TECHNICAL FIELD
[0001] The present subject matter relates to computing devices and, particularly but not
exclusively, to user authentication in the computing devices.
BACKGROUND
[0002] Computing devices, such as laptops, computers, tablets, and mobile phones, have
seemingly become a ubiquitous part of today’s lifestyle. With advancements in technology, there
has been a vast improvement in capabilities and features of the computing devices, thus leading
to an increase in associated usages of the computing devices. For example, the computing
devices, such as smart phones are capable of recording images, videos and sound; transferring
and receiving files anywhere anytime over a communication network, and playing audio.
Further, users may create, save, edit, receive, and transfer documents having confidential and
private data using the computing devices. In order to protect their privacy, the users may desire
to prevent any unauthorized access to their computing devices and thus use various
authentication techniques to prevent such unauthorized access.
SUMMARY
[0003] This summary is provided to introduce concepts related to systems and methods
for user authentication. This summary is not intended to identify essential features of the claimed
subject matter nor is it intended for use in determining or limiting the scope of the claimed
subject matter.
[0004] In one implementation, system(s) and method(s) for user authentication are
described herein. According to the present subject matter, the system(s) implement the described
method(s) for this purpose, where the method(s) include ascertaining, in a login grid, a login
relative location coordinate for each image of a secret key based on location coordinates of the
secret key and a login set of images. The method further includes generating a login location key
based on the relative location coordinate of each image of the secret key and a login sequence
order, where the login sequence order indicates sequence of selection of images in the login set
of images. The method further comprises comparing the login location key with a partner
location key, where the partner location key includes relative location coordinates for each image
3
of the secret key. Further, the method comprises determining the user authentication as
successful if the login location key matches with the partner location key.
BRIEF DESCRIPTION OF THE FIGURES
[0005] The detailed description is described with reference to the accompanying figures.
In the figures, the left-most digit(s) of a reference number identifies the figure in which the
reference number first appears. The same numbers are used throughout the figures to reference
like features and components. Some embodiments of system and/or methods in accordance with
embodiments of the present subject matter are now described, by way of example only, and with
reference to the accompanying figures, in which:
[0006] Figure 1(a) illustrates a system for user authentication, according to an
embodiment of the present subject matter.
[0007] Figures 1(b)-1(e) illustrate exemplary registration and login girds for user
authentication by the system, according to an embodiment of the present subject matter.
[0008] Figure 2 illustrates a method for registering authentication parameters for user
authentication, according to an embodiment of the present subject matter.
[0009] Figure 3 illustrates a method for authenticating a user based on the authentication
parameters, according to an embodiment of the present subject matter.
[0010] It should be appreciated by those skilled in the art that any block diagrams herein
represent conceptual views of illustrative systems embodying the principles of the present
subject matter. Similarly, it will be appreciated that any flow charts, flow diagrams, state
transition diagrams, pseudo code, and the like, represent various processes which may be
substantially represented in computer readable medium and so executed by a computer or
processor, whether or not such computer or processor is explicitly shown.
DESCRIPTION OF EMBODIMENTS
[0011] The present subject matter relates to systems and methods for user authentication
in a computing device. The methods can be implemented in various computing devices, such as
laptops, computers, tablets, and mobile phones. Although the description herein is with reference
4
to mobile phones, the methods and systems may be implemented in other computing devices,
albeit with a few variations, as will be understood by a person skilled in the art.
[0012] Computing devices have nowadays become popular and important for the daily
activities of many users. Nowadays, users are increasingly relying upon these computing devices
as an integral tool for the performance of a wide-range of personal and work-related tasks. The
computing devices provide various functionalities including accessing and displaying websites,
sending and receiving e-mails, taking and displaying photographs and videos, playing music and
other forms of audio, etc. Documents and information thus obtained, using the above
functionalities, is also typically stored in the computing devices for easy access of the users.
Further, with increase in storage space, the computing devices are used by the users to store large
amount of data that may be personal and/or confidential to the user. The users may thus use
various authentication techniques to prevent unauthorized access of the data by unauthorized
users.
[0013] One of the conventional techniques for user authentication allows users to set a
login password for accessing the computing device. The login password is typically a 2-8 letter
alphanumeric code chosen by the user by while registering with a user authentication application
of the computing device. Once registered, the user may enter the login password every time the
user intends to access the computing device. Although, providing the login password may
prevent a stranger from accessing the computing device, a person known to the user may be able
to guess the login passwords as users typically set the login passwords using some information
closely related to them, such as date of birth or names of their close friends or relatives. Further,
a person may capture the login password by peeping over at a screen or keypad of the computing
device while the user is entering the login password.
[0014] Another conventional technique for user authentication allows the user to use a
graphical based authentication system for unlocking the computing device. For instance, a user
may draw a pattern, say, the numeral “7” on a grid of dots, or select few portions of an image for
setting a login key. Once registered, the user may use the login key, for example, draw the
pattern, or select the portions of the image for accessing the computing device. Although
guessing the pattern or the set of images may not be easy for other users, the authentication
systems are still prone to shoulder surfing attack as the login key may still be easily determined
5
by carefully observing the user while unlocking the computing device. Thus, any user who
intends to access the computing device may simply look at the user’s hand gestures or at the
screen each time the user unlocks the computing device. A careful observation of the unlocking
gesture over a period of time may enable an intruder to determine the login key of the computing
device, thus endangering security of the computing device.
[0015] In order to avoid the shoulder surfing attacks, the users generally either shield the
computing device or move to a secure location while unlocking the computing device. However,
shielding the computing device or moving to the secure location is neither convenient nor
feasible for the users all the time. Alternatively, few manufacturers provide the computing
devices with screens that prevent visibility of data when viewed at an inclination of more than a
predetermined angle, say, 25 degrees. Providing such screens may, however, reduce the quality
of display, and may thus not be preferred by the user.
