Skip to content

ShadyNights/Graphical-Password-Authentication

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

41 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

πŸ” Next-Gen Graphical Password Authentication (GPA)

A production-grade, adversarial-resistant graphical authentication system delivering high-entropy, zero-knowledge, phishing-resistant security.

Built with
FastAPI β€’ React β€’ TypeScript β€’ PostgreSQL β€’ Redis β€’ Argon2id β€’ Docker

License: MIT Python Version React Version Status Security Level Build Status

Live Demo β€’ Installation β€’ Architecture β€’ Documentation

Stars Badge Forks Badge Issues Badge


πŸ“– Table of Contents


πŸ”Ž Project Overview

Graphical Password Authentication (GPA) is an advanced authentication protocol that replaces traditional text-based passwords with a hybrid graphical system. By combining image recognition (selecting 3 decoyed images) and cued spatial recall (clicking 6 specific points on a canvas), it delivers approximately 82 bits of entropyβ€”equivalent to a 14-character randomized alphanumeric password.

Designed for high-security environments such as FinTech, Defense, and Enterprise SaaS, GPA operates on a zero-trust backend architecture. It incorporates memory-hard hashing (Argon2id), continuous behavioral biometrics (Isolation Forest ML), and tamper-evident audit logging.

⭐ Repository Highlights

  • Production-oriented authentication architecture
  • Hybrid graphical password protocol
  • Behavioral biometrics
  • Machine learning–assisted anomaly detection
  • Modern React + FastAPI stack
  • Docker & Kubernetes ready
  • Security-first backend design

🎯 Why This Project Exists

Traditional passwords are fundamentally broken. They are susceptible to:

  • Credential Stuffing & Dictionary Attacks: Easily automated by botnets.
  • Password Reuse: A breach in one service compromises many.
  • Phishing Exploitation: Users can be tricked into typing credentials into fake portals.

GPA mitigates these vectors by eliminating text passwords entirely. A graphical challenge-response protocol ensures that even if an attacker intercepts a single authentication payload, the underlying secret remains mathematically intractable to derive due to one-time nonces and salted Argon2id hashing.

✨ Key Features

Authentication & Cryptography

  • Hybrid Graphical Protocol: 3 image selections + 6 precise click points.
  • Irreversible Storage: Argon2id hashing combined with SHA3-256 pre-hashing and pepper.
  • Encrypted Data at Rest: AES-256-GCM encryption for recognition image data.
  • Replay Resistance: One-time use cryptographic challenge nonces.

Security & Abuse Prevention

  • Anti-Timing Oracles: Constant-time response padding (TimingGuardMiddleware).
  • Anti-Enumeration: Fake hash computation for non-existent users.
  • Behavioral Biometrics: Passive collection of mouse dynamics, click timing, and "honey pixel" traps.
  • Machine Learning Bot Detection: Scikit-learn Isolation Forest and Welford's drift detection.
  • Rate Limiting & Lockout: In-memory sliding window rate limiting and account lockout after 5 failed attempts.

Modern User Interface

  • Cyber-Industrial Aesthetic: Glassmorphism UI, smooth micro-animations, and interactive grid/canvas components.
  • Accessible Design: WCAG 2.1 AA compliance, fully keyboard navigable, touch-optimized targets.

πŸ“Š Project Status

This project is currently feature-complete and ready for production use. The core authentication workflow, cryptographic pipeline, and behavioral biometrics are fully implemented and tested.

Note: The TOTP (Time-Based One-Time Password) fallback module is currently a planned enhancement and exists as a stub in the codebase.

πŸš€ Live Demo

Application: https://graphical-password-authentication-seven.vercel.app/

Experience the complete graphical authentication workflow directly in your browser.

πŸ›  Technology Stack

Backend

  • Framework: Python 3.11+, FastAPI (Async)
  • Database: PostgreSQL (production), SQLite (development), via SQLAlchemy (Async)
  • Caching/State: Redis
  • Cryptography: Argon2-cffi, PyJWT, Cryptography (AES-GCM), hashlib (SHA3)
  • Machine Learning: Scikit-learn (Isolation Forest), NumPy

Frontend

  • Framework: React 18, TypeScript, Vite
  • Styling: Vanilla CSS (CSS Variables, Glassmorphism, Responsive Grid)
  • Fonts: Google Fonts (Inter, JetBrains Mono)

Infrastructure & Deployment

  • Containerization: Docker, Kubernetes (StatefulSet, HPA, Probes)
  • CI/CD: GitHub Actions (Bandit, Safety, Trivy container scans)

πŸ— Architecture Overview

GPA employs a two-tier client-server monolith with strict layer separation:

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ FRONTEND (React 18 SPA via Vite)                β”‚
β”‚  Components β†’ Services β†’ fetch() API calls      β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                      β”‚ HTTPS / JSON
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ BACKEND (FastAPI Monolith)                      β”‚
β”‚  β”œβ”€β”€ Middleware (CORS, RequestID, Security, Time)β”‚
β”‚  β”œβ”€β”€ Routes (Init, Register, Login, Refresh)    β”‚
β”‚  β”œβ”€β”€ Security (Crypto, JWT, Challenge, Audit)   β”‚
β”‚  β”œβ”€β”€ Biometrics (Rule Engine, ML Risk Engine)   β”‚
β”‚  └── Data Access (SQLAlchemy Repositories)      β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                      β”‚         β”‚
              β”Œβ”€β”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”  β”Œβ”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”
              β”‚PostgreSQLβ”‚  β”‚  Redis   β”‚
              β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

πŸ”„ Authentication Workflow

  1. Challenge Request (POST /api/auth/challenge): Client requests a login challenge. Backend generates a 32-byte secure nonce, samples a random pool of 12 images, stores it in Redis (300s TTL), and returns the challenge.
  2. Recognition & Recall: User selects 3 images from the grid, then clicks 6 points on the canvas. Client gathers these inputs alongside passive biometric data (mouse velocity, click intervals).
  3. Verification Request (POST /api/auth/login): Client sends the encrypted payload, challenge ID, and biometric telemetry.
  4. Backend Processing:
    • Validates challenge nonce.
    • Evaluates biometric data against rules and the ML Isolation Forest model.
    • Normalizes and quantizes click coordinates into a 4x4 grid string.
    • Computes Argon2id hash and verifies against the stored database hash.
    • Issues JWT and records a tamper-evident audit log.

πŸ›‘οΈ Security Architecture

Vector Implemented Protection
Credential Stuffing Text passwords eliminated entirely.
Brute Force / GPUs Argon2id memory-hard hashing (m=65536, t=2, p=2).
Replay Attacks 300-second TTL single-use challenge nonces via Redis.
Timing Attacks TimingGuardMiddleware enforces β‰₯180ms constant-time responses.
User Enumeration Identical fake-hash computation delays for unknown usernames.
Automated Bots Behavioral analysis, ML drift scoring, and UI "honey pixels".
Session Hijacking Short-lived JWTs (15 min) with device fingerprint binding.

πŸ” Cryptographic Pipeline

The system converts visual, spatial interactions into irreversible cryptographic material:

  1. Quantization: Normalized [0,1] click coordinates are mapped to a 4x4 grid (tolerance 0.30).
  2. Canonicalization: Selected image IDs are sorted and joined; grid indices are joined.
  3. Pre-hashing: The combined string + user salt is hashed with SHA3-256 to create a 32-byte prehash.
  4. Final Hashing: The prehash + server pepper is hashed via Argon2id.

πŸ“ Project Structure

β”œβ”€β”€ .github/              # GitHub Actions workflows
β”œβ”€β”€ docs/assets/          # Architecture diagrams and screenshots
β”œβ”€β”€ README.md             # Project documentation
β”œβ”€β”€ LICENSE               # MIT License
β”œβ”€β”€ backend/
β”‚   β”œβ”€β”€ app/
β”‚   β”‚   β”œβ”€β”€ biometric/    # Bot detection, ML rules, drift profiling
β”‚   β”‚   β”œβ”€β”€ core/         # Logging, telemetry (planned)
β”‚   β”‚   β”œβ”€β”€ db/           # SQLAlchemy models, sessions, repositories
β”‚   β”‚   β”œβ”€β”€ middleware/   # Security headers, timing guards, request IDs
β”‚   β”‚   β”œβ”€β”€ routes/       # FastAPI endpoint handlers
β”‚   β”‚   β”œβ”€β”€ schemas/      # Pydantic validation models
β”‚   β”‚   └── security/     # Hashing, AES encryption, JWT, challenges
β”‚   β”œβ”€β”€ benchmark/        # Crypto performance tests
β”‚   β”œβ”€β”€ infrastructure/   # Dockerfiles, K8s manifests, GitHub Actions
β”‚   β”œβ”€β”€ ml/               # Training pipelines and metrics
β”‚   └── tests/            # Penetration and red-team integration tests
β”œβ”€β”€ frontend/
β”‚   β”œβ”€β”€ public/           # Static assets, backgrounds
β”‚   └── src/
β”‚       β”œβ”€β”€ components/   # React UI (AuthFlow, ImageGrid, ClickCanvas)
β”‚       β”œβ”€β”€ services/     # API client, biometrics tracking, fingerprinting
β”‚       └── main.tsx      # Application entrypoint
└── docs/                 # Architectural deep-dives and specifications

