Uploaded bymmubashirkhan
PPTX, PDF11,691 views

Two factor authentication presentation mcit

This document discusses two-factor authentication (2FA) as a method to strengthen user authentication beyond just a username and password. It describes how 2FA uses two different factors, something you know and something you have/are, to verify identity. Specifically, it evaluates using one-time passwords (OTPs) with hard tokens, mobile tokens, and SMS. While hardware tokens are very secure, they are also expensive and inconvenient. Mobile tokens are cheaper but still vulnerable to attacks. The best approach recommends sending the OTP via mobile token while sending transaction details via SMS to separate the factors and prevent SIM swap attacks. The document provides recommendations like using HTTPS and hashing to further improve security with 2FA.

EducationTechnologyBusiness
In this document
Powered by AI

Introduction to 2FA concept focusing on authentication types, agenda includes factors and business needs.

Authentication is verifying a user's identity using methods like passwords and factors such as knowledge, possession, and inherent characteristics.

Identifies various threats to password security including phishing, brute force, and passive attacks.

Defines 2FA requiring two authentication evidence types and emphasizes customer confidence and regulatory aspects.

Discusses the types of tokens used in 2FA, differing forms of OTP and their generation techniques.

Examines the use of hard tokens and mobile tokens for 2FA, outlining security mechanisms and user compliance.

Evaluation of security benefits and threats associated with hard and mobile tokens, including risks of device theft.

Proposes challenge-response mechanisms and SMS transaction details, addressing weaknesses in OTP security.

Summarizes effectiveness of various authentication methods against specified threats, highlighting strengths and weaknesses.

Offers best practices for enhancing security in authentication processes, such as ensuring HTTPS and mutual authentication.

List of references providing additional resources and studies on Two Factor Authentication.

Open forum for addressing questions regarding Two Factor Authentication.

Embed presentation

Downloaded 1,189 times
Some thing you know and Some thing you have. Two Factor Authentication Submitted By: Saba Hameed CT-025
Agenda Authentication Authentication Factors Two Factor Authentication (2FA) Business Need for 2FA 2FA Using OTP Hard Tokens 2FA Using Mobile Tokens Security Analysis Conclusion & Recommendations
Authentication  Authentication is the process of verifying the identity of user.  The most common technique to authenticate a user is to use username and passwords
Authentication Factors Something you know Something you have Something you are
Threats to Passwords  Social engineering  Phishing  Brute force attacks  Shoulder surfing  Keystroke logging  Eavesdropping  Dictionary attacks
Two factor Authentication  It is an approach to authentication which requires the presentation of two different kinds of evidence that someone is who they say they are.
Customer Confidence Regulations & Best Practices EFT ACT 2007 PCI DSS NIST Threat Prevention Phishing and Packet Replay and Man in the middle attacks Fraud Prevention
Tokens Hard Token USB Token Smart Card Soft Token Mobile Token  OTP is a second layer of security to verify your identity.
