A Novel QR Code and mobile phone based Authentication protocol via Bluetooth

Password-based authentication schemes are widely used in daily life when we log into websites. However, these simple methods have a variety of problems, including susceptibility to unintentional exposure via phishing and cross-site password reuse. We present a novel mobile phone based authentication scheme, which is intended to provide greater security and usability than traditional two-factor authentication protocols. It involves four parties: the user, the mobile phone, the current computer and the remote server. First, the user's personal device, the mobile phone, stores the key token by scanning a QR code, which is sent from the server after the user completes the registration phase. Secondly, the current computer can use the Bluetooth device address registered with the remote server to launch a connection request, after which it can communicate with the mobile phone via Bluetooth. Thirdly, when the user wants to log into a website, the server transmits an OTP (one-time password) to the user's mobile phone through the current computer in order to verify the user. Finally, our scheme achieves mutual authentication via Bluetooth. Our scheme requires only low computation. To meet users' requirements, our scheme lets legitimate users request a change of the bound phone via the email address registered during the registration phase. After a usability and security analysis, we can demonstrate that the new scheme is suited to complicated network environments.