Design


Data modelling is performed during the initial phases of the database development process.
The data model focuses mainly on what information should be stored in the database. The information
needed to build the data model is gathered during the requirement analysis. A comprehensive data
model should take into account the current and future needs of an organization in order to support the
business process within an organization.

To develop an effective web-based authentication system (that is, implicit password) for
Financial Resource Management, we must maintain accurate and up-to-date information about financial
institutions and their prospective jobs as well as up-to-date images of answers to the security questions.

In order to accommodate the above requirements, a data model must be designed that captures
the essential entities and relationships that are present in an authentication system for banking. An
Entity Relationship Diagram (ERD) gives a graphical representation of the tables (entities) in the
database and the relations between them (Lingareddy, 2007).

Figure 7: Entity-Relation Diagram

In the relational database model, each of the entities, including the associative entities, is
transformed into a table. The attributes (fields) of each of the entities for the ERD shown in Figure 7
are as follows.

Table 1: Registration Table

S/NO.  FIELD NAME      DATA TYPE  LENGTH  CONSTRAINTS
1      Userid          Varchar    45      Not null
2      Acctno          Varchar    45      Null
3      Fname           Varchar    45      Null
4      Lname           Varchar    45      Null
5      Dob             Varchar    45      Null
6      Sex             Varchar    45      Null
7      Age             Varchar    45      Null
8      Qualification   Varchar    45      Null
9      Email           Varchar    45      Null
10     Street          Varchar    45      Null
11     City            Varchar    45      Null
12     State           Varchar    45      Null
13     Phoneno         Varchar    45      Null
14     Dateregistered  Varchar    45      Null
15     Accttype        Varchar    45      Null
16     Branchname      Varchar    45      Null

The registration table stores the registration details of a new user. This table is strategically
important because every user of the IPAS system must register with the system and, as such, their
details must be captured in this table.

Table 2: Users Table

S/NO.  FIELD NAME   DATA TYPE  LENGTH  CONSTRAINTS
1      Userid       Varchar    45      Not null
2      Category     Varchar    45      Null
3      question1    Varchar    45      Null
4      ans1         Varchar    45      Null
5      question2    Varchar    45      Null
6      ans2         Varchar    45      Null
7      question3    Varchar    45      Null
8      ans3         Varchar    45      Null
9      image1       Blob               Null
10     image2       Blob               Null
11     image3       Blob               Null
12     wrongimage1  Blob               Null
13     wrongimage2  Blob               Null
14     wrongimage3  Blob               Null
15     ans1breed    Varchar    45      Null
16     ans2model    Varchar    45      Null
17     ans3model    Varchar    45      Null

The users table keeps the login details of every user of the system (admin and client inclusive). This
table is also very important because every user of the system must have his details stored here. The
users table holds the user’s User ID, Category and answers to the system’s security questions, which will
be used as login credentials for the IPAS system.
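As an added example (editor's code, not the paper's schema or implementation), the following Python builds a normalised form of the users table in SQLite: each (user, question) pair becomes one row, so the number of questions is not fixed by the table shape, and the primary key, foreign key and category check enforce in the database what the text above states in prose. The table and column names, the two category values and the sample rows are the editor's assumptions and do not match Table 2 field for field.

```python
"""Normalised storage for the IPAS users table (editor's example, not the paper's schema)."""
import sqlite3

# Table 2 keeps question1..3, ans1..3, image1..3 and wrongimage1..3 as fixed columns.
# Here each (user, question) pair is one row; names and category values are assumptions.
SCHEMA = """
CREATE TABLE registration (
    userid   TEXT PRIMARY KEY,
    acctno   TEXT UNIQUE,
    fname    TEXT,
    lname    TEXT,
    category TEXT NOT NULL CHECK (category IN ('admin', 'client'))
);
CREATE TABLE security_answer (
    userid      TEXT NOT NULL REFERENCES registration(userid) ON DELETE CASCADE,
    question    TEXT NOT NULL,
    answer      TEXT NOT NULL,
    image       BLOB NOT NULL,      -- image that implicitly embeds the answer
    wrong_image BLOB,               -- decoy image for the same question
    PRIMARY KEY (userid, question)  -- one answer per question per user
);
"""


def open_db(path=":memory:"):
    """Create the schema in a fresh database with referential integrity enforced."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores REFERENCES without this
    conn.executescript(SCHEMA)
    return conn


def add_user(conn, userid, acctno, fname, lname, category):
    """Insert a registration row; returns False if a constraint rejects it."""
    try:
        with conn:
            conn.execute("INSERT INTO registration VALUES (?, ?, ?, ?, ?)",
                         (userid, acctno, fname, lname, category))
        return True
    except sqlite3.IntegrityError:
        return False


def add_answer(conn, userid, question, answer, image, wrong_image=None):
    """Insert one security answer with its image; returns False on a constraint
    violation (unknown user, or a second answer for the same question)."""
    try:
        with conn:
            conn.execute("INSERT INTO security_answer VALUES (?, ?, ?, ?, ?)",
                         (userid, question, answer, image, wrong_image))
        return True
    except sqlite3.IntegrityError:
        return False


def answers_for(conn, userid):
    """All (question, answer, image) triples the server can build challenges from."""
    rows = conn.execute(
        "SELECT question, answer, image FROM security_answer WHERE userid = ? ORDER BY question",
        (userid,))
    return [(q, a, bytes(img)) for q, a, img in rows]


def delete_user(conn, userid):
    """Removing a user cascades to their answers and images; returns rows removed."""
    with conn:
        cur = conn.execute("DELETE FROM registration WHERE userid = ?", (userid,))
    return cur.rowcount


if __name__ == "__main__":
    db = open_db()
    add_user(db, "alice", "0001", "Alice", "Example", "client")
    add_answer(db, "alice", "car", "Toyota", b"<constructed image bytes>")
    print(answers_for(db, "alice"))
```

With the foreign key and composite primary key in place, an orphaned answer row or a duplicate answer for one question is refused by the database itself rather than by application code, and deleting a registration removes its images with it.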

Table 3: Fund Transfer Table

S/NO.  FIELD NAME    DATA TYPE  LENGTH  CONSTRAINTS
1      Fromacctno    Varchar    45      Not null
2      Toacctno      Varchar    45      Null
3      Amount        Varchar    45      Null
4      Transferdate  Varchar    45      Null

As the name suggests, the fund transfer table holds records of transactions consummated by the user with
the banking system. The table holds the source account number, destination account number, amount
and the transfer date. With these details, reference can be made to the table in case of any financial
complications.

Table 4: Loan Application Table

S/NO.  FIELD NAME       DATA TYPE  LENGTH  CONSTRAINTS
1      Applicationid    Varchar    45      Not null
2      Fname            Varchar    45      Null
3      Lname            Varchar    45      Null
4      Loandescription  Varchar    45      Null
5      Loantype         Varchar    45      Null
6      Maxloanvalue     Varchar    45      Null
7      Occupation       Varchar    45      Null
8      Maxmonthlyins    Varchar    45      Null
9      Rateofinterest   Varchar    45      Null

The loan application table holds records of users applying for loans; details ranging from the applicant’s first name
and last name to his occupation, loan value, rate of interest and monthly instalment are stored in this
table.

Table 5: Cheque Book Application Table

S/NO.  FIELD NAME    DATA TYPE  LENGTH  CONSTRAINTS
1      Acctno        Varchar    45      Not null
2      Fname         Varchar    45      Null
3      Lname         Varchar    45      Null
4      Accttype      Varchar    45      Null
5      Branchname    Varchar    45      Null
6      Orderofbooks  Varchar    45      Null
7      Dateapplied   Varchar    45      Null

The cheque book application table holds records of users applying for cheque books; this table stores
the user’s account number, name, the order of books and the date applied. It is from this table that the
admin can access users’ applications and approve applications for cheque books.

Table 6: Deposit Table

S/NO.  FIELD NAME    DATA TYPE  LENGTH  CONSTRAINTS
1      Tellerid      Varchar    45      Not null
2      Customername  Varchar    45      Null
3      Acctno        Varchar    45      Null
4      Currentdate   Varchar    45      Null
5      Acctntype     Varchar    45      Null
6      Amount        Varchar    45      Null
7      Amounttype    Varchar    45      Null

The deposit table stores details of deposits made by users; at the time of deposit, the user supplies name,
account number, amount and the amount type (cash or cheque), and all of these details are stored in the
deposit table.

Table 7: Loan Sanction Table

S/NO.  FIELD NAME      DATA TYPE  LENGTH  CONSTRAINTS
1      issueid         Varchar    45      Not null
2      applicationid   Varchar    45      Null
3      fname           Varchar    45      Null
4      lname           Varchar    45      Null
5      loanamount      Varchar    45      Null
6      rateofinterest  Varchar    45      Null
7      monthlyins      Varchar    45      Null
8      dateissued      Varchar    45      Null

This table keeps records of users whose loan requests have been sanctioned. This table is of great
importance to the system; when a user checks to see if his request for a loan has been sanctioned, the
details come from this table (if indeed his request has been sanctioned).

3.4.4 Functional Decomposition Diagram

Functional decomposition is a business analysis technique for breaking down a “business operation”
into functional components. A Functional Decomposition Diagram (FDD) shows a hierarchical
organisation of the business functions that comprise the business operation. It does not show the
sequence of events.

Functional decomposition is most commonly used during the analysis phase of a project to produce
functional decomposition diagrams as part of the functional requirements document. It can also be used
during the planning, analysis and design phases of a project to help clarify business operations. Below
is the functional decomposition diagram of the proposed system (Lingareddy, 2007).

Figure 8: Functional Decomposition Diagram

3.5 Algorithm for the Proposed System

According to Thomas et al., (2009), when an algorithm is associated with processing information, data
is read from an input source, written to an output device, and/or stored for further processing. Saved
data is regarded as part of the internal state of the entity performing the algorithm. Because an
algorithm is a precise list of precise steps, the order of computation is always critical to the functioning
of the algorithm. Instructions are usually assumed to be listed explicitly, and are described as starting
“from the top” and going “down to the bottom”, an idea that is described more formally by flow of
control.

The new system’s algorithm follows:

Input URL;
If URL == true
    THEN GOTO homepage();
    If Signup != null
        THEN GOTO Registration();
        GOTO LoginInformation();
        GOTO UploadImage();
        GOTO Welcomepage();
    End if
    If Signin != null
        If username == true && password == null
            THEN GOTO admin();
            GOTO viewloanrequest() ||
            GOTO sanctionloan() ||
            GOTO deposit() ||
            GOTO viewaccountholders() ||
            GOTO issueloan() ||
            GOTO logout()
        ELSE
            GOTO securityquestionpage()
            If answer == true
                THEN GOTO user();
                GOTO viewaccountstatement() ||
                GOTO applyloan() ||
                GOTO viewloansanction() ||
                GOTO transferfund() ||
                GOTO requestchequebook() ||
                GOTO changepassword() ||
                GOTO logout();
            ELSE
                OUTPUT error message;
                GOTO securityquestionpage();
            End if
        End if
    End if
End if

3.6 Description of Modules

Figure 9 represents the architecture of an extended Implicit Password Authentication System. It
consists of five modules:

 Client
 Server
 Image generation
 Authentication
 Transaction

The proposed system efficiently handles the security issues. The entire processing of the system is
depicted through the architecture phase. The flow for the entire process is manipulated. The proposed
system fits itself perfectly by improving the efficiency of the password and also makes the
authentication safer and more secure. The extended IPAS makes transactions more convenient by
presenting the password more securely. This depicts a perfect authentication scheme in which the
chances of fraud and hacking are much reduced.

Figure 9: IPAS Architecture

3.6.1 Client

This module plays a vital role in this project because it deviates from the normal
registration process: in this module, the client registers all his authentication
information along with his user name, ID, age, sex, mobile number and address, together with security
questions. All the information is stored in the main server for authentication.

3.6.2 Server

Server acts as the main resource for the client. Server is responsible for maintaining all the client
information. Server will generate a random image and the image is generated according to the answers
made by the user during the registration process. Server will finally authenticate the user.

3.6.3 Image Generation

A set of images is generated by the server based on the answers given by the user during the
registration period. One relevant image is displayed, at a random position, together with a set of irrelevant
images and the encrypted data. The user selects the correct image by proper judgement of the correct
answer with respect to the answers given during the registration period.

3.6.4 Authentication

The User ID is verified against the registration records and the image verification is done by the server,
based on the answers given by the user during the registration period. One relevant image is displayed
at a random position together with a set of irrelevant images and the encrypted data. After random
number or session key verification, the user is allowed to proceed.

3.6.5 Transaction

If the client completes the whole authentication process, the system allows the user to continue with
his transactions, such as deposit, withdrawal, mini statement and so on. IPAS is implemented
for a banking system (BS); based on that, we specify two users of the BS:

Client

 View account statement
 Transfer fund
 Apply for loan
 View sanctioned loan
 Request chequebook
 Change password
 Logout

Admin

 View all account holders
 View request for loan
 Sanction loan
 Deposit
 Loan repayment
 Logout

3.7 System Development Technologies

To implement any web-based application a web server is required. A web server is a piece of software
that manages web pages and makes them available to the ‘client’ browser via a local network or over
the Internet. The web server can be accessed remotely or locally. There are many web servers available,
such as Apache, Internet Information Services (IIS), Netscape Web Server, JBoss Application Server,
GlassFish and so on.

By typing a URL (Uniform Resource Locator) into the address box of the browser, the communication
between a browser and a web server is started. Each conversation consists of two pieces:

 A request for information from the browser software and
 A response from the server addressed by the URL.

For the implementation of this application, JBoss version 4.2.2.GA is used as the web server.

3.7.1 JBoss

JBoss is an open-source alternative to commercial offerings such as IBM WebSphere, Oracle BEA
services and SAP NetWeaver, developed by the JBoss Group. JBoss is a freeware server that houses an
implementation of the Enterprise JavaBeans (EJB) 1.1 (and parts of 2.0) specification. It is similar to
Sun’s J2EE Reference Implementation, but the JBoss core server provides only an EJB server.

The JBoss application server is a J2EE platform for developing and deploying enterprise Java
applications, Web applications and services, and portals. J2EE allows the use of standardized modular
components and enables the Java platform to handle many aspects of programming automatically.

JBoss contains a JMS (Java Message Service) provider called JBossMQ. JBossMQ is fully JMS API-
compliant and can be used for standalone JMS clients. JBossMQ has a number of configuration files.
JBoss is licensed under the GNU Lesser General Public License (LGPL).

3.7.2 J2EE

In this work, the Java 2 platform enterprise edition (J2EE) was used. Java 2 platform, Enterprise
Edition (J2EE) defines the standard for developing multi-tier enterprise applications. The platform
selection depends on many factors, available system infrastructure, project timelines, project budget
and most importantly platform technologies.

The J2EE platform takes advantage of the many features of the Java platform standard edition (J2SE),
such as “write once, run anywhere” portability, the JDBC API for database access, CORBA technology for
interacting with existing enterprise resources, and a security model that protects data even in Internet
applications.

J2EE consists of a set of openly developed specifications that are available free for anyone to implement
on any platform. As a result, an ecosystem comprising hundreds of vendors is thriving on the J2EE
platform today. An ecosystem of multiple vendors providing J2EE middleware has another benefit, faster
innovation: all vendors contribute their technological ideas to Java, which furthers the J2EE platform
through standardization.

J2EE ensures a friendly platform. Most open source projects use Java as the language and platform
for development and deployment. Today’s enterprises gain competitive advantage by quickly
developing and deploying custom applications that provide unique business services. Portability and
scalability are also important for long-term viability.

The J2EE security model, designed to support single sign-on access to application services, makes the
platform suitable for this research work, since it is concerned with financial records. Component developers
can specify the security requirements of a component at the method level to ensure that only users with
the appropriate permissions can access the operation. The following were the reasons why J2EE was chosen:

i. It is modular in nature
ii. It is graphically oriented
iii. It is excellent in handling databases
iv. It makes the program user friendly and easy to access.

3.7.3 MySQL

MySQL is a software package that enables the creation, maintenance and management of
databases. MySQL is a Structured Query Language (SQL) based, client/server relational database. Each
of these terms describes a fundamental part of the architecture of MySQL Server.

Database: A database is a storage place for data. The user runs an application that accesses
data from the database and presents it to the user in an understandable format.

Relational database: There are different ways to organize data in a database but relational
databases are one of the most effective. Relational database systems are an application of mathematical
set theory to the problem of effectively organizing data. In a relational database, data is collected into
tables (called relations in relational theory).

Structured Query Language (SQL): There are several different languages that can be used
to manipulate relational databases. The most common of these languages is SQL. The American National
Standards Institute (ANSI) and the International Organization for Standardization (ISO) have defined standards
for SQL. Data within a database can be retrieved via SQL, which is based on relational algebra.

Client/Server: In a client/server system, the server is a relatively large computer in a central
location that manages a resource used by many people. When individuals need to use the resource, they
connect over the network from their computers, clients, to the server.

MySQL’s specific design goals were speed, robustness and ease of use. To improve
performance, MySQL was made a multi-threaded database engine. A multi-threaded application
performs many tasks at the same time, as if multiple instances of that application were running
simultaneously. Multi-threaded applications have a lower overhead cost than multi-process
databases.

Being multi-threaded gives MySQL many advantages. A separate thread handles each
incoming connection, with an extra thread always running to manage the connections. Multiple
clients can perform read operations simultaneously, but during a write only the clients that need access
to the data being updated are held. Even though the threads share the same process space, they execute
individually, so multiprocessor machines can spread the threads across many CPUs as long as the host
operating system supports multiple CPUs. Multithreading is the key feature supporting MySQL’s
performance design goals and the core feature around which MySQL is built. MySQL has other
features, but the most attractive are cost and performance (Lingareddy, 2007).

RESULTS, DISCUSSIONS AND CONCLUSION

4.1 Implementation

Implementation is the stage of the project at which the theoretical concept is turned into a working
system. Implementation is therefore the most critical stage in achieving a successful new system and
in giving the user confidence that the new system will work and be effective. The implementation
stage involves careful planning, analysis of the existing system and its constraints on implementation,
design of the changeover methods and evaluation of those methods. It is also at this stage that
documentation is written, recording how every part of the system works; a user who reads such a
document should be able to use the system comfortably.

It is necessary to ensure that the proposed system reaches its stated objectives. It is also essential to
ascertain the flexibility and reliability of the system being developed before it is put to use, in order to
find any weakness or error inherent in the system and to make modifications where necessary.

4.2 Program Testing and Results

At this stage, the hardware and software which make up the system are tested and thoroughly checked
for errors and compatibility.

4.2.1 Program Testing

Testing is the process of running a system with the intention of finding errors. Testing enhances the
integrity of a system by detecting deviations from the design and errors in the system. Testing aims at
detecting error-prone areas, which helps prevent errors in the system. Testing also adds value to the
product by confirming that it conforms to the user requirements.

The main aim of testing is to detect errors and error-prone areas in a system. Testing must be thorough
and well planned; a partially tested system is as bad as an untested one, and the price of an untested
or under-tested system is high. Implementation is the final and most important phase. It involves user
training and system testing to ensure that the proposed system runs successfully. The users test the
system and changes are made according to their needs. Testing involves exercising the developed
system with various kinds of data; errors found are noted and corrected. The parts tested were
registration of a new user, supplying answers to the security questions, and logging in to perform
financial transactions.

4.2.2 Result Discussion:

Based on the testing carried out, the system was able to meet the expected requirements: allowing
new user registration, accepting users’ answers to the security questions and generating login images
accordingly, allowing users to log in to the system, and performing financial transactions such as
applying for a loan, sanctioning a loan, transferring funds and making deposits.

4.3 System Setup Requirements

This involves the software and hardware required to make the information system function effectively.
Software is a collection of programs or instructions written in a computer language, which provides the
flexibility to do whatever the user wants.

4.3.1 Hardware Requirements:

The new system has been designed to run on a computer system with:

- Intel Dual Core Processor (1.6 GHz)
- 60 GB Hard Disk
- 1 GB Flash Drive
- LCD Colour Monitor
- Optical Mouse
- 512 MB RAM

4.3.2 Software Requirements:

The software requirements for running the new system include:

- Windows XP
- Java Development Kit (JDK)
- MySQL
- Mozilla Firefox, Google Chrome, Opera and Internet Explorer
- JBoss Server Version 4

4.4 System Change Over

The system changeover is the procedure used to change from the old system to the new one. The
changeover method used here is parallel conversion, in which the new system is implemented gradually
over a period of time and the entire implementation process is broken down into separate processes.
This phase ensures that the new system is in perfect operation before the old one is discarded
completely.

4.5 Documentation

This phase provides the instructions or manual that tell users how to run the program. User
documentation describes how a program is used: typically it describes each feature of the program and
helps the user make use of those features, and a good user document also provides thorough
troubleshooting assistance. It is very important that user documents are not confusing and are kept
up to date. They need not be organised in any particular way, but a thorough index is essential, and
consistency and simplicity are also very valuable. User documentation is considered to constitute a
contract specifying what the software will do. After the software components have been installed, the
following steps must be followed:

Step 1: Enter the web address of the bank: www.ipasforbanking.com

Step 2: As a new user, click the Sign Up button to register with the IPAS system, supply your personal
details and proceed by clicking the Next button. Your user ID will be forwarded automatically to your
mobile phone by SMS from the IPAS system.

Step 3: On the login information page, supply your user ID and provide answers to the security
questions that are presented to you. The system automatically generates an image for each answer
provided.

Step 4: Now log in to the system using your user ID and your security answers, which are entered
implicitly this time.

Step 5: On your home page, you can perform any of your regular banking transactions.

Step 6: To change your password, click the Update Password menu.

4.6 System Functionalities

The various interfaces of the new system and their functions are presented as follows:

Home Page

The home page is the first page the user sees on accessing the site. It has menus for easy navigation of
the system and also gives a description of what the software is about, with images for easy
comprehension.

Figure 10: Homepage interface

Registration Page

The registration page is where user registration is done. On this page the user enters the primary
details the system requests in order to use the system: name, address, date of birth, academic
qualification, sex, email, etc. Figure 11 shows the interface of the page.

Figure 11: Registration Page interface

Login Information Page

On the login information page, the user is expected to provide answers to the security questions posed
by the system. The answers to these questions serve as the user’s login credentials whenever access to
the site is requested on subsequent visits. The interface is given in figure 12 below:

Figure 12: Login Information page interface

Image Upload Page

On the image upload page, the user uploads the image corresponding to each answer entered on the
previous page; with these images the user will be able to complete the authentication process. After
the specified number of images has been entered, the page asks the user to confirm the authenticity of
the information entered before proceeding to finish registration. This is shown in figures 13 and 14
below.

Figure 13: Interface of the Image Upload Page

Figure 14: Interface of the Image Upload Summary

User Welcome Page

Successful authentication ushers the user to the user home page, where the functions provided by the
banking system can now actually be accessed. This page displays the user’s details and provides a
means of modifying them should the need arise. The interface of the page is presented in figure 15
below:

Figure 15: Welcome Page interface

Login Page

The focus of the IPAS system is on authentication, hence the importance of the login page. On this
page the user supplies a user ID and, once the user ID has been validated, moves to the next phase of
authentication: the user is presented with security questions which are to be answered implicitly, in the
form of images, on the assumption that the user is familiar with the images of the answers supplied
textually during registration. The interfaces are presented in figures 17, 18, 19 and 20 below:
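The registration and login flow described in Steps 2 to 6 of the documentation and on this login page, the parts named in the program testing section (registration, supplying answers, logging in), and the MySQL-backed storage of section 3.7.3 can be modelled end to end. The following is an added example written for this edit, not code from the IPAS project. It is in Python, with sqlite3 standing in for MySQL; the table layout, the PBKDF2 hashing of the textual answers, the decoy-image challenge pages and the three-failure lockout are assumptions about how such a system could be built, not details the paper states.

```python
"""Hypothetical model of the IPAS registration and login flow (added example).

sqlite3 stands in for the MySQL store the paper describes. The table layout,
the PBKDF2 hashing of textual answers, the decoy-image challenge and the
lockout threshold are assumptions, not the project's own design.
"""
import hashlib
import hmac
import os
import secrets
import sqlite3

PBKDF2_ROUNDS = 100_000
MAX_FAILURES = 3          # assumed lockout threshold
DECOYS_PER_PAGE = 3       # assumed: each page shows the real image plus 3 decoys

SCHEMA = """
CREATE TABLE users (
    userid   TEXT PRIMARY KEY,
    failures INTEGER NOT NULL DEFAULT 0,
    locked   INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE answers (
    userid   TEXT NOT NULL REFERENCES users(userid),
    question TEXT NOT NULL,
    salt     BLOB NOT NULL,
    answer_h BLOB NOT NULL,   -- PBKDF2 of the normalised textual answer
    image_id TEXT NOT NULL,   -- the image the user uploaded for this answer
    PRIMARY KEY (userid, question)
);
"""


def open_store():
    """Create an empty in-memory store (sqlite3 in place of MySQL)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def _hash_answer(answer, salt):
    # Normalise so that case and surrounding spaces do not change the hash.
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, PBKDF2_ROUNDS)


def register(db, userid, qa_images):
    """Steps 2 and 3: create the user and store each (question, answer, image_id)
    with the answer salted and hashed; only the image reference is kept in clear."""
    db.execute("INSERT INTO users (userid) VALUES (?)", (userid,))
    for question, answer, image_id in qa_images:
        salt = os.urandom(16)
        db.execute("INSERT INTO answers VALUES (?, ?, ?, ?, ?)",
                   (userid, question, salt, _hash_answer(answer, salt), image_id))
    db.commit()


def challenge(db, userid, decoy_pool, rng=secrets.SystemRandom()):
    """Step 4, server side: for each question build a shuffled page of image ids
    holding the user's image plus decoys. The textual answer is never sent."""
    rows = db.execute("SELECT question, image_id FROM answers WHERE userid = ?",
                      (userid,)).fetchall()
    own_images = {image_id for _, image_id in rows}
    pages = []
    for question, image_id in rows:
        decoys = [d for d in decoy_pool if d not in own_images]
        options = rng.sample(decoys, DECOYS_PER_PAGE) + [image_id]
        rng.shuffle(options)
        pages.append((question, options))
    return pages


def login(db, userid, selections):
    """Step 4, verification: selections maps question -> image id the user clicked.
    Every question is checked before a verdict is given, and failures are counted."""
    row = db.execute("SELECT locked FROM users WHERE userid = ?", (userid,)).fetchone()
    if row is None or row[0]:
        return False                       # unknown or locked account
    rows = db.execute("SELECT question, image_id FROM answers WHERE userid = ?",
                      (userid,)).fetchall()
    ok = len(rows) > 0
    for question, image_id in rows:
        chosen = str(selections.get(question, ""))
        ok &= hmac.compare_digest(image_id.encode(), chosen.encode())
    if ok:
        db.execute("UPDATE users SET failures = 0 WHERE userid = ?", (userid,))
    else:
        db.execute("UPDATE users SET failures = failures + 1, "
                   "locked = (failures + 1 >= ?) WHERE userid = ?", (MAX_FAILURES, userid))
    db.commit()
    return ok


def verify_text_answer(db, userid, question, answer):
    """Assumed check before Step 6 (Update Password): the typed answer is re-hashed
    with the stored salt and compared in constant time."""
    row = db.execute("SELECT salt, answer_h FROM answers WHERE userid = ? AND question = ?",
                     (userid, question)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(_hash_answer(answer, row[0]), row[1])
```

Three design points matter for a banking deployment of this scheme. The textual answer never crosses the wire at login, only an image identifier does, which is what makes the password "implicit". The answers are stored as salted PBKDF2 hashes, so a copy of the database does not reveal them. And because each challenge page offers only a handful of images, the verifier checks every question before returning a verdict and counts failed attempts, so the small per-page choice cannot be exhausted by repeated guessing; all SQL is parameterised, which is the MySQL-side habit the banking application should keep.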

Figure 16: Interface of the user login page

Figure 17: Security question page interface

Figure 18: Interface of the next phase of the security question

Figure 19: Interface of another security question page

Figure 20: Next phase of the security question

4.7 Summary

In summary, this project work deals with the evaluation of the previous authentication systems used by
financial institutions. It also considered the effects and disadvantages of this new authentication
system. It went further to examine its storage method and, based on the findings, the need for the
development of this scheme, which in turn called for an examination of the old scheme. The need for a
suitable programming language also arose and, after much analysis of the project and its design, a
choice of programming language was made: Java 2 Enterprise Edition (J2EE), with Structured Query
Language (SQL) as the database platform.

4.8 Conclusion

The implicit password is more secure than the existing system. This system can be implemented in
places where security is poor or additional security is needed. The concept can be used extensively in
banking, since transactions there are more prone to fraud. Hacking of the implicit password is
impossible: a text password can be hacked, but the implicit password cannot, because only the
legitimate user can identify it. Also, text passwords can be retrieved through techniques such as key
loggers, shoulder surfing and screen dumps, but the implicit password cannot be retrieved, since
trial-and-error methods cannot be applied to it. The reference observations clearly state that passwords
face a number of security issues, and those issues can be resolved in this study.

4.9 Recommendations

Having seen the problems encountered with the old authentication systems, it is strongly
recommended that financial institutions employ this system of authentication, as it has the dynamic
benefits of being usable and reliable. Images are currently implemented in this system; in future, all
types of digital objects can be implemented depending on usability. The system is currently tested in
banking applications, and we intend to extend it to other fields too. The system accommodates only
new customers of the bank; we intend to extend it to cover existing customers.

REFERENCES

Anil K., Jain Lin Hong, Sharath P., Andruud B. (1997). An Identity-Authentication System Using Fingerprints. Retrieved from http://citeseer.ist.psu.edu/viewdoc/summary;jsessionid=44A8D6891E44B4ECEFD7C056D30ADDCF?doi=10.1.1.389.4975

Birget, J. C., H. Dawei, et al. (2006). Graphical passwords based on robust discretization. IEEE Transactions on Information Forensics and Security, 1(3): 395-399. Retrieved from http://ieeexplore.iee.org/xpl/login.jsp?tp=$arnumber=1673401$url=https%3A%2F%2F2.zoppoz.workers.dev%3A443%2Fhttp%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D1673401

Brostoff, S. and Sasse, M. A. (2000). Are Passfaces More Usable than Passwords? A Field Trial Investigation. In People and Computers XIV: Usability or Else! Proceedings of HCI 2000 (Bath, UK). Springer Verlag. Retrieved from http://discovery.ucl.ac.uk/19830/

Clifford, S., Hutchison; Sawyer, S. C.; Coulthard, G. (1998). Computers, Communications, and Information: A User’s Introduction. Boston: Irwin/McGraw-Hill.

Don Atsa’am (2014). Using Unified Modelling Language (UML) Tools in System Analysis and Design. Makurdi, Benue State: Sure Prints.

H. J. Kim (1995). Biometrics, is it a viable proposition for identity authentication and access control? Computers and Security, 14: 205-214. Retrieved from http://www.sciencedirect.com/science/article/pii/016740489597054E

Ikwebe, M. A. (2010). The Design of Database to Manage Customer’s Accounts (a case study of UBA). Department of Mathematics, Statistics and Computer Science, Federal University of Agriculture, Makurdi, Benue State.

Lashkari, A. H., F. Towhidi, et al. (2009). A Complete Comparison on Pure and Cued Recall-Based Graphical User Authentication Algorithms. Second International Conference on Computer and Electrical Engineering (ICCEE ’09). Retrieved from http://www.researchgate.net/publication/202406201

Lee Jackson (2006). Analysis of Image-Based Authentication and its Role in Security Systems of the Future. Department of Internet Computing, Napier University. Retrieved from http://www.soc.napier.ac.uk/~bill/

R. V. Sudhakar et al. (2013). Improving Login Authorization by Providing Graphical Password (Security). International Journal of Engineering Research and Applications, ISSN 2248-9622, 3(6), Nov-Dec 2013, pp. 484-489. Retrieved from http://www.ijera.com/papers/

Renaud, K. (2009). On user involvement in production of images used in visual authentication. J. Vis. Lang. Comput., 20(1): 1-15. Retrieved from http://www.freepaperdownload.us/1749/Article6329204.htm

S. Wiedenbeck, J. Waters, J. C. Birget, A. Brodskiy, N. Memon (2005). Authentication Using Graphical Passwords: Effects of Tolerance and Image Choice. Symposium on Usable Privacy and Security (SOUPS), 6-8 July 2005, Carnegie Mellon University, Pittsburgh. Retrieved from http://www.dl.acm.org/citation.cfm?id=1073002

Sabzevar, A. P. and Stavrou, A. (2008). Universal Multi-Factor Authentication Using Graphical Passwords. IEEE International Conference on Signal Image Technology and Internet Based Systems (SITIS). Retrieved from http://www.academia.edu/2000720/user-Friendly_Considerations_within_Multi-factor_Authentication

Soumya R. Lingareddy (2007). The Design and Implementation of Human Resource Management. Retrieved from http://www.iusb.edu/

Takada, T. and H. Koike (2003). Awase-E: Image-Based Authentication for Mobile Phones Using User’s Favorite Images. Human-Computer Interaction with Mobile Devices and Services, Springer Berlin/Heidelberg, 2795: 347-351. Retrieved from http://www.link.springer.com/book/10.1007/b12029

Thomas H. C., Charles E. (2009). Introduction to Algorithms. 3rd Edition. MIT Press.
