Beyond Passwords: A Multifactor Authentication

System with Graphical Authentication using

Dynamic Grid-Based OTPs
1†
V Senthil Adithya , Lisha Jain1† , N Harini 1*

1
Department of Computer Science and Engineering, Amrita School of
Computing, Amrita Vishwa Vidyapeetham, Coimbatore - 641112, India.

*Corresponding author(s). E-mail(s): n [email protected];

Contributing authors: [email protected];
[email protected];
†
These authors contributed equally to this work.

Abstract
The rise of online banking has heightened concerns about the effectiveness of cur-
rent authentication methods, as criminals exploit human behaviour rather than
technology to breach security. “Shoulder surfing” — observing PIN entry before
stealing a phone — is a common tactic leading to substantial financial losses. For
example, a man lost over £22,000 when attackers accessed his banking creden-
tials and OTPs using his compromised PIN [1]. In Hyderabad, Rachakonda police
arrested six individuals involved in a Rs. 4-crore insurance scam, using similar
tactics to steal login details [2]. Although there is literature on preventing shoul-
der surfing, persistent attacks reveal that secure OTP methods often compromise
usability. This paper proposes an image-based multifactor authentication (MFA)
system using an OTP grid. The grid incorporates registered images and decoys
to obscure unauthorized observation while allowing legitimate users to quickly
identify passwords, thus improving security and usability in mobile banking.

Keywords: OTP, Image based authentication, MFA, Graphical authentication

1
1 Introduction
The digital ecosystem and landscape are evolving rapidly to keep pace with advance-
ments in connectivity, communication infrastructure, and next-generation use cases.
To address these changes, it is essential to secure your existing network using a variety
of monitoring tools, authentication, and access control schemes.
In an era where online transactions and interactions have become integral to
daily life, the necessity for robust authentication mechanisms is paramount. Partic-
ularly within the realm of banking services, where sensitive financial information is
exchanged, the traditional reliance on passwords alone for user authentication has
proven increasingly susceptible to various security threats. The function of MFA goes
beyond adding another line of defence; it represents a dedication to flexibility and
toughness in the face of growing technological threats. This wider trend in the indus-
try shows how important it is to have strong security to protect our data.[3]
To address these concerns, this research paper introduces a novel Multifactor Authen-
tication (MFA) system for a wide variety of applications including the banking sector.
Traditional password-based authentication mechanisms, while providing a basic level
of security, often fall short in mitigating advanced threats. As such, the proposed
MFA system leverages the integration of image-based authentication alongside One-
Time Passwords (OTPs) to fortify the security posture of online banking platforms.
Graphical OTPs, which combine the intuitive nature of graphical passwords with the
dynamic security of one-time passwords, are increasingly recognized as essential for
contemporary security needs.
The proposed authentication system consists of two phases: the registration phase
and the login phase. In the registration phase, users select two images, to serve as visual
cues during subsequent authentication attempts. In the login phase, users are presented
with a grid of randomly generated images, among which their selected images are
strategically placed. Concurrently, a random number is generated for each row and
column within the grid, with two of these numbers corresponding to the characters of
the OTP. Crucially, the pre-selected images are positioned in either the row or column
associated with the OTP characters, where a non-blank number indicates the presence
of the OTP characters, while the other number corresponding to the cell is rendered
blank. Additional blanks are randomly mixed to confuse any possible shoulder surfing.
The uniqueness of the scheme lies in the innovative matrix organization, presented in
the login phase, that allows legitimate users to quickly and easily infer the password
at first glance, thereby enhancing usability, while simultaneously making it difficult to
decipher for unauthorized users.
With electronic banking becoming a more successful internet service, customers can
frequently carry out transactions with a smartphone (a personal dependable tool) [4].
This innovative approach not only enhances the security of online banking transactions
but also addresses the limitations of conventional single-factor authentication methods.
By incorporating visual cues and OTPs, the proposed system aims to thwart unau-
thorized access attempts, reduce the risk of fraud, mitigate threats such as shoulder
surfing and safeguard user privacy.

2
2 Literature Review
The traditional authentication methods have been proven to be vulnerable to dif-
ferent types of security attacks. The use of graphical passwords as an alternative to
textual passwords for user authentication can be an efficient strategy [5].

Alsaiari H. et al [6] examined e-banking login issues when hardware security tokens
are unavailable. Surveying 250 respondents in the UK and Saudi Arabia, aged
30-39, they found it inconvenient to carry multiple tokens. 57% preferred OTPs,
90% endorsed multifactor authentication. They proposed integrating authentication
methods for usability, suggesting combining OTPs with graphic-based techniques.
Authors in [7] devised a novel one-time password (OTP) generation technique reliant
on user identity, incorporating account credentials and timestamps. The approach
constructs a string for generating random permutations via one-way hashing, adapt-
able to various sizes. This method offers seamless integration into diverse online
authentication systems, facilitating enhanced security measures. According to the
authors of [8], graphical passwords, unlike TOTP(Time-based One-Time Password),
which rely solely on alphanumeric codes, offer users a more intuitive and user-friendly
authentication process. Furthermore, they can integrate multifactor authentication
components, furnishing an additional security layer compared to stand-alone TOTP.
Their solution obviates the necessity for periodic password regeneration, streamlining
user authentication while upholding robust security protocols.

Reference [9] introduced a non-biometric multifactor authentication (MFA) system

using image identification and pre-configured relationships with the people in those
pictures. It relies on user memory for authentication elements, contrasting with
graphical schemes offering memorability through visual cues. However, a drawback
is the potential susceptibility to familial breaches due to identifiable image relations.
The system proposed in [10] generates five different images and a five-bit OTP, the
system prompts users to click on specific points corresponding to the OTP value
(1 or 0). However, this approach may be too confusing for non-technical users to
remember, and the sequential generation of five images could potentially irritate
the user. In the proposed scheme of [11], a sequence of points is to be selected to
authenticate with the addition of a tolerance area to enhance usability. This adap-
tation seeks to alleviate recognition errors and streamline password input. However,
it is crucial to acknowledge potential trade-offs, as an expanded tolerance area may
inadvertently weaken security, increasing susceptibility to shoulder surfing attacks.
Balancing usability and security remains paramount in designing and implementing
such authentication mechanisms.

A novel scheme is proposed in [5] to address weaknesses in current graphical and

textual password systems. It utilizes a combination of image clicks and textual keys
for user authentication. The system displays a slide show of images for a limited
time. Users must click on specific pre-defined areas within these images during reg-
istration and authentication. The number of clicks can be adjusted based on the
desired security level. Additionally, users enter a text key along with each click to

3
enhance security against shoulder surfing attacks. But, traversing through multiple
images in regular intervals is time-consuming and a hassle for users to enter a key
after each iteration. Further, there needs to be an optimal fault tolerance algorithm
since the touch area needs to be of a reasonable size for genuine users to authenticate
themselves. Williamson J. et al [12] review authentication methods, emphasizing
multifactor authentication’s (MFA) ascendancy in bolstering security. It advocates
MFA’s gradual adoption as a standard practice, anticipating its prevalence akin to
username-password pairs. Despite occasional challenges, MFA emerges as a superior
alternative, pivotal for fortifying user account security amid evolving cyber threats.
In [13], a method is described for generating OTPs using images. Users register with
an ID and PIN, select an image, which is resized, converted to grayscale, and edge-
detected. Coordinates with intensity 1 are used to calculate distances, normalized,
and duplicates removed. The remaining values are used to generate OTPs. Requiring
users to select and upload images for each transaction may be inconvenient, nega-
tively affecting the user experience.

Reference [14] suggests a graphical authentication method where the user enters a
keyword according to which images are generated. From these, two images are to be
chosen and remembered. During authentication, among a grid of images, the user
selects the chosen one, which splits into 5x5 tiles each with 2-digit numbers on them.
This process happens again and the user must remember the 4-digit number. The
above process is repeated once more. The registration method where images are
generated according to user keyword leads to unnecessary computational and storage
overload. Making the user remember 2 sets of 4-digit OTP also leads to cognitive
overload to users. The proposed method in [15] adds security to authentication by
ID cards and QR codes. The authors propose multiple levels of security, by adding
biometric checks and encrypted OTP displayed as QR code. The fifth and final level
of authentication consists of the user selecting 2 chosen images in the correct order.
While this system enhances the security of the process, it is still cumbersome for the
user to go through multiple levels of security.

Summary of Findings:
The Internet is an indispensable platform for business and social interactions. The
rapid growth of the Internet of Things and services shows that more physical items in
our daily lives can be networked, enhancing their manageability via Internet services.
This exposure, along with privacy and the value of the information they hold, has
led to a surge in security threats and violations. The present sophistication level of
hackers, coupled with the limitations of current schemes, demands authentication
solutions to evolve beyond single-factor methods.
Current authentication schemes are vulnerable to shoulder surfing, breaches by
known individuals, and are computationally heavy, making them less efficient and user-
friendly. These schemes often require users to remember complex patterns and manage
cumbersome multi-step authentication processes, which reduces user adoption.

4
 S. Reference Method/ Advantages Disadvantages Proposed System’s
No Technique Solution
1 Carrillo- Image Provides Susceptible to By using a
Torres et recognition memorabil- breaches from predefined image
al.[9] by ity through known people. pool rather than
uploading personal Tedious to personal associations
personal connections upload proper and uploads, the risk
images and uses non- images. of security breaches
assigning biometric by known people is
relation- factors reduced.
ships
2 Hire et OTP Customizable Time Authentication is
al.[10] through security lev- consuming, simplified by
image clicks els through requires users allowing users to
and clicking to remember deduce OTP from a
predefined pre-selected multiple clicks, grid without any
areas regions of prone to clicks, reducing time
image recognition and error likelihood.
errors, high
tolerance area.
3 Yang [6] Passpositions User-friendly Security may The grid structure
– Select a and flexible, weaken with and dynamic OTP
series of enhances larger tolerance elements reduce
points with memorabil- areas, tolerance issues and
a certain ity with susceptible to incorporate blanks
tolerance images shoulder surfing to deter shoulder-
area. surfing attempts.
4 Srinivas OTP Uses unique The OTP OTP can be
et al.[13] generation image generated can deciphered only by
based on processing still be shoulder the user since they
grayscale for OTP surfed. know their selected
image generation image.
processing.
5 Rajendran OTP based Strengthens Computationally Reduces cognitive
et al.[14] on entered security heavy, high load by simplifying
keywords through cognitive load the image selection
generating multiple for users process and using
images factors fewer OTP steps.
6 Vasudev MFA with Multiple Cumbersome Single graphical
et al.[15] ID cards security with several OTP step,
and QR layers, authentication streamlining the
codes including steps, may process and
biometric reduce user enhancing
and QR code adoption user-friendliness.
7 Miss et Pattern- Provides an Complexity in Grid-based system
al.[5] based additional recalling with random blanks
multifactor layer of patterns and decreases predicta-
authentica- security, over shoulder surfing bility and reduces
tion passwords of patterns shoulder surfing.
8 Malikovich OTP Highly Algorithm- Uses user-selected
et al.[16] generation secure for dependent, may images and
using pseu- OTP lack flexibility randomness within
dorandom generation, for the OTP grid for
number avoids cross-platform simpler cross-
generators repetition integration platform integration.
Table 1 Comparison of different MFA schemes

5
3 Proposed Method
The proposed system is an enhanced security measure that ensures that only
authorized users can perform transactions by enforcing a two-factor authentication
process.

Table 2 Table of Notations

S.No Notation Description

1 n Length of OTP
2 m Number of images the user selects in each matrix
3 k Order of each matrix
4 p Number of matrices generated
5 ⌈x⌉ Ceiling function of x
6 r no. of images to be selected in the additional matrix if created
7 t max failed login attempts
8 slot Region beside and above the matrix where OTP characters are placed

The authenticating service sets the values for n, m, k, t described above as per
their requirements prior to registration.
During the registration phase, the user is first asked to provide their details, which
include information such as name, account number, and password. The user is then
presented with at least m image categories such as trees, flowers, bottles, currency etc.
From each of the m categories, the user is required to select one image and remember
the order in which they selected them.
Once the user requests a transaction, the OTP server generates an n-character
OTP. Let p = ⌈n/m⌉. The OTP is split into p parts with each part having OTP
length m (m equals to the number of user-selected images), and an image matrix is
generated using the OTP and a random image generator.

