Wanjun Xiong,Fan Zhou,Ruomei Wang,Rushi Lan,Xiyan Sun,Xiaonan Luo

DOI: https://doi.org/10.1109/access.2018.2869535

IF: 3.9

2018-01-01

IEEE Access

Abstract:With regard to the privacy of client-server communication systems, most research works have concentrated on authentication to guarantee security. Among the investigated schemes, two-factor password authentication has been a major focus and has undergone considerable development. Two-factor password authentication is a process in which both a password and a physical object are used for authentication to achieve a higher level of security. However, these methods are still subject to some security vulnerabilities, such as malicious card reader attacks, man-in-the-middle attacks, and a lack of perfect forward secrecy. Moreover, although there are many evaluation criteria, there still lacks a set of universal criteria. To address these issues, a two-factor password authentication scheme is proposed in the context of practical application environment in this paper, such as side-channel attacks. Moreover, a card reader verification step is added to the authentication scheme to counteract malicious card reader attacks. In addition, the proposed scheme can resist various known attacks, including replay attacks, lost or stolen smart card attacks, and man-inthe-middle attacks. We present a detailed security analysis and comparative evaluation, and we prove the security of our scheme with Burrows-Abadi-Needham (BAN) logic. Compared with previous schemes, the main advantages of the proposed scheme are its low computational cost, guaranteed security, and better adaptability to actual client-server communication environments.

张亮,刘建伟

DOI: https://doi.org/10.3969/j.issn.1002-0802.2009.01.091

2009-01-01

Abstract:With the improvement of wireless network, there are increasing users wirelessly accessing the Internet through mobile phones. So it is very important to solve the identity authentication problems of wireless access users. Dynamic password has become the new development trend for the Identity Authentication mechanism. It offers stronger security than the static password. In this article, a dynamic password authentication protocol based on callenge/rsponse mechanism is designed. According to this protocol, a dynamic password identity authentication system based on mobile phone token is designed. The composition and authentication processes of this system are described in detail, and its security is analyzed as wel1. The analysis indicates that this system features high security and wide application. It can be conveniently used and implemented in low cost.

Donghong Sun,Wu Liu,Ping Ren,Dongbin Sun

DOI: https://doi.org/10.1109/ctc.2012.10

2012-01-01

Abstract:The proliferations of the mobile intelligent terminal have brought them to the spotlight of the attackers for the sensitive information they carried. However, the current security schemes on the mobile intelligent terminal are fragile. This paper proposed a new transparent authentication and encryption measure to protect the confidentiality and integrity of the data on the mobile intelligent terminal. Our method is user-friendly as no interaction is needed during the process. Also, the result can be applied as evidence to identify who have used the phone.

Mengjun Xie,Yanyan Li,Kenji Yoshigoe,Remzi Seker,Jiang Bian

DOI: https://doi.org/10.1109/hase.2015.41

2015-01-01

Abstract:Frequent outbreak of password database leaks and server breaches in recent years manifests the aggravated security problems of web authentication using only password. Two-factor authentication, despite being more secure and strongly promoted, has not been widely applied to web authentication. Leveraging the unprecedented popularity of both personal mobile devices (e.g., Smartphones) and barcode scans through camera, we explore a new horizon in the design space of two-factor authentication. In this paper, we present CamAuth, a web authentication scheme that exploits pervasive mobile devices and digital cameras to counter various password attacks including man-in-the-middle and phishing attacks. In CamAuth, a mobile device is used as the second authentication factor to vouch for the identity of a use who is performing a web login from a PC. The device communicates directly with the PC through the secure visible light communication channels, which incurs no cellular cost and is immune to radio frequency attacks. CamAuth employs public-key cryptography to ensure the security of authentication process. We implemented a prototype system of CamAuth that consists of an Android application, a Chrome browser extension, and a Java-based web server. Our evaluation results indicate that CamAuth is a viable scheme for enhancing the security of web authentication.

Hossen Asiful Mustafa,Hasan Muhammad Kafi

DOI: https://doi.org/10.48550/arXiv.1711.01198

2017-11-03

Abstract:Password security can no longer provide enough security in the area of remote user authentication. Considering this security drawback, researchers are trying to find solution with multifactor remote user authentication system. Recently, three factor remote user authentication using biometric and smart card has drawn a considerable attention of the researchers. However, most of the current proposed schemes have security flaws. They are vulnerable to attacks like user impersonation attack, server masquerading attack, password guessing attack, insider attack, denial of service attack, forgery attack, etc. Also, most of them are unable to provide mutual authentication, session key agreement and password, or smart card recovery system. Considering these drawbacks, we propose a secure three factor user authentication scheme using biometric and smart card. Through security analysis, we show that our proposed scheme can overcome drawbacks of existing systems and ensure high security in remote user authentication.