[0016] According to an embodiment of the present subject matter, systems and methods
for user authentication are described herein. Examples of the computing device implementing the
systems and the methods include, but are not limited to, a stationary computing device, such as a
desktop computer, a workstation, a multiprocessor system, a network computer, a minicomputer,
and a server; and a mobile computing device, such as a hand-held device, a mobile phone, a
personal digital assistant (PDA), a smart phone, a laptop computer, and a tablet. The present
subject matter facilitates a user to use a set of images and its relative location coordinates as
login passwords for unlocking the system. Thus, instead of selecting the set of images while
unlocking the system, the user may select images corresponding to the relative location
coordinates of the set of images. The system thus facilitates the user to use a different login key
each time while unlocking the system, thus avoiding unauthorized access and shoulder surfing
attacks.
[0017] In accordance with the said embodiment, the system uses a technique of graphics
based authentication that allows the users to set a sequence of images as a secret key for user
authentication. For the purpose, the system initially provides a registration grid having a plurality
of images from which the user may select a first set of registration images. Examples of the
images include, but are not limited to, graphics, characters and numerals used in script of any
known language, and special characters. In one implementation, the user may select the first set
6
of registration images in a particular order of sequence, hereinafter referred to as a registration
sequence order. The system may subsequently generate a secret key based on the first set of
registration images and the registration sequence order.
[0018] For instance, in a registration grid having alpha-numeric characters of English
language and special characters, the user may select the characters “M”, “I”, and “G” as the first
set of registration images in the same sequence as listed here. The system may thus generate the
secret key “MIG” based on the first set of registration images and the registration sequence
order. Further, the secret key may have a secret key length equal to number of images selected in
the first set of registration images.
[0019] Further, the system may obtain a second set of registration images from among
the images provided in the registration grid. The second set of registration images has a
registration sequence length equal to number of images in the second set of registration images.
In one implementation, the registration sequence length may be equal to the secret key length
such that the second set of registration images includes an image corresponding to each image of
the first set of registration image. In another implementation, the registration sequence length
may be different from the secret key length. Subsequently, the system identifies relative location
coordinates for each image of the first set of registration images based on location coordinates of
the first and the second set of registration images. For the purpose, the system may designate
each image of the first set of registration images as origin, i.e., (0,0) coordinate on a X-Y axis
and determine the location coordinate of the corresponding image in the second set of
registration images on the X-Y axis based on distance between the corresponding images in the
first and second set of registration images. For instance, if the system obtains a second set of
registration images “1”, “2”, and “3” in the same sequence as given here, then the system may
obtain location coordinates for “1” by assuming “M” as origin on the X-Y axis.
[0020] The relative location coordinates thus obtained are used by the system to generate
a partner location key. In one implementation the partner location key is obtained based on the
registration sequence order such that the relative location coordinates are arranged in the same
sequence order in which the corresponding images of the first set of registration images are
arranged in the secret key. Further, the partner location key may have a length equal to the
registration sequence length. The system may then provide the partner location key to the user
7
for being used while unlocking the system. Further, the system may save the secret key, the
registration sequence order, the secret key length, the registration sequence length, and the
partner location key as authentication parameters.
[0021] Subsequently, when the user wishes to unlock the system for accessing data, the
system will provide a login grid having the plurality of images from which the user may select a
login set of images based on the secret key and the partner location key. In one implementation,
the plurality of images in the login grid may be arranged in a different sequence than in the
registration grid. Thus, in order to unlock the system the user may initially identify the secret key
in the login grid and then select the login set of images based on the relative location coordinates
such that for each image of the secret key, an image located at the relative location coordinate for
that particular image is selected. The images thus selected are received by the system as the login
set of images.
[0022] The system initially determines whether a login sequence length, i.e., the number
of images in the login set of images is equal to the registration sequence length. In case the login
sequence length is not same as the registration sequence length, the system may request the user
to provide the login set of images again. Otherwise, the system may determine login relative
location coordinates for each of the first set of registration images based on the location
coordinates of the login set of images and the first set of registration images in the login grid.
The system may further generate a login location key based on the login relative location
coordinates and sequence of selection of the login set of images. The system may further
determine whether the login location key is same as the partner location key or not. In case the
login location key matches with the partner location key, the user may be allowed to access the
system, otherwise the user may be asked to enter a new login set of images.
[0023] The present subject matter thus facilitates the user in using a different set of login
images while unlocking the system each time, thus avoiding the shoulder surfing related attacks.
Further, authenticating the user based on the relative location coordinates increases strength of
the authentication process as even if a person is able to guess the secret key based on personal
details of the user, the person may not be able to guess the relative location coordinates.
[0024] It should be noted that the description merely illustrates the principles of the
present subject matter. It will thus be appreciated that various arrangements may also be
8
employed that, although not explicitly described herein, embody the principles of the present
subject matter and are included within its spirit and scope. Furthermore, all examples recited
herein are principally intended expressly to be only for explanation purposes to aid the reader in
understanding the principles of the present subject matter, and are to be construed as being
without limitation to such specifically recited examples and conditions. Moreover, all statements
herein reciting principles, aspects, and embodiments of the present subject matter, as well as
specific examples thereof, are intended to encompass equivalents thereof. The manner in which
the methods shall be implemented onto various systems has been explained in details with
respect to the Figures 1-3. While aspects of described systems and methods can be implemented
in any number of different computing systems, transmission environments, and/or
configurations, the embodiments are described in the context of the following system(s).
[0025] Figure 1 (a) illustrates a system 102 for user authentication in a computing device,
in accordance with an embodiment of the present subject matter. Figures 1(b)-1(e) illustrate
exemplary registration and login grids for user authentication, in accordance with an
embodiment of the present subject matter. The system 102 described herein, can be implemented
in any computing device, comprising a variety of devices including, but not limited to, a
stationary computing device, such as a desktop computer, a workstation, a multiprocessor
system, a network computer, a minicomputer, and a server; and a mobile computing device, such
as a hand-held device, a mobile phone, a personal digital assistant (PDA), a smart phone, a
laptop computer, and a tablet.
[0026] In one implementation, the system 102 includes one or more processor(s) 104, I/O
interface(s) 106, and a memory 108 coupled to the processor(s) 104. The processor(s) 104 may
be implemented as one or more microprocessors, microcomputers, microcontrollers, digital
signal processors, central processing units, state machines, logic circuitries, and/or any devices
that manipulate signals based on operational instructions. Among other capabilities, the
processor(s) 104 is configured to fetch and execute computer-readable instructions stored in a
memory.