Algorithm 1 OTP Generation

1: Generate the n -character OTP based on the algorithm in [16] in the OTP server.
2: A double transposition encryption is used to encrypt the OTP. The encryption
key is randomly generated with a length equal to that of the OTP.

The transposed OTP is partitioned for placing in the matrices generated, using
the below equation which shows how each partition is made.

OT P(p) = (OT P )T [(p − 1)m : pm] (1)

where, [a:b] represents slicing the OTP sequence from index a to b, excluding b since
we consider a 0 based indexing convention.

6
Algorithm 2 Matrix Generation
1: Server generates the image matrix using the encrypted OTP
2: p ← ⌈n/m⌉
3: r ← n mod m
4: if r ̸= 0 then
5: return p matrices with last matrix having r user-selected images
6: else
7: return p matrices
8: end if
9: for matrix in matrices do
10: for i=1 to m do
11: Randomly select both row, col where 0 <= row, col < k
12: if matrix[row][col] is Null then
13: pos ← Randomly select either row or col
14: if (pos is blocked) && (Existing OTP char ̸= New OTP char) then
15: Go back to 11
16: else
17: matrix[row][col] ← user selected image
18: slot[pos] ← N ew OT P char
19: end if
20: end if
21: end for
22: Non-user-selected images from the same categories as the user-selected images
are fed to the unfilled locations in each partitioned matrix.
23: Out of 2k row numbers and column numbers to be assigned, 2m are already
assigned as m OTP characters and m blank spaces. Extra blank spaces are
randomly assigned such that they fall in the range (((2k-2m)/2)-m) ±1
24: end for
25: end For

Algorithm 3 OTP Validation

1: Transposition key and H(OTP) are sent to the application server.
2: The matrices to the third-party application are sent.
3: Get user input for the Graphical OTP.
4: In the authenticating application, internally decrypt the user input OTP using the
below Pp
′ T
5: if H (OT P ) == H (( i=1 OT P(i) ) ) then
6: transaction allowed
7: else
8: transaction failed
9: end if
10: if transaction fails for t times then
11: block the account
12: end if

7
Fig. 1 Registration phase

For illustration purposes, we set n=4 and k=5. Further, we set m=2 and hence the
user chooses two images - say Bonsai tree from the category “Trees” and Rupee from
the category “Currency”. The 4-character OTP is generated from the random OTP
generator, and the OTP is split into two parts each of length 2. The matrix size for
this example is taken as 5×5.

8
Fig. 2 Login Phase

9
Fig. 3 Registration Page

The 2 user-selected images, i.e., “Bonsai tree” from the “Trees” category and the
“Rupee symbol” from the “Currency” category, are placed in the matrix. The corre-
sponding OTP characters will be placed in either the row or the column of the two
images, ensuring that if the row contains an OTP character, the column will remain
blank and vice versa. The remaining 23 locations within the matrix are populated
with random images that resemble the user-selected images. The other remaining rows
and columns are populated with random characters and blank spaces. This matrix,
along with the hashed OTP, is then transmitted to the application server. The user
is required to identify the user-selected image, and the character corresponding to the
image will constitute the OTP character.

Fig. 4 User Selected image a. Bonsai Tree User Selected image b. Rupee

10
Fig. 5 a. Login Matrix 1 b. Login Matrix 2

For the first matrix, shown in Fig. 5 a the user inputs “35”, ‘3’ for the Bonsai image
in the tree category and ‘5’ for the rupee image in the currency category in the first
matrix, as the “tree” was chosen first and then the “currency” for the second during
registration. Likewise, for the second matrix, shown in Fig. 5 b the user inputs “2d”,
‘2’ for the Bonsai image and ‘d’ for the rupee image.
The OTP is then concatenated to be “352d”, correctly transposed according to the
transposition key generated earlier, hashed, and compared with the initially hashed
OTP sent by the server. If they match, the transaction proceeds; otherwise, it fails.
Should the transaction fail repeatedly, the account may be blocked due to unauthorized
access.

