Keyloggers are hardware or software tools designed to record user’s keyboard strokes. They are a threat during authentication as they can capture important information from the target computers through secret installation. They are largely undetected by most anti-virus software. To prevent key logger attacks, virtual on-screen keyboard with random keyboard arrangement is used. Unfortunately, the key loggers have improved tremendously. They take control of the personal computer and can capture every event and read the video buffer. By using cryptographically strong keys and passwords information can be delivered securely to the user’s computer. But humans may not have sufficient memory to remember cryptographically strong keys. This can be solved by introducing an intermediate device that bridges humans and user terminal. The proposed authentication scheme is a password-based authentication method using a randomized onscreen keyboard. The scheme utilizes a smartphone as the intermediate device which contains the keys required for decryption. The encrypted contents are encoded into QR (Quick Response) codes. QR codes can be scanned using the smartphone. The user owns a user id and a password. The user terminal will display a blank keyboard and the QR code which carries the encrypted random permutation of keyboard arrangement. The QR code will be decoded using the intermediate device. Looking at the keyboard arrangement in the intermediate device the user needs to click the buttons on the blank keyboard to input the password. The use of IMEI (International Mobile Equipment Identity) of the smartphone prevents the attackers from using any other phones for authentication even if he knows the user-id, password and the key for decryption.

QR code, password based authentication, smartphone, IMEI

[1] Seref Sagiroglu and Gurol Canbek, “Key loggers –Increasing threats to Computer Society and Privacy” IEEE TECHNOLOGY AND SOCIETY MAGAZINE | FALL 2009.
[2] Reza Jalili, “Secure Data Entry and Visual Authentication System and Method”, U.S Patent Appl No: 08/980,748, March 27 2001.
[3] Timothy William Cooper, “System and login resistance to compromise”, U.S Patent Appl No:12/070 627, June 2011
[4] Ramarao Pemmaraju, “Methods and apparatus for securing keystrokes from being intercepted between the keyboard and a browser” U.S Patent, Appl. No: 11/656,236, August 2007
[5] Stuart P. Goring, Joseph R. Rabaiotti and Antonia J. Jones,” Anti-key logging measures for secure Internet login: an example of the law of unintended consequences”, Computers and Security, February 2007
[6] McCune, J.M., Perrig, A. and Reiter, M.K. (2009)‘Seeing-Is-Believing: using camera phones for human- verifiable authentication’, Int. J. Security and Networks, Vol. 4, Nos. 1/2, pp.43–56
[7] DaeHun Nyang, Aziz Mohaisen, Jeonil Kang,” Key Logging-Resistant Visual Authentication Protocols” IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL.13, NO. 11, NOVEMBER 2014