[0027] The I/O interface(s) 106 may include a variety of software and hardware
interfaces, for example, interfaces for peripheral device(s), such as a keyboard, a mouse, and an
external memory. Further, the I/O interfaces 106 may facilitate multiple communications within
9
a wide variety of protocol types including, operating system to application communication, inter
process communication, etc.
[0028] The memory 108 can include any computer-readable medium known in the art
including, for example, volatile memory, such as static random access memory (SRAM) and
dynamic random access memory (DRAM), and/or non-volatile memory, such as read only
memory (ROM), erasable programmable ROM, flash memories, hard disks, optical disks, and
magnetic tapes.
[0029] Further, the system 102 may include module(s) 110 and data 112. The modules
110 and the data 112 may be coupled to the processor(s) 104. The modules 110, amongst other
things, include routines, programs, objects, components, data structures, etc., which perform
particular tasks or implement particular abstract data types. The modules 110 may also be
implemented as, signal processor(s), state machine(s), logic circuitries, and/or any other device
or component that manipulate signals based on operational instructions.
[0030] In another aspect of the present subject matter, the modules 110 may be
computer-readable instructions which, when executed by a processor/processing unit, perform
any of the described functionalities. The machine-readable instructions may be stored on an
electronic memory device, hard disk, optical disk or other machine-readable storage medium or
non-transitory medium. In one implementation, the computer-readable instructions can be also
be downloaded to a storage medium via a network connection.
[0031] In an implementation, the module(s) 110 includes a registration module 114, an
authentication module 116, and other module(s) 118. The other module(s) 118 may include
programs or coded instructions that supplement applications or functions performed by the
system 102. The data 112 includes registration data 120, authentication data 122, and other data
124. The other data 124 amongst other things, may serve as a repository for storing data that is
processed, received, or generated as a result of the execution of one or more modules in the
module(s) 110. Although the data 112 is shown internal to the system 102, it may be understood
that the data 112 can reside in an external repository (not shown in the figure), which may be
coupled to the system 102. The system 102 may communicate with the external repository
through the I/O interface(s) 106 to obtain information from the data 112.
10
[0032] As previously described, the system 102 is configured to authenticate a user based
on a sequence of images and relative location coordinates of each of the images such that while
accessing the system 102, the user may select images corresponding to the relative location
coordinates of the sequence of images. The system 102 thus makes the user use a different login
key for authentication each time, thus avoiding shoulder surfing attacks and unauthorized access
of the system 102. For the purpose, the system 102 is configured to generate graphics based
authentication grids 126 as illustrated in figure 1 (b) having a plurality of images from which the
user may select the sequence of images. Further, in order to ensure that the user uses a different
login key for authorization, the system 102 is configured to generate different set of
authentication grid such that the plurality of images are provided in a different sequence for each
instance of registration and authentication. For the sake of explanation, and not as a limitation,
the authorization grids may be referred to as registration grids during a registration process and
as login grids during a user authentication process at the time of user access.
[0033] In order to use the method of authentication in accordance with said embodiment,
the user may initially register with the system 102 for user authentication. In one
implementation, the registration module 114 is configured to provide a registration grid having
the plurality of images to the user for registering with the system 102 for user authentication. The
registration module 114 may initially generate the registration grid using a set of images saved in
the registration data 120. Examples of the images include, but are not limited to, graphics,
characters and numerals used in script of any known language, and special characters. In one
implementation, the registration module 114 may randomly select the plurality of images from
among the images saved in the registration data 120 for generating the registration grid. In one
example the registration module 114 may select only a particular type of images, say, a plurality
of graphics for generating a registration grid. In another example, the registration module 114
may select a combination of different type of images, say, a combination of characters, numerals,
graphics, and special characters for generating a registration grid. For instance, the registration
module 114 may generate registration grids 126-1 and 126-2 as shown in the figure 1(b).
[0034] Upon generation, the registration module 114 may provide the registration grid to
the user for selecting a first set of registration images. For instance, the registration module 114
may display the registration grid on a display screen (not shown in the figure) of the system 102.
The user may then select the first set of registration images from the registration grid using an
11
input modality, such as touch sense or a keypad provided by the system 102. The user may
subsequently indicate the registration module 114 of the selection, for example, by pressing or
touching a confirm button provided by the system 102. Upon receiving the indication from the
user, the registration module 114 may save the first set of registration images in the registration
data 120. Further, the registration module 114 may determine a registration sequence order for
the first set of registration images based on the sequence of selection of the images, i.e., the
sequence in which the user had selected the first set of registration images.
[0035] The registration module 114 may then generate a secret key based on the first set
of registration images and the registration sequence order, such that the images in the secret key
are arranged in accordance with the registration sequence order. Further, the registration module
114 may determine a secret key length of the secret key based on number of images of the first
set of registration images. Thus, if a user selects eight images, the registration module 114 may
determine the secret key length to be eight. As will be appreciated by a person skilled in the art
the registration module 114 may be configured to allow set a minimum or a maximum value for
the secret key length based on user inputs or preconfigured rule.
[0036] For example, when provided with a registration grid 128 as illustrated in figure
1(c), the user may select the images “T”, “R”, “I”, “C”, and “K” as the first set of registration
images in the same order in which the letters are listed here. Upon receiving the first set of
registration images, the registration module 114 may determine the registration sequence order
based on the order in which the user selected the images. The registration module 114 may
subsequently generate the secret key as “TRICK”. Further, the registration module 114 may
determine the secret key length as five.
[0037] The registration module 114 may subsequently determine a relative location
coordinate for each of the first set of registration images. For the purpose, the registration
module 114 may initially obtain a second set of registration images having a registration
sequence length equal to number of images in the second set of registration images. In one
implementation, the registration sequence length may be same as the secret key length. In one
embodiment, the registration module 114 may be configured to randomly select the second set of
registration images from the plurality of images. In another embodiment, the registration module
114 may be configured to obtain the second set of registration images based on an input from the
12
user. In said embodiment, the registration module 114 may ask the user to select the second set
of registration images from the registration grid upon selection of the first set of registration
images. Based upon the user selection, the registration module 114 may determine the second set
of registration images. In yet another embodiment, the registration module 114 may be
configured to obtain the second set of registration images based on one or more preconfigured
rules.
[0038] Further, in one implementation, the second set of registration images may be
selected such that each image of the second set of registration is different from a corresponding
image in the first set of registration images. A corresponding image in the first set of registration
image for a particular image of the second set of registration image may be understood as the
image that is at a same position in the sequence of selection as is the particular image. For
example, the corresponding image for an image selected at a third position in the second set of
registration number, will be the image at third position in the first set of registration images.
Further, in said implementation, the registration sequence length may be same as the secret key
length.
[0039] For instance, for the previous example of selecting TRICK as the secret key, the
registration module 114 may obtain images “1”, “W”, “O”, “J”, and “$” as a second set of
registration images in the same order in which the letters are written here as indicated in a
registration grid 130-1 of the figure 1(c).
[0040] In another implementation, the second set of registration images may be selected
such that for at least one image of the first set of registration images the second set of registration
images includes more than one corresponding image. For instance, for the previous example of
selecting TRICK as the secret key, the registration module 114 may obtain images “1”, “)”, “W”,
“O”, “J”, and “$” as a second set of registration images in the same order in which the letters are
written here as indicated in a registration grid 130-2 of the figure 1(c). As will be understood, the
registration sequence length may be different from the secret key length in said implementation.
Further, in such a case, the registration module 114 may be configured to request the user to
indicate for each image of the first set of images, the corresponding image in the second set of
registration images in order to determine the image for which two corresponding images are
provided so as to determine the correct relative location coordinates for each image.
13
[0041] In yet another implementation, the second set of registration images may be
selected such that at least one image of the second set of registration images is same as the
corresponding image in the first set of registration images the includes more than one
corresponding image. For instance, for the previous example of selecting TRICK as the secret
key, the registration module 114 may obtain images “1”, “W”, “O”, “C”, and “$” as a second set
of registration images in the same order in which the letters are written here as indicated in a
registration grid 130-3 of the figure 1(c). Further, in said implementation, the registration
sequence length may be same as the secret key length.
[0042] In yet another implementation, the second set of registration images may be
selected such that for at least one image of the first set of registration images no corresponding
image is selected in the second set of registration images. For instance, for the previous example
of selecting TRICK as the secret key, the registration module 114 may obtain images “1”, “W”,
“J”, and “$” as a second set of registration images in the same order in which the letters are
written here as indicated in a registration grid 130-4 of the figure 1(c). Further, in said
implementation, the registration sequence length may be different from the secret key length.
Furthermore, in such a case, the registration module 114 may be configured to request the user to
indicate for each image of the first set of images, the corresponding image in the second set of
registration images in order to determine the image for which no corresponding image is
provided so as to determine the correct relative location coordinates for each image.
[0043] The registration module 114 may then determine the relative location coordinates
for each of the first set of registration image by determining distance between location
coordinates of corresponding images in the first set of registration images and the second set of
images. For the purpose, the registration module 114 may assume the registration grid as an X-Y
plane with each image acting as one unit spacing or coordinate of the X-Y axis. In order to
determine the relative location coordinate for an image of the first set of registration images, the
registration module 114 may designate the particular image as origin, i.e., (0,0) coordinate on the
X-Y axis of the plane and determine the location coordinate of the corresponding image in the
second set of registration images.
[0044] For instance, in the previous example of the registration grid 130-1, the
registration module 114 may assume the registration grid 130-1 as a 2-dimensional graph.
14
Further, in order to determine the relative location coordinate for the image “T”, the registration
module 114 may designate the image “T” as origin and assign the location coordinates (0,0) to
the location of “T” in the registration grid 130. The registration module 114 may subsequently
ascertain “1” as the corresponding image, in the second set of registration images, for the image
“T” and determine the location coordinate of “1” with “T” as origin. Thus, in the given example,
the registration module 114 may determine (2,-1) as the location coordinate of “1”. Similarly the
registration module 114 may determine location coordinates of the images “W”, “O”, “J”, and
“$” by assigning the images “R”, “I”, “C”, and “K”, respectively, as the origin. The registration
module 114 may subsequently assign the location coordinates of the second set of registration
images as the relative location coordinates for the corresponding image of the first set of
registration image. Thus, in the above example, the registration module 114 may (2,-1), (-1,-1),
(0,-1), (1,1), and (3,-3) as the relative location coordinates for the images “T”, “R”, “I”, “C”, and
“K”, respectively.
[0045] Similarly, in the previous example of the registration grid 130-2, the registration
module 114 may determine (2,-1), (2,-3), (-1,-1), (0,-1), (1,1), and (3,-3) as the relative location
coordinates for the images “T”, “R”, “I”, “C”, and “K”, respectively. Further, in the previous
example of the registration grid 130-3, the registration module 114 may determine (2,-1), (-1,-1),
(0,-1), (0,0), and (3,-3) as the relative location coordinates for the images “T”, “R”, “I”, “C”, and
“K”, respectively. Furthermore, in the previous example of the registration grid 130-4, the
registration module 114 may determine (2,-1), (-1,-1), (1,1), and (3,-3) as the relative location
coordinates for the images “T”, “R”, “C”, and “K”, respectively.
[0046] The registration module 114 may further generate a partner location key based on
the registration sequence order and the relative location coordinates such that the relative
location coordinates are arranged in the same sequence order in which the corresponding images
of the first set of registration images are arranged in the secret key. For instance, in the previous
example, the registration module 114 may generate “(2,-1)(-1,-1)(0,-1)(1,1)(3,-3)” as the partner
location key. Further the partner location key may have a length equal to the registration
sequence length. The registration module 114 may then save the partner location key, the secret
key, the registration sequence order, the registration sequence length, and the secret key as
authentication parameters in the registration data 120. Further, the registration module 114 may
provide the partner location key to the user for being used while unlocking the system 102. The
15
user may subsequently use the partner location key and the secret key for unlocking the system
102 such that instead of selecting the images of the secret key in a login grid, the user may select
images corresponding to the relative location coordinates of the secret key, in accordance with
the partner location key. The user thus needs to remember both the partner location key for
unlocking the system 102.
[0047] For instance, in the previous example, the user will need to remember the secret
key “TRICK” as well as the partner location key “(2,-1)(-1,-1)(0,-1)(1,1)(3,-3)” in order to be
able to unlock the system 102. Thus, while unlocking the system 102, the user may initially
identify the images “TRICK” in the login grid and then select images based on the partner
location key “(2,-1)(-1,-1)(0,-1)(1,1)(3,-3)” such that for each image of the secret key, an image
located at the relative location coordinate for that particular image is selected.
[0048] For instance, in order to access a document, the user may try unlock the system
102, for example, a mobile phone by pressing an unlock button of the system 102. On receiving
such unlock request, the system 102 may initially determine whether the user is an authenticated
user or not. For the purpose, the authentication module 116 may provide the login grid to the
user. In one implementation, the login grid includes the same set of plurality of images that were
provided in the registration grid. For the purpose, the authentication module 116 may access the
registration data 120 to obtain the plurality of images used by the registration module 114.
Further, the registration module 114 may be configured to generate the login grid such that the
plurality of images is randomly arranged in an arrangement different from the arrangement used
in the registration grid.
[0049] For instance, in the previous example of the registration grid 128 generated by the
registration module 114, the authentication module 116 may generate a different login grid, such
as login grids 132 illustrated in figure 1(d) for each instance of user authentication. As illustrated
in the figure 1(d), each of the login grids 132 has the same set of plurality of images arranged in
a different manner.
[0050] The authentication module 116 may then provide the login grid to the user for
selecting a login set of images. For instance, the authentication module 116 may display the
login grid on the display screen of the system 102. The user may then select the login set of
16
images from the login grid based on the secret key and the partner location key. The user may
subsequently indicate the authentication module 116 of the selection.
[0051] For instance, on being provided the login grid 132, say, a login grid 132-1, the
user may initially identify the secret key “TRICK” and then determine, for each image of the
secret key, an image corresponding to the relative location coordinates. For example, for the
image “T” the user may determine that the image “9” corresponds to the relative location
coordinate (2,-1). The user may similarly determine the images “$”, “(“, “)”, and “^” as images
corresponding to relative location coordinates of the images “R”, “I”, “C”, and “K”, respectively.
Similarly, on being provided a login grid 132-2, the user may determine the images “9”, “7”,
“Z“, “J”, and “S” as images corresponding to relative location coordinates of the images
“T”,“R”, “I”, “C”, and “K”, respectively. Further, for the partner location key determined in
accordance with the registration grids 130-2, 130-3, and 130-4, the user may select the login set
of images based on the rules used for selecting the second set of registration images.
[0052] Upon receiving the login set of images, the authentication module 116 may save
the login set of images in the authentication data 122. Further, the authentication module 116
may determine a login sequence length of the login set of images such that the login sequence
length is equal to the number of the images of the login set of images. The authentication module
116 may then compare the login sequence length with the registration sequence length. In case
the login sequence length is not same as the registration sequence length, the authentication
module 116 may determine the user authentication to be unsuccessful and ask the user to reselect
the login set of images.
[0053] In case the login sequence length is same as the registration sequence length, the
authentication module 116 may continue with user authentication based on the login set of
images. Further, the authentication module 116 may determine login sequence order for the login
set of images based on the sequence of selection of the images, i.e., the sequence in which the
user had selected the login set of images. The authentication module 116 may then determine a
login relative location coordinate for each of the first set of registration images based on location
coordinates of the first set of registration images and the login set of images in the login grid. For
the purpose, the authentication module 116 may assume the registration grid as a 2-dimensional
graph with each image acting as one unit spacing or coordinate of the X-Y axis. The
17
authentication module 116 may then use the same process as followed by the registration module
114 for identifying the relative location coordinates by designating each image as origin, i.e.,
(0,0) coordinate on the X-Y axis and determining the location coordinate of the corresponding
image in the login set of images.
[0054] For instance, in the previous example of login grid 132, authentication module
116 may assume the login grid 132, say, the login grid 132-2 as a X-Y plane with the image “T”
as origin. The authentication module 116 may subsequently ascertain “9” as the corresponding
image, in the login set of images, for the image “T” and determine the location coordinate of “9”
with “T” as origin. Thus, in the given example, the authentication module 116 may determine
(2,-1) as the location coordinate of “9”. Similarly the authentication module 116 may determine
location coordinates of the images “7”, “Z”, “J”, and “S” by assigning the images “R”, “I”, “C”,
and “K”, respectively, as the origin. The authentication module 116 may subsequently assign the
location coordinates of the login set of images as the login relative location coordinates for the
first set of registration image. Thus, in the above example, the authentication module 116 may
determine (2,-1), (-1,-1), (0,-1), (1,1), and (3,-3) as the login relative location coordinates for the
images “T”, “R”, “I”, “C”, and “K”, respectively.
[0055] The authentication module 116 may subsequently generate a login location key
using the login relative location coordinates and the login sequence order. The authentication
module 116 then save the login location key in the authentication data 122. Further, the
authentication module 116 may determine whether the login location key matches with the
partner location key or not. The authentication module 116 may determine the user to be
authentic in case the login location key matches with the partner location key and thus authorize
the user to unlock the system 102.
[0056] For instance, in the previous example of the login grid 132-2, the authentication
module 116 may generate “(2,-1)(-1,-1)(0,-1)(1,1)(3,-3)” as the login location key and compare it
with the partner location key “(2,-1)(-1,-1)(0,-1)(1,1)(3,-3)” saved in the registration data 120.
Thus, in the present case the authentication module 116 may ascertain the login location key to
be same as the partner location key and allow the user to unlock the system 102.
[0057] In case the login location key does not match with the partner location key, the
authentication module 116 may determine the user authentication to be unsuccessful and ask the
18
user to select a new login set of images. For instance, in the previous example, if the user selects
an image “%” instead of the image “9” as the first image of the login set of images, then the
authentication module 116 will determine the login relative location of the image “T” as (2,0).
