A novel OTP based tripartite authentication scheme

Purpose: Because of the continued use of mobile, cloud and the internet of things, the possibility of data breaches is on the increase. A secure authentication and authorization strategy is a must for many of today’s applications. Authentication schemes based on knowledge and tokens, although widely used, lead to most security breaches. While providing various advantages, biometrics are also subject to security threats. Using multiple factors together for authentication provides more certainty about a user’s identity, leading to authentication that is more reliable, more effective and more difficult for an adversary to intrude on. This study aims to propose a novel, secure and highly stable multi-factor one-time password (OTP) authentication solution for mobile environments, which uses all three authentication factors for user authentication.

Design/methodology/approach: The proposed authentication scheme is implemented as a challenge-response authentication where three factors (username, device number and fingerprint) are used as a secret key between the client and the server. The scheme adopts application-based authentication and guarantees data confidentiality and improved security because biometrics are integrated with the other factors and the server sends the client a new challenge value each time for OTP generation.

Findings: The proposed authentication scheme is implemented on real Android-based mobile devices and tested on real users; experimental results show that the proposed authentication scheme attains improved performance. Furthermore, usability evaluation proves that the proposed authentication is effective, efficient and convenient for users in mobile environments.

Originality/value: The proposed authentication scheme can be adapted as an effective authentication scheme for accessing critical information using Android smartphones.
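The challenge-response exchange summarized in the abstract can be sketched as follows. This is an added example, not the paper's construction: the abstract does not give the key derivation or OTP function, so the SHA-256 key binding, the HMAC with RFC 4226-style truncation, the `Server` class and all names are assumptions, and the fingerprint is assumed to arrive as a stable digest released by the device's matcher (raw biometric readings are noisy and cannot be hashed directly).

```python
import hashlib
import hmac
import secrets
import struct


def derive_key(username: str, device_number: str, fingerprint_digest: bytes) -> bytes:
    """Bind the three factors into one 32-byte shared secret (assumed construction)."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    parts = [username.encode(), device_number.encode(), fingerprint_digest]
    material = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return hashlib.sha256(b"tripartite-otp-demo" + material).digest()


def otp_from_challenge(key: bytes, challenge: bytes, digits: int = 6) -> str:
    """HMAC the server challenge, then apply RFC 4226-style dynamic truncation."""
    mac = hmac.new(key, challenge, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Server:
    """Hypothetical server side: enrolls users, issues and checks challenges."""

    def __init__(self):
        self.keys = {}     # username -> enrolled shared key
        self.pending = {}  # username -> outstanding challenge

    def enroll(self, username, device_number, fingerprint_digest):
        self.keys[username] = derive_key(username, device_number, fingerprint_digest)

    def issue_challenge(self, username: str) -> bytes:
        challenge = secrets.token_bytes(16)  # fresh value for every login attempt
        self.pending[username] = challenge
        return challenge

    def verify(self, username: str, otp: str) -> bool:
        # Consume the challenge even on failure so an OTP can never be replayed.
        challenge = self.pending.pop(username, None)
        key = self.keys.get(username)
        if challenge is None or key is None:
            return False
        expected = otp_from_challenge(key, challenge)
        return hmac.compare_digest(expected.encode(), otp.encode())
```

Because the challenge is consumed on every verification attempt, a captured OTP is useless for replay, and a change in any one factor (for example a different device number) yields a different key.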