Cryptography and Security

Zhi Guan,Hu Xiong,Suke Li,Zhong Chen

DOI: https://doi.org/10.1109/ISPA.2011.63

2011-01-01

Abstract:People's increasingly relying on web applications to manage their digital assets makes web authentication a critical security issue. As most websites today still authenticate a user with only username and password, the authentication credentials can be easily compromised in a vulnerable browsing environment without the owner's notice. Considering the browsing in mobile devices is more secure than personal computers, in this paper we explore the One-Time Password web application running inside mobile browsers as a second authentication factor for high value websites in hostile browsing environments. We discuss the security and efficiency of this authentication method from both theory and practice. An implementation with performance evaluation is also provided to prove our concept.

ZHANG Xiaolin,GU Dawu,ZHANG Chi

DOI: https://doi.org/10.11959/j.issn.2096-109x.2020081

2020-01-01

Abstract:Recent studies have shown that attacks against USIM card are increasing, and an attacker can use the cloned USIM card to bypass the identity verification process in some applications and thereby get the unauthorized access. Considering the USIM card being cloned easily even under 5G network, the identity verification process of the popular mobile applications over mobile platform was analyzed. The application behaviors were profiled while users were logging in, resetting password, and performing sensitive operations, thereby the tree model of application authentication was summarized. On this basis, 58 popular applications in 7 categories were tested including social communication, healthcare, etc. It found that 29 of them only need SMS verification codes to get authenticated and obtain permissions. To address this issue, two-step authentication was suggested and USIM anti-counterfeiting was applied to assist the authentication process.

Deyu ZHANG,Lian XU

2013-01-01

Abstract:Authentication as a first line of defense to protect network security,has been widely used in a variety of systems. On the basis of analysis of the shortcomings of traditional dynamic password authentication method,an improved Two-way dynamic password authentication method is proposed to implement mutual trust by increasing a Two-way authentication function,so it can prevent the personating attack. In addition,it adopts small computational calculation methods,which is easy to be accomplished,and it can be applied to the distributed network environment.

Xin Su,Bingying Wang,Xuewu Zhang,Yupeng Wang,Dongmin Choi

DOI: https://doi.org/10.1002/cpe.4150

2018-01-01

Abstract:Secure mechanisms have been adapted to satisfy the needs of mobile subscribers; however, the mobile environment is quite different from a desktop PC or laptop-based environment. The existing attack patterns in mobile environments are also quite different, and the countermeasures applied should be enhanced. In regards to usability, the mobile environment is based on mobility, and thus, mobile devices are designed and developed to enhance the owner's efficiency. To avoid forgetting passwords, people are willing to adopt simple alphanumeric-character combinations, which are easy to remember and convenient to enter. As a result, the passwords have a high probability of being cracked or exposed. In this paper, we study the potential security problems caused by simple and weak passwords, discuss drawbacks of some conventional works, and propose 3 creative schemes to increase the complexity and strength of passwords by applying the envisioned features. Note that our proposals are based on the assumption that the textual passwords are not difficult for users to remember or enter and do not cause inconvenience to users. In other words, the proposed methods can increase the complexity of simple passwords without the awareness of users.

Kai Chen,Weifeng Chen,Zhen Xu,Dongdai Lin,Yazhe Wang

DOI: https://doi.org/10.12720/jcm.10.6.366-379

2015-01-01

Journal of Communications

Abstract:Multi-factor authentication (MFA) has been widely used in various scenarios. By combining multiple forms of authentication, MFA effectively provides security assurance. Due to the rapid developments of mobile devices, especially smart phones, more and more sensitive information is now stored or accessible on smart phones. How to protect smart phones' security is now more important than ever. Unfortunately, because of the special features of smart phones such as computational limitations and input constraints, existing MFA schemes could not be directly used on smart phones. In this paper, we propose a new concept of Variable-Factor Authentication (VFA) for smart phones. VFA dynamically adjusts the number of authentication factors based on whether a user is suspicious or not. We implement a prototype to exam the performance. The experiment results show that, compared to MFA, VFA provides significant convenience to legitimate users whereas maintain the security protection to suspicious users. Index Terms—Multi-factor authentication, variable authentication factors, local outlier probabilities