The login location key in that case would be “(2,0)(-1,-1)(0,-1)(1,1)(3,-3)” and would thus not
match with the partner location key “(2,-1)(-1,-1)(0,-1)(1,1)(3,-3)”, resulting in an unsuccessful
user authentication.
[0058] Further, in one embodiment, the login grid generated by the authentication
module 116 may be such that according to the partner location key the relative location
coordinates for an image of the secret key may lie outside the login grid itself. For instance, in
login grids 134-1, 134-2, and 134-3, hereinafter collectively referred to as login grid 134, as
illustrated in figure 1(e), the relative location coordinates for the images “T”, “I”, and “K” of the
secret key “TRICK” lie outside the login grid 134. In such a case, the authentication module 116
is configured to use a cycle around technique according to which if a point on an axis falls
outside the login grid, then the remaining points on that axis may be mapped from the opposite
end of the grid so that the point falls within the login grid.
[0059] For instance, as illustrated in the figure 1(e), the relative location coordinate (2,-1)
falls outside the login grid 134. As can be seen, the coordinate (2,-1) is falling outside because
the image “T” is at the bottom most line in the grid and thus neither the user nor the
authentication module 116 may be able to locate the negative y-axis (-ve Y axis) in the login grid
134. In such a case, the user and the authentication module 116 may cycle around the axis and
continue the -ve Y axis from opposite end of the login grid 134, i.e., from the image “B”. Thus,
with “T” as the origin, the -ve Y axis may begin from top most row and continue till the second
last row of the login 134, as illustrated in the login grid 134-1. Thus, in such a case the user and
the authentication module 116 may determine the image “9” to correspond to the relative
location coordinate (2,-1) of the image “T”.
[0060] Similarly, as illustrated in the login grid 134-2, the X axis and -ve Y axis have
been cycled around in order to accommodate, within the login grid 134, the points on these axes
that were falling outside. Thus, the image “Z” may be determined as the image corresponding to
the relative location coordinates of the image “I”. Further, the image “V” may be determined as
19
the image corresponding to the relative location coordinate of the image “K”, as illustrated by the
login grid 134-3.
[0061] Using cycle around technique allows the authentication system 116 to randomly
arrange the plurality of images without any limitation of ensuring that the relative location
coordinates are within the login grid, thus reducing any possible delay in providing the login grid
to the user. Thus, as shown by the exemplary registration grids 132-1 and 132-2 the login set of
images selected by the user is different for each instance of user authentication, thus facilitating
the user in avoiding the shoulder surfing and other similar attacks on the system 102. Since an
imposter trying to unlock the system 102 has to know both the secret-key and the partner
location key, the imposter who shoulder surfs may not be able unlock the system 102 as the
images provided by the fraud imposter will not provide the correct partner location key. Thus,
the proposed system 102 is more secure and robust to shoulder surfing compared to the
conventional systems.
[0062] Further, in another embodiment, the authentication module 116 may be
configured to provide some part of the partner location key while displaying the login grid to the
user. For instance, the authentication module 116 may provide “x” coordinates for all the relative
coordinates of the images of the secret key, thus facilitating the user in easy recall of the partner
location key.
[0063] In yet another embodiment, the authentication module 116 may be configured to
dynamically generate and provide the partner location key to the user while displaying the login
grid to the user. The user, in such a case may be asked to identify and provide the login set of
images based on the partner key location displayed along with the login grid.
[0064] In yet another embodiment, the authentication module 116 may be configured to
provide a dynamic real-time login grid by modifying the plurality of images in the login grid
such that images in the login grid change each time an image is selected by the user while
selecting the login set of images. In such a case, the authentication module 116 is configured to
include in a new login grid at least that image from the secret key for which the user needs to
select the corresponding image of the login set of images from the new login grid thus generated.
[0065] Figure 2 and 3 illustrate methods 200 and 300 for user authentication, according
to an embodiment of the present subject matter. The order in which the method 300 is described
20
is not intended to be construed as a limitation, and any number of the described method blocks
can be combined in any order to implement the methods, or any alternative methods.
Additionally, individual blocks may be deleted from the methods without departing from the
spirit and scope of the subject matter described herein. Furthermore, the methods can be
implemented in any suitable hardware, software, firmware, or combination thereof.
[0066] The methods may be described in the general context of computer executable
instructions. Generally, computer executable instructions can include routines, programs, objects,
components, data structures, procedures, modules, functions, etc., that perform particular
functions or implement particular abstract data types. The methods may also be practiced in a
distributed computing environment where functions are performed by remote processing devices
that are linked through a communications network. In a distributed computing environment,
computer executable instructions may be located in both local and remote computer storage
media, including memory storage devices.
[0067] A person skilled in the art will readily recognize that steps of the methods 200 and
300 can be performed by programmed computers and communication devices. Herein, some
embodiments are also intended to cover program storage devices, for example, digital data
storage media, which are machine or computer readable and encode machine-executable or
computer-executable programs of instructions, where said instructions perform some or all of the
steps of the described methods. The program storage devices may be, for example, digital
memories, magnetic storage media, such as a magnetic disks and magnetic tapes, hard drives, or
optically readable digital data storage media. The embodiments are also intended to cover both
communication network and communication devices configured to perform said steps of the
exemplary methods.
[0068] Figure 2 illustrates the method 200 for registering authentication parameters for
user authentication, according to an embodiment of the present subject matter.
[0069] At block 202, a registration grid having a plurality of images is provided. In one
implementation, a system, such as the system 102 is configured to provide the registration grid to
a user of the system for registering authentication parameters for user authentication. For the
purpose, the plurality of images is initially obtained from a set of images comprising of graphics,
21
characters, numerals, special characters, and combinations thereof. The images are then
randomly arranged to generate the registration grid.
[0070] At block 204, a secret key is generated based on a first set of registration images
and a registration sequence order. In one implementation, the user may select the first set of
registration images from among the plurality of images and indicate the system of the selection.
