OTPaaS—One Time Password as a Service

Conventional password-based authentication is increasingly considered inadequate by users, as many online services have come to depend on each other: online credentials are used to recover other credentials, and complex attacks are directed at the weakest of these many credentials. As researchers look for new authentication techniques, one-time passwords, a two-factor authentication scheme, look like a natural enhancement over conventional username/password schemes. This manuscript places the OTP verifier in the cloud to ease adoption by cloud service providers. When the OTP verifier is offered in the cloud as a service, other cloud service providers can outsource their OTP deployments, and cloud users can activate their account at the OTP provider for several cloud services. This lets them use several cloud services without the burden of managing a separate OTP account for each one. In addition, OTP service provision saves inexperienced small to medium enterprises the extra cost of OTP provisioning hardware, software, and employees. The paper outlines an architecture for building a secure, privacy-friendly, and sound OTP provider in the cloud to which the second factor of authentication is outsourced. The cloud user's registration with the OTP provider, service provider activation, and the authentication phase are examined. The security and privacy considerations of the proposed architecture are defined and analyzed. Attacks from outsiders, unlinkability of user profiles, and attacks from curious service providers or OTP verifiers are addressed within the given assumptions. The analysis shows the proposed solution, which locates the OTP provider in the cloud, to be robust and sound.
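The registration, activation and authentication phases and the unlinkability property described above, as an added illustration that is not the paper's own protocol: the code construction follows RFC 4226 (HOTP) and RFC 6238 (TOTP), while the class, method and field names and the per-service pseudonym scheme are assumptions made here.

```python
# Added illustration, not the paper's protocol: an OTP provider that holds the
# users' seeds, gives each service provider (SP) its own pseudonym for a user,
# and verifies RFC 4226/6238 codes on the SP's behalf. Names are hypothetical.
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


class OtpProvider:
    """Cloud OTP verifier; SPs never see seeds or a global user identifier."""

    def __init__(self) -> None:
        self._seeds = {}                          # user_id -> OTP seed
        self._link_key = secrets.token_bytes(32)  # pseudonym key, provider-only
        self._activations = {}                    # (sp_id, pseudonym) -> user_id

    def register_user(self, user_id: str) -> bytes:
        """Registration phase: issue the seed the user loads into a token."""
        seed = secrets.token_bytes(20)
        self._seeds[user_id] = seed
        return seed

    def activate(self, user_id: str, sp_id: str) -> str:
        """Activation phase: per-SP pseudonym; SPs cannot link them without the key."""
        tag = hmac.new(self._link_key, f"{user_id}|{sp_id}".encode(), hashlib.sha256)
        pseudonym = tag.hexdigest()[:16]
        self._activations[(sp_id, pseudonym)] = user_id
        return pseudonym

    def verify(self, sp_id: str, pseudonym: str, code: str, now: int,
               skew_steps: int = 1) -> bool:
        """Authentication phase: SP forwards (pseudonym, code); check +/- skew steps."""
        user_id = self._activations.get((sp_id, pseudonym))
        if user_id is None:
            return False
        seed = self._seeds[user_id]
        return any(hmac.compare_digest(code, totp(seed, now + 30 * d))
                   for d in range(-skew_steps, skew_steps + 1))
```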