Yuan Zhang,Chunxiang Xu,Hongwei Li,Kan Yang,Nan Cheng,Xuemin Shen

DOI: https://doi.org/10.1109/tmc.2020.2975792

IF: 6.075

2021-06-01

IEEE Transactions on Mobile Computing

Abstract:Password-based single-sign-on authentication has been widely applied in mobile environments. It enables an identity server to issue authentication tokens to mobile users holding correct passwords. With an authentication token, one can request mobile services from related service providers without multiple registrations. However, if an adversary compromises the identity server, he can retrieve users' passwords by performing dictionary guessing attacks (DGA) and can overissue authentication tokens to break the security. In this paper, we propose a password-based threshold single-sign-on authentication scheme dubbed PROTECT that thwarts adversaries who can compromise identity server(s), where multiple identity servers are introduced to authenticate mobile users and issue authentication tokens in a threshold way. PROTECT supports key renewal that periodically updates the secret on each identity server to resist perpetual leakage of the secret. Furthermore, PROTECT is secure against off-line DGA: a credential used to authenticate a user is computed from the password and a server-side key. PROTECT is also resistant to online DGA and password testing attacks in an efficient way. We conduct a comprehensive performance evaluation of PROTECT, which demonstrates the high efficiency on the user side in terms of computation and communication and proves that it can be easily deployed on mobile devices.

computer science, information systems,telecommunications

Mete Eminağaoğlu,Ece Çini,Gizem Sert,Derya Zor,Mete Eminagaoglu,Ece Cini

DOI: https://doi.org/10.1109/est.2014.19

2014-09-01

Abstract:The use of QR code-based technologies and applications has become prevalent in recent years where QR codes are accepted to be a practical and intriguing data representation/processing mechanism amongst worldwide users. The aim of this study is to design and implement an alternative two-factor identity authentication system by using QR codes and to make the relevant mechanism and process that could be more user-friendly and practical than one-time password mechanisms used with similar purposes today. The proposed model in this project has been designed in order to enable the verification and validation steps with several security and networking options during the logon process. The model has been implemented by developing a two-factor identity verification system where the second factor is the user's smart/mobile phone device and a pseudo-randomly generated alphanumerical QR code which is used as the one-time password token sent to the user via e-mail or MMS. The proposed model has been developed using C#, asp.net and jQuery languages with symmetrical and asymmetrical cryptography standards for database encryption/hashing and network infrastructure and it has been tested as a prototype where promising results are observed regarding the efficiency, speed and security requirements for today's on-line financial services and similar e-commerce systems.

Xi Li,Hanping Hu,Yì Wáng,Maocai Wang

2008-01-01

Abstract:At present the security of mobile services cannot be satisfied with the special requirements of mobile payment. Then the paper proposes a mobile terminal using the payment protocol and the security scheme to construct the mobile payment. With the character of generating keys from identity itself, furthermore, the scheme uses the efficient identity-based signature from tate pairings in smart card instead of digital certificate mechanism because the distribution and the management of digital certificate are not easy in wireless networks. The proposed signature scheme is simple, efficient so that it will be suitable for an environment of finite bandwidth of wireless networks and low-capability equipment. Security and performance analysis show that the proposed mobile terminal not only protects the data security but also reduces the time consuming and the costs.

Abdulrahman Alhothaily,Arwa Alrawais,Chunqiang Hu,Wei Li

DOI: https://doi.org/10.1016/j.procs.2018.03.019

2017-01-01

Abstract:Due to the complexity and volume, memorizing static usernames and passwords is deemed to be one of the most cumbersome tasks for ordinary users. Nevertheless, verifying the access legitimacy of a user without using a verification table and securely granting permissions based on an access control policy assigned to the user are two critical challenges to build an authentication scheme which is practical and effective. Traditional approaches either completely ignore the importance of user-centric access control or rely on a single point of verification or a third party authority; but in practice, access control and distributed verifiers are important for enhancing security and dealing with the dynamics caused by the user online browsing activities. In this paper, we propose a threshold-based authentication system leveraging user computing devices and allowing users to designate various permissions. Various (t,n) physical or virtual devices can participate to run an authentication protocol and provide the user with a one-time credential to access an online banking system. Our evaluation and results show that the solution is not only practical, but it also minimizes the risks associated with traditional approaches.

Xuqiu Chen,Wei Wang,Wei Gan,Yi Yang,Su Yuan,Meng Li

DOI: https://doi.org/10.1007/978-3-030-97774-0_10

2022-01-01

Abstract:With the rapid development of the power mobile Internet, traditional identity authentication and authentication modes still have identity information theft, are unable to prevent illegal behaviors of internal users, etc., which can no longer meet the security requirements of identity authentication in mobile Internet services. In response to this problem, this paper proposes a mobile terminal identity authentication method on the Identity-Based Cryptography (IBC). During registration, the user's voice is collected through the mobile terminal to establish an identity vector (i-vector) voiceprint model, and features are extracted and added to the identity mark to generate a user ID and a corresponding identity password system; during authentication, the legitimacy of the user is judged based on voice recognition to prevent illegal user intrusion, And then based on the identity password combined with the symmetric encryption algorithm AES to encrypt and decrypt data to achieve terminal identity authentication to resist common attacks in the mobile Internet. Finally, the experimental analysis shows that the method effectively improves the security of the power mobile Internet identity authentication process and has the advantages of low cost and high efficiency. In the power mobile Internet business scenario, this method greatly improves the identification ability of illegal users and the resistance to network malicious attacks.