The secret key is subsequently generated by arranging the first set of registration images in the
order of their selection as indicated by the registration sequence order. Further, the secret key
may have a secret key length equal to number of images in the first set of registration images.
[0071] At block 206, a second set of registration images having a registration sequence
length is obtained. In one implementation, the second set of registration images may be randomly
selected from the plurality of images, for example, by the system 102. In another
implementation, the second set of registration images may be obtained based on one or more
preconfigured rules. In yet another implementation, the second set of registration images may be
obtained from the user. In said implementation, the user may select the second set of registration
images from the registration grid upon selection of the first set of registration images. Further,
the second set of registration images may be selected such that each image of the second set of
registration images is different from a corresponding image in the first set of registration images.
[0072] At block 208, a relative location coordinate for each of the first set registration
images is determined based on location coordinates of the first set of registration images and the
second set of registration images. In one implementation, the relative location coordinate is
determined based on distance between corresponding images in the first and second set of
registration images in the registration grid. For the purpose, each of the first set of registration
images is designated as origin of an X-Y plane, where each of the plurality of images
corresponds to a unit spacing of the X-Y plane. Further, for each image of the first set of
registration images, location coordinates of the corresponding image in the second set of
registration images is ascertained in the registration grid based on distance between the image
and the corresponding image in the X-Y plane. Further, for each of the first set of registration
images, the location coordinate of the corresponding image is designated as the relative location
coordinate.
22
[0073] At block 210, a partner location key is generated based on the relative location
coordinates and the registration sequence order. In one implementation, the relative location
coordinates of each of the first set of registration images is arranged in the sequence indicated by
the registration sequence order to obtain the partner location key. Further, length of the partner
location key will be same as the registration sequence length, i.e., equal to the number of images
in the partner location key or the second set of registration images.
[0074] At block 212, the partner location key, the secret key, the secret key length, the
registration sequence length, and the registration sequence order is saved as authentication
parameters.
[0075] Figure 3 illustrates the method 300 for authenticating a user based on the
authentication parameters, according to an embodiment of the present subject matter.
[0076] At block 302, a login grid having a plurality of images is provided. In one
implementation, a system, such as the system 102 is configured to provide the login grid to a
user of the system for entering authentication parameters for user authentication while unlocking
the system. For the purpose, the plurality of images is initially obtained from a set of images
comprising of graphics, characters, numerals, special characters, and combinations thereof. The
images are then randomly arranged to generate the login grid. In one implementation, the images
may be arranged in a different order than the order used in the registration grid.
[0077] In one embodiment, the plurality of images in the login grid may be modified
each time a user selects an image from the login grid for providing the login set of images such
that images in the login grid change each time an image is selected by the user while selecting
the login set of images. In such a case, a new login grid having the modified plurality of images
may include at least that image from the secret key for which the user needs to select the
corresponding image of the login set of images from the new login grid thus generated. In
another embodiment, a part of the partner location key may be provided to the user for selecting
the login set of images based on the partner location key.
[0078] At block 304, a login set of images is received from a user. In one
implementation, the user may select the login set of images from among the plurality of images
and indicate the system of the selection. On receiving the login set of images, the system may
determine a login sequence length of the login set of images based on the number of images in
23
the login set of images. In one embodiment, a partner location key may be dynamically
generated and provided to the user while displaying the login grid to the user. The user, in such a
case may be asked to identify and provide the login set of images based on the partner key
location displayed along with the login grid.
[0079] At block 306, a determination is made to ascertain whether the login sequence
length is equal to a registration sequence length. The registration sequence length is the length of
a partner location key selected by a user for user authentication and is equal to number of images
in the partner location key. If the system 102 determines that the login sequence length is
different, i.e., not equal to the registration sequence length, which is the 'No' path from the block
306, the user authentication is determined to be unsuccessful and the user is requested to provide
a new login set of images that may be received by the system at block 304.
[0080] In case at block 306 it is determined that the login sequence length is same, i.e.,
equal to the registration sequence length, which is the 'Yes' path from the block 306, a login
relative location coordinate is ascertained for each image of the secret key at block 308. In one
implementation, the relative location coordinate for each of the image is determined based on
location coordinates of each image of the secret key and the corresponding image of the login set
of images. For the purpose, each image of the secret key is designated as origin of an X-Y plane,
where each image corresponds to a unit spacing of the X-Y plane. Further, for each image of the
secret key, location coordinates of the corresponding image in the login set of images is
ascertained in the login grid based on distance between the image and the corresponding image
in the X-Y plane. Further, for each image of the secret key, the location coordinate of the
corresponding image is designated as the login relative location coordinate.
[0081] At block 310, a login location key is generated based on the relative location
coordinates of each image of the secret key and a login sequence order. In one implementation,
the relative location coordinates of each image of the secret key is arranged in the sequence
indicated by the registration sequence order to obtain the login location key.
[0082] At block 312, a determination is made to ascertain whether the login location key
matches with a partner location key. The partner location key includes relative location
coordinates for each image of the secret key determined during a registration process. If the
system 102 determines that the login location key is different, i.e., it does not match with the
24
partner location key, which is the 'No' path from the block 312, the user authentication is
determined to be unsuccessful and the user is provided a new login grid having the plurality of
images at block 302.
[0083] In case at block 312 it is determined that the login location key is same, i.e., it
matches with the partner location key, which is the 'Yes' path from the block 312, a user
authentication is determined to be successful at block 314.
[0084] Although embodiments for methods and systems user authentication have been
described in a language specific to structural features and/or methods, it is to be understood that
the present subject matter is not necessarily limited to the specific features or methods described.
Rather, the specific features and methods are disclosed as exemplary embodiments for user
authentication.

I/We claim:
1. A method for user authentication, the method comprising:
determining, in a login grid, a login relative location coordinate for each image of
a secret key, the login relative location coordinate being determined based on location
coordinates of each image of the secret key and location coordinates of a corresponding
image in a login set of images;
generating a login location key based on the relative location coordinate of each
image of the secret key and a login sequence order, wherein the login sequence order
indicates sequence of selection of images in the login set of images;
comparing the login location key with a partner location key, wherein the partner
location key includes relative location coordinates for each image of the secret key; and
ascertaining the user authentication to be successful for the login location key
matching with the partner location key as a result of comparing.