4 Risks Mitigated
In developing this image-based multifactor authentication system, our aim is to address
several common security vulnerabilities inherent in traditional authentication meth-
ods. This subsection discusses some of the possible risks mitigated by our proposed
method. By incorporating user-selected images, dynamically generated OTPs, and
multiple layers of randomness, our system aims to effectively counter the below men-
tioned attacks. The following analysis highlights how each of these risks is addressed,
ensuring a secure and reliable authentication process for users.

4.1 Brute Force Attacks

The proposed method is similar to other methods of authentication with reference to
brute force attacks. We can say that it takes more time to compromise the system
than other methods since the hacker would have to brute force two screens one after
the other. As such, the attack can fail since there is more chance of the OTP’s lifetime

11
getting expired. Further, the number of attempts to enter the password will also be
over.

tattack = ∆t − tnavigate screen (2)

where ∆t is the time taken for the OTP to expire.

4.2 Guessing Attack

The proposed system makes guessing attacks difficult to implement. Even if the hacker
manages to guess the image, the image pool provided by the method has various similar
images with only slight variations between them. For example, if the hacker guesses
the images to be a tree, there may be many trees with slight variations in colour
orientation or other features in the matrix that would make it difficult to pinpoint the
image selected by the user.

4.3 Shoulder Surfing

The proposed method makes the user enter the OTP in parts over multiple screens.
Thus, shoulder surfing two screens is more difficult than looking at a single screen. Fur-
ther, this method uses images for the user to select the corresponding OTP character
and hence until the user enters the actual OTP, shoulder surfing is impossible.

4.4 Dictionary Attack

Dictionary Attacks do not hold against OTPs since they are dynamically generated
and have a very short lifetime. But, if the attacker decides to create a rainbow table
for compromised user-selected images, then they would have an increased space com-
plexity compared to storing compromised text-based passwords. Further, even if a
rainbow table is created, it is not mandatory that two services provide the same set
of images for users to select from.

4.5 Hotspots
The proposed system is very less likely to have hotspots where the correct OTP will
be localized since the algorithm is incorporated with randomness at various points.
The OTP characters and the images corresponding to those are distributed across the
grid by the algorithm and are less likely to frequent the same cell.

5 Effectiveness of the scheme

To evaluate the effectiveness and user experience of our image-based multifactor
authentication (MFA) system, we conducted a survey involving 88 participants. We
segregated the participants according to their age group. No other data such as gender
or geographical location has been collected to prevent unnecessary bias, as well as to
be user-friendly. Each participant was tasked with identifying the pre-selected images
within matrices of varying sizes, and thereby enter the OTP as described in our
proposed method. The goals were a.) to assess the accuracy and reliability of users in

12
correctly identifying the OTP characters associated with the pre-selected images b.)
to identify an optimal matrix size for OTP size of 4 (one of the most commonly used
OTP sizes is 4).To prevent easy guessing of the OTP digits, it is proposed that as the
user-selected images (OTP digits per matrix) increase, the matrix size k should also
be increased. Recommendations according to this observation are in Table 2.

Based on the survey results, 80% of the users were successful in accurately identifying
and entering the OTP for at least two matrix sizes. Moreover, over 75% of users
could correctly enter the OTP for all matrix sizes. A correlation between matrix size
and OTP accuracy was observed, with a decrease in OTP accuracy as the matrix
size increased. From the survey and our experimentation, we find that for a 4-digit
OTP, two 5x5 matrices each having two digits of the OTP is an optimal approach
that balances both security and user-friendliness.

Table 3 Recommended values for optimal security

Length of OTP Total no. of matrices Number of images the user selects in each matrix
4 2 matrices each of size 5×5 2,2
5 3 matrices each of size 5×5 2,2,1
6 2 matrices each of size 6×6 3,3

Fig. 6 Overall OTP Entry Accuracy

From the data in Fig. 6, it is evident that over 80% of the surveyed users were able
to enter the proper OTP and authenticate successfully using the proposed system.
Thus, the user experience and usability of the proposed method is appreciable.

13
5.1 Versatility
The proposed image-based MFA system offers several advantages in terms of versatil-
ity, catering to user needs and providing a secure authentication experience.
1. Accommodation for User Memory: One of the key features is the system’s
ability to leverage user memory effectively. Users select 2 or 3 images during reg-
istration and remember the order of these images to identify them in the matrix
during authentication. This approach is simpler and less demanding than remem-
bering complex, super-secure passwords, allowing users to maintain their selected
images for a longer period before needing a routine change. This conclusion is
supported by the survey data Fig.7(b)
2. Predefined Image Pool: The organization defines the image pool, preventing
users from making personal choices that could compromise security.
3. Enhanced Security through Randomness: Randomness is introduced at mul-
tiple points during OTP and matrix generation, ensuring that the system remains
unpredictable and secure.
4. Partition of OTP: Entering the OTP in parts can further improve security by
reducing the window of vulnerability if a portion is intercepted.
5. Faster Login Potential: Login duration is streamlined to a matter of seconds,
as users only need to identify their preselected images and enter the corresponding
OTP character. This can be quicker than entering long passwords or waiting for
SMS codes. This speed and simplicity ensure a quick and hassle-free login experi-
ence for the user. The image-based approach has the potential to be faster than
traditional methods.
6. Presence of blank spaces: An attacker may be able to identify user-selected
images by identifying the images that have a blank in its column or row. Thus, some
blank spaces and characters are randomly interspersed in the rows and columns.
These blank spaces enable the presence of non-user-selected images as potentially
correct choices, thereby ensuring the existence of multiple correct images.
7. Balancing Security and Usability: The system strikes a balance between secu-
rity and usability by combining image recognition with OTP character entry.
Preselected images enhance memorability compared to random images, while the
requirement to enter OTP characters adds an additional layer of security beyond
mere image recognition.

5.2 Scalability
Scalability analysis is essential for assessing how well the proposed image-based mul-
tifactor authentication (MFA) system would function in high-user environments, such
as banking or corporate platforms with millions of accounts.
In terms of server load and database management, storing unique image sets and
OTP data for each user session could place a substantial demand on resources. To
address this, the system can employ a predefined image pool that dynamically assigns
images to users, reducing storage requirements. Efficient database indexing for user
data, like image selections and login patterns, would improve retrieval speed. Caching

14
frequently accessed images and user data could also minimize database load, enhancing
the system’s ability to support a large user base.
Handling authentication requests simultaneously for many users, especially during
peak hours, is another key scalability concern. Load balancing across multiple servers
would help distribute these requests evenly, preventing bottlenecks. Lightweight ses-
sions and session tokens instead of frequent database calls would streamline the
process, and rate limiting would manage traffic to prevent overload or denial-of-service
(DoS) attacks.
For OTP and image grid generation, the system can use parallel processing to
handle multiple tasks concurrently, ensuring sustained performance as demand grows.
Managing network bandwidth and latency is also important; image-based authentica-
tion may increase data transfer needs, particularly for mobile and web applications.
Image compression can reduce data size without losing quality, and deploying a con-
tent delivery network (CDN) for images and grids would improve speed and reliability
for geographically dispersed users.
Scalability can also benefit from cloud infrastructure, as cloud platforms provide
the flexibility to scale resources up or down based on traffic. Horizontal scaling, adding
more instances of servers, databases, and load balancers, would maintain performance
as the user base grows.
In summary, the proposed system’s scalability potential is strong, with strategies
such as database indexing, caching, load balancing, and image compression. Utiliz-
ing cloud infrastructure and monitoring tools would enable the system to efficiently
manage large user bases while preserving security and user experience.

5.3 Cost Analysis

Infrastructure and computational resources are essential to support the scalability of
the proposed system. For servers, a cloud-based infrastructure, with load balancing
is recommended to ensure high availability, particularly during peak authentication
requests. Image grid generation and OTP processing are CPU intensive but can be
optimized using grayscale images. Memory requirements will vary according to the
concurrent user load and storage needs for the image matrices. For the database,
a relational or NoSQL database is suitable for storing user information, OTPs, and
session logs. A small pool of grayscale images (100x100 pixels) will be stored for the
selection of the OTP grid. Caching frequently accessed images and user data will
reduce database load and improve response times. A Content Delivery Network (CDN)
is also recommended to distribute images globally, decreasing latency and server load
by caching images closer to users.
Optimizing images as grayscale reduces file size without compromising usabil-
ity. Using images sized at 100x100 pixels (approximately 10 KB each) provides
enough detail for user recognition without high data demands. Additional compression
(e.g., JPEG with moderate quality) can reduce the file size to about 5 KB, further
minimizing bandwidth and storage requirements.
The cost of generating each matrix involves selecting and arranging images in a
5x5 grid, with OTP characters linked to selected images. For each matrix, around 125

15
KB is required (assuming each image is 5 KB). Optimized randomization allows each
matrix to be generated in a few milliseconds.
Data handled per user per session includes a 5x5 image grid matrix totaling 125
KB. For 1 million users, the daily data requirement is approximately 125 GB, which
is approximately 3.75 TB per month. Additional storage is needed for database and
session logs, which may add a few megabytes per day. Storing a pool of 500 images (5
KB each) requires only about 2.5 MB.
The estimated cost per matrix generation is minimal, with compute costs ranging
from Rs. 0.00085 to Rs. 0.0085 per request and data transfer costs around Rs. 0.042.
Combined, each session’s total cost is approximately Rs. 0.042.
The system’s cost-benefit analysis demonstrates that using small, grayscale images
(100x100 pixels, approx. 5 KB each) reduces storage and data transfer expenses,
making the system affordable and scalable. With cloud infrastructure, it can effi-
ciently handle increased demand in large-scale deployments while remaining secure
and cost-effective.

6 Conclusion and Future Work

In this article, we introduce, implement and analyze an innovative, user-friendly, and
versatile multifactor authentication system, aimed at reducing the risks associated
with shoulder surfing and other hacking attempts. Our system employs user-selected
images and dynamically generated OTPs to offer a secure, efficient, and user-friendly
authentication process. By incorporating randomness at various stages of OTP and
matrix generation, the system achieves a high level of unpredictability, effectively
reducing risks associated with brute force, guessing, shoulder surfing, and dictionary
attacks.
The system adeptly balances strong security measures with user convenience. Uti-
lizing familiar visual cues, the authentication process is simplified, reducing cognitive
load and making it easier for users to authenticate quickly and intuitively. This
approach is especially beneficial for those who find it challenging to remember complex
alphanumeric passwords, as images are inherently more memorable and less taxing.
Moreover, the system’s flexibility in accommodating different memory strengths by
allowing users to select 2 or 3 images enhances its accessibility. This adaptability
ensures that a broad range of users, including those with varying cognitive abilities,
can use the system effectively. The faster login experience compared to traditional
methods not only boosts user satisfaction but also encourages widespread adoption.
Overall, our graphical-based MFA system provides a promising solution to the chal-
lenges of secure authentication. By improving both security and usability, it meets
the demands of applications requiring robust protection, such as online banking. The
proposed system exhibits significant qualitative improvements over existing meth-
ods, including enhanced usability, reduced cognitive effort, and strengthened security
features. Initial assessments indicate it is on par with current approaches.
The proposed image-based multifactor authentication (MFA) system has potential,
but there are some areas that need further development. Machine learning algorithms
could be explored to dynamically adjust the difficulty and randomness of the image

16
matrix based on user behaviour and threat levels, improving the system’s adaptive
security. Additionally, assessing the system’s performance and scalability in large-
scale deployments is essential. Usability studies with diverse user groups, including
individuals with disabilities, will help refine the interface and ensure the system meets
everyone’s needs. In particular, developing visual aids and cues, like auditory feedback
and high-contrast image options, will be crucial to making the authentication process
accessible to all users. Presently, we are working on optimizing the scheme in these
areas to create a more robust and inclusive image-based solution.