Khaja Mizbahuddin Quadry,A Govardhan,Mohammed Misbahuddin,

DOI: https://doi.org/10.5815/ijcnis.2021.03.04

2021-06-08

International Journal of Computer Network and Information Security

Abstract:With the increase in the number of e-services, there is a sharp increase in online financial transactions these days. These services require a strong authentication scheme to validate the users of these services and allow access to the resources for strong security. Since two-factor authentication ensures the required security strength, various organizations employ biometric-based or Smart Card or Cryptographic Token-based methods to ensure the safety of user accounts. But most of these methods require a verifier table for validating users at a server. This poses a security threat of stolen-verifier attack. To address this issue, there is a strong need for authentication schemes for e-services that do not require a verifier table at the server. Therefore, this paper proposes the design of an authentication scheme for eservices which should be resistant to various attacks including a stolen verifier attack. The paper will also discuss: 1) The proposed scheme analyzed for security provided against the known authentication attacks 2) The concept mplementation of the proposed scheme.

Xinman Zhang,Jiayu Zhang,Tingting He,Yiyu Chen,Yuanjun Shen,Xuebin Xu

DOI: https://doi.org/10.1145/3301551.3301600

2018-01-01

Abstract:In the modern era of rapid development of information technology and mobile Internet, mobile terminals represented by Android smart phones are applied to various fields of life, and the number of users is far more than that of traditional PC terminals. Mobile financial applications marked by mobile banking and mobile payment have higher access control requirements, while traditional text passwords, dynamic passwords and verification codes have hidden dangers of being stolen and copied. How to apply biometrics to mobile identity authentication with high security requirements has become a hot issue for scholars all over the world. Lip reading and speech biometrics are studied in this paper, and a multi-biometric fusion authentication system based on both on Android smart phone platform is developed.

Ziyi Zhou,Xing Han,Zeyuan Chen,Yuhong Nan,Juanru Li,Dawu Gu

DOI: https://doi.org/10.1109/dsn53405.2022.00059

2022-01-01

Abstract:A recently emerged cellular network based One-Tap Authentication (OTAuth) scheme allows app users to quickly sign up or log in to their accounts conveniently: Mobile Network Operator (MNO) provided tokens instead of user passwords are used as identity credentials. After conducting a first in-depth security analysis, however, we have revealed several fundamental design flaws among popular OTAuth services, which allow an adversary to easily (1) perform unauthorized login and register new accounts as the victim, (2) illegally obtain identities of victims, and (3) interfere OTAuth services of legitimate apps. To further evaluate the impact of our identified issues, we propose a pipeline that integrates both static and dynamic analysis. We examined 1,025/894 Android/iOS apps, each app holding more than 100 million installations. We confirmed 396/398 Android/iOS apps are affected. Our research systematically reveals the threats against OTAuth services. Finally, we provide suggestions on how to mitigate these threats accordingly.

Yongjun Shen

2012-01-01

Abstract:Because of the limitation of the resource and computing capability for wireless sensor networks a simple and efficient authentication protocol need to be taken into account.It was found that M.L.Das and Khan's protocols have a few security flaws.Therefore,This paper presents a double factor authentication protocol applying to wireless sensor networks and makes the security analysis and performance testing.The results show that the protocol has high security,which can cope with the multiple attacks.

Qi Xie,Na Dong,Duncan S. Wong,Bin Hu

DOI: https://doi.org/10.1002/dac.2858

2014-01-01

International Journal of Communication Systems

Abstract:SummaryTwo‐factor user authentication scheme allows a user to use a smart card and a password to achieve mutual authentication and establish a session key between a server and a user. In 2012, Chen et al. showed that the scheme of Sood et al. does not achieve mutual authentication and is vulnerable to off‐line password guessing and smart card stolen attacks. They also found that another scheme proposed by Song is vulnerable to similar off‐line password guessing and smart card stolen attacks. They further proposed an improved scheme. In this paper, we first show that the improved scheme of Chen et al. still suffers from off‐line password guessing and smart card stolen attacks, does not support perfect forward secrecy, and lacks the fairness of session key establishment. We then propose a new security‐enhanced scheme and show its security and authentication using the formal verification tool ProVerif, which is based on applied pi calculus. Copyright © 2014 John Wiley & Sons, Ltd.