2. The method as claimed in claim 1, wherein the determining further comprises:
designating, each image of the secret key as origin of an X-Y plane;
ascertaining, in the login grid, location coordinates of a corresponding image of
the login set of images based on distance between the image and the corresponding image
in the X-Y plane, wherein each image corresponds to a unit spacing of the X-Y plane;
and
determining, for each image of the secret key, the location coordinate of the
corresponding image as the login relative location coordinate of the image.
3. The method as claimed in claim 1 further comprising:
providing the login grid having a plurality of images to a user; and
receiving the login set of images selected from among the plurality of images,
wherein the login set of images has a login sequence length equal to number of images
in the login set of images.
4. The method as claimed in claim 3 further comprising:
comparing the login sequence length with a registration sequence length, wherein
the registration sequence length is equal to length of the partner location key; and
determining the user authentication to be unsuccessful for the login sequence
length being different from the registration sequence length.
26
5. The method as claimed in claim 3, wherein the providing the login grid comprises
modifying the plurality of images in the login grid each time a user selects an image from
the login grid for providing the login set of images.
6. The method as claimed in claim 3 further comprising providing a part of the partner
location key to the user for selecting the login set of images based on the partner location
key.
7. The method as claimed in claim 1 further comprising:
generating the partner location key during the user authentication; and
providing the partner location key to the user for selecting the login set of images
based on the partner location key.
8. A method for registering authentication parameters for a user, the method comprising:
providing a registration grid having a plurality of images to a user;
generating a secret key based on a registration sequence order and a first set of
registration images selected from among the plurality of images, wherein the
registration sequence order indicates sequence of selection of images in the first set of
registration images, and wherein the secret key has a secret key length equal to number
of images in the first set of registration images;
determining a relative location coordinate for each of the first set of registration
images based on location coordinates of the first set of registration images and location
coordinates of a second set of registration images;
generating a partner location key based on the relative location coordinate of each
of the first set of registration images and the registration sequence order; and
saving the partner location key, the secret key, the secret key length, and the
registration sequence order as authentication parameters for registering the user.
9. The method as claimed in claim 8, wherein the determining further comprises:
designating, for each of the first set of registration images, the image as origin of
an X-Y plane;
ascertaining, in the registration grid, location coordinates of a corresponding
image of the second set of registration images based on distance between the image and
the corresponding image in the X-Y plane, wherein each of the plurality of images
corresponds to a unit spacing of the X-Y plane; and
27
designating, for each of the first set of registration images, the location coordinate
of the corresponding image as the relative location coordinate of the image.
10. The method as claimed in claim 8 further comprising obtaining the second set of
registration images, selected from among the plurality of images, wherein number of
images in the second set of registration images is equal to the secret key length.
11. The method as claimed in claim 10, wherein the obtaining comprises receiving the
second set of registration images from the user.
12. The method as claimed in claim 10, wherein the obtaining comprises selecting the second
set of registration images from among the plurality of images.
13. A system (102) comprising:
a processor (104);
a registration module (114) coupled to the processor (104), the registration
module (114) configured to:
generate a secret key based on a registration sequence order and a first set
of registration images selected from among a plurality of images, wherein the
registration sequence order indicates sequence of selection of images in the first
set of registration images, and wherein the secret key has a secret key length equal
to number of images in the login set of images;
determine a relative location coordinate for each image of the secret key
based on location coordinates of each image of the secret key and a second set of
registration images; and
generate a partner location key based on the relative location coordinate of
each image of the secret key and the registration sequence order; and
an authentication module (116) coupled to the processor (104), the authentication
module (116) configured to:
determine, in a login grid, a login relative location coordinate for each
image of the secret key, wherein the login relative location coordinate is
determined based on location coordinates of the secret key and location
coordinates of a login set of images;
28
generate a login location key based on the relative location coordinate of
each image of the secret key and a login sequence order, wherein the login
sequence order indicates sequence of selection of images in the login set of
images; and
compare the login location key with the partner location key for user
authentication.
14. The system (102) as claimed in claim 13, wherein the authentication module (116) is
further configured to determine the user authentication to be successful for the login
location key matching with the partner location key.
15. The system (102) as claimed in claim 13, wherein the authentication module (116) is
further configured to determine the user authentication to be unsuccessful for the login
location key being different from the partner location key.
16. The system (102) as claimed in claim 13, wherein the authentication module (116) is
further configured to:
provide the login grid having the plurality of images to a user;
receive the login set of images selected from among the plurality of images,
wherein the login set of images has a login sequence length equal to number of images
in the login set of images;
compare the login sequence length with a registration sequence length, wherein
the registration sequence length is equal to length of the partner location key; and
determine the user authentication to be unsuccessful for the login sequence length
being different from the registration sequence length.
17. The system (102) as claimed in claim 13, wherein the authentication module (116) is
further configured to:
designate each image of the secret key as origin of an X-Y plane;
ascertain, in the registration grid, location coordinates of a corresponding image
of the login set of images based on distance between the image and the corresponding
image in the X-Y plane, wherein each image corresponds to a unit spacing of the X-Y
plane; and
determine, for each image of the secret key, the location coordinate of the
corresponding image as the login relative location coordinate of the image.
29
18. The system (102) as claimed in claim 13, wherein the registration module (114) is further
configured to:
designate each image of the first set of registration images as origin of a X-Y
plane;
ascertain, in the registration grid, location coordinates of a corresponding image
of the second set of registration images based on distance between the image and the
corresponding image in the X-Y plane, wherein each of the plurality of images
corresponds to a unit spacing of the X-Y plane; and
determine, for each of the first set of registration images, the location coordinate
of the corresponding image as the relative location coordinate of the image.
19. The system (102) as claimed in claim 13, wherein the registration module (114) is further
configured to obtain the second set of registration images, selected from among the
plurality of images, wherein number of images in the second set of registration images is
equal to the secret key length.
20. The system (102) as claimed in claim 13, wherein the plurality of images is one from a
group comprising of graphics, characters, numerals, special characters, and combinations
thereof.