Types of OTP  Software – OTP An one-time password (OTP) generated by the company and sent to your mobile phone or PC.  Hardware – OTP An OTP generated by a security device/token. You press the button on the security device/token to obtain the OTP.  Event Based OTP Here the moving factor is triggered by an event  Time Based OTP Here the moving factor is time.
2FA Using Hard Token Courtesy: RSA SecureID
Security Analysis Benefits  It is secure against packet replay attacks.  It prevents against phishing. Threats  User needs to carry the device everywhere, and there is a risk that it may get stolen or lost.  Cost is very high.  Vulnerable to active attacks and Man in the middle attacks  
2FA Using Mobile Tokens  It makes use of:  Application installed on user’s mobile  IMEI  Time Stamp  Seed  Algorithm Used: Time based One Time Password Algorithm/ HMAC- SHA 1
How it works  User Registration on Server •Seed •Pin •IMEI number •Time Stamp difference Mobile Application Mobile Application Auth Server
How it works  OTP Generation Same Seed Algorithm Time Seed Algorithm Time Seed 159759 159759 Same Time Same OTP Mobile Application Authentication Server
How it works  Login session
Security Analysis Benefits  A relatively cheaper and flexible means of OTP.  User just need to carry their mobiles with them, no extra device is needed. Threats  Still vulnerable to active attacks  Man in the middle attacks  Man in the browser attacks  
Solution?  1. Challenge Response Mechanism  For fund transfer transactions, the server generates a a code and sends to the user. The user enters the code provided to the Internet banking site in order to commit the transaction. Challenges: •High Cost required •Hardware required
Solution? 2. SMS with Transaction Details
Security Analysis Threat:  Mobile is now single point of failure. OTP is generated/ received on mobile and the verification code of transaction is also received via sms on mobile. If attacker has the possession of user’s mobile, then he can do everything. My Recommendation:  It is necessary that a different medium is used for receiving OTP and receiving transaction verification code.
Conclusions Method Threats Effective Against Man in the Browser attak? Static Passwords Can be lost and easily obtained Brute force attacks possible No Biometric No OTP Hard Tokens User has to carry the token No OTP Soft/ Mobile Token Man in the middle attacks No OTP with Signature (Challenge Response) Secure against man in the middle attacks Yes, but inconvenient OTP with SMS Transaction Detail Secure against Phishing, Packet Replay, MIM and MITM Yes!!
My Recommendations  User should check and make sure the website has https in the URL, so that the password goes encrypted while transmission.  The OTP and PIN should be hashed before sending.  Mutual authentication should be established between the client and the server before the session starts to ensure the user that server can be trusted.  Using split key technique for authentication.
References  Mohamed Hamdy Eldefrawy, Khaled Alghathbar, Muhammad Khurram Khan, “OTP- Based Two-Factor Authentication Using Mobile Phones”  Roland M. van Rijswijk – SURFnet bv, Utrecht, The Netherlands, “tiqr: a novel take on two factor authentication”  Fadi Aloul, Syed Zahidi, “Two Factor Authentication Using Mobile Phones”  Costin Andrei SOARE, “Internet Banking Two- Factor Authentication using Smartphones”
Q & A Session

More Related Content

PPTX
MFA-Powerpoint.pptx
byrestonverdana
 
PDF
3 reasons your business can't ignore Two-Factor Authentication
byFortytwo
 
PPTX
Two factor authentication 2018
byWill Adams
 
PPTX
Two Factor Authentication
byNikhil Shaw
 
PPTX
Seminar-Two Factor Authentication
byDilip Kr. Jangir
 
PPTX
Two factor authentication.pptx
byArpithaShoby
 
PPTX
Guide to MFA
byJack Forbes
 
PPTX
Multifactor Authentication
byRonnie Isherwood
 
MFA-Powerpoint.pptx
byrestonverdana
 
3 reasons your business can't ignore Two-Factor Authentication
byFortytwo
 
Two factor authentication 2018
byWill Adams
 
Two Factor Authentication
byNikhil Shaw
 
Seminar-Two Factor Authentication
byDilip Kr. Jangir
 
Two factor authentication.pptx
byArpithaShoby
 
Guide to MFA
byJack Forbes
 
Multifactor Authentication
byRonnie Isherwood
 

What's hot

PPTX
User authentication
byCAS
 
PPTX
One time password(otp)
byAnjali Agrawal
 
PPTX
Digital signature
byPraseela R
 
PPTX
One Time Password - A two factor authentication system
bySwetha Kogatam
 
PPTX
Password management
byWilmington University
 
PPTX
Authentication(pswrd,token,certificate,biometric)
byAli Raw
 
PDF
TWO FACTOR AUTHENTICATION - COMPREHENSIVE GUIDE
byCTM360
 
PDF
Digital certificates & its importance
bysvm
 
PDF
Unit 3_Digital Signature Model Details.pdf
byKanchanPatil34
 
PDF
Two factor authentication
byHai Nguyen
 
PPTX
SSL
byBadrul Alam bulon
 
PPTX
Mobile Device Security
byNemwos
 
PPTX
How to Create (use use) Strong & Unique Passwords
byConnectSafely
 
PPT
Digital certificates
bySheetal Verma
 
PPTX
Password Cracking
bySina Manavi
 
PPTX
Public key infrastructure
byAditya Nama
 
PPTX
Cybercrime and Security
byNoushad Hasan
 
PPTX
Digital certificates
bySimmi Kamra
 
PDF
Unit 4_SSL_Handshake Protocol_Record Layer Protocol.pdf
byKanchanPatil34
 
PPTX
Symmetric and asymmetric key cryptography
byMONIRUL ISLAM
 
User authentication
byCAS
 
One time password(otp)
byAnjali Agrawal
 
Digital signature
byPraseela R
 
One Time Password - A two factor authentication system
bySwetha Kogatam
 
Password management
byWilmington University
 
Authentication(pswrd,token,certificate,biometric)
byAli Raw
 
TWO FACTOR AUTHENTICATION - COMPREHENSIVE GUIDE
byCTM360
 
Digital certificates & its importance
bysvm
 
Unit 3_Digital Signature Model Details.pdf
byKanchanPatil34
 
Two factor authentication
byHai Nguyen
 
SSL
byBadrul Alam bulon
 
Mobile Device Security
byNemwos
 
How to Create (use use) Strong & Unique Passwords
byConnectSafely
 
Digital certificates
bySheetal Verma
 
Password Cracking
bySina Manavi
 
Public key infrastructure
byAditya Nama
 
Cybercrime and Security
byNoushad Hasan
 
Digital certificates
bySimmi Kamra
 
Unit 4_SSL_Handshake Protocol_Record Layer Protocol.pdf
byKanchanPatil34
 
Symmetric and asymmetric key cryptography
byMONIRUL ISLAM
 

Similar to Two factor authentication presentation mcit

PDF
A secure communication in smart phones using two factor authentication
byeSAT Journals
 
PDF
A secure communication in smart phones using two factor authentications
byeSAT Publishing House
 
PPTX
Passwords are passé. WebAuthn is simpler, stronger and ready to go
byMichael Furman
 
PDF
How to Implement Website Authentication By MyOtpApp
bymyotpappmarketing
 
PDF
Two aspect authentication system using secure
byUvaraj Shan
 
PDF
Two aspect authentication system using secure
byUvaraj Shan
 
PDF
Two Factor Authentication Using Smartphone Generated One Time Password
byIOSR Journals
 
PDF
120 i143
byHai Nguyen
 
PDF
Enhanced adaptive security system for SMS – based One Time Password
byChandrapriya Rediex
 
PDF
Effective 2FA - Part 1: the technical stuff
byConorGilsenan1
 
PDF
IRJET- Multi sharing Data using OTP
byIRJET Journal
 
PDF
Securing corporate assets_with_2_fa
byHai Nguyen
 
PPTX
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
bySecureAuth
 
PPTX
AUTHENTICATION APPLICATION IN Nw SC.pptx
bysujithangam
 
PDF
Two aspect authentication system using secure mobile devices
byUvaraj Shan
 
PDF
Two aspect authentication system using secure mobile
byUvaraj Shan
 
PDF
Two Factor Authentication (2FA) Deep Dive: How to Choose the Right Solution f...
byConorGilsenan1
 
PDF
Transecq ITA
bytransecq
 
PDF
2020-08_The_Evolution_of_Authentication.pdf
byFerriantoSuryanto
 
PPTX
A2 - broken authentication and session management(OWASP thailand chapter Apri...
byNoppadol Songsakaew
 
A secure communication in smart phones using two factor authentication
byeSAT Journals
 
A secure communication in smart phones using two factor authentications
byeSAT Publishing House
 
Passwords are passé. WebAuthn is simpler, stronger and ready to go
byMichael Furman
 
How to Implement Website Authentication By MyOtpApp
bymyotpappmarketing
 
Two aspect authentication system using secure
byUvaraj Shan
 
Two aspect authentication system using secure
byUvaraj Shan
 
Two Factor Authentication Using Smartphone Generated One Time Password
byIOSR Journals
 
120 i143
byHai Nguyen
 
Enhanced adaptive security system for SMS – based One Time Password
byChandrapriya Rediex
 
Effective 2FA - Part 1: the technical stuff
byConorGilsenan1
 
IRJET- Multi sharing Data using OTP
byIRJET Journal
 
Securing corporate assets_with_2_fa
byHai Nguyen
 
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
bySecureAuth
 
AUTHENTICATION APPLICATION IN Nw SC.pptx
bysujithangam
 
Two aspect authentication system using secure mobile devices
byUvaraj Shan
 
Two aspect authentication system using secure mobile
byUvaraj Shan
 
Two Factor Authentication (2FA) Deep Dive: How to Choose the Right Solution f...
byConorGilsenan1
 
Transecq ITA
bytransecq
 
2020-08_The_Evolution_of_Authentication.pdf
byFerriantoSuryanto
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
byNoppadol Songsakaew
 

More from mmubashirkhan

PPTX
Situational awareness for computer network security
bymmubashirkhan
 
PPTX
Security threats and countermeasure in 3 g network
bymmubashirkhan
 
PPTX
Comparison between traditional vpn and mpls vpn
bymmubashirkhan
 
PPT
Security in wireless la ns
bymmubashirkhan
 
PPTX
Saa s multitenant database architecture
bymmubashirkhan
 
PPTX
Improving intrusion detection system by honeypot
bymmubashirkhan
 
PPTX
Drive by downloads-cns
bymmubashirkhan
 
PPTX
Cyber security issues
bymmubashirkhan
 
PPTX
Biometric security tech
bymmubashirkhan
 
PPTX
Authentication in manet
bymmubashirkhan
 
PPTX
Advanced persistent threat (apt)
bymmubashirkhan
 
Situational awareness for computer network security
bymmubashirkhan
 
Security threats and countermeasure in 3 g network
bymmubashirkhan
 
Comparison between traditional vpn and mpls vpn
bymmubashirkhan
 
Security in wireless la ns
bymmubashirkhan
 
Saa s multitenant database architecture
bymmubashirkhan
 
Improving intrusion detection system by honeypot
bymmubashirkhan
 
Drive by downloads-cns
bymmubashirkhan
 
Cyber security issues
bymmubashirkhan
 
Biometric security tech
bymmubashirkhan
 
Authentication in manet
bymmubashirkhan
 
Advanced persistent threat (apt)
bymmubashirkhan
 

Recently uploaded

PDF
UGC NET Paper 1 Syllabus | 10 Units Complete Guide for NTA JRF
byNIKHIL K N
 
PDF
AI Chatbots and Prompt Engineering - by Ms. Oceana Wong
byagenticroom
 
PPTX
Time Series Analysis - Least Square Method Fitting a Linear Trend Equation
bySundar B N
 
PPTX
What are New Features in Purchase _Odoo 18
byCeline George
 
PPTX
A Presentation of PMES 2025-2028 with Salient features.pptx
byRoyPintor2
 
PPTX
General Wellness & Restorative Tonic: Draksharishta
byDr. Paindla Jyothirmai
 
PPTX
G-Protein-Coupled Receptors (GPCRs): Structure, Mechanism, and Functions
byAnoja Kurian
 
PPTX
Declaration of Helsinki Basic principles in medical research ppt.pptx
byRanikonde
 
PPTX
Masterclass on Cybercrime, Scams & Safety Hacks.pptx
bykalkidirwhytap
 
PDF
DEFINITION OF COMMUNITY Sociology. .pdf
byJhasketan Kuanar
 
PPTX
Photography Pillar 1 The Subject PowerPoint
bymjb77ny
 
PDF
CXC-AD Associate Degree Handbook (Revised)
byCaribbean Examinations Council
 
PDF
Digital Journalism Ethics 2025 materi for Regulation & Ethic Media
byAdePutraTunggali
 
PDF
The invasion of Alexander of Macedonia in India
byPrachiSontakke5
 
PDF
ASRB NET 2025 Paper GENETICS AND PLANT BREEDING ARS, SMS & STODiscussion | Co...
bySatyam Sharma
 
PDF
“Step-by-Step Fabrication of Bipolar Junction Transistors (BJTs)”
byGS Virdi
 
PDF
Past Memories and a New World: Photographs of Stoke Newington from the 70s, 8...
byHistory of Stoke Newington
 
PPTX
DEPED MEMORANDUM 089, 2025 PMES guidelines pptx
byRoseBubuli
 
PPTX
Time Series Analysis - Weighted (Unequal) Moving Average Method
bySundar B N
 
PPTX
kklklklklklklklk;lkpoipor[3rjdkjoe99759893058085
bypreetheshparmar
 
UGC NET Paper 1 Syllabus | 10 Units Complete Guide for NTA JRF
byNIKHIL K N
 
AI Chatbots and Prompt Engineering - by Ms. Oceana Wong
byagenticroom
 
Time Series Analysis - Least Square Method Fitting a Linear Trend Equation
bySundar B N
 
What are New Features in Purchase _Odoo 18
byCeline George
 
A Presentation of PMES 2025-2028 with Salient features.pptx
byRoyPintor2
 
General Wellness & Restorative Tonic: Draksharishta
byDr. Paindla Jyothirmai
 
G-Protein-Coupled Receptors (GPCRs): Structure, Mechanism, and Functions
byAnoja Kurian
 
Declaration of Helsinki Basic principles in medical research ppt.pptx
byRanikonde
 
Masterclass on Cybercrime, Scams & Safety Hacks.pptx
bykalkidirwhytap
 
DEFINITION OF COMMUNITY Sociology. .pdf
byJhasketan Kuanar
 
Photography Pillar 1 The Subject PowerPoint
bymjb77ny
 
CXC-AD Associate Degree Handbook (Revised)
byCaribbean Examinations Council
 
Digital Journalism Ethics 2025 materi for Regulation & Ethic Media
byAdePutraTunggali
 
The invasion of Alexander of Macedonia in India
byPrachiSontakke5
 
ASRB NET 2025 Paper GENETICS AND PLANT BREEDING ARS, SMS & STODiscussion | Co...
bySatyam Sharma
 
“Step-by-Step Fabrication of Bipolar Junction Transistors (BJTs)”
byGS Virdi
 
Past Memories and a New World: Photographs of Stoke Newington from the 70s, 8...
byHistory of Stoke Newington
 
DEPED MEMORANDUM 089, 2025 PMES guidelines pptx
byRoseBubuli
 
Time Series Analysis - Weighted (Unequal) Moving Average Method
bySundar B N
 
kklklklklklklklk;lkpoipor[3rjdkjoe99759893058085
bypreetheshparmar
 

Two factor authentication presentation mcit

  • 1.
    Some thing youknow and Some thing you have. Two Factor Authentication Submitted By: Saba Hameed CT-025
  • 2.
    Agenda Authentication Authentication Factors Two FactorAuthentication (2FA) Business Need for 2FA 2FA Using OTP Hard Tokens 2FA Using Mobile Tokens Security Analysis Conclusion & Recommendations
  • 3.
    Authentication  Authentication isthe process of verifying the identity of user.  The most common technique to authenticate a user is to use username and passwords
  • 4.
    Authentication Factors Something youknow Something you have Something you are
  • 5.
    Threats to Passwords Social engineering  Phishing  Brute force attacks  Shoulder surfing  Keystroke logging  Eavesdropping  Dictionary attacks
  • 6.
    Two factor Authentication It is an approach to authentication which requires the presentation of two different kinds of evidence that someone is who they say they are.
  • 7.
    Customer Confidence Regulations & Best Practices EFT ACT 2007 PCIDSS NIST Threat Prevention Phishing and Packet Replay and Man in the middle attacks Fraud Prevention
  • 8.
    Tokens Hard Token USBToken Smart Card Soft Token Mobile Token  OTP is a second layer of security to verify your identity.
  • 9.
    Types of OTP Software – OTP An one-time password (OTP) generated by the company and sent to your mobile phone or PC.  Hardware – OTP An OTP generated by a security device/token. You press the button on the security device/token to obtain the OTP.  Event Based OTP Here the moving factor is triggered by an event  Time Based OTP Here the moving factor is time.
  • 10.
    2FA Using HardToken Courtesy: RSA SecureID
  • 11.
    Security Analysis Benefits  Itis secure against packet replay attacks.  It prevents against phishing. Threats  User needs to carry the device everywhere, and there is a risk that it may get stolen or lost.  Cost is very high.  Vulnerable to active attacks and Man in the middle attacks  
  • 12.
    2FA Using MobileTokens  It makes use of:  Application installed on user’s mobile  IMEI  Time Stamp  Seed  Algorithm Used: Time based One Time Password Algorithm/ HMAC- SHA 1
  • 13.
    How it works User Registration on Server •Seed •Pin •IMEI number •Time Stamp difference Mobile Application Mobile Application Auth Server
  • 14.
    How it works OTP Generation Same Seed Algorithm Time Seed Algorithm Time Seed 159759 159759 Same Time Same OTP Mobile Application Authentication Server
  • 15.
    How it works Login session
  • 16.
    Security Analysis Benefits  Arelatively cheaper and flexible means of OTP.  User just need to carry their mobiles with them, no extra device is needed. Threats  Still vulnerable to active attacks  Man in the middle attacks  Man in the browser attacks  
  • 17.
    Solution?  1. ChallengeResponse Mechanism  For fund transfer transactions, the server generates a a code and sends to the user. The user enters the code provided to the Internet banking site in order to commit the transaction. Challenges: •High Cost required •Hardware required
  • 18.
    Solution? 2. SMS withTransaction Details
  • 19.
    Security Analysis Threat:  Mobileis now single point of failure. OTP is generated/ received on mobile and the verification code of transaction is also received via sms on mobile. If attacker has the possession of user’s mobile, then he can do everything. My Recommendation:  It is necessary that a different medium is used for receiving OTP and receiving transaction verification code.
  • 20.
    Conclusions Method Threats EffectiveAgainst Man in the Browser attak? Static Passwords Can be lost and easily obtained Brute force attacks possible No Biometric No OTP Hard Tokens User has to carry the token No OTP Soft/ Mobile Token Man in the middle attacks No OTP with Signature (Challenge Response) Secure against man in the middle attacks Yes, but inconvenient OTP with SMS Transaction Detail Secure against Phishing, Packet Replay, MIM and MITM Yes!!
  • 21.
    My Recommendations  Usershould check and make sure the website has https in the URL, so that the password goes encrypted while transmission.  The OTP and PIN should be hashed before sending.  Mutual authentication should be established between the client and the server before the session starts to ensure the user that server can be trusted.  Using split key technique for authentication.
  • 22.
    References  Mohamed HamdyEldefrawy, Khaled Alghathbar, Muhammad Khurram Khan, “OTP- Based Two-Factor Authentication Using Mobile Phones”  Roland M. van Rijswijk – SURFnet bv, Utrecht, The Netherlands, “tiqr: a novel take on two factor authentication”  Fadi Aloul, Syed Zahidi, “Two Factor Authentication Using Mobile Phones”  Costin Andrei SOARE, “Internet Banking Two- Factor Authentication using Smartphones”
  • 23.
    Q & ASession

Editor's Notes

  • #8 EFT ACT – 2007 Financial Institutions and other institutions providing Electronic Funds Transfer facilities shall ensure that secure means are used for transfer, compliant with current international standards and as may be prescribed by the State Bank from time to time. PCI – DSS Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. NIST SP 800-63 Provides technical guidance for implementing electronic authentication.
  • #12 PR attacks:These are passive attacks in which a hacker or a malicious attacker intercepts the data while transmission and retransmits it.
  • #17 PR attacks:These are passive attacks in which a hacker or a malicious attacker intercepts the data while transmission and retransmits it.