Weixi Gu,Zheng Yang,Longfei Shangguan,Xiaoyu Ji,Yiyang Zhao

DOI: https://doi.org/10.1109/trustcom.2014.34

2014-01-01

Abstract:Near field authentication is of great importance for a range of applications, and has attracted many research efforts in the past decades. Several approaches have been developed and demonstrated their feasibility. The state-of-art works, however, still have much room to improve their automation and usability. First, user assistance is required in most existing approaches, which will be easily observed and imitated by attackers. Second, the authentications of several works heavily depend on special hardware, e.g., Server or high resolution screen, which greatly restricts their application scenarios. In this paper, we present a near field authentication system Tooth that needs little human assistance and is compatible with most smart phones. ToAuth is based on the key insight that the acceleration traces are similar for a pair of smart phones when they are contacting physically and vibrating. The random vibration patterns are sufficiently uncertain to provide high entropy to generate a pair of cryptographic keys yet are inimitable for a third party who does not get in touch with the vibration source. ToAuth leverages the keys to make authentication for smart phones. We implement ToAuth on Android platform and evaluate its performance under various scenarios. Extensive experiments demonstrate ToAuth could achieve around 90% success rate in stable environment, and prevent attacks depended on vibration noise.

Sajaad Ahmed Lone,Ajaz Hussain Mir

DOI: https://doi.org/10.1108/ijpcc-04-2021-0097

2021-08-19

International Journal of Pervasive Computing and Communications

Abstract:Purpose Because of the continued use of mobile, cloud and the internet of things, the possibility of data breaches is on the increase. A secure authentication and authorization strategy is a must for many of today’s applications. Authentication schemes based on knowledge and tokens, although widely used, lead to most security breaches. While providing various advantages, biometrics are also subject to security threats. Using multiple factors together for authentication provides more certainty about a user’s identity; thus, leading to a more reliable, effective and more difficult for an adversary to intrude. This study aims to propose a novel, secure and highly stable multi-factor one-time password (OTP) authentication solution for mobile environments, which uses all three authentication factors for user authentication. Design/methodology/approach The proposed authentication scheme is implemented as a challenge-response authentication where three factors (username, device number and fingerprint) are used as a secret key between the client and the server. The current scheme adopts application-based authentication and guarantees data confidentiality and improved security because of the integration of biometrics with other factors and each time new challenge value by the server to client for OTP generation. Findings The proposed authentication scheme is implemented on real android-based mobile devices, tested on real users; experimental results show that the proposed authentication scheme attains improved performance. Furthermore, usability evaluation proves that proposed authentication is effective, efficient and convenient for users in mobile environments. Originality/value The proposed authentication scheme can be adapted as an effective authentication scheme to accessing critical information using android smartphones.

English Else

Safa Hamdare,Varsha Nagpurkar,Jayashri Mittal

DOI: https://doi.org/10.14445/22315381/IJETT-V11P230

2014-05-20

Abstract:Security of financial transaction in e-commerce is difficult to implement and there is a risk that users confidential data over the internet may be accessed by hackers. Unfortunately, interacting with an online service such as a banking web application often requires certain degree of technical sophistication that not all Internet users possess. For the last couple of years such naive users have been increasingly targeted by phishing attacks that are launched by miscreants who are aiming to make an easy profit by means of illegal financial transactions. In this paper, we have proposed an idea for securing e-commerce transaction from phishing attack. An approach already exists where phishing attack is prevented using one time password which is sent on users registered mobile via SMS for <a class="link-external link-http" href="http://authentication.But" rel="external noopener nofollow">this http URL</a> this method can be counter attacked by man in the <a class="link-external link-http" href="http://middle.In" rel="external noopener nofollow">this http URL</a> our paper, a new idea is proposed which is more secure compared to the existing online payment system using OTP. In this mechanism, OTP is combined with the secure key and is then passed through RSA algorithm to generate the Transaction password. A copy of this password is maintained at the server side and is being generated at the user side using a mobile <a class="link-external link-http" href="http://application.So" rel="external noopener nofollow">this http URL</a> that it is not transferred over the insecure network leading to a fraudulent transaction.

Cryptography and Security,Social and Information Networks

Yun Huang,Zheng Huang,Haoran Zhao,Xuejia Lai

DOI: https://doi.org/10.1016/j.ieri.2013.11.006

2013-01-01

IERI Procedia

Abstract:One-Time Passwords (OTP) can provide complete protection of the login-time authentication mechanism against replay attacks. In this paper, we propose TSOTP: a new effective simple OTP method that generates a unique passcode for each use. The calculation uses both time stamps and sequence numbers. A two-factor authentication prototype for mobile phones using this method has been developed and has been used in practice for a year.

Young Sil Lee,Nack Hyun Kim,Hyotaek Lim,HeungKuk Jo,Hoon Jae Lee

DOI: https://doi.org/10.1109/iccit.2010.5711134

2010-11-01

Abstract:As a high-speed internet infrastructure is being developed and people are informationized, the financial tasks are also engaged in internet field. However, the existing internet banking system was exposed to the danger of hacking. Recently, the personal information has been leaked by a high-degree method such as Phishing or Pharming beyond snatching a user&#x27;s ID and Password. Seeing that most of examples which happened in the domestic financial agencies were caused by the appropriation of ID or Password belonging to others, a safe user confirmation system gets much more essential. In this paper, we propose a new Online Banking Authentication system. This authentication system used Mobile OTP with the combination of QR-code which is a variant of the 2D barcode.

Zeyu Lei,Yuhong Nan,Yanick Fratantonio,Antonio Bianchi

DOI: https://doi.org/10.14722/ndss.2021.24212

2021-01-01

Abstract:SMS messages containing One-Time Passwords (OTPs) are a widely used mechanism for performing authentication in mobile applications. In fact, many popular apps use OTPs received via SMS as the only authentication factor, entirely replacing password-based authentication schemes. Although SMS OTP authentication mechanisms provide significant convenience to end-users, they also have significant security implications. In this paper, we study these mobile apps' authentication schemes based on SMS OTPs, and, in particular, we perform a systematic study on the threats posed by "local attacks," a scenario in which an attacker has control over an unprivileged third-party app on the victim's device. This study was carried out using a combination of reverse engineering, formal verification, user studies, and large-scale automated analysis. Our work not only revealed vulnerabilities in third-party apps, but it also uncovered several new design and implementation flaws in core APIs implemented by the mobile operating systems themselves. For instance, we found two official Android APIs to be vulnerable by design, i.e., APIs that inevitably lead to the implementation of insecure authentication schemes, even when used according to their documentation. Moreover, we found that other APIs are prone to be used unsafely by apps' developers. Our large-scale study found 36 apps, sharing hundreds of millions of installations, that misuse these APIs, allowing a malicious local attacker to completely hijack their accounts. Such vulnerable apps include Telegram and KakaoTalk, some of the most popular messaging apps worldwide. Finally, we proposed a new and safer mechanism to perform SMS-based authentication, and we prove its safety using formal verification.

Sneha Shukla,Gaurav Varshney,Shreya Singh,Swati Goel

2024-06-13

Abstract:Despite being more secure and strongly promoted, two-factor (2FA) or multi-factor (MFA) schemes either fail to protect against recent phishing threats such as real-time MITM, controls/relay MITM, malicious browser extension-based phishing attacks, and/or need the users to purchase and carry other hardware for additional account protection. Leveraging the unprecedented popularity of NFC and BLE-enabled smartphones, we explore a new horizon for designing an MFA scheme. This paper introduces an advanced authentication method for user verification that utilizes the user's real-time facial biometric identity, which serves as an inherent factor, together with BLE- NFC-enabled mobile devices, which operate as an ownership factor. We have implemented a prototype authentication system on a BLE-NFC-enabled Android device, and initial threat modeling suggests that it is safe against known phishing attacks. The scheme has been compared with other popular schemes using the Bonneau et al. assessment framework in terms of usability, deployability, and security.

Cryptography and Security

Maliheh Shirvanian,Shashank Agrawal

DOI: https://doi.org/10.1145/3485832.3485910

2021-12-06

Abstract:We propose a two-factor authentication (2FA) mechanism called 2D-2FA to address security and usability issues in existing methods. 2D-2FA has three distinguishing features: First, after a user enters a username and password on a login terminal, a unique identifier is displayed to her. She inputs the same identifier on her registered 2FA device, which ensures appropriate engagement in the authentication process. Second, a one-time PIN is computed on the device and automatically transferred to the server. Thus, the PIN can have very high entropy, making guessing attacks infeasible. Third, the identifier is also incorporated into the PIN computation, which renders concurrent attacks ineffective. Third-party services such as push-notification providers and 2FA service providers, do not need to be trusted for the security of the system. The choice of identifiers depends on the device form factor and the context. Users could choose to draw patterns, capture QR codes, etc. We provide a proof of concept implementation, and evaluate performance, accuracy, and usability of the system. We show that the system offers a lower error rate (about half) and better efficiency (2-3 times faster) compared to the commonly used PIN-2FA. Our study indicates a high level of usability with a SUS of 75, and a high perception of efficiency, security, accuracy, and adoptability.

Kai Chen,Weifeng Chen,Zhen Xu,Dongdai Lin,Yazhe Wang

DOI: https://doi.org/10.12720/jcm.10.6.366-379

2015-01-01

Journal of Communications

Abstract:Multi-factor authentication (MFA) has been widely used in various scenarios. By combining multiple forms of authentication, MFA effectively provides security assurance. Due to the rapid developments of mobile devices, especially smart phones, more and more sensitive information is now stored or accessible on smart phones. How to protect smart phones' security is now more important than ever. Unfortunately, because of the special features of smart phones such as computational limitations and input constraints, existing MFA schemes could not be directly used on smart phones. In this paper, we propose a new concept of Variable-Factor Authentication (VFA) for smart phones. VFA dynamically adjusts the number of authentication factors based on whether a user is suspicious or not. We implement a prototype to exam the performance. The experiment results show that, compared to MFA, VFA provides significant convenience to legitimate users whereas maintain the security protection to suspicious users. Index Terms—Multi-factor authentication, variable authentication factors, local outlier probabilities

Mariano Luis T. Uymatiao,William Emmanuel S. Yu

DOI: https://doi.org/10.1109/icist.2014.6920371

2014-04-01

Abstract:The main objective of this research is to build upon existing cryptographic standards and web protocols to design an alternative multi-factor authentication cryptosystem for the web. It involves seed exchange to a software-based token through a login-protected Transport Layer Security (TLS/SSL) tunnel, encrypted local storage through a password-protected keystore (BC UBER) with a strong key derivation function (PBEWithSHAANDTwofish-CBC), and offline generation of one-time passwords through the TOTP algorithm (IETF RFC 6239). Authentication occurs through the use of a shared secret (the seed) to verify the correctness of the one-time password used to authenticate. With the traditional use of username and password no longer wholly adequate for protecting online accounts, and with regulators worldwide toughening up security requirements (i.e. BSP 808, FFIEC), this research hopes to increase research effort on further development of cryptosystems involving multi-factor authentication.

Miss. Shweta Kamble,Miss. Pooja Kendre,Miss. Ayesha Siddiqua,Mr. Deshpande G. R

DOI: https://doi.org/10.48175/ijarsct-14204

2023-12-11

Abstract:This paper proposes an authentication system that combines One-Time Password (OTP) and Quick Response (QR) code technologies to enhance security and user experience. The system generates an OTP and a unique QR code for each authentication attempt, which can be scanned using a mobile device to complete the authentication process. The QR code contains encrypted information about the user's identity and the OTP, which is verified by the server. The proposed system provides a secure, convenient, and efficient method for user authentication, which is crucial in today's digital world. An e-authentication system that uses OTP and QR code technology is a secure and efficient method for authenticating users in online transactions. This system combines the benefits of OTP and QR code technology to provide a two-factor authentication mechanism that is convenient for users and effective in preventing unauthorized access. This system aims to address the vulnerabilities of traditional username and password authentication by providing an additional layer of security through two-factor authentication. the system aims to prevent unauthorized access to online services and transactions. The system aims to provide a userfriendly and convenient authentication method that can be easily integrated into existing online platforms. It protect sensitive information and ensure that only authorized users can access online services and transactions

