Legacy Authentication Methods Preventing Key logging Attacks

M.Vamsi Krishna, K. Nagababu

Abstract


The objective is not to protect the authentication process against a shoulder-surfing attacker who is able to see or compromise both devices at the same time over the shoulder, but rather to make it hard for the opponent to launch the attack. We show how visualization can improve not only security but also usability by proposing two visual authentication protocols: one for password-based authentication, and the other for one-time passwords. Through thorough analysis, we show that our protocols are impervious to many of the challenging attacks applicable to other protocols in the literature. Additionally, using an extensive case study on a prototype of our protocols, we underline the potential of our protocols for real-world use, addressing users' shortcomings and limitations.




Copyright © 2013, All rights reserved. | ijseat.com

International Journal of Science Engineering and Advance Technology is licensed under a Creative Commons Attribution 3.0 Unported License. Based on a work at IJSEat. Permissions beyond the scope of this license may be available at http://creativecommons.org/licenses/by/3.0/deed.en_GB.