Authentigraph - graphical authentication, verification and data entry

To use the configuration tool, select 'Sign In'  and use the guest login and password.

Introduction
Authentigraph was originally developed in 2003 to provide a simple secure authentication method for online environments. Given the majority of online authentication consists of a login and a password, the primary goal was to develop new forms of authentication that overlay existing models whilst providing improved levels of security with low implementation and management costs.

Since the initial prototype, the potential of the method has been identified and led to a number of studies that have examined the design and implementation options (Pierce et al. 2004b) and usability and user acceptance issues.  Based on this research, Authentigraph has since been expanded to facilitate data entry, data validation and improved, flexible image generation options. It has been developed to provide a variety of simple, secure graphical data collection scenarios that can integrate into existing architectures.

The Concept
Authentigraph is based around the concept that a user can identify characters and symbols from the screen by selecting them with a mouse. This is achieved by removing the need for keyboards to enter and collect data.  ASCII codes are not used during the authentication, data entry and data verification process and therefore not transferred between the client and server (Pierce et al., 2004b).  This eliminates the requirement for text based information being collected on the client and sent to the server.

Authenigraph has the potential to eliminate the possibility of spyware and Trojans relaying password strings to remote servers, reduce the capture and alteration of data and provide a secure method to present and validate data entered without the need to use external mechanisms such as SMS, that are outside the domain of the online environment.

To illustrate how Authentigraph works, the following outlines the use of Authentigraph as an authentication tool.

How it works
When a client requests an authentication session with the server, an image is generated based on the associated process parameters.The image is a collection of characters randomly placed within the image. The characters may be alphabetic or symbols.  Each image for each authentication session that is generated will place the characters in different positions and if required, backgrounds, gradients, ghosting and other visual complexity is added to the image. 

The co-ordinates of each character rendered to the image is stored on the server in the form of a rectangle that defines the position on the image the character was drawn along with a unique session id to identify which image the client was sent. 

The image is returned to the client and rendered to the browser according to the applications requirements. The user then selects the characters from the screen with the mouse. Each mouse click co-ordinates are stored on the client in the order they were collected.

When the user has completed selecting the information, the browser packages up the co-ordinates and returns them to the server. The server then processes each co-ordinate set received and attempts to map each point to a rectangle and subsequently retrieve the character that was originally drawn on the screen.

The server builds a character string in the order dictated by the co-ordinates returned and then either uses the character string to check authentication data, verify a predetermined string or uses the string as data entry for any purpose. Regardless of the application, the information collected on the client, sent to the server and processed is complex, variable given the image is different each time and far more secure than text based collection and transmission.

 Why use Authentigraph
The fundamental difference between this approach and many other approaches currently being used is the data transferred to the server is a collection of (x,y) co-ordinates that represent the mouse clicks collected on the client. The data has no correlation to any ASCII characters and subsequently very difficult to interpret in any meaningful way. The image delivered to the client is different for each authentication session. This means that each time the same information is selected from the image, the data co-ordinates that are collected and sent to the server will be different.

It is acknowledged that this method does not prevent the image and co-ordinates from being captured and coordinates mapped back to the image and the characters identified. To do this manually would be time consuming. To automate this process using a computer would require that OCR be performed on the image and rectangle co-ordinates collected. Using the ghosting would add complexity to this process as the OCR would need to identify which rectangles and associated characteristics contain the characters that the client was identifying and selecting.

The co-ordinates would then need to be mapped to the rectangles to determine the character selected and a character string formed. This must be done for each image generated and each data entry session conducted as the images and associated data is different each time. Authentigraph has been developed to enable the method used to generate the image to be adjusted on the fly. This provides an added requirement for any automated process to adapt to the change making the OCR even more complex and time consuming.

Authentigraph is not the perfect solution. It is however, simple to use, implement and manage. It does provide added security compared to text based data collection, many scamble pads and image based data collection tools currently employed within in major financial institutions within Australia.