Improved keylogging and shoulder-surfing resistant visual two-factor authentication protocol

Designing a secure user authentication method that involves human in the authentication procedure is a challenging problem. Due to their high user convenience, the password is the most widely used means of authentication. However, passwords are vulnerability to compromise by disclosure using various forms of information tapping like Keylogging, phishing attack, human shoulder-surfing and camera-based recording. This paper starts with an analysis of a previous attempt that proposes two visual authentication protocols to enhance password authentication. These protocols were based on the use of user-driven visualization utilizing two-dimensional barcode and smartphones. Even though the two protocols resist some known types of attacks, our analysis reveals serious shortcomings. The first protocol is not secure against theft of a smartphone. Both protocols are not secure against shoulder surfing, camera-based recording and phishing attacks. In this paper, the deficiencies of the original scheme are demonstrated, then a two-factor authentication scheme that eliminates these deficiencies is presented. A prototype of the proposed scheme is implemented and a secured virtual on-screen keyboard (SVOSK) comprising dynamic emoticon keyboard layout is also proposed. Formal security proof and usability analyses show that the proposed scheme is secure, efficient and has a high level of usability.