English Else

Mete Eminağaoğlu,Ece Çini,Gizem Sert,Derya Zor,Mete Eminagaoglu,Ece Cini

DOI: https://doi.org/10.1109/est.2014.19

2014-09-01

Abstract:The use of QR code-based technologies and applications has become prevalent in recent years where QR codes are accepted to be a practical and intriguing data representation/processing mechanism amongst worldwide users. The aim of this study is to design and implement an alternative two-factor identity authentication system by using QR codes and to make the relevant mechanism and process that could be more user-friendly and practical than one-time password mechanisms used with similar purposes today. The proposed model in this project has been designed in order to enable the verification and validation steps with several security and networking options during the logon process. The model has been implemented by developing a two-factor identity verification system where the second factor is the user&#x27;s smart/mobile phone device and a pseudo-randomly generated alphanumerical QR code which is used as the one-time password token sent to the user via e-mail or MMS. The proposed model has been developed using C#, asp.net and jQuery languages with symmetrical and asymmetrical cryptography standards for database encryption/hashing and network infrastructure and it has been tested as a prototype where promising results are observed regarding the efficiency, speed and security requirements for today&#x27;s on-line financial services and similar e-commerce systems.

Hosam Alamleh,A. A. AlQahtani,J. Gourd

DOI: https://doi.org/10.1109/ACCESS.2020.2990604

IF: 3.9

IEEE Access

Abstract:Two-factor authentication (2FA) systems implement by verifying at least two factors. A factor can be one or more of something a user knows (password, or phrase), something a user possesses (smart card, or smartphone), something a user is (fingerprint, or iris), something a user does (keystroke), or somewhere a user is (location). In a conventional 2FA system, a user is required to interacts (e.g., typing a passcode) in order to implement the second layer of authentication, which is not very user-friendly. Nowadays, smart devices (phones, laptops, tablets, etc.) can receive signals from different radio frequency technologies within range. As these devices move among networks (Wi-Fi access points, cell phone towers, etc.), they receive broadcast messages, some of which can be used to collect information. This information can be utilized in a variety of ways, such as establishing a connection, sharing information, locating devices, and, most appropriately, identifying users in range. The principal benefit of broadcast messages is that the devices can read and process the embedded information without being connected to the broadcaster. Moreover, the broadcast messages can be received only within a range of the wireless access point sending the broadcast, thus inherently limiting access to those devices in close physical proximity and facilitating many applications dependent on that proximity. In this paper, 0EISUA is proposed, a zero-effort two-factor authentication scheme based on something that is in the user’s environment (ambient access points). In our research, data from the broadcast messages are utilized to implement the second authentication factor by determining whether two devices are proximate or not to ensure that they belong to the same user, in a way that requires zero interaction from the user. The new proposed system introduced in this paper is experimentally tested.

Computer Science,Engineering

Yi Chen,Hong Wen,Huanhuan Song,Songlin Chen,Feiyi Xie,Qing Yang,Lin Hu

DOI: https://doi.org/10.1049/iet-com.2018.0023

IF: 1.345

2018-01-01

IET Communications

Abstract:The energy-constrained devices such as the mobile terminals and nodes of the Internet of Things make lightweight security schemes an urgent need. The traditional identity authentication techniques can provide protection for the user's privacy and information to a certain extent, but they suffer from heavy cost. Non-cryptographic authentication mechanisms based on the physical layer characteristics are new techniques, which have a higher security level. The recognition technique of radio transmitter based on radio-frequency fingerprint (RFF) is one of the non-cryptographic authentication techniques. The authors propose a lightweight one-time password (OTP) authentication scheme based on RFF (RFF-OTP), which is a novel cross-layer secure authentication scheme and can provide mutual authentication between the mobile terminal and server, by combining RFF recognition algorithm with a hash encryption algorithm. By theoretical analysis and Syverson and van Oorschot logic verification, they prove that the RFF-OTP scheme is simple, efficient, flexible and independent of trusted-party while it also can resist the cloning attack and satisfy the anonymity compared with the OTP authentication scheme. Besides, it only requires the password to log into the system in the authors' scheme in comparison to the OTP scheme that needs both ID and password for the same purpose.

