This document discusses using grid cards with one-time passwords for strong authentication in online applications in Mongolia. It proposes a system where users are prompted with random grid card cell coordinates and must enter the corresponding password to authenticate. Passwords are created from the grid card contents using a one-time password algorithm. This provides two-factor authentication by combining something the user possesses (the grid card) with dynamically generated passwords. The document analyzes security aspects and compares this approach to other authentication methods used in Mongolian banking, concluding that grid cards can help improve online security in a cost-effective manner.
This document discusses using one-time password (OTP) grid cards for strong authentication in online applications in Mongolia. It proposes a system where OTPs are generated from grid cards containing numbers and letters. When logging in, a user must provide their password and the contents of a randomly selected cell from their unique grid card. Adding salt passwords and generating challenges from least-used cells increases security by preventing prediction of responses. The system aims to improve online banking security in Mongolia by providing multi-factor authentication without specialized hardware tokens.
GENERATION OF SECURE ONE-TIME PASSWORD BASED ON IMAGE AUTHENTICATION - cscpconf
Phishing, a serious security threat to Internet users, is an e-mail fraud in which the perpetrator sends out an email that looks legitimate, in order to gather personal and financial information from the receiver. It is important to prevent such phishing attacks. One of the ways to prevent password theft is to avoid using passwords and to authenticate a user without a text password. In this paper, we are proposing an authentication service that is image based and which eliminates the need for text passwords. Using the instant messaging service available on the internet, the user will obtain a One Time Password (OTP) after image authentication. This OTP can then be used by the user to access their personal accounts. The image based authentication method relies on the user's ability to recognize pre-chosen categories from a grid of pictures. This paper integrates image based authentication and HMAC based one time password to achieve a high level of security in authenticating the user over the internet. These algorithms are very economical to implement provided they are time synchronized with the user.
Enhancing a Dynamic user Authentication scheme over Brute Force and Dictionar... - IOSR Journals
This document summarizes a research paper that proposes enhancing user authentication to protect against brute force and dictionary attacks. The paper conducts a review of existing graphical password techniques and proposes a new technique that sends text messages and emails for additional authentication. Key features include challenging hackers with many CAPTCHAs while allowing legitimate users to log in with one CAPTCHA. The technique aims to trace hackers by flooding their IP addresses and locking accounts on machines with many failed login attempts.
This document summarizes and compares different one-time password authentication algorithms. It discusses how one-time passwords avoid vulnerabilities of traditional static passwords by being only valid for a single login session. Different methods for generating and delivering one-time passwords are described, including via text messaging, mobile phone apps, or tokens. The document also discusses advantages and disadvantages of these different one-time password approaches.
Iaetsd fpga implementation of rf technology and biometric authentication - Iaetsd Iaetsd
This document proposes using FPGA, RF technology, and face recognition for three-factor authentication in ATM security. The system uses an RF transmitter and receiver for the first authentication, a webcam for face recognition as the second authentication using PCA algorithms in MATLAB, and an existing text-based password for the third authentication factor. If an unauthorized person is detected, an alarm is triggered and an MMS is sent to the account owner for verification before access is granted. The system aims to improve upon existing smart card and password-based authentication systems.
An Enhanced Security System for Web Authentication - IJMER
Web authentication has low security these days. Today, for authentication purposes, textual passwords are commonly used; however, users do not follow their requirements. Users tend to choose meaningful words from dictionaries, which makes textual passwords easy to break and vulnerable to dictionary or brute force attacks. Also, textual passwords can be identified by third-party software. Many available graphical passwords have a password space that is less than or equal to the textual password space. Smart cards or tokens can be stolen. Many biometric authentications have been proposed; however, users tend to resist using biometrics because of their intrusiveness and the effect on their privacy. Moreover, biometrics cannot be revoked. In this paper, we present and evaluate our contribution, i.e., the OTP and 3-D password. A one-time password (OTP) is a password that is valid for only one login session or transaction. OTPs avoid a number of shortcomings that are associated with traditional (static) passwords. The most important shortcoming that is addressed by OTPs is that, in contrast to static passwords, they are not vulnerable to replay attacks. This means that a potential intruder who manages to record an OTP that was already used to log into a service or to conduct a transaction will not be able to abuse it, since it will no longer be valid. The 3-D password is a multifactor authentication scheme. To be authenticated, we present a 3-D virtual environment where the user navigates and interacts with various objects. The sequence of actions and interactions toward the objects inside the 3-D environment constructs the user's 3-D password.
This document summarizes a research paper on M-Pass, a proposed user authentication protocol that aims to prevent password stealing and reuse attacks. M-Pass leverages cell phones and SMS to authenticate users on untrusted devices without requiring them to enter passwords. It involves a registration phase where users register with a website and encrypt a password with their phone number. For login, users provide their username and long-term phone password, and the website generates a one-time password using a secret credential. The protocol aims to eliminate the need to remember multiple passwords by using the phone for authentication across websites. Evaluation shows registration and login times average around 4 and 3.5 minutes respectively. The researchers conclude M-Pass can prevent password stealing and reuse
This document proposes a system for strengthening security for online banking transactions. It involves multi-level authentication including face recognition, graphical OTP authentication using a 4x4 grid of random numbers, and security questions. Users first register security images, a security pattern by selecting indexes on a 4x4 grid, answers to security questions, and their face is recorded. For login, the security images and username/password are verified. Transactions require face recognition if a webcam is available, otherwise graphical OTP authentication is used where the user selects numbers from the indexes of their security pattern on a randomly generated 4x4 grid. Additionally, two random security questions are asked before completing a transaction. The system aims to provide secure electronic transactions through this multi-factor
The document describes a proposed 3D password authentication scheme. The scheme would present users with a 3D virtual environment containing various objects that they could interact with. A user's 3D password would be the specific sequence of interactions with different objects in the environment, such as typing on a virtual keyboard, providing fingerprint authentication at a device, or selecting radio channels in a virtual car. The scheme aims to combine elements of textual passwords, graphical passwords, biometrics, and tokens into a single 3D environment. Designing the virtual environment and selecting distinct object types and locations would determine the size of the possible password space. The scheme is presented as an alternative to traditional authentication methods that aims to be more secure, usable and flexible.
Two-factor authentication provides a more secure method of authentication than simple passwords alone. It adds a second factor of authentication, such as a one-time password (OTP) generated on a user's device, in addition to a username and password. The white paper explores how OTPs delivered via software or text message can provide two-factor authentication without hardware tokens. It also discusses standards-based OTP generation algorithms and integrating two-factor authentication with remote access systems.
Effectiveness of various user authentication techniques - IAEME Publication
This document discusses and compares various user authentication techniques. It analyzes one-time password authentication using smart phones (oPass), 3D password authentication using a virtual environment, and smart card-based authentication. oPass requires the user to remember only a long-term password for their phone, while the website generates one-time passwords via SMS. 3D passwords combine multiple authentication methods by having users navigate and interact with virtual objects. Smart card authentication does not store passwords in verification tables and allows password changes for mutual authentication. The document examines the advantages and disadvantages of these approaches.
IRJET- Graphical user Authentication for an Alphanumeric OTP - IRJET Journal
This document discusses graphical passwords as an alternative to traditional alphanumeric passwords. It summarizes different types of graphical password authentication techniques, including recognition-based systems where users select images during registration and later identify those images to log in. It also discusses recall-based systems where users recreate a password by clicking or drawing on images. The document proposes using a one-time password (OTP) with graphical passwords to enhance security against shoulder surfing attacks, where the OTP provides information about which items to click in an image for authentication. Overall, the document analyzes the security and usability advantages of graphical passwords compared to traditional text-based passwords.
ipas implicit password authentication system ieee 2011 - prasanna9
This document summarizes a proposed authentication system called the Implicit Password Authentication System (IPAS). IPAS aims to address weaknesses in existing authentication schemes like passwords, tokens, biometrics and graphical passwords. It proposes using a set of questions and answers during registration that are then implicitly embedded into images by the server during authentication. The server randomly selects questions and images, requiring the user to demonstrate knowledge of their prior answers without directly reproducing them. The system is intended for mobile banking but could generalize to other client-server environments.
IRJET-An Economical and Secured Approach for Continuous and Transparent User ... - IRJET Journal
This document discusses an approach for continuous and transparent user identification for secure web services using biometrics. It proposes a framework called CASHMA (Context-Aware Security by Hierarchical Multilevel Architecture) that uses multi-modal biometrics for continuous authentication. CASHMA authenticates users using biometric traits instead of usernames and passwords, and periodically re-authenticates users during a session to ensure security. The document describes how CASHMA works, including how it issues authentication certificates to validate user identity on an ongoing basis and adaptively sets session timeouts. It concludes that CASHMA enhances security and usability for user sessions through continuous multi-modal biometric authentication and verification.
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel... - IJERD Editor
This document summarizes a research paper about developing an authentication system for banking using implicit passwords. The proposed system uses randomly generated security questions to authenticate users, with answers provided as clickable points on an image instead of text. If the user correctly identifies the points associated with the security question, they are authenticated. The system aims to improve security over traditional username/password schemes while maintaining usability on mobile devices. Key modules described include user profile creation, generation of random authentication questions, comparing login profiles to verify identity, and allowing transactions and balance checks via SMS.
This document discusses two-factor authentication and its importance for securing PHIN systems. It analyzes different two-factor authentication methods like digital certificates, one-time passwords, and biometrics. Digital certificates support open standards and interoperability for automated B2B authentication and messaging. One-time passwords provide mobility but require digital certificates for server authentication. The document proposes two approaches: Approach A uses passwords and client certificates for users and Approach B uses key-fobs for users but requires managing two infrastructures. It concludes by emphasizing strong authentication, authorization, and identity management for perimeter security.
This document provides guidance on configuring two-factor authentication for the IBM Security SiteProtector system using various plug-ins, including RADIUS, certificates/smart cards, LDAP, and default passwords. It includes code examples for setting up authentication using a RADIUS token protocol or smart card with user principal name mapping. Requirements and considerations are discussed for smart card usage, certificate validation, and property encryption.
1. The document analyzes the risks of using SMS-based two-factor authentication for user authentication and transaction authentication.
2. It outlines threats including eavesdropping, man-in-the-middle attacks, SMS delays and losses, lack of coverage, and increasing costs.
3. The document recommends using message authentication codes instead of random numbers or hashes for signatures to protect against attacks. It also suggests verifying transaction data is unchanged when signatures are submitted.
IRJET - Graphical Password Authentication for Banking System - IRJET Journal
This document describes a proposed system for enhancing authentication security for banking transactions through the use of graphical passwords. The system uses a two-step verification process, with pass-point authentication to validate the user during login by requiring them to click on a sequence of points on an image. For transactions, a color palette technique is used where the user must enter a pin number by selecting the corresponding color pairs. The system aims to improve security over traditional text passwords and prevent fraud by automatically filing a complaint if unauthorized access is detected and notifying the user via mobile if a transaction is halted.
Graphical Based Password for Android Phones using Keystroke Dynamics - A Survey - IJSRD
Technology has risen to occupy an important position in human life; the best example is smartphones. They offer access to the network as well as online banking transactions, where the simplification of human labour affects security and user authentication. Passwords are the first line of defense, so it is crucial to pick a strong password. Online banking applications currently use alphanumerical usernames and passwords for authentication, which are exposed to eavesdropping, attacks, and shoulder surfing. Users often choose either easy to remember passwords, which can be easily guessed, or difficult ones, which tend to be forgotten. The paper revolves around the views and limitations of the current system and offers a dynamic biometric, as it can be easily integrated into existing computer security systems with minimal alteration and user intervention. The main objective is to secure using cued click points (CCP), a click based graphical password scheme over a sequence of images, and measuring and assessing a human's typing rhythm; it is based upon the human tendency to memorize graphical passwords more comfortably.
Two Factor Authentication Using Smartphone Generated One Time Password - IOSR Journals
This document proposes a two-factor authentication system that uses smartphones to generate one-time passwords (OTPs). It aims to improve security over traditional password-based systems while reducing costs compared to hardware token-based OTP systems. The proposed system would have client software on PCs and Android apps to generate OTPs using cryptographic algorithms and unique device identifiers. OTPs would be validated by the server to authenticate transactions. Future work could explore using images instead of OTPs for two-factor authentication via mobile apps.
Two factor authentication-in_your_network_e_guide - Nick Owen
This document provides instructions for adding two-factor authentication to a corporate network using WiKID as the authentication server. It discusses configuring Radius clients like VPNs from Cisco and Juniper to communicate with an Active Directory server through a Radius server. The Active Directory server would authorize users while the WiKID server authenticates users with two-factor authentication. It provides step-by-step examples of configuring Network Policy Server and WiKID to enable two-factor authentication for remote access to a corporate network.
Database Security Two Way Authentication Using Graphical Password - IJERA Editor
Data represent a key asset for today's organizations, and the problem of how to protect this data from attackers, theft and misuse is at the forefront of any organization's mind. Even though today several data security techniques are available to protect databases and computing infrastructure, many, such as network security and firewall tools, are unable to prevent attacks from insiders. An insider is a person working in the organization who can try to access the sensitive data. This paper proposes a two-way authentication method which fuses a knowledge-based secret and personal trait information.
Two aspect authentication system using secure - Uvaraj Shan
This document proposes a two-factor authentication system using mobile devices. It uses a combination of one-time passwords (OTP) as the first factor and encrypted user credentials stored on the mobile device as the second factor. An OTP algorithm is developed that uses aspects like the IMEI, IMSI, username, PIN, hour and minute to generate unique and hard to guess passwords. The system can operate in two modes - a connectionless mode where OTP is generated locally on the device, or an SMS-based mode where the device requests the OTP from the server via SMS. A security and usability analysis is presented, showing the system is secure against various attacks and users are willing to accept lower usability for higher security.
Modern Method for Detecting Web Phishing Using Visual Cryptography (VC) and ... - IJERA Editor
Phishing is an attempt by an individual or a group to thieve personal confidential information such as passwords, credit card information etc. from unsuspecting victims for identity theft, financial gain and other fraudulent activities. Here an image based (QR codes) authentication using Visual Cryptography (VC) is used. The use of Visual Cryptography is explored to convert the QR code into two shares, and both these shares can then be transmitted separately. One Time Passwords (OTPs) are passwords which are valid only for a session to validate the user within a specified amount of time. In this paper we are presenting a new authentication scheme for secure OTP distribution in phishing website detection through VC and QR codes.
An efficient implementation for key management technique using smart card and... - ijctcm
The document describes a proposed key management technique using smart cards and Elliptic Curve Integrated Encryption Scheme (ECIES) cryptography. The technique involves 4 phases: registration, login, verification, and password change. ECIES encryption and decryption are used to securely transmit keys during the process. The proposed approach aims to provide a more secure smart card-based key management solution compared to existing techniques.
Efficient Securing System Using Graphical Captcha - Sankar Anand
The document proposes a new security system called CaRP (Captcha as graphical passwords) that integrates captcha technology into a graphical password scheme. CaRP allows users to set passwords by clicking on images in a captcha challenge. This addresses weaknesses in existing systems like vulnerability to brute force and dictionary attacks. The proposed system offers stronger security against online attacks while being easy for users. It is recommended for domains like banking that require enhanced security.
A secure communication in smart phones using two factor authentication - eSAT Publishing House
IJRET: International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academicians, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
A secure communication in smart phones using two factor authentication - eSAT Journals
Abstract: Most secure systems face security attacks mainly at the client side. Two Factor Authentication (TFA) provides improved protection to the system at the client side by prompting users to provide something they know and something they have. This system uses a one time password (OTP) generation method which doesn't require client-server communication, which frees the system from the cost of sending a dynamic password each time the client wants to login. The OTP generation uses factors that are unique to the user and is installed on an Android smart phone owned by the user. An OTP is valid for a minute's time, after which it is useless. The system thus provides better client level security: a simple low cost method which protects the system from hacking techniques like key logging, phishing, shoulder surfing, etc. Keywords: Authentication, OTP, key logging, phishing
This document provides an overview of a proposed mobile-based software token system for two-factor authentication. The system aims to replace existing hardware and computer-based software tokens by using mobile phones. It consists of software installed on client mobile phones, a server, and a GSM modem. The system can generate one-time passwords locally on the phone or via SMS from the server. Algorithms and factors like IMEI, IMSI, username, and PIN are used to securely generate unique passwords. Functional requirements include modules for password generation, client design, and server design. Non-functional requirements address availability, efficiency, flexibility, portability, integrity, and scalability.
The document describes a proposed 3D password authentication scheme. The scheme would present users with a 3D virtual environment containing various objects that they could interact with. A user's 3D password would be the specific sequence of interactions with different objects in the environment, such as typing on a virtual keyboard, providing fingerprint authentication at a device, or selecting radio channels in a virtual car. The scheme aims to combine elements of textual passwords, graphical passwords, biometrics, and tokens into a single 3D environment. Designing the virtual environment and selecting distinct object types and locations would determine the size of the possible password space. The scheme is presented as an alternative to traditional authentication methods that aims to be more secure, usable and flexible.
Two-factor authentication provides a more secure method of authentication than simple passwords alone. It adds a second factor of authentication, such as a one-time password (OTP) generated on a user's device, in addition to a username and password. The white paper explores how OTPs delivered via software or text message can provide two-factor authentication without hardware tokens. It also discusses standards-based OTP generation algorithms and integrating two-factor authentication with remote access systems.
Effectiveness of various user authentication techniques (IAEME Publication)
This document discusses and compares various user authentication techniques. It analyzes one-time password authentication using smart phones (oPass), 3D password authentication using a virtual environment, and smart card-based authentication. oPass requires the user to remember only a long-term password for their phone, while the website generates one-time passwords via SMS. 3D passwords combine multiple authentication methods by having users navigate and interact with virtual objects. Smart card authentication does not store passwords in verification tables and allows password changes for mutual authentication. The document examines the advantages and disadvantages of these approaches.
IRJET- Graphical user Authentication for an Alphanumeric OTP (IRJET Journal)
This document discusses graphical passwords as an alternative to traditional alphanumeric passwords. It summarizes different types of graphical password authentication techniques, including recognition-based systems where users select images during registration and later identify those images to log in. It also discusses recall-based systems where users recreate a password by clicking or drawing on images. The document proposes using a one-time password (OTP) with graphical passwords to enhance security against shoulder surfing attacks, where the OTP provides information about which items to click in an image for authentication. Overall, the document analyzes the security and usability advantages of graphical passwords compared to traditional text-based passwords.
ipas implicit password authentication system ieee 2011 (prasanna9)
This document summarizes a proposed authentication system called the Implicit Password Authentication System (IPAS). IPAS aims to address weaknesses in existing authentication schemes like passwords, tokens, biometrics and graphical passwords. It proposes using a set of questions and answers during registration that are then implicitly embedded into images by the server during authentication. The server randomly selects questions and images, requiring the user to demonstrate knowledge of their prior answers without directly reproducing them. The system is intended for mobile banking but could generalize to other client-server environments.
IRJET-An Economical and Secured Approach for Continuous and Transparent User ... (IRJET Journal)
This document discusses an approach for continuous and transparent user identification for secure web services using biometrics. It proposes a framework called CASHMA (Context-Aware Security by Hierarchical Multilevel Architecture) that uses multi-modal biometrics for continuous authentication. CASHMA authenticates users using biometric traits instead of usernames and passwords, and periodically re-authenticates users during a session to ensure security. The document describes how CASHMA works, including how it issues authentication certificates to validate user identity on an ongoing basis and adaptively sets session timeouts. It concludes that CASHMA enhances security and usability for user sessions through continuous multi-modal biometric authentication and verification.
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel... (IJERD Editor)
This document summarizes a research paper about developing an authentication system for banking using implicit passwords. The proposed system uses randomly generated security questions to authenticate users, with answers provided as clickable points on an image instead of text. If the user correctly identifies the points associated with the security question, they are authenticated. The system aims to improve security over traditional username/password schemes while maintaining usability on mobile devices. Key modules described include user profile creation, generation of random authentication questions, comparing login profiles to verify identity, and allowing transactions and balance checks via SMS.
This document discusses two-factor authentication and its importance for securing PHIN systems. It analyzes different two-factor authentication methods like digital certificates, one-time passwords, and biometrics. Digital certificates support open standards and interoperability for automated B2B authentication and messaging. One-time passwords provide mobility but require digital certificates for server authentication. The document proposes two approaches: Approach A uses passwords and client certificates for users and Approach B uses key-fobs for users but requires managing two infrastructures. It concludes by emphasizing strong authentication, authorization, and identity management for perimeter security.
This document provides guidance on configuring two-factor authentication for the IBM Security SiteProtector system using various plug-ins, including RADIUS, certificates/smart cards, LDAP, and default passwords. It includes code examples for setting up authentication using a RADIUS token protocol or smart card with user principal name mapping. Requirements and considerations are discussed for smart card usage, certificate validation, and property encryption.
1. The document analyzes the risks of using SMS-based two-factor authentication for user authentication and transaction authentication.
2. It outlines threats including eavesdropping, man-in-the-middle attacks, SMS delays and losses, lack of coverage, and increasing costs.
3. The document recommends using message authentication codes instead of random numbers or hashes for signatures to protect against attacks. It also suggests verifying transaction data is unchanged when signatures are submitted.
IRJET - Graphical Password Authentication for Banking System (IRJET Journal)
This document describes a proposed system for enhancing authentication security for banking transactions through the use of graphical passwords. The system uses a two-step verification process, with pass-point authentication to validate the user during login by requiring them to click on a sequence of points on an image. For transactions, a color palette technique is used where the user must enter a pin number by selecting the corresponding color pairs. The system aims to improve security over traditional text passwords and prevent fraud by automatically filing a complaint if unauthorized access is detected and notifying the user via mobile if a transaction is halted.
Graphical Based Password for Android Phones using Keystroke Dynamics - A Survey (IJSRD)
Technology has risen to an important position in human life; the best example is smartphones. They offer access to networks as well as online banking transactions, where simplification of human labour affects security and user authentication; since passwords are the first line of defense, it is crucial to pick a strong password. Online banking applications currently use alphanumeric usernames and passwords for authentication, which are exposed to eavesdropping, attacks, and shoulder surfing. Users often choose either easy-to-remember passwords, which can be easily guessed, or difficult ones, which tend to be forgotten. The paper reviews the limitations of the current system and offers dynamic biometrics, which can be easily integrated into existing computer security systems with minimal alteration and user intervention. The main objective is to secure authentication using cued click points (CCP), a click-based graphical password scheme over a sequence of images, combined with measuring and assessing the human typing rhythm; it is based on the human tendency to memorize graphical passwords more comfortably.
Two Factor Authentication Using Smartphone Generated One Time Password (IOSR Journals)
This document proposes a two-factor authentication system that uses smartphones to generate one-time passwords (OTPs). It aims to improve security over traditional password-based systems while reducing costs compared to hardware token-based OTP systems. The proposed system would have client software on PCs and Android apps to generate OTPs using cryptographic algorithms and unique device identifiers. OTPs would be validated by the server to authenticate transactions. Future work could explore using images instead of OTPs for two-factor authentication via mobile apps.
Two factor authentication-in_your_network_e_guide (Nick Owen)
This document provides instructions for adding two-factor authentication to a corporate network using WiKID as the authentication server. It discusses configuring Radius clients like VPNs from Cisco and Juniper to communicate with an Active Directory server through a Radius server. The Active Directory server would authorize users while the WiKID server authenticates users with two-factor authentication. It provides step-by-step examples of configuring Network Policy Server and WiKID to enable two-factor authentication for remote access to a corporate network.
Database Security Two Way Authentication Using Graphical Password (IJERA Editor)
As data represent a key asset for today's organizations, the problem of how to protect this data from attackers, theft and misuse is at the forefront of any organization's mind. Even though several data security techniques are available today to protect databases and computing infrastructure, many, such as network security and firewall tools, are unable to prevent attacks from insiders. An insider is a person working in the organization who may try to access the sensitive data. This paper proposes a two-way authentication method which fuses a knowledge-based secret and personal trait information.
Two aspect authentication system using secure (Uvaraj Shan)
This document proposes a two-factor authentication system using mobile devices. It uses a combination of one-time passwords (OTP) as the first factor and encrypted user credentials stored on the mobile device as the second factor. An OTP algorithm is developed that uses aspects like the IMEI, IMSI, username, PIN, hour and minute to generate unique and hard to guess passwords. The system can operate in two modes - a connectionless mode where OTP is generated locally on the device, or an SMS-based mode where the device requests the OTP from the server via SMS. A security and usability analysis is presented, showing the system is secure against various attacks and users are willing to accept lower usability for higher security.
Modern Method for Detecting Web Phishing Using Visual Cryptography (VC) and ... (IJERA Editor)
Phishing is an attempt by an individual or a group to thieve personal confidential information such as passwords, credit card information etc. from unsuspecting victims for identity theft, financial gain and other fraudulent activities. Here an image based (QR codes) authentication using Visual Cryptography (VC) is used. The use of Visual Cryptography is explored to convert the QR code into two shares, and both these shares can then be transmitted separately. One Time Passwords (OTP) are passwords which are valid only for a session to validate the user within a specified amount of time. In this paper we are presenting a new authentication scheme for secure OTP distribution in phishing website detection through VC and QR codes.
An efficient implementation for key management technique using smart card and... (ijctcm)
The document describes a proposed key management technique using smart cards and Elliptic Curve Integrated Encryption Scheme (ECIES) cryptography. The technique involves 4 phases: registration, login, verification, and password change. ECIES encryption and decryption are used to securely transmit keys during the process. The proposed approach aims to provide a more secure smart card-based key management solution compared to existing techniques.
Efficient Securing System Using Graphical Captcha (Sankar Anand)
The document proposes a new security system called CaRP (Captcha as graphical passwords) that integrates captcha technology into a graphical password scheme. CaRP allows users to set passwords by clicking on images in a captcha challenge. This addresses weaknesses in existing systems like vulnerability to brute force and dictionary attacks. The proposed system offers stronger security against online attacks while being easy for users. It is recommended for domains like banking that require enhanced security.
A secure communication in smart phones using two factor authentication (eSAT Journals)
Abstract: Most secure systems face security attacks mainly at the client side. Two Factor Authentication (TFA) provides improved protection to the system at the client side by prompting users to provide something they know and something they have. This system uses a one time password (OTP) generation method which doesn't require client-server communication, which frees the system from the cost of sending a dynamic password each time the client wants to log in. The OTP generation uses factors that are unique to the user and is installed on an Android smart phone owned by the user. An OTP is valid for a minute's time, after which it is useless. The system thus provides better client level security: a simple low cost method which protects the system from hacking techniques like key logging, phishing, shoulder surfing, etc. Keywords: Authentication, OTP, key logging, phishing
E AUTHENTICATION SYSTEM USING QR CODE AND OTP (IRJET Journal)
This document proposes an e-authentication system using QR codes and OTP (one-time passwords) for secure login. It discusses how QR codes containing login information and OTPs sent via SMS could provide multiple layers of security. The system aims to prevent hacking of login credentials, shoulder surfing attacks, and accidental logins. The document provides background on QR codes and OTPs, describes the proposed system and authentication process, reviews related work, and concludes the system allows for a simple yet secure login experience for users.
Empirical Study of a Key Authentication Scheme in Public Key Cryptography (IJERA Editor)
Public key cryptosystems play a major role in many online business applications. In a public key cryptosystem, the public key need not be protected for confidentiality, but the authenticity of the public key is needed. Earlier, many key authentication schemes were developed based on discrete logarithms. Each scheme has its own drawbacks. We developed a secure key authentication scheme based on discrete logarithms to avoid the drawbacks of earlier schemes. In this paper, we illustrate the empirical study that gives experimental proof of our scheme.
This document summarizes a research paper that proposes a method for implementing two-factor authentication using mobile devices. The method uses time synchronous authentication based on hashing the current epoch time, a personal identification number, and a secret initialization value. This generates a one-time password on the mobile device that is valid for 60 seconds. The proposed method was implemented on J2ME-based mobile phones and could be extended to Android phones. It aims to provide stronger authentication than passwords alone in a manner that is portable and compatible with mobile devices.
Two aspect authentication system using secure (Uvaraj Shan)
This document proposes a two-factor authentication system using mobile devices. It uses a combination of one-time passwords (OTP) as the first factor and encrypted user credentials stored on a mobile device as the second factor. An OTP algorithm is developed that uses aspects like the IMEI, IMSI, username, PIN, hour and minute to generate unique passwords. The system can operate in a standalone mode where OTPs are generated locally on devices, or an SMS-based mode where OTPs are requested from the server. Security and usability evaluations show the system protects against attacks while being usable.
Survey Paper on Frodo: Fraud Resilient Device for Off-Line Micro-Payments (IRJET Journal)
This document summarizes and compares previous research on secure offline micro-payment systems. It describes FRoDO, a new proposed system that features an identity element and coin element to enable secure offline payments. The identity element is embedded in the customer's device and is used to link a coin element to that specific device. This provides two-factor authentication. The coin element uses a physical unclonable function and regenerative keys to securely read and redeem digital coins. The document reviews related work on context-aware and software-based authentication solutions, offline micropayment schemes without trusted hardware, and approaches using hash-chaining in mobile networks. It concludes that FRoDO is the first solution able to provide fully secure offline
IRJET- Securing Internet Voting Protocol using Implicit Security Model and On... (IRJET Journal)
This document summarizes a research paper about developing an internet voting system with enhanced security features. It discusses how the current system is limited to desktop and laptop users. The authors propose restructuring the system to expand usage to mobile devices so more voters can remotely cast ballots. This would increase voter turnout among groups like disabled, elderly, military, and overseas citizens. The document then reviews security criteria for internet voting like eligibility, anonymity, and discusses challenges like authentication. It proposes using an implicit security model combining a login system with one-time passwords to securely authenticate mobile users for internet voting.
The document proposes a virtual password system to improve security for online banking transactions. In the proposed system, a mobile application is used to generate one-time virtual passwords based on a permanent PIN number and random number, removing the vulnerabilities of password delivery via SMS. This virtual password system aims to enhance security by making password guessing and hacking techniques like phishing and keylogging more difficult to exploit.
REMOVAL OF CERTIFICATES FROM SET PROTOCOL USING CERTIFICATELESS PUBLIC KEY CR... (IJNSA Journal)
Secure Electronic Transaction (SET) is a standard e-commerce protocol for securing credit card transactions over insecure networks. In a transaction using SET, all the members need public key certificates in order to authenticate their public keys. Certificates are created by certificate authorities (CAs). The process of getting certificates from a certificate authority (CA) for any SET participant involves a large number of procedures, like sending a request to issue a certificate, getting approval or rejection of the request and finally obtaining the certificate, which is essentially time consuming because these are associated with certificate management, including renewal, revocation, storage and distribution, and with the computational cost of certificate verification; also the chain of verification can be quite long, depending on the certificate hierarchy. So, the issues associated with certificate management are quite complex and costly. The present paper attempts the removal of the certificates using 'certificateless public key cryptography (CL-PKC)'. The basic idea of CL-PKC is to generate a public/private key pair for a user by using a master key of a Key Generation Center (KGC) with a random secret value selected by the user. Hence, CL-PKC eliminates the use of certificates in traditional PKC and solves the key escrow problem in ID-PKC. The comparison with the existing SET implementation is also addressed in the paper and shows the effectiveness of the proposal.
Three Step Multifactor Authentication Systems for Modern Security (ijtsrd)
Three factor authentication includes all the major features of password authentication, such as one factor authentication. Using passwords and two factor authentication is not enough to provide the best protection in the digital age, given advances in the field of information technology. Even when one or two feature authentication was used to protect the remote control system, hacking tools, which were simple computer programs to collect private keys, and private generators made it difficult to provide protection. Security threats based on malware, such as installed key trackers, continue to be available and increase security risks. This requires the use of safe and easy to use materials. As a result, Three Level Security is an easy to use software.
Soumyashree RK | Goutham S, "Three Step Multifactor Authentication Systems for Modern Security", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-6, Issue-3, April 2022, URL: https://www.ijtsrd.com/papers/ijtsrd49785.pdf Paper URL: https://www.ijtsrd.com/computer-science/computer-security/49785/three-step-multifactor-authentication-systems-for-modern-security/soumyashree-rk
IRJET- Data Security with Multifactor Authentication (IRJET Journal)
This document discusses a multi-factor authentication system for improving data security. It proposes using passwords, one-time passwords via QR codes, and encryption/decryption of stored data. The system uses three stages of verification: login with username and password, verification with a randomly generated OTP QR code, and encrypting uploaded data and decrypting downloaded data with keys. By adding multiple layers of authentication and encrypting data, the system aims to minimize unauthorized access to secure systems and stored information.
AN ENHANCED SECURITY FOR GOVERNMENT BASE ON MULTIFACTOR BIOMETRIC AUTHENTICATION (IJCNCJournal)
This paper demonstrates the creation of a system of multifactor authentication based on biometric verification. Our system uses the iris for the first factor and the fingerprint for the second factor. Once an attacker attempts to attack the system, there must be two factors. If one of them is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target. Furthermore, this system will be implemented to enhance security for access control login to a government system.
IRJET- Enhancement in Netbanking Security (IRJET Journal)
This document discusses enhancing security for online banking. It describes some existing security issues with online banking such as passwords being vulnerable to attacks like phishing. The proposed system aims to provide two-factor authentication for online banking login by adding a secret question step before transactions. This would help filter out unauthorized users at the login phase before they can access transactions. The system would use time-based one-time passwords and secret questions that only the real user can answer to authenticate users in a secure manner. The integration of these components is expected to significantly improve online banking security.
Secure Code Generation for Multi-level Mutual Authentication (TELKOMNIKA JOURNAL)
Any secured system requires one or more logging policies to make that system safe. Static passwords alone can no longer be enough for securing systems; even with strong passwords, illegal intrusions occur, or they suffer the risk of being forgotten. Authentication using many levels (factors) might complicate the steps when intruders try to reach system resources. Any person to be authorized for logging in to a secured system must provide some predefined data or present some entities that identify his/her authority. Predefined information shared between the client and the system helps to reach a more secure level of logging in. In this paper, the user that aims to log in to a secured system must provide a recognized RFID card with a mobile number which is available in the secured system's database; then the secured system, with a simple algorithm, generates a One-time Password that is sent via a GSM Arduino-compatible shield to the user, announcing him/her as an authorized person.
IRJET- Password Management Kit for Secure Authentication (IRJET Journal)
This document proposes a passwordless authentication system using unique identification tokens. It discusses the limitations of traditional password-based authentication systems, including susceptibility to phishing and users reusing passwords across multiple accounts. The proposed system would generate a unique token during authentication on the server-side rather than requiring the user to store and enter multiple passwords. This token would be included in the authorization header for authentication to protected routes on the server. The system aims to provide a more secure and usable authentication method compared to existing password-based systems.
PortalGuard is a software solution that provides five layers of authentication functionality including two-factor authentication. It can enforce two-factor authentication for accessing cloud applications directly, via VPN using RADIUS, or during self-service password resets. PortalGuard delivers one-time passwords (OTPs) for verification via SMS, email, voice call, printer, or transparent tokens. It has configurable OTP settings and supports standard RADIUS authentication for VPN access. Implementation requires server-side software installation on IIS servers and optional client-side software for additional features.
Two-factor Authentication: A Tokenless Approach (PortalGuard)
PortalGuard is a software solution designed as a strong authentication platform, consisting of five layers including two-factor authentication, single sign-on, self-service password management, contextual authentication, and password synchronization, used for protecting browser-based applications which are hosted within an Intranet and/or outside the firewall, now commonly known as the Cloud.
Online applications using strong authentication with OTP grid cards
Bayalagmaa Davaanaym
Department of Professional
Soyol Erdem University
Ulaanbaatar, 48/88, Mongolia
E-mail: bayalag2007@yahoo.com
Abstract—Several techniques based on biometrics, passwords, certificates, and smart cards can be used for user authentication in an accessible network system. One of the most popular of these, the OTP authentication protocol, can be used by a server to authenticate a user. Focusing on methods that are used to implement strong user authentication for online consumer identities, this paper aims to distill a comprehensive view of strong user authentication by examining its concepts, implementation approaches, and the challenges and additional concerns at the architectural level. It discusses effective solution approaches, overall architecture designs, and emerging developments. An authentication system based on grid cards allows the operator to change the policy and to define the entropy of a card and therefore its strength. Grid cards may also be set to expire with greater frequency, requiring the issuance of new cards, to increase security.
Keywords—One time password, grid card authentication
I. INTRODUCTION
Passwords as a means of authentication have long reached their expiry date. Web-based user-authentication systems must be strengthened without compromising usability and ubiquity, at a time when the Internet is accessed mostly through a browser that has limited access to the client environment and hardware devices. The most common solution approaches used today involve, in more generalized terms, various forms of enhanced shared-secret and multifactor authentication.
Enhanced shared-secret authentication refers to extensions of conventional knowledge-based (single-factor) authentication: for example, additional passwords, site keys, preregistered graphical icons to support mutual authentication, challenge-response, randomized code selections that are based on input patterns, CAPTCHA, and so on.
Multifactor authentication refers to a compound implementation of two or more classes of human-authentication factors:
Something known to only the user: knowledge-based (for example, password, pass phrase, shared secrets, account details and transaction history, PIN, CAPTCHA, and so on).
Something held by only the user: possession-based (for example, security token, smart card, shared soft tokens, mobile device, and so on).
Something inherent to only the user: biological or behavioral biometric traits (for example, facial recognition, fingerprint, voice recognition, keystroke dynamics, signature, and so on).
For example, many enterprise extranet/VPN solutions today
require both simple credentials (something known, such as ID
and password) and hardware tokens (something held, such as
secure ID with time-based one-time password generators, smart
cards that use embedded PKI solutions, and so on) in order to
gain access. The combination of the two "known" and "held"
factors makes up the multifactor authentication method, and
significantly improves the authentication strength, as it curtails
the threat of stolen digital identities.
In practice, however, there is a wealth of implementations,
methods, and permutations of them—all with varying trade-
offs in terms of cost, complexity, usability, and security.
It is standard practice to achieve strong authentication by
requiring the communicating party to provide two different
pieces of authentication of different types: in this case these are
the user password (something known) and the one-time
password (something possessed).
TABLE I. Capabilities by type of device (columns: OTP, PKI (HW), Biometry)
Strong authentication: *
Encryption: *
Digital signature: *
Non-repudiation: *
Strong link with the user: *
* Biometry type: fingerprinting
In Mongolia, online banking and online services are increasing. Online banking (or Internet banking) allows customers to conduct financial transactions on a secure website. However, with increased convenience, the threat of online banking fraud has also become a greater concern. Customer confidence and loyalty to a bank with online banking services depend greatly on the protection against banking fraud and identity theft. But in most banks single password authentication is still in use, and by itself it is not considered secure enough for online banking in Mongolia. The goal of this paper is to improve the security of online applications in Mongolia with a grid card authentication system. The grid card is functionally equivalent to the electronic tokens commonly used for applications such as online banking.
Companies and banks have been introducing a variety of methods to improve the authentication of customers. For example, some banks are distributing special cards to their customers that resemble grid cards. During authentication, users are prompted with column and row numbers, and they have to provide the secret number contained in the corresponding cell. This provides a second form of authentication, something you have, along with the traditional username and password.
Since an impostor does not have the security card, they are not able to look up the correct information in each cell when they attempt to fraudulently access the user account.
Chapter 2 of this study explains the related work on grid card authentication, and chapter 3 presents a password key creation method through extraction of grid card cells combined with OTP. Grid card authentication is a strong authentication function; it can create temporary one-time password keys. Chapter 4 carries out a simulation adopting the presented one-time password key algorithm using the grid card and, lastly, draws a conclusion.
II. RELATED WORKS
A. Grid card authentication
The multi-factor authentication system requires a password, plus the grid that is often printed on the back of a special card, and a salt. When a user logs in using their ID and password, they are prompted for a random cell in the grid. The user then enters the correct combination of numbers and letters in that cell and is granted access.
Each grid card is unique and carries a serial number, so
every user can be uniquely identified and authenticated. Each
time a user is asked to authenticate they are presented with a
different challenge requiring them to validate via a different set
of grid coordinates. The coordinate request changes for each
authentication challenge. In this scenario, the challenge
presents the user with coordinates such as B2, F5 and J4. The
user refers to their unique grid card to provide the information
from the requested cells: 18, H1, X8.
Challenge Generation Algorithms
After enabling grid authentication, the authentication system allows you to choose between two challenge-generation algorithms. The Random Challenge algorithm (default) picks cells randomly when creating a challenge; the process for creating a challenge does not depend on previous challenges. The Random Challenge algorithm obtains its randomness from a DRBG. Deterministic Random Bit Generators (also known as Pseudo Random Number Generators, PRNGs) take input (a seed) from either the noise source(s) or the conditioning step and produce outputs of random values.
Least-Used Cells Challenge
This algorithm uses one or more least-used cells (set in
policy) in every challenge. By generating challenges using the
least-used cells from a user’s grid, it becomes more difficult for
an attacker who has previously viewed some successful
authentications to correctly respond to the challenge.
B. One Time Password
One Time Password (OTP) is a password system where passwords can only be used once, and the user has to be authenticated with a new password key each time. It is a password key creation method that makes it extremely difficult to predict the next password key based on the current password. A new password key is created in the user's own device after a set period of time, and the user has to enter a new password every time he or she uses the system, so it prevents exposure of the user's password due to hacking or the user's mistake. OTP has much stronger security because the user has to enter a newly created password key even if his or her password is exposed. Most OTP password key creation algorithms are based on one-way functions. For example, S/Key systems (RFC 1760) in almost all UNIX operating systems use such functions. OTP is standardized by the IETF, and standardized again by verification-related companies; RSA and OATH are carrying out the most competitive standardizations.
III. CREATION OF PASSWORD KEYS USING GRID CARD
Normally when a user requests authentication, even after first contact, certain important services confirm passwords again. However, as explained above, the existing password system has many weaknesses, and one solution for this is the one-time password mechanism.
The elements of a one-time password mechanism are a token included in a security/password algorithm or a one-time password key creating device, an authentication server, and an authentication client. Since the one-time password mechanism is a program, it is programmed to be random, but the randomness breaks after a certain period of time and passwords become predictable, so one-time password mechanisms have the disadvantage of having to exchange OTP modules after a certain period of time.
In order to overcome such weaknesses, this study presents a method of creating one-time password keys in OTP clients using grid card characteristics. One characteristic of this study that should be noted is that the OTP system is not positioned in the OTP server.
The password key creation process starts when a user logs in using their ID and password and sends a request to the server. The server then selects a random prime number for the coordinate challenge and replies to the client. Next, a combination of permutations is created in order using the selected prime number, and the coordinate challenge is created using the S/Key authentication scheme.
The OTP password is a secret key formed from the salt words and the information in the corresponding cells of the unique grid card the user possesses.
Figure 1. Grid card authentication system with salt passwords
This secret key can either be provided by the user or generated by a computer. In our case we choose a salt, which is a random string of data used to modify a password hash. Salt is added to the hash to prevent a collision by uniquely identifying a user's password, even if another user in the system has selected the same password. Salt also makes it more difficult for an attacker to break into a system using password hash-matching strategies, because adding salt to a password hash prevents an attacker from testing known dictionary words across the entire system.
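As an added example (not code from the paper), the following Python models the exchange described in sections II and III: after the ID/password login the server draws a challenge either at random from the operating system's CSPRNG (standing in for the DRBG) or from the least-used cells, the client answers with a one-time response derived by hashing the shared salt with the challenged cell contents, and the server verifies it. The A-J by 1-5 card layout, the two-character cells, the SHA-256 construction and the cap on challenge reloads are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import string

# Assumed card layout: columns A-J, rows 1-5, two alphanumeric characters per cell,
# so the paper's sample coordinates B2, F5 and J4 are all valid cells.
COLS = "ABCDEFGHIJ"
ROWS = range(1, 6)
ALPHABET = string.ascii_uppercase + string.digits
# Assumed cap on fresh challenges per login; section IV notes that unlimited
# reloads let an eavesdropper wait for a challenge pattern they have seen.
MAX_CHALLENGES_PER_LOGIN = 3


def make_grid(rng=secrets):
    """Issue a card: {(col, row): "XY"} filled from a CSPRNG (the DRBG stand-in)."""
    return {(c, r): "".join(rng.choice(ALPHABET) for _ in range(2))
            for c in COLS for r in ROWS}


def derive_response(salt, cell_values):
    """One-time response = SHA-256(salt || challenged cell contents, in challenge order).
    The salt itself never travels; client and server each hold a copy."""
    return hashlib.sha256(salt + "|".join(cell_values).encode()).hexdigest()


class GridAuthServer:
    """Server side of the grid challenge-response that follows the ID/password login."""

    def __init__(self, grid, salt, k=3, least_used=False):
        self.grid, self.salt, self.k = grid, salt, k
        self.least_used = least_used
        self.usage = {coord: 0 for coord in grid}   # per-cell challenge counter
        self.issued = 0                              # challenges issued in this login

    def new_challenge(self):
        """Return k coordinates such as [("B", 2), ("F", 5), ("J", 4)]."""
        if self.issued >= MAX_CHALLENGES_PER_LOGIN:
            raise PermissionError("challenge reload limit reached; restart login")
        self.issued += 1
        if self.least_used:
            # Least-Used Cells: lowest usage count first, ties broken by the CSPRNG.
            coords = sorted(self.grid, key=lambda c: (self.usage[c], secrets.randbits(32)))[: self.k]
        else:
            # Random Challenge: uniform draw, independent of any earlier challenge.
            coords = secrets.SystemRandom().sample(list(self.grid), self.k)
        for c in coords:
            self.usage[c] += 1
        return coords

    def verify(self, coords, response):
        """Constant-time check of the client's one-time response for this challenge."""
        expected = derive_response(self.salt, [self.grid[c] for c in coords])
        return hmac.compare_digest(expected, response)


def client_respond(card, salt, coords):
    """What the user's side computes after reading the challenged cells off the card."""
    return derive_response(salt, [card[c] for c in coords])
```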
IV. SECURITY ANALYSIS
Grid authentication card security is determined by a number
of factors. Card size is arguably the most important variable.
Increasing the grid size (i.e., number of cells) and format (i.e.,
contents of the cell) exponentially increases the number of
challenge responses available.
Entropy is defined as the uncertainty involved in predicting the value of a random variable. In this case, it refers to the difficulty of predicting the information contained on a grid card, both coordinates and characters.
A larger grid card and additional cell contents increase the uncertainty of predicting the coordinates and characters on the card. In other words, more variables mean less chance of "cracking" the grid.
However, OTP security measures have not proven totally secure. Once grid cards and tokens appeared on the online banking landscape, it was not long before the banks started to see phishing scams targeting OTPs.
Some banks do not limit the number of times a challenge can be reloaded, so an eavesdropper can keep reloading until a pattern they have already observed appears. If the grid card does not have enough numbers, the card could be reproduced by eavesdropping several times, and it can be successfully phished by entering all the numbers in the grid card. A grid card that adopts only 8-10 random numbers is even easier to phish.
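To make the sizing argument above concrete, the following added example (not from the paper) computes the entropy of a card, the odds of guessing a challenge blind, and how quickly an eavesdropper who watches successful logins accumulates usable cells under the Random Challenge algorithm versus the Least-Used Cells algorithm of section II. The 50-cell card with two alphanumeric characters per cell and 3-cell challenges are assumed parameters, and the eavesdropper is assumed to see every login from the card's first use.

```python
import math


def grid_entropy_bits(cells, chars_per_cell, alphabet_size):
    """Bits of uncertainty in an unknown card: every character is an independent draw."""
    return cells * chars_per_cell * math.log2(alphabet_size)


def challenge_guess_probability(chars_per_cell, alphabet_size, k):
    """Chance of blindly guessing all k challenged cells in a single attempt."""
    return alphabet_size ** -(chars_per_cell * k)


def random_challenge_exposure(cells, k, sessions_observed):
    """Random Challenge: expected number of distinct cells an eavesdropper has seen
    after observing `sessions_observed` successful logins, each revealing k cells."""
    return cells * (1 - (1 - k / cells) ** sessions_observed)


def answerable_probability(cells, known_cells, k):
    """Probability that a fresh, uniformly random k-cell challenge falls entirely
    inside the cells the eavesdropper already knows (expected count rounded down)."""
    known = int(known_cells)
    if known < k:
        return 0.0
    return math.comb(known, k) / math.comb(cells, k)


def least_used_answerable(cells, k, sessions_observed):
    """Least-Used Cells: while any cell is still unused, the next challenge is built
    from unused cells the eavesdropper has never seen, so it cannot be answered;
    only after every cell has been used once (k * sessions >= cells) can cells the
    eavesdropper observed be asked again. Assumes the eavesdropper saw every login."""
    return 1.0 if k * sessions_observed >= cells else 0.0


def compare(cells=50, chars_per_cell=2, alphabet_size=36, k=3, sessions=(1, 5, 15, 25)):
    """Rows of (logins observed, cells seen, P[answer next random challenge],
    P[answer next least-used challenge]) for the assumed card parameters."""
    rows = []
    for s in sessions:
        seen = random_challenge_exposure(cells, k, s)
        rows.append((s, round(seen, 1),
                     answerable_probability(cells, seen, k),
                     least_used_answerable(cells, k, s)))
    return rows


if __name__ == "__main__":
    print("card entropy (bits):", round(grid_entropy_bits(50, 2, 36), 1))
    print("blind guess of one 3-cell challenge:", challenge_guess_probability(2, 36, 3))
    for row in compare():
        print("logins=%d seen=%.1f P_random=%.4f P_least_used=%.1f" % row)
```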
In these cases, phishing e-mails generally tried to trick the banking user by asking him to "authenticate" or "revalidate" his token or grid card by entering a long series of OTPs from the token or the entire contents of the grid card. For this reason we add a salt to the password: without a salt, a successful SQL injection attack (a code injection technique that exploits a security vulnerability in a website's software to retrieve the database contents for the attacker) may yield easily crackable passwords. Because many users re-use passwords for multiple sites, the use of a salt is an important component of overall web application security. A further benefit of a salted password is that it makes a lookup-table-assisted dictionary attack against the stored values impractical.
Salt also makes brute-force attacks (the technique of checking all possible keys until the correct key is found) for cracking large numbers of passwords much slower. Without salts, an attacker who is cracking many passwords at the same time only needs to hash each password guess once and compare it to all the hashes. With salt, each password will likely have a different random bit string, so each guess would have to be hashed separately for each salt, which is much slower since hashing is generally computationally expensive. The grid card is a simple, easy-to-use authenticator for any industry, region or user population, and a proven authenticator as part of the software authentication platform. It is a cost-effective solution that is a fraction of the cost of traditional two-factor options. The coordinate request changes for each authentication challenge.
V. CONCLUSION
Online banking services were introduced by banks in 2002
and the number of service providers reached 9 commercial
banks by the end of 2009. As of 2009, Online bank users
numbered 3,566, representing 134,100 transactions and 3.3
billion MNT in value.
Conducting financial transactions was made easy with
online banking (or Internet banking) that allows customers to
conduct financial transactions on a secure website. However,
with increased convenience, the threats of online banking fraud
have also become a greater concern. Customer confidence and
loyalty to a bank with online banking services depend greatly
on the protection against banking fraud and identity theft.
The use of a secure website has become almost universally adopted. Though single password authentication is still in use, it by itself is not considered secure enough for online banking in Mongolia. Basically there are two different security methods in use for Mongolian online banking.
The PIN/TAN system, where the PIN represents a password used for the login and TANs (security tokens) represent one-time passwords used to authenticate transactions. TANs can be distributed in different ways; the most popular one is to send a list of TANs to the online banking user by postal letter. Another way of using TANs is to generate them as needed using a security token. These token-generated TANs depend on the time and a unique secret stored in the security token (two-factor authentication or 2FA).
For many of the banks in Mongolia, the task becomes inherently more expensive, especially when customers are not willing to pay for such tokens. A typical hardware token based on a 3-year period costs the bank almost US$60-$125 per customer (when fully implemented: cost of hardware device, servers, support, marketing, postage, etc.).
Signature-based online banking, where all transactions are signed and encrypted digitally. The keys for the signature generation and encryption can be stored on smartcards or any memory medium, depending on the concrete implementation. A signature takes the concept of traditional paper-based signing and turns it into an electronic "fingerprint." This "fingerprint," or coded message, is unique to both the document and the signer and binds them together.
REFERENCES
[1] Neil M. Haller, Bellcore, "The S/Key One-Time Password System," http://www.cs.utk.edu/~dunigan/cs594-cns/skey.pdf.
[2] Vipul Goyal, Ajith Abraham, Sugata Sanyal and Sang Yong Han, "The N/R One Time Password System," OSP Global, Mumbai, India.
[3] Yoon Eun-Jun and Yoo Kee-Young, "One-Time Password Authentication Scheme Using Smart Cards Providing User," Department of Computer Engineering, Kyungpook National University.
[4] http://en.wikipedia.org/wiki/Stream_cipher (incl. RC4, A5/1, A5/2).
[5] Gregory D. Williamson, GE Money – America, "Enhanced Authentication In Online Banking," Journal of Economic Crime Management, 2006.
[6] Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault, Damien Vergnaud, and Daniel Wichs, "Security Analysis of Pseudo-Random Number Generators with Input."
[7] Teddy Mantoro and Andri Zakariya, "Securing E-Mail Communication Using Hybrid Cryptosystem on Android-based Mobile Devices."
[8] Simson L. Garfinkel, Erik Nordlander and Robert C. Miller (MIT CSAIL, Cambridge, MA, {simsong,erikn,rcm}@mit.edu), David Margrave (Amazon.com, Seattle, WA, DavidMA@amazon.com) and Jeffrey I. Schiller (MIT Network Services), "How to Make Secure Email Easier To Use."
[9] Elaine Barker and John Kelsey, NIST Special Publication 800-90A, "Recommendation for Random Number Generation Using Deterministic Random Bit Generators."