References
[1] Whitworth, D.: Mobile fraud: Thieves ’shoulder surfing’ victims to steal phones.
https://www.bbc.com/news/business-65456325. Accessed: 2024-03-30 from the
BBC website (2023)

[2] Six arrested in Rs 4 crore insurance policies scam.

https://www.deccanchronicle.com/amp/nation/crime/080523/
six-arrested-in-rs-4-crore-insurance-policies-scam.html. Accessed: 2024-03-30
from the Deccan Chronicle website (2023)

[3] Kantipudi, R., Kumar Mallavarapu, A.S., Rajagopal, S.M., Kagolanu, M.: A
comprehensive analysis on using multifactor authentication system for three
level security. In: 2024 2nd International Conference on Intelligent Data Com-
munication Technologies and Internet of Things (IDCIoT), pp. 498–503 (2024).
https://doi.org/10.1109/IDCIoT59759.2024.10467901

[4] Sivashanmugam, S.H., Chidambaram, K., Niketh, G.K., Harini, N.: Enhancing
security of one time passwords in online banking systems. International Journal
of Recent Technology and Engineering 7, 319–324 (2019)

[5] Miss, P., Sinha, A., Shrivastava, G., Kumar, P.: A pattern-based multi-factor
authentication system. Scalable Computing 20, 101–112 (2019) https://doi.org/
10.12694/scpe.v20i1.1460

[6] Alsaiari, H., Papadaki, M., Haskell-Dowland, P., Furnell, S.: Alternative graphical
authentication for online banking environments. In: Proceedings of the Eighth
International Symposium on Human Aspects of Information Security & Assurance
(HAISA 2014) (2014)

[7] Al-Farraji, S., Saadeh, H.: One time password generation based on random permu-
tation using user identity with timestamp. International Journal of Engineering
and Advanced Technology 9, 2279–2283 (2020) https://doi.org/10.35940/ijeat.
D7019.049420

[8] Sudar, C., Arjun, S., Deepthi, L.R.: Time-based one-time password for wi-fi

17
 authentication and security. 2017 International Conference on Advances in Com-
puting, Communications and Informatics (ICACCI), 1212–1216 (2017) https:
//doi.org/10.1109/ICACCI.2017.8126007

[9] Carrillo-Torres, D., Pérez-Dı́az, J.A., Cantoral-Ceballos, J.A.e.a.: A novel multi-

factor authentication algorithm based on image recognition and user established
relations. Appl. Sci. 13 (2023) https://doi.org/10.3390/app13031374

[10] Hire, M.D., Bhatt, M., Anand, M., Harde, C.: Literature survey of two-way
authentication system. International Journal of Scientific Research & Engineering
Trends 7, 951–953 (2021)

[11] Yang, G.-C.: Passpositions: A secure and user-friendly graphical password scheme.
In: 2017 4th International Conference on Computer Applications and Informa-
tion Processing Technology (CAIPT), pp. 1–5 (2017). https://doi.org/10.1109/
CAIPT.2017.8320723

[12] Williamson, J., Curran, K.: The role of multi-factor authentication for modern
day security. Semiconductor Science and Information Devices 3(1), 16–23 (2021)
https://doi.org/10.30564/ssid.v3i1.3152

[13] Srinivas, K., Janaki, V.: A novel approach for generation of otp’s using image’s.
Procedia Computer Science 85, 511–518 (2016) https://doi.org/10.1016/j.procs.
2016.05.206 . International Conference on Computational Modelling and Security
(CMS 2016)

[14] Rajendran, A.R., Raj, J.G., Kumar, K.S., Mukeshvar, A., Radhika, G.: User
impersonation detection and authentication using image based otp. In: 2023
Innovations in Power and Advanced Computing Technologies (i-PACT), pp. 1–8
(2023). https://doi.org/10.1109/i-PACT58649.2023.10434333

[15] Vasudev, R., Harini, N., Neethu, M.R.: Multi-factor authentication system with
id card credentials for secure transactions. In: 2023 14th International Conference
on Computing Communication and Networking Technologies (ICCCNT), pp. 1–8
(2023). https://doi.org/10.1109/ICCCNT56998.2023.10308252

[16] Malikovich, K.M., Turakulovich, K.Z., Tileubayevna, A.J.: A method of efficient

otp generation using pseudorandom number generators. In: 2019 International
Conference on Information Science and Communications Technologies (ICISCT),
pp. 1–4 (2019). https://doi.org/10.1109/ICISCT47635.2019.9011825

18