SECURING E-GOVERNMENT WEB
PORTAL ACCESS USING ENHANCED
AUTHENTICATION SYSTEM
Thesis submitted in partial
fulfillment of the requirements for
the degree of Master of Science in
Information Technology
Engineering.
The Libyan Academy
School of Engineering and Applied Science
Department of Electrical and Computer
Engineering
Division of Information Technology
By: Hamdi Ahmed Jaber
Under Supervision of: Dr. Elbahlul Fgee
The thesis proposes an advanced authentication solution that
enhances the security of authenticating the users of the
e-government web portal and avoids the drawbacks of two-factor
authentication systems that have not been covered in
previous studies.
Introduction
User ID and password is the most commonly used
authentication mechanism.
• There are many shortcomings of a password authentication
mechanism
• Passwords are at the edge of breaking down, especially in
the web environments.
• It is not secure enough for huge sensitive systems like e-
government, banking and online payment systems.
Two-factor authentication is an approach for
authentication that requires the presentation of two or
more of the three authentication factors:
• a knowledge factor (something only the user knows)
• a possession factor (something only the user has)
• an inherence factor (something only the user is).
After presentation of the first factor, the other party for
authentication will be required to validate user identity.
Something a user:
Knows            | Has                | Is
Password         | Smart card         | Fingerprints
PIN              | Cryptographic key  | Retina
Secret question  | USB token          | Iris
                 | SIM card           | Face
                 | OTP Generator      | Hand geometry
Problem statement:
Armor the e-government web portal with a two-factor
authentication system that avoids the following drawbacks of TFA:
• Cryptographic attacks: These attacks directly target the cryptographic algorithms.
• Untrustworthy interface - phishing: Trojans, viruses and key logging
• Theft/loss of the authentication token
• Man-in-the-middle attacks
• Eavesdropping: The communication between two contactless devices can be eavesdropped from a certain distance.
Motivation
• Provide shielding for the e-government web portal and its users from known security attacks that try to gain access to their accounts
• Provide a strong, secure e-government web portal authentication system that avoids the drawbacks of traditional two-factor authentication methods
• Obtain a higher authentication security guarantee than when using a static password only or traditional two-factor authentication technologies
Proposed Solution
This thesis proposes an advanced
authentication system that has high security and decreases
the risk of illegal access to the e-government web portal
by using a multi-step authentication system that involves
two authentication factors:
a. Something only the account owner (user) knows
b. Something only the account owner (user) has or gets
It also provides a specially designed image-based
authentication step as an added layer of security to resist
illegal authentication threats.
Internet portals general security needs
• Authentication: Process of verifying that the user is
who he says he is.
• Authorization: Process of verifying that the user has the
rights to do what he is trying to do.
• Confidentiality: Capability to prevent unauthorized
access to information
• Integrity: Capability to prevent unauthorized
modification of the data
• Traceability: Capability to log every transaction details
for auditing
Note: This thesis is about securing the authentication
process.
Web portal authentication security threats
• Replay attack
• Session hijacking
• Phishing
• Man-in-the-middle
• Insider attacks
• Malware
• Password discovery attacks
• Shoulder surfing
• Social engineering attacks
Two-factor authentication success
criteria
• Customer acceptance
• Token management difficulty
• Credential replacement
• System costs
Also, tamper evidence, detection and response play
an important role in the security of authentication
methods. The solution will provide strong detection of,
and response to, any illegal attempt to access the system.
Authentication technologies
• Shared secret
• Digital certificate
• One-Time Password (OTP)
• Tokens with display (disconnected tokens)
• Connected tokens
• Magnetic stripe cards
• Software tokens
• Mobile phones
• Biometrics
• Image based authentication
Methods that use mobile phones
• One time password via SMS
• One time password via phone calls
• Mobile application/software token
• Push notification
• Mobile signature
Targeted Solution
An advanced multi-step two-factor authentication system
that prevents or reduces unauthorized access to the system
even when the attacker has the correct login
credentials (ID/password) and can overcome the second
authentication factor.
The solution will be usable with the e-government web portal
and can be distributed among the public users of such a
huge system. It should be affordable and easy to implement
and use for ordinary people.
Thesis gathered data from:
• Tests of methods that are widely used in Two-
factor authentication systems
• Online survey
• Previous studies
• Technical comparisons and trade-offs
• Designed solution implementation
Required criteria for e-government web
portal TFA system
• Ease of distribution to the public
• Cost effectiveness
• Usability
• Strength of delivery
• Authentication process time
Compared second factor authentication
methods:
• Disconnected hardware token
• Connected hardware token
• Short messaging system (SMS)
• Mobile phone software token
• Smartphone push notification
• E-mail message
• Biometric (Finger print)
• Biometric (Iris recognition)
Tested authentication methods:
• Mobile phone software token
• Short messaging system (SMS)
• Smartphone push notification
• E-mail message
Technical aspects: Cost effectiveness for the
system owner and system users
• Implementation cost
• Token issuance cost
• Maintenance cost
• Token replacement cost
Technical aspects: cost effectiveness for the
system owner
Technical aspects: cost effectiveness for the
system users
Technical aspects: Outcome cost effectiveness
for the system owner and system users
Technical aspects: Usability attributes per
ISO 9241-11
• Effectiveness: The users can do the tasks
without making mistakes
• Efficiency: The users can complete the tasks
in a reasonable time and effort
• Satisfaction: The user finds the product to be
effective and efficient
Technical aspects: Two-factor authentication
usability criteria
• Need of special end user hardware token
• Need of special end user reader
• Need of special software/driver
• Need of end user training/special instructions
• Need of configuration by the end user
• End user ability to edit configuration
• Access the portal without PC (Only with smart
phone)
• Token mobility with the end user
• Loss portability
Technical aspects: Total usability value of the
eight suggested methods (Higher is better)
Online survey
An online digital survey was created and distributed to the public
via the web to gain information from a random sample of people
and collect the information that helps in
identifying the importance, acceptance and most-liked
methods that a normal person may prefer to use as a
second authentication method for the e-government web portal.
Online survey: participants age range
Age range           | Persons participated
18 – 25 years       | 39
26 – 33 years       | 54
34 – 40 years       | 48
41 – 48 years       | 21
49 – 56 years       | 9
57 – 64 years       | 3
More than 64 years  | 0
Total               | 174
Online survey: participants qualification
Qualification            | Persons participated
Below average education  | 2
Average education        | 7
High school              | 53
High diploma             | 44
Bachelor degree          | 65
Graduate studies         | 3
Total                    | 174
Online survey: participants daily internet usage
Internet usage        | Persons participated
Less than 30 minutes  | 27
30 minutes – 1 hour   | 31
1 hour – 2 hours      | 21
2 hours – 4 hours     | 38
More than 4 hours     | 57
Total                 | 174
Online survey: participants preferred second
factor authentication method
Method                       | Participant votes
Biometric (Finger print)     | 135
Mobile Phone SMS             | 112
Mobile Phone Software token  | 105
Biometric (Eye retina)       | 90
Mobile Phone Push            | 67
E-mail Message               | 59
Connected Hardware Token     | 43
Disconnected Hardware Token  | 24
Online survey: Other results
• 33% of the participants (58 persons) use internet services that handle confidential data or run sensitive transactions
• 54% of the participants (94 persons) were willing to carry an additional hardware token
• 42% of the participants (73 persons) were willing to buy additional hardware to scan biometrics, while 58% (101 persons) were not.
• 37% (65 persons) were willing to install additional software or drivers on their personal computers or smart phones to gain access to the e-government web portal
• 99% (172 persons) said they need to access the e-government web portal from their smart phones or tablet PCs
Two-factor authentication methods test
The services of two cloud TFA service providers were tested
at two different geographic locations in Libya (Tripoli city
and Benghazi city) during the preparation of this thesis.
The test output was used to verify the
difference between the suggested TFA methods and
to help choose the best one for the e-government web
portal.
The methods tested are:
• Mobile phone software token
• Short messaging system (SMS)
• Smartphone push notification
• E-mail message
Test results - Software token
Strength of delivery and Time of process:
• The software token is a previously installed
and configured software on a smart phone
• It has a high strength of delivery and zero
time of process as it is working in the
background in the smart phone
• It generates a new OTP every 60 seconds that
can be used any time just after opening the
software token application.
• The drawback of this method comes from the
need for a smart phone. If the user has a
normal old-fashioned mobile phone, he
simply cannot use the software token
Test results - Mobile phone SMS
Strength of delivery:
Test results - Mobile phone SMS
Time of process:
Test results - Mobile phone SMS
The strength of the mobile phone SMS
method comes from the fact that almost
everyone uses mobile phone services,
and this method can work on any mobile
network and any mobile phone device from
second generation to fourth generation
without any need for an internet connection,
special software or even a smart phone.
The drawback is that it does not work if there is no
mobile phone service in the area the user is trying
to log in from.
Test results - Mobile push
Strength of delivery:
• Mobile push has optimum strength of
delivery without any loss in the process.
• The drawback of the mobile push method is that it
does not work if the user does not have a
wireless internet connection or mobile
broadband
• Also, like the software token, it is originally a
mobile application that has to be installed
and configured beforehand on the smart
phone
Test results - Mobile push
Time of process:
Test results - E-mail message
Strength of delivery of the e-mail system is very
high unless the received e-mail is considered spam
by the e-mail system the user is using.
Test results - E-mail message
Note: Biometrics and hardware tokens have a very good strength
of delivery and low process time, but they have other drawbacks in
usability, cost and other discussed requirements when
implementing two-factor authentication with the e-government web
portal.
Proposed authentication system
• This thesis proposes a solution that uses strong
multi-step two-factor authentication by utilizing
mobile phone SMS technology.
• Turning a phone into an authentication device
quickly removes the need for, and the additional cost and
delays of, sending out hardware tokens.
• The mobile phone SMS is used to send a randomly
generated time-based One-Time-Password as a
second authentication factor
• A generation algorithm on the authentication server
generates the OTP, and a mobile SMS gateway service
delivers it to the user.
Proposed authentication system
Besides the one-time password, the system sends the
following information in the SMS:
• Session ID (each login attempt has its own session
ID with its own assigned OTP)
• Login request time
• Login request location (the system determines it from the
IP address)
• Browser type
• Operating system platform
These details are sent to make sure that the user is
aware of the login he or she is verifying. This is vital
to avoid any possibility of man-in-the-middle and
real-time phishing/pharming attacks
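The OTP step described on the two slides above, as an added example that is not code from the thesis: a random code is bound to one login session, the SMS text carries the session details, and verification enforces expiry, single use and an attempt limit. The class and field names, the 6-digit length, the 120-second validity, the three-attempt limit and the sample values are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

OTP_DIGITS = 6                     # assumption: the slides give no OTP length
OTP_TTL = timedelta(seconds=120)   # assumption: validity window of a code
MAX_ATTEMPTS = 3                   # assumption: guesses allowed per session


@dataclass
class LoginSession:
    session_id: str
    requested_at: datetime
    location: str      # resolved from the client IP address by the portal
    browser: str
    platform: str
    otp_tag: bytes = b""
    attempts: int = 0
    used: bool = False


class OtpService:
    """In-memory sketch; a real portal would keep sessions in server-side storage."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # server-side secret for stored tags
        self._sessions = {}

    def _tag(self, session_id, otp):
        # The stored value covers the session ID as well as the code, so a code
        # is only ever valid for the login attempt it was issued for.
        return hmac.new(self._key, f"{session_id}:{otp}".encode(), hashlib.sha256).digest()

    def issue(self, location, browser, platform, now):
        """Open a login session and return (session, sms_text)."""
        session = LoginSession(secrets.token_hex(4).upper(), now, location, browser, platform)
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        session.otp_tag = self._tag(session.session_id, otp)
        self._sessions[session.session_id] = session
        sms = (
            f"Portal login code: {otp}\n"
            f"Session: {session.session_id}\n"
            f"Time: {now:%Y-%m-%d %H:%M:%S} UTC\n"
            f"Location: {location}\n"
            f"Browser: {browser}\n"
            f"OS: {platform}\n"
            "If these details are not yours, do not enter the code."
        )
        return session, sms

    def verify(self, session_id, otp, now):
        """Return 'ok' or the reason the code was rejected."""
        session = self._sessions.get(session_id)
        if session is None:
            return "unknown-session"
        if session.used:
            return "already-used"          # a captured code cannot be replayed
        if now - session.requested_at > OTP_TTL:
            return "expired"
        if session.attempts >= MAX_ATTEMPTS:
            return "locked"                # bounds guessing of a short code
        session.attempts += 1
        if hmac.compare_digest(session.otp_tag, self._tag(session_id, otp)):
            session.used = True
            return "ok"
        return "wrong-code"


if __name__ == "__main__":
    # Constructed sample login request.
    service = OtpService()
    start = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    login, text = service.issue("Tripoli, LY", "Firefox", "Windows", start)
    print(text)
    code = text.splitlines()[0].split(": ")[1]
    print(service.verify(login.session_id, code, start + timedelta(seconds=30)))
```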
Proposed authentication system
• The suggested solution uses the Libyan
government national ID, a unique number
assigned to each Libyan citizen that never changes
during his life, together with a password to initiate the login
process.
• To protect users from key-logging and similar
attacks, the password can be entered only with the
portal’s built-in on-screen keyboard
Proposed authentication system
In the final process step, the system uses an image-
based authentication technology that:
• Displays 12 pictures from 12 different categories
(National, ancients, desert, animals, flowers, cars,
electronics, furniture, buildings, tools, people and
food).
• The user should select a photo that belongs to the
category that was assigned to his account during
account creation.
This step adds an additional layer of protection to the
authentication process against attacks that may happen
after the attacker has stolen the mobile device and
compromised the password.
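One way to build and check the image step above on the server, as an added example that is not code from the thesis. The browser only ever sees a fresh opaque token per tile, so file names or URLs cannot reveal a picture's category, and each challenge accepts a single answer. The class, the method names and the image IDs are hypothetical.

```python
import secrets

# The 12 categories named on the slide.
CATEGORIES = ["national", "ancients", "desert", "animals", "flowers", "cars",
              "electronics", "furniture", "buildings", "tools", "people", "food"]

# Constructed library: hypothetical server-side image IDs, three per category.
LIBRARY = {c: [f"{c}-{n}" for n in range(1, 4)] for c in CATEGORIES}


class ImageChallenge:
    def __init__(self):
        self._rng = secrets.SystemRandom()
        self._pending = {}   # session_id -> {token: (category, image_id)}

    def build(self, session_id):
        """Pick one random picture per category; return 12 shuffled opaque tokens."""
        tiles = {}
        for category in CATEGORIES:
            image_id = self._rng.choice(LIBRARY[category])
            tiles[secrets.token_urlsafe(8)] = (category, image_id)
        tokens = list(tiles)
        self._rng.shuffle(tokens)          # position must not hint at category
        self._pending[session_id] = tiles
        return tokens

    def image_for(self, session_id, token):
        """Server-side lookup used when the browser requests a tile by its token."""
        return self._pending[session_id][token][1]

    def check(self, session_id, token, account_category):
        """One answer per challenge: the challenge is discarded whatever the result."""
        tiles = self._pending.pop(session_id, None)
        if tiles is None or token not in tiles:
            return False
        return tiles[token][0] == account_category


if __name__ == "__main__":
    # Constructed account whose enrolled category is "desert".
    challenge = ImageChallenge()
    shown = challenge.build("S1")
    pick = next(t for t in shown if challenge.image_for("S1", t).startswith("desert-"))
    print(challenge.check("S1", pick, "desert"))
```

A blind guess succeeds with probability 1 in 12 per challenge, so this step needs the same attempt limit as the OTP step.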
Proposed authentication system
The details of every successful and failed login attempt are sent
to the account owner's default mobile phone via SMS and to the
default e-mail address. These details are the same as those in
the first message, with the status of the login (succeeded
or failed) added.
This confirmatory feedback feature helps in
detecting tampering and illegal login attempts. This will
allow the account owner to take the required action or
actions and report such an incident quickly to the
e-government authority.
Proposed alternative authentication method to
be used as a backup
Any good system should have a high level of
usability, minimum administration effort and, of
course, a good plan for emergencies
• A procedure containing a few steps should be
implemented to recover a forgotten password
without any interaction from the system
administrators
• The e-mail service will be used to deliver the OTP in case
the user has lost his mobile phone through theft or damage, or
simply cannot reach it. He should follow another
procedure to receive the OTP via the e-mail service
Proposed authentication system: login steps
Step 1: Initial login step
Step 2: Choosing mobile number to receive OTP
Step 3: Receiving SMS message containing OTP and login session details
Step 4: Entering the received one-time password
Step 5: Image based authentication step
Step 6: Successful login to the system
Final confirmatory feedback SMS message (Traceability)
Results summary
The proposed solution protects e-government web
portal access from security threats using a strong multi-step
two-factor authentication system that:
• Provides strong multi-step two-factor authentication using the National ID and a password that can be entered only with the portal’s built-in on-screen keyboard
• Uses a one-time password that the system generates and sends via SMS or e-mail (including login session ID, login request time, login request location, and browser and OS details)
• Uses an image-based authentication step built on image category recognition.
• Communicates over mutually authenticated, SHA-2 256-bit Transport Layer Security (TLS) encrypted channels between client and server
• Avoids the known drawbacks of two-factor authentication systems
• Provides cost-effective, user-friendly and highly secure authentication.
• Uses the mobile phone SMS as the user’s second authentication token.
• Uses the e-mail system as a backup second authentication token.
• Is easy to use for any regular user, with no additional hardware or special training.
• Is easy to deploy for a large enterprise
• Does not rely on username-and-password-only authentication, which is no longer secure in such an enterprise system.
Results summary
Security limitations that are solved by the proposed
solution
It overcomes the security limitations of traditional two-
factor authentication systems and vulnerabilities of
mobile devices like:
• Untrustworthy interface
• Theft/loss of the device
• Man-in-the-middle attacks
• Cryptographic attacks
• Eavesdropping
Human vulnerability factors like a compromised
password are also covered by the proposed solution.
Mobile phone SMS two-factor authentication
limitations the proposed solution overcomes
Implement the e-mail message as a backup two-factor
authentication method when:
• The GSM gateway service provider’s servers are down and cannot send the OTP to the user even though he is a genuine user.
• The user’s mobile network service provider terminates the connection due to a delay in bill payments
• The user is in an area with poor network signal.
• The user's mobile phone device has been stolen
Thesis conclusion
This thesis develops an authentication mechanism for the
Libyan e-government web portal that combines the
strengths of three popular authentication approaches:
multilevel, multi-channel, and multi-factor. These three
authentication approaches were merged to form an
authentication mechanism that can highly protect
e-government user accounts from illegal authentication.
It also protects against the use of compromised account
credentials.
Thesis conclusion
Research objectives:
• Objective 1: Review the most commonly used
authentication classes, authentication mechanisms, and
authentication attacks.
• Objective 2: Review the usability and acceptability
aspects of authentication mechanisms and the evaluation
techniques used to decide on a highly secure and easy-to-use
two-factor authentication solution for the Libyan e-government
portal.
Thesis conclusion
Research objectives:
• Objective 3: With respect to e-government web portal
needs, discuss the currently used authentication
mechanisms and identify their weaknesses, showing how
they fail to protect customer accounts against different
attacks identified in objective 1.
• Objective 4: Propose an authentication solution that
addresses the security and usability problems identified
and listed in objective 2. Theoretically evaluate the
security of this solution and identify all features needed
for implementation.
Thesis conclusion
Research contribution:
The contribution is proposing a new multi-step, multi-
channel two-factor authentication system that:
• Increases security while maintaining the usability of Libyan
e-government web portal authentication.
• Utilizes a backup authentication mechanism
• Other features and guidelines were included to
complement and facilitate the actual implementation of
the proposed authentication solution.
Thesis conclusion
Future Work
• More usable channels: Other possible usable
communication channels can also be used to support
two-factor authentication. This includes, but is not limited
to, chat software.
• Two-factor authentication for disabled people:
Disabled users might find it difficult to utilize
two-factor authentication for their e-government
transactions.
Final Word
The proposed authentication system protects Libyan
e-government web portal user accounts from authentication
attacks that other two-factor authentication mechanisms
fail to address. It improves security while maintaining
usability.
The guidelines and recommendations provided in this
thesis can be used to implement a stronger,
more secure and usable authentication system for the
Libyan e-government web portal.
ADDITIONAL READING AVAILABLE IN
THE THESIS BOOK
• Detailed technical aspects
• Online survey
• Tests
• Solution Implementation
• User account creation and first
login steps and flowcharts
• Normal login steps and flowcharts
• Emergency user account login steps
and flowcharts
• References (35)
THANK YOU

Network security for E-CommerceNetwork security for E-Commerce
Network security for E-CommerceHem Pokhrel
 
Embracing secure, scalable BYOD with Sencha and Centrify
Embracing secure, scalable BYOD with Sencha and CentrifyEmbracing secure, scalable BYOD with Sencha and Centrify
Embracing secure, scalable BYOD with Sencha and CentrifySumana Mehta
 
Unit-4-User-Authentication.pptx
Unit-4-User-Authentication.pptxUnit-4-User-Authentication.pptx
Unit-4-User-Authentication.pptxPuskar Bhandari
 
Information and network security 47 authentication applications
Information and network security 47 authentication applicationsInformation and network security 47 authentication applications
Information and network security 47 authentication applicationsVaibhav Khanna
 
Blockchain-Based Voting System.pptx
Blockchain-Based Voting System.pptxBlockchain-Based Voting System.pptx
Blockchain-Based Voting System.pptxssuser561dc11
 
Un enfoque práctico para implementar confianza cero en el trabajo híbrido
Un enfoque práctico para implementar confianza cero en el trabajo híbridoUn enfoque práctico para implementar confianza cero en el trabajo híbrido
Un enfoque práctico para implementar confianza cero en el trabajo híbridoCristian Garcia G.
 
COLLEGE ONLINE ELECTION SYSTEM
COLLEGE ONLINE ELECTION SYSTEMCOLLEGE ONLINE ELECTION SYSTEM
COLLEGE ONLINE ELECTION SYSTEMIRJET Journal
 

Similar to Secure E-Government Authentication (20)

eDem&eGov 2014
eDem&eGov 2014eDem&eGov 2014
eDem&eGov 2014
 
BLOCKCHAIN BASED voting system-an evoting.pptx
BLOCKCHAIN BASED voting system-an evoting.pptxBLOCKCHAIN BASED voting system-an evoting.pptx
BLOCKCHAIN BASED voting system-an evoting.pptx
 
ONLINE VOTING SYSTEM.PPT.pptx
ONLINE VOTING SYSTEM.PPT.pptxONLINE VOTING SYSTEM.PPT.pptx
ONLINE VOTING SYSTEM.PPT.pptx
 
Bhdhdd ududbdudbdbjdudbsbjsVotinghh hu ushsvsis system.pdf
Bhdhdd ududbdudbdbjdudbsbjsVotinghh hu ushsvsis system.pdfBhdhdd ududbdudbdbjdudbsbjsVotinghh hu ushsvsis system.pdf
Bhdhdd ududbdudbdbjdudbsbjsVotinghh hu ushsvsis system.pdf
 
online E-voting system
online E-voting systemonline E-voting system
online E-voting system
 
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
 Webinar: Beyond Two-Factor: Secure Access Control for Office 365 Webinar: Beyond Two-Factor: Secure Access Control for Office 365
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
 
Secure e voting system
Secure e voting systemSecure e voting system
Secure e voting system
 
Eds user authenticationuser authentication methods
Eds user authenticationuser authentication methodsEds user authenticationuser authentication methods
Eds user authenticationuser authentication methods
 
Presentation of smart voting system.pptx
Presentation of smart voting system.pptxPresentation of smart voting system.pptx
Presentation of smart voting system.pptx
 
Access-control-system
Access-control-systemAccess-control-system
Access-control-system
 
Protecting Your Business from Unauthorized IBM i Access
Protecting Your Business from Unauthorized IBM i AccessProtecting Your Business from Unauthorized IBM i Access
Protecting Your Business from Unauthorized IBM i Access
 
Network security for E-Commerce
Network security for E-CommerceNetwork security for E-Commerce
Network security for E-Commerce
 
Embracing secure, scalable BYOD with Sencha and Centrify
Embracing secure, scalable BYOD with Sencha and CentrifyEmbracing secure, scalable BYOD with Sencha and Centrify
Embracing secure, scalable BYOD with Sencha and Centrify
 
Unit-4-User-Authentication.pptx
Unit-4-User-Authentication.pptxUnit-4-User-Authentication.pptx
Unit-4-User-Authentication.pptx
 
Context Based Authentication
Context Based AuthenticationContext Based Authentication
Context Based Authentication
 
Information and network security 47 authentication applications
Information and network security 47 authentication applicationsInformation and network security 47 authentication applications
Information and network security 47 authentication applications
 
Blockchain-Based Voting System.pptx
Blockchain-Based Voting System.pptxBlockchain-Based Voting System.pptx
Blockchain-Based Voting System.pptx
 
BEST CYBER SECURITY PRACTICES
BEST CYBER SECURITY PRACTICESBEST CYBER SECURITY PRACTICES
BEST CYBER SECURITY PRACTICES
 
Un enfoque práctico para implementar confianza cero en el trabajo híbrido
Un enfoque práctico para implementar confianza cero en el trabajo híbridoUn enfoque práctico para implementar confianza cero en el trabajo híbrido
Un enfoque práctico para implementar confianza cero en el trabajo híbrido
 
COLLEGE ONLINE ELECTION SYSTEM
COLLEGE ONLINE ELECTION SYSTEMCOLLEGE ONLINE ELECTION SYSTEM
COLLEGE ONLINE ELECTION SYSTEM
 

Secure E-Government Authentication

  • 1. SECURING E-GOVERNMENT WEB PORTAL ACCESS USING ENHANCED AUTHENTICATION SYSTEM. Thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in Information Technology Engineering. The Libyan Academy, School of Engineering and Applied Science, Department of Electrical and Computer Engineering, Division of Information Technology. By: Hamdi Ahmed Jaber. Under Supervision of: Dr. Elbahlul Fgee.
  • 2. Introduction: The thesis proposes an advanced authentication solution that enhances the security of authenticating the users of the e-government web portal and avoids the drawbacks of two-factor authentication systems that have not been covered in previous studies.
  • 3. User ID and password is the most commonly used authentication mechanism. • There are many shortcomings of a password authentication mechanism • Passwords are at the edge of breaking down, especially in web environments. • It is not secure enough for huge sensitive systems like e-government, banking and online payment systems.
  • 4. Two-factor authentication is an approach for authentication that requires the presentation of two or more of the three authentication factors: • a knowledge factor (something only the user knows) • a possession factor (something only the user has) • an inherence factor (something only the user is). After presentation of the first factor, the other party for authentication will be required to validate user identity.
      Something a user:
      Knows | Has | Is
      Password | Smart card | Fingerprints
      PIN | Cryptographic key | Retina
      Secret question | USB token | Iris
      - | SIM card | Face
      - | OTP Generator | Hand geometry
  • 5. Problem statement: Armor the e-government web portal with a two-factor authentication system that avoids the following drawbacks of TFA: • Cryptographic attacks: These attacks directly target the cryptographic algorithms. • Untrustworthy interface - phishing: Trojans, viruses and key logging • Theft/loss of the authentication token • Man-in-the-middle attacks • Eavesdropping: The communication between two contactless devices can be eavesdropped from a certain distance.
  • 6. Motivation • Provide shielding for the e-government web portal and its users from known security attacks that try to gain access to their accounts • Provide a strong, secure e-government web portal authentication system that avoids the drawbacks of traditional two-factor authentication methods • Obtain a higher authentication security guarantee than when using a static password only or traditional two-factor authentication technologies
  • 7. Proposed Solution: This thesis proposes an advanced authentication system that has high security and decreases the risk of illegal access to the e-government web portal by using a multi-step authentication system that involves two authentication factors: a. Something only the account owner (user) knows b. Something only the account owner (user) has or gets. It will also provide a specially designed image-based authentication step as an added layer of security to resist illegal authentication threats.
  • 8. Internet portals general security needs • Authentication: Process of verifying that the user is who he says he is. • Authorization: Process of verifying that the user has the rights to do what he is trying to do. • Confidentiality: Capability to prevent unauthorized access to information • Integrity: Capability to prevent unauthorized modification of the data • Traceability: Capability to log every transaction's details for auditing. Note: This thesis is about securing the authentication process.
  • 9. Web portals authentication security threats: 1. Replay attack 2. Session hijacking 3. Phishing 4. Man-in-the-middle 5. Insider attacks 6. Malware 7. Password discovery attacks 8. Shoulder surfing 9. Social engineering attacks
  • 10. Two-factor authentication success criteria • Customer acceptance • Token management difficulty • Credential replacement • System costs. Also, tamper evidence, detection and response play an important role in the security of authentication methods. The solution will provide strong detection of, and response to, any illegal attempt to access the system.
  • 11. Authentication technologies: 1. Shared secret 2. Digital certificate 3. One-Time Password (OTP) 4. Tokens with display (disconnected tokens) 5. Connected tokens 6. Magnetic stripe cards 7. Software tokens 8. Mobile phones 9. Biometrics 10. Image based authentication
  • 12. Methods using mobile phones: 1. One-time password via SMS 2. One-time password via phone calls 3. Mobile application/software token 4. Push notification 5. Mobile signature
  • 13. Targeted Solution: An advanced multi-step two-factor authentication system that prevents unauthorized access to the system, and reduces it even when the attacker has the correct login credentials (ID/password) and can overcome the second authentication factor. The solution will be usable with the e-government web portal and can be distributed among the public users of such a huge system. It is affordable and easy to implement and use for ordinary people.
  • 14. Thesis gathered data from: • Tests of methods that are widely used in two-factor authentication systems • Online survey • Previous studies • Technical comparisons and trade-offs • Designed solution implementation
  • 15. Required criteria for e-government web portal TFA system • Ease of distribution to the public • Cost effectiveness • Usability • Strength of delivery • Authentication process time
  • 16. Compared second factor authentication methods: • Disconnected hardware token • Connected hardware token • Short messaging system (SMS) • Mobile phone software token • Smartphone push notification • E-mail message • Biometric (Fingerprint) • Biometric (Iris recognition)
  • 17. Tested authentication methods: • Mobile phone software token • Short messaging system (SMS) • Smartphone push notification • E-mail message
  • 18. Technical aspects: Cost effectiveness for the system owner and system users • Implementation cost • Token issuance cost • Maintenance cost • Token replacement cost
  • 19. Technical aspects: cost effectiveness for the system owner
  • 20. Technical aspects: cost effectiveness for the system users
  • 21. Technical aspects: Outcome cost effectiveness for the system owner and system users
  • 22. Technical aspects: Usability attributes per ISO 9241-11 • Effectiveness: The users can do the tasks without making mistakes • Efficiency: The users can complete the tasks in a reasonable time and effort • Satisfaction: The user finds the product to be effective and efficient
  • 23. Technical aspects: Two-factor authentication usability criteria • Need of special end user hardware token • Need of special end user reader • Need of special software/driver • Need of end user training/special instructions • Need of configuration by the end user • End user ability to edit configuration • Access the portal without PC (only with smart phone) • Token mobility with the end user • Loss portability
  • 24. Technical aspects: Total usability value of the eight suggested methods (Higher is better)
  • 25. Online survey: An online digital survey was created and distributed to the public via the web to gain information from a random sample of people and collect the information that helps identify the importance, acceptance and most-liked methods that a normal person may prefer to use as a second authentication method for the e-government web portal.
  • 26. Online survey: participants' age range
      Age range | Persons participated
      18 – 25 years | 39
      26 – 33 years | 54
      34 – 40 years | 48
      41 – 48 years | 21
      49 – 56 years | 9
      57 – 64 years | 3
      More than 64 years | 0
      Total | 174
  • 27. Online survey: participants' qualification
      Qualification | Persons participated
      Below average education | 2
      Average education | 7
      High school | 53
      High diploma | 44
      Bachelor degree | 65
      Graduate studies | 3
      Total | 174
  • 28. Online survey: participants' daily internet usage
      Internet usage | Persons participated
      Less than 30 minutes | 27
      30 minutes – 1 hour | 31
      1 hour – 2 hours | 21
      2 hours – 4 hours | 38
      More than 4 hours | 57
      Total | 174
  • 29. Online survey: participants' preferred second factor authentication method
      Method | Participant votes
      Biometric (Fingerprint) | 135
      Mobile Phone SMS | 112
      Mobile Phone Software token | 105
      Biometric (Eye retina) | 90
      Mobile Phone Push | 67
      E-mail Message | 59
      Connected Hardware Token | 43
      Disconnected Hardware Token | 24
  • 30. Online survey: Other results • 33% of the participants (58 persons) are using internet services that use confidential data or run sensitive transactions • 54% of the participants (94 persons) welcomed carrying an additional hardware token • 42% of the participants (73 persons) welcomed buying additional hardware to scan biometrics, while 58% (101 persons) did not. • 37% (65 persons) welcomed installing additional software or drivers on their personal computers or smart phones to gain access to the e-government web portal • 99% (172 persons) said they need to access the e-government web portal from their smart phones or tablet PCs
  • 31. Two-factor authentication methods test: The services of two cloud TFA service providers were tested from two different geographic locations in Libya (Tripoli city and Benghazi city) during the preparation of this thesis, to use the test output to verify the difference between the suggested TFA methods and help choose the best one for the e-government web portal. The methods tested are: • Mobile phone software token • Short messaging system (SMS) • Smartphone push notification • E-mail message
  • 32. Test results - Software token. Strength of delivery and time of process: • The software token is software previously installed and configured on a smart phone • It has a high strength of delivery and zero time of process, as it works in the background on the smart phone • It generates a new OTP every 60 seconds that can be used any time just after opening the software token application. • The drawback of this method comes from the need for a smart phone to work. If the user has a normal old-fashioned mobile phone, he simply cannot use the software token
  • 33. Test results - Mobile phone SMS Strength of delivery:
  • 34. Test results - Mobile phone SMS Strength of delivery:
  • 35. Test results - Mobile phone SMS Time of process:
  • 36. Test results - Mobile phone SMS: The excellence of the mobile phone SMS method comes from the fact that almost everyone is using mobile phone services, and this method can work on any mobile network and any mobile phone device from second generation to fourth generation without any need for an internet connection, special software or even a smart phone. The drawback arises when there is no mobile phone service in the area from which the user is trying to log in to the system.
  • 37. Test results - Mobile push. Strength of delivery: • Mobile push has optimum strength of delivery without any loss in the process. • The drawback of the mobile push method is that it does not work if the user does not have a wireless internet connection or mobile broadband • Also, like the software token, it is originally a mobile application that has to be installed and configured beforehand on the smart phone
  • 38. Test results - Mobile push Time of process:
  • 39. Test results - E-mail message: Strength of delivery of the e-mail system is very high, unless the received e-mail is considered spam by the e-mail system the user is using.
  • 40. Test results - E-mail message
  • 41. Note: Biometrics and hardware tokens have a very good strength of delivery and low process time, but they have other drawbacks in usability, cost and other discussed requirements when implementing two-factor authentication with the e-government web portal.
  • 42. Proposed authentication system • This thesis proposes a solution that uses strong multi-step two-factor authentication by utilizing mobile phone SMS technology. • Turning a phone into an authentication device quickly removes the need for, and the additional cost and delays of, sending out hardware tokens. • The mobile phone SMS is used to send a randomly generated, time-based one-time password as a second authentication factor • A generation algorithm on the authentication server generates the OTP, and a mobile SMS gateway service delivers it to the user.
  • 43. Proposed authentication system: Besides the one-time password, the system sends the following information in the SMS: • Session ID (each login attempt has its own session ID with an assigned OTP) • Login request time • Login request location (the system determines it by IP address) • Browser type • Operating system platform. These details are sent to make sure that the user is aware of the login he or she is verifying. This is vital to avoid any possibility of man-in-the-middle and real-time phishing/pharming attacks.
  • 44. Proposed authentication system • The suggested solution uses the Libyan government national ID, a unique number assigned to each Libyan citizen that never changes during his life, together with a password to initiate the login process. • To protect users from key-logging and similar attacks, the password can only be entered with the portal’s built-in on-screen keyboard
  • 45. Proposed authentication system: In the final process step, the system uses an image-based authentication technology that: • Displays 12 pictures from 12 different categories (national, ancients, desert, animals, flowers, cars, electronics, furniture, buildings, tools, people and food). • The user should select a photo that belongs to the category that was assigned to his account during account creation. This step adds an additional layer of protection to the authentication process against attacks that may happen after the mobile device has been stolen and the password compromised by the attacker.
  • 46. Proposed authentication system: The details of every successful and failed login attempt are sent to the account owner's default mobile phone via SMS and to the default e-mail address. These details are the same as in the first message, with the status of the login (succeeded or failed). This confirmatory feedback feature helps detect tampering and illegal login attempts. It allows the account owner to take the required action or actions and report such an incident quickly to the e-government authority.
  • 47. Proposed alternative authentication method to be used as a backup: Any good system should have a high level of usability, minimum administration effort and of course a good plan for emergencies • A procedure containing a few steps should be implemented to recover a forgotten password without any interaction with the system administrators • The e-mail service will be used to deliver the OTP in case the user loses his mobile phone through theft or damage, or simply cannot reach it. He should follow another procedure to receive the OTP via the e-mail service
  • 48. Proposed authentication system Step 1: Initial login step
  • 49. Proposed authentication system Step 2: Choosing mobile number to receive OTP
  • 50. Proposed authentication system Step 3: Receiving the SMS message containing the OTP and login session details
  • 51. Proposed authentication system Step 4: Entering the received one-time password
  • 52. Proposed authentication system Step 5: Image based authentication step
  • 53. Proposed authentication system Step 6: Successful login to the system
  • 54. Proposed authentication system Final confirmatory feedback SMS message (Traceability)
  • 55. Results summary: The proposed solution protects e-government web portal access from security threats using a strong multi-step two-factor authentication system that: • Provides strong multi-step two-factor authentication using the National ID and a password that can only be entered with the portal’s built-in on-screen keyboard • Uses a one-time password that the system generates and sends via SMS or e-mail (including login session ID, login request time, login request location, used browser and OS details) • Uses an image-based authentication step that relies on image category recognition. • Is mutually authenticated and communicates over SHA-2 256-bit Transport Layer Security (TLS) encrypted channels between client and server
  • 56. Results summary • Avoids the known drawbacks of two-factor authentication systems • Provides cost-effective, user-friendly and highly secure authentication. • Uses the mobile phone SMS as the user’s second authentication token. • Uses the e-mail system as a backup second authentication token. • Easy to use for any regular user, with no additional hardware or special training. • Easy-to-deploy solution for a large enterprise • Does not rely on username-and-password-only authentication, which is not secure anymore in such an enterprise system.
  • 57. Security limitations that are solved by the proposed solution: It overcomes the security limitations of traditional two-factor authentication systems and vulnerabilities of mobile devices like: • Untrustworthy interface • Theft/loss of the device • Man-in-the-middle attacks • Cryptographic attacks • Eavesdropping • Human vulnerability factors like a compromised password are also covered by the proposed solution.
  • 58. Mobile phone SMS two-factor authentication limitations the proposed solution overcomes: Implement the e-mail message as a backup two-factor authentication method when: • The GSM gateway service provider’s servers are down and could not send the OTP to the user even though he is a genuine user. • The user’s mobile network service provider terminates the connection due to a delay in bill payments • The user is in an area with poor network signal. • The user's mobile phone device is stolen
  • 59. Thesis conclusion: This thesis develops an authentication mechanism for the Libyan e-government web portal that combines the strength of the three popular authentication approaches: multilevel, multi-channel, and multi-factor. These three authentication approaches were merged to form an authentication mechanism that can highly protect e-government user accounts from illegal authentication. It also gives protection against the use of compromised account credentials.
  • 60. Thesis conclusion. Research objectives: • Objective 1: Review the most commonly used authentication classes, authentication mechanisms, and authentication attacks. • Objective 2: Review the usability and acceptability aspects of authentication mechanisms and the evaluation techniques used to decide on a highly secure and easy-to-use two-factor authentication solution for the Libyan e-government portal.
  • 61. Thesis conclusion. Research objectives: • Objective 3: With respect to e-government web portal needs, discuss the currently used authentication mechanisms and identify their weaknesses, showing how they fail to protect customer accounts against the different attacks identified in objective 1. • Objective 4: Propose an authentication solution that addresses the security and usability problems identified and listed in objective 2. Theoretically evaluate the security of this solution and identify all features needed for implementation.
  • 62. Thesis conclusion. Research contribution: The contribution is proposing a new multi-step, multi-channel two-factor authentication system that: • Increases security while maintaining the usability of Libyan e-government web portal authentication. • Utilizes a backup authentication mechanism • Other features and guidelines were included to complement and facilitate the actual implementation of the proposed authentication solution.
  • 63. Thesis conclusion. Future Work • More usable channels: Other possible usable communication channels can also be used to support two-factor authentication. This includes, but is not limited to, chat software. • Two-factor authentication for disabled people: Disabled users might find it difficult to utilize two-factor authentication for their e-government transactions.
  • 64. Final Word: The proposed authentication system protects Libyan e-government web portal user accounts from authentication attacks that other two-factor authentication mechanisms fail to address. It improves security while maintaining usability. The guidelines and recommendations provided in this thesis will help implement a strong, more secure and usable authentication system for the Libyan e-government web portal.
  • 65. ADDITIONAL READING AVAILABLE IN THE THESIS BOOK • Detailed technical aspects • Online survey • Tests • Solution Implementation • User account creation and first login steps and flowcharts • Normal login steps and flowcharts • Emergency user account login steps and flowcharts • References (35)
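
The SMS one-time-password step from slides 42 and 43, sketched as an added example; it is not code from the thesis. The class and function names, the 6-digit code length, the 60-second validity window and the three-attempt limit are assumptions, and a random code with an expiry stands in for the "time based" OTP the slides mention.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumptions (not stated in the slides): 6-digit codes, 60 s validity, 3 tries.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 60
MAX_ATTEMPTS = 3


@dataclass
class LoginSession:
    otp_digest: bytes      # keyed digest of the OTP; the code itself is never stored
    issued_at: float
    attempts: int = 0
    closed: bool = False   # set once the OTP is used, expired or locked out


class OtpService:
    """Hypothetical server-side OTP step that runs after national ID + password."""

    def __init__(self, clock=time.time):
        self._key = secrets.token_bytes(32)
        self._sessions = {}
        self._clock = clock

    def _digest(self, session_id, otp):
        # Binding the session ID into the digest ties each OTP to one login attempt.
        msg = f"{session_id}:{otp}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def start_login(self, location, browser, os_platform):
        """Create a login session and return (session_id, sms_text)."""
        session_id = secrets.token_hex(4).upper()
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        now = self._clock()
        self._sessions[session_id] = LoginSession(self._digest(session_id, otp), now)
        stamp = time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(now))
        # The SMS carries the context fields listed on slide 43 so the user can
        # check that the login being approved is the one he or she started.
        sms_text = "\n".join([
            f"OTP: {otp}",
            f"Session: {session_id}",
            f"Time: {stamp}",
            f"Location: {location}",
            f"Browser: {browser}",
            f"OS: {os_platform}",
        ])
        return session_id, sms_text

    def verify(self, session_id, otp):
        """Return 'ok', 'rejected', 'expired' or 'locked' for a submitted OTP."""
        session = self._sessions.get(session_id)
        if session is None or session.closed:
            return "rejected"          # unknown session, or OTP already consumed
        if self._clock() - session.issued_at > OTP_TTL_SECONDS:
            session.closed = True
            return "expired"
        session.attempts += 1
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(session.otp_digest, self._digest(session_id, otp)):
            session.closed = True      # single use: a replayed OTP is rejected
            return "ok"
        if session.attempts >= MAX_ATTEMPTS:
            session.closed = True
            return "locked"
        return "rejected"
```

The status returned by `verify` is what the confirmatory feedback message on slide 46 would report to the account owner.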