Hosam Alamleh,Ali Abdullah S. AlQahtani,Baker Al Smadi

DOI: https://doi.org/10.48550/arXiv.2304.09468

2023-04-19

Cryptography and Security

Abstract:The rise of smartphones has led to a significant increase in the usage of mobile payments. Mobile payments allow individuals to access financial resources and make transactions through their mobile devices while on the go. However, the current mobile payment systems were designed to align with traditional payment structures, which limits the full potential of smartphones, including their security features. This has become a major concern in the rapidly growing mobile payment market. To address these security concerns,in this paper we propose new mobile payment architecture. This architecture leverages the advanced capabilities of modern smartphones to verify various aspects of a payment, such as funds, biometrics, location, and others. The proposed system aims to guarantee the legitimacy of transactions and protect against identity theft by verifying multiple elements of a payment. The security of mobile payment systems is crucial, given the rapid growth of the market. Evaluating mobile payment systems based on their authentication, encryption, and fraud detection capabilities is of utmost importance. The proposed architecture provides a secure mobile payment solution that enhances the overall payment experience by taking advantage of the advanced capabilities of modern smartphones. This will not only improve the security of mobile payments but also offer a more user-friendly payment experience for consumers.

Sanyam Jain,Raju gautam,Shivani Sharma,Ravi Tomar

DOI: https://doi.org/10.1007/978-981-16-4149-7_35

2023-05-17

Abstract:Cybersecurity is very essential for Mobile Transactions to complete seamlessly. Mobile Commerce (Mcom.) is the very basic transaction type, which is very commonly used (2 in 5 people uses mobile as transaction medium), To secure this there are various technologies used by this research. The four factors formally known as Multi-Factor-Authentication are: two of them are Traditional methods (User Login-password and One Time Password (aka OTP)) with addition of Geolocation and Facial Recognition. All the data is converted to a text file, which is hidden in an image (using Babushka algorithm). The end-point then decrypts the image using same algorithm.

Cryptography and Security

Chen Wang,Yan Wang,Yingying Chen,Hongbo Liu,Jian Liu

DOI: https://doi.org/10.1016/j.comnet.2020.107118

IF: 5.493

2020-04-01

Computer Networks

Abstract:<p>Mobile devices have brought a great convenience to us these years, which allow the users to enjoy the anytime and anywhere various applications such as the online shopping, Internet banking, navigation and mobile media. While the users enjoy the convenience and flexibility of the "Go Mobile" trend, their sensitive private information (e.g., name and credit card number) on the mobile devices could be disclosed. An adversary could access the sensitive private information stored on the mobile device by unlocking the mobile devices. Moreover, the user's mobile services and applications are all exposed to security threats. For example, the adversary could utilize the user's mobile device to conduct non-permitted actions (e.g., making online transactions and installing malwares). The authentication on mobile devices plays a significant role to protect the user's sensitive information on mobile devices and prevent any non-permitted access to the mobile devices. This paper surveys the existing authentication methods on mobile devices. In particular, based on the basic authentication metrics (i.e., knowledge, ownership and biometrics) used in existing mobile authentication methods, we categorize them into four categories, including the knowledge-based authentication (e.g., passwords and lock patterns), physiological biometric-based authentication (e.g., fingerprint and iris), behavioral biometrics-based authentication (e.g., gait and hand gesture), and two/multi-factor authentication. We compare the usability and security level of the existing authentication approaches among these categories. Moreover, we review the existing attacks to these authentication approaches to reveal their vulnerabilities. The paper points out that the trend of the authentication on mobile devices would be the multi-factor authentication, which determines the user's identity using the integration (not the simple combination) of more than one authentication metrics. For example, the user's behavior biometrics (e.g., keystroke dynamics) could be extracted simultaneously when he/she inputs the knowledge-based secrets (e.g., PIN), which can provide the enhanced authentication as well as sparing the user's trouble to conduct multiple inputs for different authentication metrics.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Dea Saka Kurnia Putra,Mohamad Ali Sadikin,Susila Windarta

