Innovative and Secured User Authentication Methods for Novice Visually Impaired users.
Gaurav Kumar Srivastava, Rajan Vaish, and Rahul Vaish
Abstract—Human Computer Interaction (HCI), with its varied applications, has drastically influenced the way people interact with computers over the years. The stream of HCI which helps disabled users of any kind to access and work on a computer comes under the category of Accessibility. Accessibility is a science which studies the ability to access. In this paper, we study an upcoming field under Accessibility which deals with Internet access, called Web Accessibility. Concentrating on the access behavior and techniques of Visually Impaired people, we propose three new Authentication Methods for various online portals, which inhibit hacking of the accounts of novice users. The methods are based on the concept that the user can confirm that the correct parameters have been entered before logging in, using Added fields, Smart Audible solutions and Keyboard-free access techniques. This saves server resources and improves User Experience through hack-free access.
Keywords: Visually Impaired, Accessibility, Web Accessibility, User Experience (UX), HCI, Authentication methods.

I. INTRODUCTION
The fields that together constitute HCI have maintained a long tradition of concern for access to computer systems by people with disabilities. However, in practice, much of the field's progress in this area has been slow. More often than not, the field's attention to this area has been an after-thought: Design and access has been based primarily on able-bodied populations rather than users who are disabled. Many countries enacted laws to ensure that people with disabilities have equal access to education, work, and functional independence. It has also become obvious that technology offers one promising way to achieve these goals. For example, in the United States, the Telecommunication Act of 1996 now requires that telecommunication systems be accessible to people with disabilities.
Manuscript received June 29, 2009. Gaurav Kumar Srivastava is an undergraduate student at Department of Computer Science & Engineering at Jaypee University of Information Technology, Waknaghat, Distt. Solan, Himanchal Pradesh, India (e-mail: gaurav.srivastava7@gmail.com). Rajan Vaish is an undergraduate student at Department of Computer Science & Engineering at Jaypee University of Information Technology, Waknaghat, Distt. Solan, Himanchal Pradesh, India (e-mail: vaish.rajan@gmail.com). Rahul Vaish is an undergraduate student at Department of Computer Science & Engineering at Lovely Professional University, Jalandhar, Punjab, India (e-mail: [email protected]).
9781-4244-3941-6/09/$25.00 ©2009 IEEE
One area of particular concern for people with disabilities is the World Wide Web. At present, the Web is an overwhelmingly visual interface. People with certain forms of visual disabilities may be unable to read a graphic, or may be unable to operate a pointing device. Typically, these users prefer text-only browsers, which allow non-visual means of reading pages (or the ability to increase the display font to a needed size), and non-pointing means for selecting items. These text-only browsers are capable of ignoring a Web page's graphical content, and of presenting the textual material from a Web page in a usable alternate modality (e.g., Braille or voice) for the user. Blind computer users mainly rely upon screen-reader software, which describes the activity on the screen and reads the text in the various windows. It can take a while to wade through a strange site using Screen Readers. The screen reader's output can be sent to the computer's speakers as a synthesized voice or to a Braille display. The latter uses tiny push pins to create a pattern of raised dots that can be read by a moving finger.

The primary usage of the Web for Visually Disabled Users is for emailing or searching information on the Web. Almost all Web Sites/Portals require a Login Account for access to information not available to guest users. User Authentication at the time of logging in is the prime concern. This paper is concerned with User Authentication of the Novice Visually Impaired user in a more secured manner and faster than the present way. The proposed method confirms that the correct Username and Password have been entered before the user logs in and the request is sent to the server. This method helps in making the account secure for Blind Users, as intruders cannot listen to the exact password while the user can confirm his/her authenticity; at the same time it also saves Internet bandwidth, as verification/confirmation is done before the request is sent to the server.
A Survey was also conducted to test the usability of the proposed methods over the existing ones. The Survey was conducted on many Visually Impaired users who access a computer or the Internet frequently, at an exhibition organized by National Association for the Blind (NAB-India) & Rehabilitation Society for the Visually Impaired (RSVI) at Lucknow, India. The survey results are used in the paper. Section II describes the present day implementation used by Visually Impaired users and in section III the proposed methods are elaborated. Section IV deals with implementation of the proposed methods. The results obtained by using the proposed methods are discussed in section V.
II. PRESENT IMPLEMENTATION
This section provides a generic introduction to the present implementation techniques used for user authentication. User Authentication requires two text boxes, one for Username and the other for Password. The Screen Reader reads out the Username, character by character, as it is entered. As it reads out each character, the Visually Impaired user gets to know whether he/she has entered the Username correctly or not. The usage of a screen reader makes it easy for the intruder to know the exact Username and hence makes hacking easy. In the case of an email id it is not important to hide the Username, as the email id is known to everyone. But in crucial applications like Net Banking, Demat Account, Credit Card etc. it is necessary to hide the Username also.

While entering the password, the Screen Reader reads “star” for every character entered. So the intruder is not able to get the actual password, but this method gives hints like the number of characters entered. The Intruder can see what the user is typing as he/she is a novice user. Thus knowing the number of characters and a few characters of the password aids hacking.

Besides hacking there is one more important aspect. After entering the Username and Password, the User does not know whether he/she has entered the right password or not, although he/she is sure about the Username. The User thus guesses the characters on the keyboard while entering the password. In the Survey every surveyee mentioned that they do 100% guesswork while entering the password. A few experienced users find keyboards slightly familiar but they also need to guess. One of the surveyees told us that when they start using the keyboard, they visualize an image of the keyboard in their mind and then guess accordingly. He mentioned that when he started using the keyboard, if he found ‘A’ he guessed that the next key would be ‘B’. But on a ‘QWERTY’ keyboard the key next to ‘A’ is ‘S’. This shows the amount of error while guessing.
Even more importantly, in continuous attempts the user might not enter the same keys again and again. So this is a problem that needs consideration. Now, after entering the Username and Password, when the user presses “Enter”, the request is forwarded to the server. The two main problems with this implementation for novice blind users are:
1) Firstly, when the user presses “Enter” the request is sent to the server and, if it is wrong, it wastes some bandwidth. While entering the password the user is not able to hear what he/she is entering, so he/she tends to make mistakes. Every time he/she enters the password, the request is forwarded to the server and the server checks whether the Username and Password match. If they don’t, the User gets a ‘Beep’, but every time the server is involved to Authenticate the User. This wastes a lot of time, increases the network traffic and, more importantly, wastes Internet bandwidth.
2) Secondly, many systems like Net Banking, Credit Card and Demat Account only allow three attempts before the user is required to renew the authentication key. This helps to prevent attackers getting into a system using guesswork. So every time the user attempts to use his/her account he/she is prone to commit mistakes, resulting in Blocking of the account. As these are very important accounts, frequent blockage of the account will create a lot of problems.

These are the problems for which solutions are provided by the proposed methods. The proposed methods are elaborated to deal with each problem one by one.
Fig.1 Present day Implementation of User Authentication.
III. PROPOSED METHODS
This paper proposes three ideas that can be implemented to overcome the shortcomings of the present day implementations. The ideas are as follows:

A. Idea 1: Dual Password Box based User Authentication
A user gets one Username text box and two password text boxes. The user types in the Username, which is audible and thus gives him/her an idea of the keys on the keyboard. After that, the user types in the password, which is not at all audible. After this the user moves to the third text box, which is again for the password. It is for confirming the password, i.e. the user types in the password twice before logging in successfully. While typing the password the second time, if there is a key which mismatches with the last password entered, a "beep" will be heard and the user is asked to re-enter the set of passwords, since he/she might have entered a wrong key in either of the two text boxes.

User type: Experienced/Novice who has some command over keyboard keys.
Password Audible: No

The following figures explain the two scenarios more appropriately. Fig. 2 signifies the situation when the passwords entered in both the text boxes match. Now on pressing “Enter” the request will be forwarded to the server.
Fig.2 Proposed User Authentication Idea 1 when both Password text boxes match.
Fig. 3 signifies the situation when the two password text boxes do not match and a beep is heard. The user needs to re-enter the password in both the text boxes. Thus the password is checked for errors before the request is forwarded to the server. This solves the problem of wastage of bandwidth while Authenticating at the same time.
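The confirm-before-submit behaviour of Idea 1, sketched as an added example that is not code from the paper or its implementation: a small state machine that compares each key typed in the confirmation box against the first box, beeps and clears both boxes on the first mismatch, and allows the request to leave the browser only when both boxes agree. All function names are hypothetical and the sample passwords are constructed.

```javascript
// Added illustration of Idea 1 (names are hypothetical, not from the paper).
// Nothing here talks to a server: the check runs entirely in the browser.
function createDualPasswordCheck(onBeep) {
  let first = [];    // keys typed in password box 1 (never spoken)
  let second = [];   // keys typed in password box 2 (confirmation)
  let beeps = 0;

  function reset() { first = []; second = []; }

  return {
    // Key typed in the first password box: stored silently.
    typeFirst(ch) { first.push(ch); },

    // Key typed in the confirmation box: compared with the key at the
    // same position in the first box. Returns "ok" or "beep".
    typeConfirm(ch) {
      const i = second.length;
      if (i >= first.length || first[i] !== ch) {
        beeps += 1;
        reset();                 // user must re-enter both boxes
        if (onBeep) onBeep();    // e.g. play the audible beep
        return "beep";
      }
      second.push(ch);
      return "ok";
    },

    // "Enter" forwards the request only when both boxes hold the same,
    // non-empty sequence of keys.
    canSubmit() { return first.length > 0 && second.length === first.length; },
    beepCount() { return beeps; },
  };
}

// Replays one attempt (constructed input) and reports what the user hears
// and whether a request would be sent to the server.
function simulateAttempt(firstEntry, confirmEntry) {
  const form = createDualPasswordCheck();
  for (const ch of firstEntry) form.typeFirst(ch);
  const heard = [];
  for (const ch of confirmEntry) {
    const result = form.typeConfirm(ch);
    heard.push(result);
    if (result === "beep") break;   // both boxes were cleared
  }
  return { heard, submit: form.canSubmit(), beeps: form.beepCount() };
}
```

The beep does not say which box held the wrong key, which is why both boxes are cleared; the server still performs the real authentication once the request is sent.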
Fig.3 Proposed User Authentication Idea 1 when both Password text box do not match.

B. Idea 2: Audible Mapped Authentication Method
In this method the user is provided two text boxes, one for Username and the other for Password. As the user enters his/her Username and presses TAB, the system/website/application will search within the database, using Ajax, whether this Username exists or not. The Username is audible and read character by character by the Screen Reader. If the Username is not valid a “beep” is heard. The password will be mapped to a certain word at the time of “Sign-up” by the User. For example, the user can map the Password “password” to “abacu”. One important thing here is that this cryptic/mapped word is set by the user, and when the user enters the correct password he/she expects to hear the mapped word, and not the exact password. When the user enters the password, the combination of Username and Password is authenticated using Ajax. If they match, it reads the cryptic form of the password (or mapped version); for the Password “password”, it reads the set string, i.e. “abacu”. Since the user is expecting to hear “abacu”, he/she is sure that he/she has entered the right Username and Password before pressing the final “Enter”. The following figure shows the implementation of the proposed method. The figure shows that when the user enters the correct Username and then the correct Password, the mapped word is heard, which is “abacu” in this case.

The beauty of this method is that by keeping things audible, the user tests that he/she has entered the right Username and Password combination before pressing the Login button, without revealing the password. The password won't be heard key by key; rather, after entering the password and pressing tab, the system will match the combination of the password entered and the Username and, if successful, it will read the crypted/mapped password, i.e. “abacu”, rather than the real password which was entered, i.e. “password”.

User type: Novice
Password Audible: Yes (Cryptic, as per mapping).
C. Idea 3: User Authentication method using new On-Screen Keyboard
This is for novices, who are still learning and have slow typing speed. In this method, the user gets only two text boxes, one for Username and the other for Password. The user enters his/her Username, which is audible, and then, as he/she moves to the password text box, an on-screen Keyboard appears which is blacked out, i.e. no one can see it. The user now enters his/her password using the mouse. This helps the user a lot, as he/she can enter the password comfortably at a slow speed using the Blacked out on-screen Keyboard, without using the real keyboard, and hence giving no chance to a hacker (shoulder attack) to guess what button he/she is entering. The important thing here is that key hits are audible, but to enforce security so that others cannot hear the password, only one audio port is activated; otherwise a hacker may insert a headphone and listen to the password entered.

Even though the Keyboard is blacked out, the GUI plays a very important role. During the survey on user experience/behavior we were told that the user is heavily dependent on the Keyboard and seldom uses the mouse, due to the complexity of the current GUI and the guesswork involved. To overcome the issue, the On-screen keyboard will have minimal keys, giving users 2 options:
1) On Screen QWERTY Keyboard: This Keyboard will contain the keys as per a normal QWERTY keyboard, but only those keys will be available that are used in Authentication, i.e. in Username and Password.
Fig.5 On-Screen QWERTY Keyboard
User type: Experienced
Password Audible: Yes.

Fig.4 Proposed User Authentication Idea 2 when both Username and password text boxes match.
2) On Screen Serial order Keyboard: With the speech-on-hover feature, the user will get to know the key his/her mouse is over before pressing the button. A left click of the mouse will hit the key, while a right click of the mouse will inform about the keys in its vicinity, i.e. top, down, left, right, top-left, top-right, down-left, down-right (which can also be accessed using the arrow keys on the keyboard). Once the user gets an idea of his/her current position (the keyboard will occupy the full screen, to make buttons larger and give the user more space to move), he/she can simply traverse the entire keyboard using only the ARROW KEYS, hence again giving the user the choice between mouse and keyboard (with just the arrow keys giving access to the entire keyboard). The division of the keyboard into 10 keys per row will help in mapping/visualizing it better in the user’s mind, and in using numbers, alphabets and special characters easily.
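The serial-order layout described above, as an added example that is not taken from the paper's implementation: a 10-keys-per-row grid with the right-click "vicinity" lookup in the eight named directions and arrow-key traversal that stays put at the edges. The key order (digits, letters, then four special characters) and all function names are assumptions made for illustration.

```javascript
// Added illustration of the serial-order keyboard (hypothetical names).
// Assumed key order: digits, then letters, then a few special characters.
const KEYS = "0123456789abcdefghijklmnopqrstuvwxyz@._-".split("");
const COLS = 10;   // "10 keys per row", as stated in the text

// The eight directions announced on right click, as [rowDelta, colDelta].
const DIRECTIONS = {
  "top": [-1, 0], "down": [1, 0], "left": [0, -1], "right": [0, 1],
  "top-left": [-1, -1], "top-right": [-1, 1],
  "down-left": [1, -1], "down-right": [1, 1],
};
const ARROWS = { ArrowUp: "top", ArrowDown: "down", ArrowLeft: "left", ArrowRight: "right" };

// Key at a grid cell, or null when the cell is off the keyboard
// (also covers a partially filled last row).
function keyAt(row, col) {
  if (row < 0 || col < 0 || col >= COLS) return null;
  const key = KEYS[row * COLS + col];
  return key === undefined ? null : key;
}

function position(key) {
  const i = KEYS.indexOf(key);
  if (i < 0) throw new Error("key not on keyboard: " + key);
  return { row: Math.floor(i / COLS), col: i % COLS };
}

// Right click: the keys surrounding `key`, null where there is none.
function vicinity(key) {
  const { row, col } = position(key);
  const around = {};
  for (const [name, [dr, dc]] of Object.entries(DIRECTIONS)) {
    around[name] = keyAt(row + dr, col + dc);
  }
  return around;
}

// Text a screen reader could speak for the right-click announcement.
function announce(key) {
  const parts = Object.entries(vicinity(key))
    .filter(([, k]) => k !== null)
    .map(([name, k]) => name + " " + k);
  return "Key " + key + ". Around it: " + parts.join(", ");
}

// Arrow key: move to the neighbouring key, or stay at the edge.
function move(key, arrow) {
  const direction = ARROWS[arrow];
  if (!direction) return key;
  const next = vicinity(key)[direction];
  return next === null ? key : next;
}

// Follows a sequence of arrow presses from a starting key.
function walk(start, arrows) {
  return arrows.reduce(move, start);
}
```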
Fig.6 On-Screen Special Order Keyboard

User type: Novice
Password Audible: Yes.

D. Idea 4: Optimal Solution / Combination of Best Features
In this, the best features of the 3 ideas can be combined to form the best/optimal solution. The combinations can be:
1) Idea 3 can be combined with Idea 1 to get good results. As the novice user uses the On-Screen Keyboard to enter the password, the password will not be audible, but at the same time the user will get two password boxes and the password will be confirmed before the request is sent to the server, as in Idea 1. This will thus remove the constraint of keeping only one audio port activated at a time.
2) Idea 3 can also be combined with Idea 2 to remove the audible password feature of Idea 3. As in Idea 2, the actual password is mapped to an alias and when the user enters the correct password, the Screen Reader reads out the alias, thus confirming to the user that he/she has entered the correct password.
Thus by combining these ideas the best/optimal results can be obtained.

IV. IMPLEMENTATION
The proposed ideas are implemented using advanced technologies which include the following:
1) jQuery
2) XHTML
3) JavaScript
4) PHP
Besides these technologies, WebAnywhere is used to test the running implementation of the proposed ideas.

The WebAnywhere application is an Open Source Online Screen Reader which requires no installation and works on any computer running any Operating System, i.e. it is machine independent. Its design has carefully considered independence from a particular web browser or plugin. To facilitate its use on public systems with varying capabilities, and on which users may not have permission to install arbitrary components, functionality that would require these has been moved to a remote server. The web application can also play sound by using several sound players available in different web browsers [5]. It is available for direct usage at the following Uniform Resource Locator: “http://webanywhere.cs.washington.edu/wa.php”. Since the implementations are tested on a local computer, it is required to be installed on Localhost. As by default Localhost is set as PHP Proxy, to enable this it is required to comment out the following line in the code from http://webanywhere.googlecode.com/files/wa.0.02.zip :

    show_report(array('which' => 'index', 'category' => 'error', 'group' => 'url', 'type' => 'external', 'error' => 1));

After the above said steps, the WebAnywhere Screen Reader is installed on the local computer and ready to test through localhost.

A. Compatibility
Since the application is developed using Open Source and Web standard tools, it is platform independent. For extreme testing, the application was tested on and also found compatible with the XO (Educational laptops) from One Laptop Per Child Association, Inc. (OLPC – MIT Media Labs). It is a U.S. non-profit organization set up to oversee the creation of an affordable educational device for use in the developing world. Fig.7 is a screen shot of the implementation of the proposed ideas on the XO.
Fig.7 Implementation as run on XO.
Web Accessibility Initiative’s (WAI) responsibility is to develop guidelines and techniques that describe accessibility solutions for Web software and Web developers. These WAI guidelines are considered as the international standard for Web accessibility.
On 11 December 2008 W3C announced a new standard that will help Web designers and developers create sites that better meet the needs of users with disabilities and older users. Drawing on extensive experience and community feedback, Web Content Accessibility Guidelines (WCAG) 2.0 improves upon W3C's groundbreaking initial standard for accessible Web content, applies to more advanced technologies, and is more precisely testable. These standards were kept in background while developing the application.

V. RESULTS & DISCUSSIONS
An authentication mechanism should be totally accessible, totally memorable and secure the system completely.
Fig.8 Accessibility.
Fig.8 depicts the various aspects of Accessibility, which reflects how easy it is for users to use a system with a particular authentication mechanism. Each dimension reflects a different aspect of the accessibility of the mechanism. The first measure reflects the expectations of the mechanism in terms of extra software, hardware or technical expertise. Since time to authenticate is a strong predictor in determining whether a mechanism is acceptable to users or not, the second measure reflects this. The third measure reflects accessibility with respect to users with disabilities [4]. The overall deficiency (n) value for accessibility is given by the following formula [4]:

$$n = \sqrt{x^2 + y^2 + z^2} \qquad (1)$$

The maximum value for n is $\sqrt{3} \approx 1.73$ [4]. In this implementation the value of x = .33 since we require extra software only and no hardware, y = 0 since the proposed mechanism is not at all time consuming, and z = .33 since the proposed mechanism excludes only users with cognitive disabilities. Thus the overall deficiency (n) is .467, which is approximately 27%, which means the proposed mechanism is only 27% deficient on the aspect of accessibility. Thus the proposed method is very good on the accessibility aspect.

While testing the load time of Portals/Services requiring Authentication, like Gmail, on 512 kbps Internet speed with the help of a Mozilla Firefox 1.5 plug-in (Load Time Analyzer), we found the time required was 1.6 seconds to load the user’s home page. The methods proposed above will not only save this time, but also server resources at the other end. The methods prove to be very handy when it comes to login websites where the number of correct attempts is crucial. The application was tested on WebAnywhere so as to increase the accessibility of the application, as WebAnywhere is a web-based screen reader that can be used by blind individuals to access the web from almost any computer that has both an Internet connection and audio output [5][6]. Thus, the implementation proposed will be accessible by any Visually Impaired user wherever he/she likes, in turn increasing the accessibility of the User Authentication method [7].

Internet speeds in Developing countries are much lower than in the First world countries, which is why the application should have a low load time. In January 2000 there were about 72.4 million hosts on the Internet [Internet Software Consortium, Redwood City, California, USA]. For a long time the number of hosts has doubled every year, but it seems that the growth rate is actually slowing down. But the distribution of hosts by countries and regions hasn't changed much in this period. The Third World is still participating with a mere three per cent, while the United States gets about 72 per cent of all internet hosts [8], thereby raising mirror issues. Since the number of broadband connections is very low in Developing countries like India and African countries, it is important to deal with the issue of saving the excess bandwidth wasted in Normal authentication methods. This problem is solved using the proposed methods by changing the way the User is authenticated.
Fig.9 Distribution of Internet users in the world in March 2000 according to NUA estimates.
Fig.9 clearly makes the point that internet users in developing countries contribute an almost negligible percentage of the world’s total number. This implementation promises to increase accessibility for the third world, as it is compatible with OLPC.
Surveys were conducted to test the feasibility and usage of the proposed methods, where 95% of 20 Visually Impaired Internet users surveyed agreed with the fact that security is required for novices because it takes a lot of time to get used to the keyboard. One of the surveyees told us that it took 21 days of training, 8 hours daily, to get some command over general computer usage (MS-Word, and basic Internet). So, helping Novices to get secured access to their Accounts is very much required. Thus these methods propose good, secured and fast access for novices to their accounts. We interviewed Dr. U. N. Sinha, Professor at University of Lucknow, India, who is himself Blind since birth, and he agreed that the concepts incorporated in this paper will definitely help the novices and promote more and more Visually Impaired users to use the Internet.

A. Sources of Survey:
1) State School for Blinds, Lucknow, India (Surveyed 10 High School students in March'09).
2) Conference by National Association for the Blind (NAB India) on June9'09 in Lucknow, India.
3) Conference by Rehabilitation Society for the Visually Impaired (RSVI - surveyed 10 attendees) on June'09 in Lucknow, India.

REFERENCES
[1] Michael J. Muller, Cathleen Wharton, William J. McIver, Jr., and Lila Laux, Toward an HCI Research and Practice Agenda Based on Human Needs and Social Responsibility. © Copyright ACM 1997.
[2] Kranich, N. (1995). The Internet, access and democracy: Ensuring public places on the information superhighway. New York: Open Magazine.
[3] A De Angeli, L Coventry, G I Johnson, and M Coutts. Usability and user authentication: Pictorial passwords vs. PIN. In P.T.McCabe, editor, Contemporary Ergonomics 2003, pages 253–258. Taylor & Francis, London, 2003.
[4] Karen Renaud, Quantifying the Quality of Web Authentication Mechanisms A Usability Perspective. Journal of Web Engineering, 2003.
[5] Jeffrey P. Bigham, Craig M. Prince and Richard E. Ladner, “WebAnywhere: A Screen Reader On-the-Go.”, W4A2008 Technical, April 21-22, 2008, Beijing, China. Co-Located with the 17th International World Wide Web Conference.
[6] Jeffrey P. Bigham, Anna C. Cavender, Jeremy T. Brudvik, Jacob O. Wobbrocky and Richard E. Ladner, “WebinSitu: A Comparative Analysis of Blind and Sighted Browsing Behavior”.
[7] Craig M. Prince, “Addressing Performance and Security in a Screen Reading Web Application that Enables Accessibility Anywhere”. University of Washington, Seattle, WA, 98195 USA.
[8] Uwe Afemann, Computer Center of the University of Osnabrück, Germany, “Internet and Developing Countries - Pros and Cons”, International Workshop Social Usage of Internet in Malaysia, March 22 - 25, 2000.

Gaurav Kumar Srivastava is currently an undergraduate student in Computer Science and Engineering at Jaypee University of Information Technology. His research interests include Image Processing, Human Computer Interaction and Interconnection Networks.
Rajan Vaish is an undergraduate student at Department of Computer Science & Engineering at Jaypee University of Information Technology, Waknaghat, Distt. Solan, Himanchal Pradesh, India
Rahul Vaish is an undergraduate student at Department of Computer Science & Engineering at Lovely Professional University, Jalandhar, Punjab.