
Page 1: Class paper final

User Identification using Two-factor authentication

Security Technology– Firewalls and VPNs

By: Anusha Manchala

Submitted to Dr. Themis A. Papageorge

Course: Foundations of Information Assurance


Contents

Abstract 3
Introduction 3
    Why Do We Need Security? 3
    Authentication 3
    User authentication 4
    Single factor authentication 4
Background 5
    Password protection 5
    Failures of Single factor authentication 5
Two-factor authentication 6
    What is a Two-factor authentication? 6
    Context and History 6
    One Time Password 7
        What is OTP? 7
        OTP algorithm 7
    Tokens 11
        Hardware Token 12
        Software Tokens 13
        Two factor authentication using mobile phones 14
Multi factors Authentication 16
    Disadvantages of Two-factor authentication 16
    Advantages of Multi factors Authentication 17
Conclusion 18
References 19

Figure 1 showing Yubikey 12
Figure 2 showing Transaction Sign-in feature 13
Table 1 showing an example of a hash string 9
Equation 1 showing the input for TOTP 10
Equation 2 showing the time step value 10


Abstract

This paper focuses on a security technology for identifying a user. Information security aims to attain confidentiality, integrity and availability. Once a resource is in the hands of an attacker who is not the authorized person he claims to be, the whole point of security is lost. Hence it is essential to identify the user before allowing him to access a resource. One way of implementing strong user authentication is two-factor authentication.

Introduction

Why Do We Need Security?

The internet has become a basic requirement of today's world. Information is exchanged from one point to another by passing through several intermediate points, and there is no assurance that every intermediate point is secure. While data is in transit, an intruder may wait for a chance to intercept, alter, delete or inject data. A vulnerable spot in the transmission path is an open invitation for an intruder to make such attempts, which can have catastrophic effects: loss of privacy, loss of information, loss of correctness of data, and loss of availability. To avoid such risks it is essential to add a layer of security to the information technology in use.

The main goal of security is achieved when resources can be accessed only by authorized persons and are kept away from unauthorized persons who may perform malicious acts. Resources in the computing world can be any services, such as web applications, network-based servers and multi-user systems. One way to achieve this goal is to grant access rights to the appropriate users, i.e., certain resources are made accessible only to particular users. But how can one be certain that the right user is using the resource? How is the user identified before permissions are granted? The answer is authentication.

Authentication

Authentication is the process of deciding whether a user or a machine is who it claims to be. It involves two steps: identification, in which the claimant presents an identity such as a username, and verification, in which the claimant proves the claim with a credential. Credentials, or verifiers derived from them, are stored in a database. When a user or machine requests access to a resource by presenting its credentials, the presented credentials are checked against the record stored for that identity. If they match, the user or machine is authenticated. Deciding what an authenticated identity is permitted to do with a resource, and granting or denying that access, is a separate step called authorization. Authentication followed by authorization are the methods to identify and validate the right user or the right machine. (Rouse, Authentication Definition n.d.)

This paper mainly discusses user authentication and its methods, attacks on passwords, and the technologies used to obtain stronger authentication.

User authentication

User authentication is based on three categories of identity factors. Password-based, token-based and biometric-based authentication methods each rely on one of them.

Knowledge factor: something the user knows, such as an account number, username, password, passphrase, personal identification number (PIN), or the answers to security questions (e.g., "What is the name of your first manager?").

Possession factor: something the user has, such as a mobile phone, ATM card, smart card, electronic keycard or physical key.

Inherence factor: something the user is (static biometrics) or something the user does (dynamic biometrics). Static biometrics include hand geometry, fingerprint, facial characteristics, and retina and iris patterns; dynamic biometrics include voice print and handwritten signature. (Rouse, multifactor authentication (MFA) definition n.d.)

Single factor authentication

If only one of the above identity factors is used to authenticate a user and grant access to a resource, it is called single-factor authentication. The most common form in today's business world is password-based authentication. (Rouse, Single-factor authentication (SFA) definition n.d.)

Password-based Authentication

A user may register his own credentials to gain access rights to a resource, or a system administrator may register him. In either case the aim is to store the user's identity-proof credentials in a database and retrieve them when needed. The credentials are most commonly a user ID or username together with a password, PIN or passphrase. A user who registers himself chooses his own password; sometimes a system administrator assigns one, in which case the user should reset the assigned password to a strong one of his own choosing. When the user later presents his username and password (what he knows), they are compared with the stored values to authenticate him. The database also stores information related to access controls and privileges, and some users may have only limited privileges on a resource.


Background

Password protection

In order to avoid security breaches, several approaches are used to protect a user's password: cryptographic and hashing techniques for confidential storage of passwords, training users on the need for strong passwords, enforcement of password selection strategies such as a password checker, and password policies such as a minimum length and the use of mixed alphanumeric characters. However, a single credential factor used as the only basis for granting access has many drawbacks, and passwords have become the most frequently attacked element of a system.

Failures of Single factor authentication

1. When passwords are hashed and stored in a system password file, an attacker who gains access to that file can compute the hashes of commonly used passwords and compare them against the stored hashes until a match reveals a valid password. This is popularly known as an offline dictionary attack.

2. An attacker may focus on a specific user ID and continuously guess passwords until the right one is found and he can log in to the resource.

3. An attacker may try a few easily remembered passwords against many different user IDs (password spraying), betting that some user has chosen one of them.

4. An attacker may learn the system's password policy and the user accounts in use, and simply guess passwords that fit the policy in order to intrude into the system.

5. A user may log into a workstation and then leave it idle without performing any operation. When such a system is left unattended for a long time, an attacker who has been waiting for the chance can use the open session to perform malicious acts.

6. Users tend to choose passwords built from personal details such as names, phone numbers or addresses, which give an attacker a good hint. A user may forget to reset a default password created by the administrator and keep using it. Unable to remember a complex password, a user might write it on paper, send it in an e-mail, or stick it on a note on the desk. Users' mistakes are a major source of attack; falling for social engineering and sharing the password with someone else are also very common.

7. Attackers may intercept the communication channel when passwords are transmitted across the network to log into remote resources. The damage is larger when the same password is reused for several network resources.

8. A brute-force attack is a password cracker that tries every possible password (or every possible key) until the right one is found; its cost grows exponentially with the length of the password. A rainbow table attack uses precomputed tables of hash chains covering a large space of candidate passwords, so that a stolen hash can be looked up instead of recomputed. Rainbow tables only work against unsalted hashes: a random per-user salt stored with the hash means the table would have to be rebuilt for every salt value, which defeats the precomputation.

9. Even long passphrases are obtained by skilled attackers without cracking them, through malware such as Trojan horses, spyware and keyloggers that capture the passphrase as the user types it.

Passwords or passphrases can be made long and hard to guess using various measures. Ease of implementation and low cost are the main reasons for their widespread use. Still, a single credential factor does not completely serve the purpose of security. Single-factor authentication is not useless, but it cannot be used for all assurance levels because it does not provide the high level of security that sensitive resources require.
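The offline dictionary attack of item 1, the precomputation defeated by salting in item 8, and the reason a slow salted hash still leaves weak passwords exposed, as an added Python example written for this page (not code from the paper). The wordlist, user accounts and iteration count are constructed for the demonstration; the point is the accounting of attacker work in the two store layouts, which the text only states in words.

```python
import hashlib
import hmac
import os

# Constructed sample data for this demonstration (not taken from the paper): a small
# attacker wordlist and a handful of accounts, two of which share a weak password.
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome1"]
USERS = {"alice": "letmein", "bob": "qwerty", "carol": "letmein", "dave": "correct-horse"}
ITERATIONS = 1000   # kept small so the demo runs instantly; production uses far more


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def unsalted_store(users: dict) -> dict:
    """Password file with plain SHA-1 hashes: the same password hashes to the same
    value for every user, so one cracked hash exposes every account that uses it."""
    return {user: sha1_hex(pw) for user, pw in users.items()}


def attack_unsalted(leaked: dict, wordlist: list) -> tuple:
    """Offline dictionary attack (item 1): hash every word once, build a lookup table,
    and recover every user whose stored hash appears in it.
    Returns (recovered passwords by user, number of hash computations spent)."""
    table = {sha1_hex(word): word for word in wordlist}
    recovered = {user: table[h] for user, h in leaked.items() if h in table}
    return recovered, len(wordlist)


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted key derivation (PBKDF2-HMAC-SHA256) in place of a bare hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def salted_store(users: dict) -> dict:
    """Each user gets a random 16-byte salt stored beside the derived value, so
    identical passwords no longer share a hash and nothing can be precomputed."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        store[user] = (salt, derive(pw, salt))
    return store


def verify(store: dict, user: str, password: str) -> bool:
    """Login check against the salted store, using a constant-time comparison."""
    salt, digest = store[user]
    return hmac.compare_digest(derive(password, salt), digest)


def attack_salted(leaked: dict, wordlist: list) -> tuple:
    """The same dictionary against the salted store. Weak passwords still fall, but the
    attacker now pays ITERATIONS rounds per word per user and cannot reuse any work.
    Returns (recovered passwords by user, number of hash rounds spent)."""
    recovered, work = {}, 0
    for user, (salt, digest) in leaked.items():
        for word in wordlist:
            work += ITERATIONS
            if hmac.compare_digest(derive(word, salt), digest):
                recovered[user] = word
                break
    return recovered, work
```

Note what the salted, slow store does and does not buy: alice, bob and carol are recovered from both stores because their passwords are in the wordlist, which is exactly why a second factor is needed. What changes is that the attacker can no longer amortize one hash computation across every user, can no longer see that alice and carol share a password, and cannot prepare a table before the breach.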

What else is needed to assure a resource that the right user is accessing it? What other means can identify the user and add a further layer of security? How is stronger authentication achieved? These questions are answered in the following sections.

Two-factor authentication

It can be illustrated with a familiar everyday example. Almost all banks worldwide issue a debit card (and, on request, a credit card) to every customer who opens an account. The customer is given an account number, a username, a PIN and the card. The card carries the customer's full name, the card number, the expiry date and a 3-digit security code, and is issued to that specific customer only. To withdraw money, check the balance or make a deposit at an ATM, the customer first inserts or swipes the card and then enters a PIN of at least 4 digits. If both are correct, the bank's system validates the user and allows him to proceed. This simple scenario is a perfect example of two-factor authentication: something the user has (the card) and something the user knows (the PIN) are used together as identity factors.

What is a Two-factor authentication?

Two-factor authentication (2FA, also written TFA) is a two-step verification process that adds a layer of security by requiring two of the three authentication factors, drawn from two different categories, before a user is granted access to a resource. Two credentials of the same kind, such as a password and a security question, are both knowledge factors and do not count as two-factor authentication.

Context and History

Frank Miller described one-time pads in 1882. The idea was reinvented in 1917 by Gilbert Vernam, whose cipher was patented in 1919. The Vernam cipher is a cryptographic algorithm that combines each character of the plaintext with the corresponding character of a key stream to produce the ciphertext; when the key stream is truly random, as long as the message, and never reused, the result is the one-time pad. In the early 1920s three German cryptographers, Erich Langlotz, Rudolf Schauffler and Werner Kunze, described the use of randomly generated numbers as key material and the importance of never reusing them. A one-time pad uses random generation to produce a key that is combined with a piece of information; physically it is a sheet of paper that is burned or otherwise destroyed after it has been used once. The traditional approach relied on one-time pads, whereas the modern approach to two-factor authentication uses one-time passwords. (Cooperband 2015)


One Time Password

A one-time password (OTP) is more secure than a user-created or static password. Because each value is valid only once, a captured OTP cannot be replayed later. It does not by itself defeat a real-time man-in-the-middle or phishing relay that forwards the code to the genuine service within its validity window, so the channel carrying the OTP still needs protection. There is no need to store the one-time passwords themselves in a database; only the shared secret and the moving factor are stored, and a token can generate OTPs without any internet connection. Many business organizations use OTP tokens for remote user authentication to virtual private networks, transaction-oriented web applications and Wi-Fi network login. Standardized OTP algorithms also provide interoperability among software and hardware from different vendors. (N, C, et al. 1998)

What is OTP?

An OTP is a password or PIN, consisting of a numeric or alphanumeric string, that is used only once for a single authentication attempt and is valid only for that session. When a user provides something he knows (a password or PIN) to obtain access to a resource, the OTP acts as the second identity factor: it is generated by a device that is something the user has with him (token devices are discussed later). OTPs are generated in two common ways:

1. The HMAC-based one-time password algorithm, HOTP

2. The time-based one-time password algorithm, TOTP

OTP algorithm

To prevent an unauthorized user from guessing the next password in the sequence, an OTP algorithm derives each value from a secret and a moving factor in such a way that the sequence is unpredictable and cannot be reversed to recover the secret. A numeric or alphanumeric string of a fixed length is produced by one of the two algorithms mentioned above; this section explains both in detail.

HMAC-based one-time password algorithm

HOTP generates a one-time password from a Hash-based Message Authentication Code (HMAC). It is a simple OTP algorithm for adopting two-factor authentication. The main idea is to generate the OTP with minimal involvement of the user: the user is not expected to understand the cryptographic or mathematical computations behind the generation of a one-time password or the authentication. High usability, efficiency and low cost guide the implementation. This event-based algorithm can be used in devices such as GSM SIM cards, Java-based smart cards and USB dongles. (M'Raihi, et al. 2005)

The HOTP algorithm is designed to meet the following requirements:

1. A device that generates OTPs must be easy to handle: it should consume little battery power, have few buttons for requesting an OTP, have a small display to show it, and require little computing power.

2. The OTP must be generated from a counter-based (event-based) moving factor; knowledge of previous OTPs must not allow an attacker to predict the next one.

3. It must be possible to embed the algorithm in high-volume devices such as SIM cards or smart cards, to provide interoperability.

4. The algorithm must work without any numeric input, but must also be able to make use of a numeric input when devices such as PIN pads are available. It has to produce a password of a reasonable length that is easy to read on a display and easy to type; a minimum of 6 digits and a maximum of 8 is preferable.

5. The shared secret must be at least 128 bits long, and 160 bits is recommended (M'Raihi, et al. 2005). The HMAC must be built on a strong hash function: HMAC-SHA-1, whose output is 160 bits (20 bytes), is the baseline, while HMAC-MD5 is not recommended because MD5 is no longer considered cryptographically strong. (Matt 2013)

6. The whole point of HOTP is the use of a counter; hence an easy approach to resynchronize the counter between token and server must be provided. (M'Raihi, et al. 2005)

The algorithm described in this section is the HMAC-SHA-1 variant, in which a 160-bit (20-byte) HMAC value is used to generate the OTP. It needs the following parameters:

A secret value K shared between the generator (the token) and the validator (the server).

A counter value C, an 8-byte value that must be kept synchronized between the token and the server. The token increments it each time an OTP is generated; the server increments it each time an OTP is successfully validated.

A resynchronization parameter s, the number of counter values the server looks ahead when the token's counter has run ahead of the server's, for example because OTPs were generated but never submitted.

A throttling parameter T, the maximum number of unsuccessful attempts allowed before the server locks the token.

The number of digits of the OTP (Digit).

The counter value and the shared secret are known only to the validation service and the token. The HMAC-SHA-1 computation produces a 20-byte (160-bit) value. A user cannot type all of these characters in the time available, and using the raw HMAC value as the OTP would not meet the usability requirements above. So a password that the user can enter easily is derived by truncating the 160-bit value. (M'Raihi, et al. 2005)

Steps of the HOTP algorithm

1. Compute HS = HMAC-SHA-1(K, C), a 20-byte value, from the shared secret K and the 8-byte big-endian counter C.

2. Take the low-order 4 bits of the last byte of HS as an offset (a value from 0 to 15) and extract the 4 bytes HS[offset] to HS[offset + 3].

3. Clear the most significant bit of that 4-byte value, so that it is a 31-bit non-negative integer regardless of the platform's signed or unsigned arithmetic, and reduce it modulo 10^Digit, where Digit is the number of digits of the OTP. (M'Raihi, et al. 2005)

For example, assume that the following 20-byte hash is obtained from step 1: 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1.

Byte   00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19
Value  84 98 3E 44 1C 3B D2 6E BA AE 4A A1 F9 51 29 E5 E5 46 70 F1

Table 1 showing an example of a hash string

The last byte of the hash (byte 19) is 0xF1, and its low-order 4 bits are 0x1, so the offset is 1. The 4-byte segment therefore starts at byte 1 and is 0x983E441C, which as an unsigned integer is 2554217500. Because its most significant bit is set, dynamic truncation clears that bit before the modulo step: 0x983E441C AND 0x7FFFFFFF = 0x183E441C = 406733852. For a 6-digit OTP, 406733852 modulo 10^6 = 733852. For an 8-digit OTP, 406733852 modulo 10^8 = 6733852, which is displayed zero-padded as 06733852. (Taking the unmasked value instead, 2554217500 modulo 10^6 = 217500, gives a different result from the RFC 4226 reference implementation, so the mask must not be skipped.) HMAC with SHA-256 or SHA-512 can also be used to produce the hash value; the low-order 4 bits of the last byte of the longer hash still supply the offset.

Time-based one-time password algorithm (TOTP)

The time-based one-time password algorithm is an extension of the HMAC-based one-time password (HOTP) algorithm. HOTP is event-based, with a counter as the moving factor, whereas TOTP uses a time value as the moving factor.

An OTP generated by HOTP is unpredictable, but it has a weakness when the user generates an OTP and then does not use it: the counter on the server does not advance until a successful authentication, so that OTP stays valid indefinitely, and an attacker who obtains it can use it at any later time. If instead an OTP is valid only for a short period regardless of whether it was used, an OTP captured earlier is worthless to the attacker. To provide this enhanced security, TOTP uses short time windows. It works like HOTP except that a time step derived from the current time takes the place of the counter in the computation of the one-time password. TOTP may use HMAC-SHA-1 as in HOTP, or HMAC-SHA-256 and HMAC-SHA-512, which are based on the SHA-2 hash functions [SHA2]. An effective TOTP deployment has the following requirements:

1. The client (the token) and the authenticating server (the validator) must either share the same secret key, or share the knowledge of a secret transformation from which the shared secret can be generated.

2. Each client must have a unique secret key.

3. To ensure uniqueness, keys must be generated randomly or derived using key derivation algorithms.

4. Keys should be stored in a compact, tamper-resistant device and protected against unauthorized access and use.

5. The algorithm must use HOTP as its building block and inherit its requirements.

6. The current Unix time is the number of seconds elapsed since midnight UTC on January 1, 1970. Both the authentication server and the client must know, or be able to derive, the current Unix time.

7. The validator and the client must use the same time-step value, otherwise they cannot stay synchronized for authentication. (D, et al. 2011)


Unlike HOTP, which does not depend on the system and needs no input other than the static symmetric key and the counter value, TOTP requires two system parameters:

A time-step value X, measured in seconds; the default is 30 seconds.

A Unix time T0 from which to start counting time steps; the default is 0 (the Unix epoch).

As mentioned earlier, the algorithm is an extension of HOTP and takes as input the static symmetric key and a time factor. (D, et al. 2011)

TOTP = HOTP(K, T)

Equation 1 showing the input for TOTP

where K is the static symmetric key and T is the number of time steps between the initial counter time T0 and the current Unix time:

T = floor((Current Unix time - T0) / X)

Equation 2 showing the time step value

For example, with the default values X = 30 seconds and T0 = 0, a current Unix time of 59 seconds gives T = 1, and a current Unix time of 60 seconds gives T = 2. The division uses the floor function, so the fractional part is discarded. The values of X and T0 can be set during provisioning. Beyond the year 2038 the Unix time no longer fits in a signed 32-bit integer, so implementations must compute T with a wider integer type. (Hoyer 2010)

Some precautions are recommended when implementing TOTP. TOTP depends on HOTP for its security, and since HOTP is its key building block, the dynamic truncation (extraction of the 4-byte segment from the HMAC value) must be used unchanged so that the output digits remain uniformly distributed. To give each token a distinct key, the key should be produced by a cryptographic pseudo-random generator that has passed randomness tests, or derived with a key derivation function. Along with the randomness of the key, two other requisites are essential: secure storage of the key and a secure channel for transporting it. On the validation system the key should be stored encrypted, ideally in a tamper-resistant device, and decrypted only for the moment a verification needs it, so that the plaintext key has the least possible exposure in RAM. To avoid malicious access, the key store and the validation system must be tightly protected, with access limited to the processes and programs the validation system requires. Communication between the validator and the client must take place over a secure channel such as Secure Sockets Layer/Transport Layer Security (SSL/TLS) or IPsec. (D, et al. 2011)

All OTPs generated within the same time step are identical: with a 30-second time step, the OTP generated at the 1st second and at the 29th second of the step are the same. The validation system uses a time stamp to validate the OTP, but it receives the OTP later than the moment at which the client generated it, and it does not know the client's generation time; it can only use the time at which the OTP arrives. If the transmission delay is large enough, the receive time may fall in the next time-step window, and the OTP would be rejected even though it was correct when generated. To cope with this, the validation system must adopt a policy that accepts a valid OTP despite a transmission delay: it should accept OTPs computed for the previous time step (or steps) as well as the current one, within a range that covers the expected delay. This range must not be too long, because the wider the window of accepted time steps, the more opportunity an attacker has to use a captured OTP. Likewise, the longer the time-step value X, the longer a given OTP remains valid and the larger the exposure. On the other hand, a long time step has a usability cost. A new OTP is produced only in the next time-step window: with a 30-second step, a new OTP appears every 30 seconds, and a user who wants a fresh OTP at the 15th second must wait until the step rolls over. If the time step were 10 or 15 minutes, the user would wait a long time for a new OTP, and meanwhile the login session of the site requesting the second factor may expire. Hence, to balance attack resistance and convenience, a time-step value between 30 and 60 seconds is advisable. Once an OTP has been successfully authenticated, the validator must not accept the same OTP again within the same time step. (D, et al. 2011)

The validator must also limit the number of time steps by which the token may be out of sync before an OTP is rejected. The limit can be set backward or forward in time relative to the time step computed by the validator. Suppose the time step is 30 seconds and the limit is two steps backward. Then the maximum time drift tolerated is 89 seconds (60 seconds from the two previous time steps plus up to 29 seconds into the current one), which means the validator computes and compares at most three OTPs per attempt. When a verification succeeds, the validation server can record the drift, in number of time steps, between its own clock and the token's. When the next OTP from that token is verified, the server can use the recorded drift together with the current time stamp to find the expected time step immediately. The longer a client goes without sending an OTP to the validation server, the larger the accumulated drift between the client and the verifier can become; when it exceeds the allowed limit, the normal resynchronization mechanism described above no longer works and the token needs an explicit resynchronization. (D, et al. 2011)
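The HOTP steps with dynamic truncation applied to the hash of Table 1, the relation TOTP = HOTP(K, T), and the server-side behaviour discussed above (the look-ahead resynchronization and throttling parameters s and T of HOTP, and the accepted time-step window and single-use rule of TOTP), as one added Python example written for this page; it is not code from the paper or from the RFC authors. It assumes the RFC 4226 and RFC 6238 conventions (HMAC-SHA-1 by default, an 8-byte big-endian counter, a 30-second step and T0 = 0). The validator class names, the window sizes and the attempt limit are illustrative choices made here, and the RFC_KEY value is the published RFC test secret.

```python
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); PAPER_HASH is the
# 20-byte value used in the worked example of Table 1.
RFC_KEY = b"12345678901234567890"
PAPER_HASH = bytes.fromhex("84983E441C3BD26EBAAE4AA1F95129E5E54670F1")


def dynamic_truncate(hs: bytes, digits: int) -> str:
    """Steps 2 and 3 of HOTP: the low nibble of the last byte is the offset, take the
    4 bytes there, clear the top bit (31-bit value), reduce mod 10^digits, zero-pad."""
    offset = hs[-1] & 0x0F
    code = struct.unpack(">I", hs[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    return dynamic_truncate(hmac.new(key, struct.pack(">Q", counter), algo).digest(), digits)


def totp(key: bytes, unix_time: int, step: int = 30, t0: int = 0,
         digits: int = 6, algo: str = "sha1") -> str:
    """TOTP = HOTP(K, T) with T = floor((unix_time - T0) / X). Python integers are
    unbounded, so time values beyond 2038 need no special handling here."""
    return hotp(key, (unix_time - t0) // step, digits, algo)


class HotpValidator:
    """Server side of HOTP: expected counter, look-ahead resynchronisation (parameter s)
    and throttling after too many failures (parameter T). Window sizes are illustrative."""

    def __init__(self, key: bytes, digits: int = 6, look_ahead: int = 5, max_attempts: int = 5):
        self.key, self.digits = key, digits
        self.look_ahead, self.max_attempts = look_ahead, max_attempts
        self.counter = 0    # next counter value the server expects
        self.failures = 0   # consecutive failed attempts

    def verify(self, code: str) -> bool:
        if self.failures >= self.max_attempts:
            return False    # throttled: requires an out-of-band reset
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.key, c, self.digits), code):
                self.counter = c + 1      # resynchronise; this and older codes are now dead
                self.failures = 0
                return True
        self.failures += 1
        return False


class TotpValidator:
    """Server side of TOTP: accept the current time step plus a few steps either side
    to absorb transmission delay and clock drift, and never accept a time step twice."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, back: int = 1, forward: int = 1):
        self.key, self.step, self.digits = key, step, digits
        self.back, self.forward = back, forward
        self.last_step = None   # highest time step already consumed by a success

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for t in range(current - self.back, current + self.forward + 1):
            if self.last_step is not None and t <= self.last_step:
                continue        # replay of a consumed step (or an even older one)
            if hmac.compare_digest(hotp(self.key, t, self.digits), code):
                self.last_step = t
                return True
        return False


if __name__ == "__main__":
    print("Table 1 hash, 6 digits:", dynamic_truncate(PAPER_HASH, 6))
    print("RFC 4226 HOTP for counters 0..2:", [hotp(RFC_KEY, c) for c in range(3)])
    print("TOTP for the current time:", totp(RFC_KEY, int(time.time())))
```

The TOTP validator deliberately refuses any time step at or below the last one it accepted, which is slightly stricter than the minimum single-use rule in the text: it closes the case where an attacker replays a code from the previous step while that step is still inside the backward window. The HOTP validator moves its counter past the matched value, so a code the user generated but never submitted is dead once a later code has been accepted, and once `max_attempts` consecutive failures have been seen the token stays locked until it is reset out of band.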

Tokens

A token is an object that serves as evidence of identity. Authentication tokens have been in use for at least two decades and are now widespread in the market. In two-factor authentication a token supplies the second factor for user authentication. The value the token produces, not the secret inside it, is what travels to the validation server, and it must be carried over a secure channel. Some tokens store biometric data or cryptographic keys; others generate a PIN that changes periodically. The token function may be embedded in a dedicated physical device or in an application designed to transmit the value over the internet, so a token can be either a hardware or a software device.


Hardware Token

A hardware token is a token embedded in a physical device with an LCD/LED display and, typically, a single button used to request a code (as in Symantec's Validation and ID Protection (VIP) credentials). A single press of the button produces a new OTP, which keeps the two-factor mechanism simple for the user. The device is easy to carry anywhere: a user can keep it in his pocket, wear it around his neck or attach it to a key ring. This ease of use is especially valuable in organizations: an organization issues a credential to each employee, and the employee uses the hardware token to access network services. Recently many advanced features have been added to hardware tokens to make them even easier to use. (Rouse, Security Token n.d.)

A USB authentication token plugs into a USB port of a computer or connects to a mobile device and generates a one-time password at a single touch of its button. Such devices work from any browser, platform or computer without additional drivers, and because the token enters the OTP itself, the user is spared re-typing it, giving a fast and error-free login. The YubiKey shown in Figure 1 is an example of a USB authentication device. (Defender hardware tokens n.d.)

Figure 1 showing Yubikey

Source: https://www.yubico.com/products/yubikey-hardware/

A physical token can also take the form of a security token card or a key fob. A security token card is used mainly for two-factor authentication in online banking and in Breeze mobile banking. It has the features of a debit, credit or ATM card built in, so it can be used at an ATM or to make payments, with the added authentication on top. These cards support two authentication methods: transaction signing and one-time passwords. The card is switched on and off with a button on its face and has a small display that shows the OTP it generates. With transaction signing, the online banking page displays a 3- or 4-digit challenge; the user keys that challenge into the card, and the card then displays an OTP that the user enters on the banking page to be validated. Because the OTP depends on the challenge, it is tied to the transaction being approved rather than to the login alone. Figure 2 shows an example of a security token card. (Security Token card online demo n.d.)


Figure 2: Security token card with transaction signing

Source: http://www.superadrianme.com/technology/standard-chartered-bank-first-to-launch-mastercards-display-card-in-singapore/

A key fob is another hardware token that authenticates a user to network services or a computer. It displays an OTP that changes periodically. Defender Go-6, RSA SecurID and Fortinet tokens are examples available on the market; each produces a fresh OTP every 30 or 60 seconds. The code is not random: it is computed from a secret shared with the authentication server and the current time step, which is why the server can compute the same value and why the token's clock must stay roughly in step with the server's. (Rouse, Key fob definition n.d.)

The Nymi Band, designed by Bionym, is a wristband that authenticates its wearer biometrically by monitoring the heartbeat. Its algorithms use the electrocardiogram (ECG) as an identity factor, extracting features unique to a person from the shape of the ECG waveform, and it communicates with network resources over Bluetooth Low Energy (BLE). Myris, from the company Eyecorp, is a similar device that uses the user's iris as the biometric credential, and many other devices use fingerprints. Authentication with such devices typically combines something the user knows with something the user is. (Cooperband 2015)

In 2005 the National Bank of Abu Dhabi (NBAD), in the Middle East, became the first bank to implement two-factor authentication with physical devices (RSA SecurID), issuing tokens to 19,000 of its customers. In the same year Bank of America began rolling out hardware tokens to its 14 million customers. The Commonwealth Bank of Australia, the Bank of Ireland and the Bank of Queensland were among the other international banks to adopt hardware-token two-factor authentication, and the National Bank of Dubai (NBD) made it mandatory for every client to use a hardware token in addition to a PIN or password. (Fadi Aloul n.d.)

Software Tokens

A software token generates a unique PIN or a QR (Quick Response) code to enable two-factor authentication. A QR code gives quick access: the code sent to the user's phone is scanned at the verifier's page, so the user does not have to type anything. (Cooperband 2015)

The main reason for using these tokens is user convenience: the token is generated on a device the user already possesses. Smartphones, iPads, tablets and laptops are the most common devices used to generate soft tokens, and soft-token apps installed on them serve two-factor authentication well. Time-based soft tokens keep working when the user travels across time zones, because the code is derived from universal time rather than from the device's local clock setting. Apps exist for a wide range of platforms: Windows XP, Vista, 7 and 8, Mac OS X, BlackBerry, iOS (iPhone), Android, Windows Phone 7 and 8, and Java phones. For still more convenience, tokenless methods send an SMS or text message, a push notification, a phone call or an e-mail to a registered device to confirm the user. Authy, Google Authenticator and Duo Security are examples of soft-token apps. (Sevilaja 2015)

Two factor authentication using mobile phones

Although physical devices addressed password attacks, customers objected to the cost of buying and managing several devices, and the obvious question remained: what if the customer loses the device or it is stolen? Soft tokens, as discussed above, serve 2FA with more convenience for the user, and the mobile phone is an attractive platform for them. Phones already offer infrared, 3G, WLAN, Bluetooth and GSM connectivity and are today the most common means of communication; their browsers are used for fund transfers and payment confirmations, SMS delivers account balance information, and third-party and vendor-specific applications extend the services further. Using phones as tokens lowers the cost of manufacturing, distribution and maintenance. Depending on the user's choice and certain limitations, a phone can operate in one of two modes: a Connection-Less Authentication System (stand-alone approach) or an SMS-based Authentication System. Both rely on a server connected to a GSM modem and a client-side application (for example in J2ME). The three essential parts of the system are (1) a server connected to a GSM modem, (2) the server software and (3) an application installed on the client's mobile phone. (Fadi Aloul n.d.)

In the Connection-Less Authentication System, a program on the phone generates the OTP locally from the phone's unique factors. The server holds the same factors, so it can generate the same OTP and compare it with the password the client submits; the client and server need no connection for this. In the SMS-Based Authentication System, the phone generates nothing locally; it sends the server an SMS request, encrypted with a 256-bit symmetric key unique to that phone. The server decrypts the message with the same key, verifies it and returns an OTP to the phone that is valid only for a limited time. Both approaches are secure and easy to use, but the SMS-based approach costs more than the stand-alone one, since client and server both pay telecommunication charges for the exchange. (Fadi Aloul n.d.)

The unique factors used to identify each phone are the International Mobile Equipment Identity (IMEI), the International Mobile Subscriber Identity (IMSI) stored in the Subscriber Identity Module (SIM), the username, the PIN/password and the OTP validity period, which can be a minute, an hour, a day or a year. All the factors are concatenated and hashed to a 256-bit value, which is XORed with the PIN. The result is Base64-encoded to produce a message of 28 characters, which is split into two halves that are XORed together, repeatedly, until an OTP of a length convenient to the user remains. (Fadi Aloul n.d.)

Both approaches require a database holding the essential details of each client's phone: the PIN, username, IMEI, mobile number, IMSI and the unique symmetric key. The client program has a GUI that is convenient for the user, and the server has the database and the GSM modem for exchanging messages. The server application is multithreaded: it initializes the database and GSM connections, accepts client requests, verifies the client's identity and either generates an OTP (SMS-based approach) or verifies one (stand-alone approach). (Fadi Aloul n.d.)

For example, the client can be written in J2ME so that it runs on any phone that supports J2ME. Once installed, the application either generates the OTP from the phone's unique factors, such as the IMSI and IMEI, or sends the server an SMS asking it to generate and send the OTP; the user chooses between the two. In either case the user must first enter a username and PIN and is then prompted to choose an option. If the user selects the stand-alone (connection-less) method, an OTP is generated locally from the username, the PIN and the phone's identity factors and is discarded after a set time; the server, which stores the same username, PIN and factors, generates the same OTP for comparison. If the user selects the SMS-based method, the username, PIN and the phone's unique identity factors are encrypted with the 256-bit symmetric key and sent to the server as an SMS. This key is stored on both the client and the server and is fixed at registration: the client registers in person at the organization, and the phone's identification factors (IMEI, SIM/IMSI, mobile number), the username and the PIN are stored in the database (the password file). (Fadi Aloul n.d.)

The server recognizes the user by decrypting the SMS with the same 256-bit symmetric key. The server attached to the GSM modem extracts the message and compares all the identity factors with the credentials stored in the database. The database stores hashes of the temporary passwords, so that a compromise of the database alone does not yield the passwords in clear; note, however, that it also holds the PIN, the identity factors and the symmetric key from which OTPs are derived, so the database still has to be protected as a high-value secret. After validation the server generates the OTP and sends it to the user's phone. The server program is multithreaded to spread the load: the first thread initializes the SMS modem and the database and handles client requests on the modem; the second reads the message sent by the client, generates an OTP and returns it; the third compares the OTP received in the connection-less approach. To use the SMS option, the J2ME program on the phone is configured to talk to the GSM modem. Encrypting the exchange with a 256-bit symmetric key defends against sniffing of the messages and makes brute-forcing the key infeasible. The server accepts a client's request message, identifies the client, and generates and sends the OTP within seconds. (Fadi Aloul n.d.)
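The stand-alone (connection-less) OTP derivation described above, as an added Python example that is not code from Aloul et al. or from this paper. It follows the steps the text gives: the identity factors and the validity window are concatenated and hashed with SHA-256, the digest is XORed with the PIN, the result is Base64-encoded, and the encoded string is folded in half with XOR until a short value remains that is reduced to a fixed number of digits. The source does not specify how the PIN is extended to the digest length, how an odd-length string is folded, or how the folded bytes become digits; the choices made here for those steps, the separator, and the sample enrolment record (IMEI, IMSI, username, PIN) are all assumptions, and the values are constructed, not real subscriber data.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Enrolment:
    """What the server's database stores for one phone (constructed sample values)."""
    username: str
    pin: str
    imei: str
    imsi: str


def validity_window(unix_time: int, validity_seconds: int) -> int:
    """Number of the validity period the timestamp falls in; the OTP changes when it changes."""
    return unix_time // validity_seconds


def fold_xor(data: bytes) -> bytes:
    """XOR the two halves of `data` together (assumption: an odd middle byte is dropped)."""
    half = len(data) // 2
    return bytes(a ^ b for a, b in zip(data[:half], data[half:2 * half]))


def standalone_otp(e: Enrolment, unix_time: int, validity_seconds: int = 60,
                   digits: int = 6) -> str:
    """Derive the OTP from the phone's identity factors, the PIN and the validity window."""
    # 1. Concatenate the unique factors (separator and order are assumptions).
    material = "|".join([e.imei, e.imsi, e.username, e.pin,
                         str(validity_window(unix_time, validity_seconds))]).encode()
    # 2. Hash to 256 bits.
    digest = hashlib.sha256(material).digest()
    # 3. XOR the digest with the PIN (assumption: PIN bytes repeated to 32 bytes).
    pin = e.pin.encode()
    pin_stream = (pin * (len(digest) // len(pin) + 1))[: len(digest)]
    mixed = bytes(a ^ b for a, b in zip(digest, pin_stream))
    # 4. Base64-encode the result (32 bytes give 44 characters).
    folded = base64.b64encode(mixed)
    # 5. Fold the halves together with XOR until at most 8 bytes remain, then
    #    reduce to the requested number of decimal digits (assumption).
    while len(folded) > 8:
        folded = fold_xor(folded)
    return str(int.from_bytes(folded, "big") % (10 ** digits)).zfill(digits)


def verify_standalone(e: Enrolment, submitted: str, unix_time: int,
                      validity_seconds: int = 60, digits: int = 6, window: int = 1) -> bool:
    """Server side: recompute from the stored record for the current and `window` earlier periods."""
    current = validity_window(unix_time, validity_seconds)
    for w in range(current - window, current + 1):
        candidate = standalone_otp(e, w * validity_seconds, validity_seconds, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


# Constructed sample enrolment record; not a real IMEI, IMSI or PIN.
SAMPLE = Enrolment(username="alice", pin="4821", imei="490154203237518",
                   imsi="310150123456789")


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = standalone_otp(SAMPLE, now)
    print("OTP for this period:", code, "verified:", verify_standalone(SAMPLE, code, now))
```

Two things worth noticing when running it: the IMEI and IMSI are identifiers, not secrets, so the unpredictability of the code rests on the PIN and on the attacker not having the server's record; and, because the code is a pure function of the stored record and the clock, a server that accepts the previous period as well (window=1) must also remember codes it has already accepted, or a captured code can be replayed until the period ends.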


Multifactor Authentication

Multifactor authentication combines at least two independent identity factors. Its goal is layered security: an attacker who compromises one factor still has to defeat at least one more before gaining access to the resource. Multifactor authentication is also driven by regulation, such as the Federal Financial Institutions Examination Council (FFIEC) guidance that Internet banking transactions in the United States be processed with multifactor authentication. (Rouse, multifactor authentication (MFA) definition n.d.)

Single-factor authentication is not an advisable mechanism for user authentication. Two-factor authentication is a strong mechanism, but because of the disadvantages discussed below it is not the right choice in every setting. Using more factors increases security because it is very unlikely that an attacker obtains all of them; every additional factor adds a layer. Beyond the three factors discussed so far, additional factors include somebody the user knows, the user's location and the time at which the login is made. The reliability of the authentication depends not only on the number of factors but also on how they are implemented; the choice of rules within each category strongly affects the security achieved.

Disadvantages of Two-factor authentication

Many international banks provide two-factor authentication by issuing hardware tokens to customers. Running such a scheme involves token production, token distribution, registration of customers, authentication of the user and token, and revocation of users and tokens, among other tasks. Organizations have to invest heavily to purchase and deploy the tokens, must train employees and customers to use them, and face high costs for maintaining tokens and replacing lost or damaged ones. At the outset some banks required every customer to use a token for each bank account, which meant buying several tokens for several accounts: inconvenient, and expensive for the customer. (Fadi Aloul n.d.)

Two-factor authentication does defeat some passive threats, namely offline password guessing and eavesdropping. But attacks have shifted to active forms: phishing, malware and so on. Consider a man-in-the-middle attack in which the attacker sets up a fake bank website and uses social engineering to convince the user it is the real one. The user enters credentials, one-time code included, on the fake site without ever knowing it; the attacker relays them to the real site, carries out fraudulent transactions and may then disconnect the user. Alternatively, an attacker installs a Trojan on the user's computer and piggybacks on the session once the user has logged in to the bank's website. In neither case (man-in-the-middle or Trojan) does two-factor authentication solve the problem. With the fake website the attacker never needs to possess the second factor yet transacts as the legitimate user; with the Trojan the attacker relies entirely on the user to open the account. The nature of the attack defeats the whole purpose of preventing fraud by impersonation. (Schneier n.d.)

Consider the second approach to two-factor authentication, in which the banking website identifies the user by SMS. In the man-in-the-middle attack the intruder need not worry about the SMS verification, since the user innocently supplies the unique identity details, and in the Trojan attack the user is in any case helping the attacker to log in. Two-factor authentication does provide adequate protection within some corporate networks and for local log-in, but it is a doubtful savior for remote authentication over the internet. Many organizations and banks are spending heavily on tokens to reduce fraud. Initially the idea seems effective, because intruders go for easy targets, but fraud may well rise again as attackers gain expertise. (Schneier n.d.)

Advantages of Multifactor Authentication

A layered approach can enhance security. Three-factor authentication adds an inherence factor to the two 2FA elements and is used mainly by government agencies and businesses that require a high level of security. Inherence factors include voice recognition, facial recognition, finger vein scans, fingerprint scans, iris scans, retina scans, earlobe geometry and hand geometry. For example, after logging in with a username and password, the user must present an ID card, and his fingerprint must match the record stored in the database. (Matthew n.d.)

Four-factor authentication adds, to the password known, the card possessed and the inherence factors matched, a mutual acquaintance of the user: somebody the user knows. Human vouching already appears in the security literature in several roles: reputation networks, peer-level certification, privilege delegation and helpdesk assistance. It provides an emergency identity factor for authenticating a user in the absence of a password or token. (Brainard, et al. n.d.)

Five-factor authentication uses the three factors of 3FA plus location and time as the fourth and fifth factors for strong authentication, so a user is granted access only when all five are verified: the password, the OTP, the biometric credential, and the user's location within the allowed time. A smartphone with GPS eases the burden of establishing the login location; the MAC address of the device or network access point used for the login is a weaker proxy for location, since it identifies equipment rather than a place. The user's presence at the time of login and the time of the login itself are also used as identity factors. Location and time together add security for the simple reason that a user cannot use an ATM card in China and then in India within a few hours of the same day.
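The location-and-time check just described (a card used in China and then in India within a few hours) amounts to a velocity test: compare the distance between two successive logins with the time between them. The Python below is an added example, not code from this paper; it uses the haversine formula for great-circle distance and a maximum plausible travel speed, and it ignores small distances so that geolocation jitter does not raise alarms. The login events, coordinates, speed limit and minimum distance are constructed for illustration.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class LoginEvent:
    user: str
    when: datetime        # timezone-aware, in UTC
    lat: float
    lon: float


@dataclass(frozen=True)
class TravelCheck:
    flagged: bool
    distance_km: float
    hours: float
    speed_kmh: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(prev: LoginEvent, curr: LoginEvent,
                      max_speed_kmh: float = 900.0, min_distance_km: float = 50.0) -> TravelCheck:
    """Flag the second login if reaching it from the first would need more than max_speed_kmh.

    max_speed_kmh is roughly airliner cruise speed (assumed threshold);
    min_distance_km absorbs geolocation error (assumed threshold).
    """
    if curr.when < prev.when:
        raise ValueError("events must be in chronological order")
    distance = haversine_km(prev.lat, prev.lon, curr.lat, curr.lon)
    hours = (curr.when - prev.when).total_seconds() / 3600.0
    if distance < min_distance_km:
        return TravelCheck(False, distance, hours, 0.0)
    if hours == 0.0:
        # Two distant logins at the same instant: unreachable at any speed.
        return TravelCheck(True, distance, hours, math.inf)
    speed = distance / hours
    return TravelCheck(speed > max_speed_kmh, distance, hours, speed)


def utc(y: int, m: int, d: int, hh: int, mm: int) -> datetime:
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed sample events (approximate city coordinates; not real user data).
SHANGHAI_10 = LoginEvent("alice", utc(2015, 12, 1, 10, 0), 31.23, 121.47)
MUMBAI_13 = LoginEvent("alice", utc(2015, 12, 1, 13, 0), 19.08, 72.88)
MUMBAI_18 = LoginEvent("alice", utc(2015, 12, 1, 18, 0), 19.08, 72.88)


if __name__ == "__main__":
    for later in (MUMBAI_13, MUMBAI_18):
        r = impossible_travel(SHANGHAI_10, later)
        print(f"{r.distance_km:.0f} km in {r.hours:.1f} h -> "
              f"{r.speed_kmh:.0f} km/h, flagged={r.flagged}")
```

Shanghai to Mumbai is about 5,000 km, so the three-hour pair is flagged and the eight-hour pair is not. In practice the check is a risk signal to trigger a step-up factor rather than a hard denial: IP geolocation can be hundreds of kilometres off, and a VPN exit moves a legitimate user across the map instantly.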


Conclusion

Users should not be burdened with many separate authentication steps. If the second factor, something the user has, does not resist the active attacks described above, the better solution is to modify or replace that factor rather than to layer on complicated multi-factor authentication. This can be done in two ways: by using the mobile phone in a different way from the current OTP usage, or by replacing the factor something the user has with something the user is.

In the first approach the user's phone receives an authentication request as an alert message, which the user can accept or reject. This is secure only as long as the phone is in the legitimate user's hands to answer the prompt, and only if the user actually reads what is being approved; on its own it is therefore less secure and less convenient than it looks. The user can make it considerably safer by protecting the phone itself with a lock pattern, PIN or passcode, so that an attacker who steals the phone cannot unlock it and reach the app. Phones now offer an app for everything; it is up to the user to choose wisely, checking the reviews and the developer before installing one. (Cooperband 2015)

The second approach is a biometric device worn by the user. The device itself requests nearby resources and authenticates the user with no effort on his part. It validates the authorized user only while he is wearing it and does not identify him when it is removed. This is the most secure and most convenient method: even if an attacker wears the biometric device, he should not be validated as the authorized user, because the device is bound to the user's own inherence factors. (Cooperband 2015)

Two-factor authentication is not yet implemented globally by all users and enterprises, largely for lack of awareness of its benefits. Every enterprise should explain to its employees and other users why it matters for strong security. All organizations and users are recommended to implement two-factor authentication in one of the two approaches above to attain a high level of security.


References

Brainard, John, Ari Juels, Ronald L. Rivest, Michael Szydlo, and Moti Yung. Fourth-Factor Authentication: Somebody You Know. n.d.

Cooperband, Jared. "Two-factor Authentication." 2015.

Defender hardware tokens. n.d. http://software.dell.com/products/defender/hardwaretokens.aspx (accessed November 14, 2015).

Fadi Aloul, Syed Zahidi, and Wassim El-Hajj. Two Factor Authentication Using Mobile Phones. n.d.

Haller, N. The S/KEY One-Time Password System. 1995.

Haller, N., C. Metz, P. Nesser, and M. Straw. A One-Time Password System. 1998.

Hoyer, P. Portable Symmetric Key Container (PSKC). 2010.

M'Raihi, D., M. Bellare, F. Hoornaert, D. Naccache, and O. Ranen. HOTP: An HMAC-Based One-Time Password Algorithm. 2005.

M'Raihi, D., S. Machani, M. Pei, and J. Rydell. Time-Based One-Time Password Algorithm. 2011.

Matt, Rubin. "The Unreliability of MD5-based OTPs." 2013.

Matthew, Haughn. three-factor authentication (3FA) definition. n.d. http://searchsecurity.techtarget.com/definition/three-factor-authentication-3FA (accessed December 3, 2015).

Rouse, Margaret. Single-factor authentication (SFA) definition. n.d. http://searchsecurity.techtarget.com/definition/single-factor-authentication-SFA (accessed October 23, 2015).

—. "Authentication Definition." n.d. http://searchsecurity.techtarget.com/definition/authentication (accessed October 10, 2015).

—. "Key fob definition." n.d. http://searchsecurity.techtarget.com/definition/key-fob (accessed November 15, 2015).

—. multifactor authentication (MFA) definition. n.d. http://searchsecurity.techtarget.com/definition/multifactor-authentication-MFA (accessed December 2, 2015).

—. "Security Token." n.d. http://searchsecurity.techtarget.com/definition/security-token (accessed October 23, 2015).

Schneier, Bruce. Two-Factor Authentication: Too Little, Too Late. n.d.

Security Token card online demo. n.d. https://www.sc.com/sg/ways-to-bank/token-card-demo/main.html#/getting_started/intro (accessed November 14, 2015).

Sevilaja, Chris. The Ins and Outs of Token based authentication. 2015.

Shinder, Deb. Understanding and selecting authentication methods. n.d. http://www.techrepublic.com/article/understanding-and-selecting-authentication-method (accessed October 24, 2015).

Strom, David. "CA Strong Authentication | Multifactor authentication product overview." n.d. http://searchsecurity.techtarget.com/feature/Multifactor-authentication-products-CA-Strong-Authentication (accessed November 11, 2015).