DOI: https://doi.org/10.1109/QIR.2017.8168487

2018-09-14

Abstract:Nowadays, mobile banking becomes a popular tool which consumers can conduct financial transactions such as shopping, monitoring accounts balance, transferring funds and other payments. Consumers dependency on mobile needs, make people take a little bit more interest in mobile banking. The use of the one-time password which is sent to the user mobile phone by short message service (SMS) is a vulnerability which we want to solve with proposing a new scheme called S-Mbank. We replace the authentication using the one-time password with the contactless smart card to prevent attackers to use the unencrypted message which is sent to the user's mobile phone. Moreover, it deals vulnerability of spoofer to send an SMS pretending as a bank's server. The contactless smart card is proposed because of its flexibility and security which easier to bring in our wallet than the common passcode generators. The replacement of SMS-based authentication with contactless smart card removes the vulnerability of unauthorized users to act as a legitimate user to exploit the mobile banking user's account. Besides that, we use public-private key pair and PIN to provide two factors authentication and mutual authentication. We use signcryption scheme to provide the efficiency of the computation. Pair based text authentication is also proposed for the login process as a solution to shoulder-surfing attack. We use Scyther tool to analyze the security of authentication protocol in S-Mbank scheme. From the proposed scheme, we are able to provide more security protection for mobile banking service.

Cryptography and Security

Priya Pankaj Kumar, Om Prakash, Sudhir Kumar

DOI: https://doi.org/10.52783/tjjpt.v44.i3.2616

2023-11-30

Abstract:In order to improve security and user experience, this article suggests an authentication system that combines Quick Response (QR) code technology with One-Time Password (OTP) technology. Each time an authentication attempt is made, the system generates a unique QR code and an OTP that must be scanned with a mobile device in order to complete the authentication process. Encrypted data, validated by the server, including the user's identity and the OTP included in the QR code. An effective, user-friendly, and secure way of user identification is provided by the suggested system, which is essential in the modern digital world. An effective and safe way to authenticate consumers in online transactions is through an e-authentication system that makes use of OTP and QR code technologies. This method offers a straightforward two-factor authentication technique that effectively blocks illegal access by combining the advantages of OTP and QR code technology.

Siqi Ma,Runhan Feng,Juanru Li,Yang Liu,Surya Nepal,Diethelm Ostry,Elisa Bertino,Robert H. Deng,Zhuo Ma,Sanjay Jha

DOI: https://doi.org/10.1145/3359789.3359828

2019-01-01

Abstract:A great quantity of user passwords nowadays has been leaked through security breaches of user accounts. To enhance the security of the Password Authentication Protocol (PAP) in such circumstance, Android app developers often implement a complementary One-Time Password (OTP) authentication by utilizing the short message service (SMS). Unfortunately, SMS is not specially designed as a secure service and thus an SMS One-Time Password is vulnerable to many attacks. To check whether a wide variety of currently used SMS OTP authentication protocols in Android apps are properly implemented, this paper presents an empirical study against them. We first derive a set of rules from RFC documents as the guide to implement secure SMS OTP authentication protocol. Then we implement an automated analysis system, AUTH-EYE, to check whether a real-world OTP authentication scheme violates any of these rules. Without accessing server source code, AUTH-EYE executes Android apps to trigger the OTP-relevant functionalities and then analyzes the OTP implementations including those proprietary ones. By only analyzing SMS responses, AUTH-EYE is able to assess the conformance of those implementations to our recommended rules and identify the potentially insecure apps. In our empirical study, AUTH-EYE analyzed 3,303 popular Android apps and found that 544 of them adopt SMS OTP authentication. The further analysis of AUTH-EYE demonstrated a far-from-optimistic status: the implementations of 536 (98.5%) out of the 544 apps violate at least one of our defined rules. The results indicate that Android app developers should seriously consider our discussed security rules and violations so as to implement SMS OTP properly.