βš™οΈ Installation Guide

Prerequisites

  • Python 3.11+
  • Node.js 18+
  • Redis 7+ (Optional for local dev, falls back to memory)
git clone https://github.com/ShadyNights/Graphical-Password-Authentication.git
cd Graphical-Password-Authentication

πŸ” Environment Variables

Create .env files in both backend/ and frontend/.

backend/.env

DATABASE_URL=sqlite+aiosqlite:///./gpa_dev.db
REDIS_URL=redis://localhost:6379/0
GPA_SECRET_KEY=dev-secret-key-change-in-production
GPA_PEPPER=dev-pepper-value-change-in-production
GPA_MASTER_KEY=dev-master-key-change-in-production
GPA_ENV=development
FRONTEND_URL=http://localhost:5173

frontend/.env

VITE_API_URL=http://localhost:8000

πŸš€ Running Locally

Backend:

cd backend
python -m venv venv
source venv/bin/activate  # Windows: venv\Scripts\activate
pip install -r requirements.txt
uvicorn app.main:app --reload --port 8000

Frontend:

cd frontend
npm install
npm run dev

Access the application at http://localhost:5173.

🐳 Docker & Deployment

Docker (Production Image)

cd backend
docker build -t gpa-backend -f infrastructure/docker/Dockerfile .
docker run -p 8000:8000 --env-file .env gpa-backend

Kubernetes

Manifests are available in backend/infrastructure/k8s/:

kubectl apply -f backend/infrastructure/k8s/

(Includes Deployment, StatefulSet for PostgreSQL, HPA, and Service configurations).

πŸ”Œ API Endpoints

Method Endpoint Auth Description
POST /api/auth/challenge No Request a one-time challenge nonce & image pool.
POST /api/auth/register No Register a new user with graphical credentials.
POST /api/auth/login No Authenticate and retrieve JWT session tokens.
POST /api/auth/refresh Yes Refresh an active JWT session.
GET /api/auth/images No Retrieve the available recognition image catalog.
GET /health No Application health and readiness probe.
POST /api/auth/totp/verify Yes (Planned/Stub) TOTP 2FA verification.

πŸ—„οΈ Database Overview

The system uses PostgreSQL in production and SQLite in development.

  • users: Stores Argon2id hash (gpa_hash), 16-byte salt, AES-GCM encrypted recognition_blob, and lockout state.
  • sessions: Tracks active refresh tokens and device fingerprints.
  • audit_logs: A tamper-evident log appending SHA-256 hashes of critical security events (logins, lockouts, biometric anomalies).

πŸ›‘οΈ Security Highlights

  • Dependency Scanning: CI pipeline integrates safety and bandit SAST scanners.
  • Container Security: Trivy scanning enforced in GitHub Actions.
  • Zero Plaintext Storage: Neither click coordinates nor image selections are ever stored in plaintext.
  • Security Headers: Strict HSTS, CSP (default-src 'self'), X-Frame-Options, and Permissions-Policy middleware applied to all responses.

⏱️ Performance Highlights

Designed for low-latency authentication with memory-hard Argon2id hashing and constant-time response protection.

πŸ—ΊοΈ Roadmap

  • Data Layer: Implement Alembic database migrations.
  • Scalability: Migrate in-memory state (rate limits, challenges) fully to Redis for multi-replica K8s scaling.
  • Machine Learning: Persist raw biometric metrics to database to enable Isolation Forest retraining pipeline.
  • Security: Complete implementation of SHA3-256 audit log chaining.
  • Features: Implement pending TOTP fallback module.

🀝 Contributing

While this is an independently developed and solo-maintained project, community contributions, bug reports, and feature requests are highly welcome!

If you'd like to contribute:

  1. Fork the repository.
  2. Create a feature branch (git checkout -b feature/amazing-feature).
  3. Commit your changes with clear, descriptive messages.
  4. Push to the branch (git push origin feature/amazing-feature).
  5. Open a Pull Request.

Note: Security-sensitive changes or vulnerability reports should be communicated responsibly. PRs modifying the cryptographic pipeline require threat-impact notes.

πŸ“„ License

This project is licensed under the MIT License - see the LICENSE file for details.

πŸ‘¨β€πŸ’» Author

Kashif Ansari

Cybersecurity Engineer β€’ AI Developer β€’ Backend Engineer

This project was independently conceived, designed, architected, and developed solely by Kashif Ansari.

πŸ™Œ Acknowledgements

Special thanks to the open-source security community for pioneering work on behavioral biometrics, memory-hard key derivation functions, and zero-knowledge architectures.

πŸ“š Detailed Documentation

For deep technical dives, refer to the /docs directory and related documentation: