SURVEY ON ONE TIME PASSWORD

Transcription

1 SURVEY ON ONE TIME PASSWORD Nilesh Khankari, Geetanjali Kale Department of Computer Engineering, Pune Institute of Computer Technology, Pune, India ABSTRACT: Authentication is process in which right user will be given access to resource. Authentication protects resource to access from unauthorised user. There various traditional techniques are available for authentication. But these techniques have disadvantages. To overcome this disadvantages multi-factor authentication is used for authentication. In multi-factor authentication more than one authentication method is combined to perform authentication. One form of authentication that is mostly used with other forms of authentication for multifactor authentication is one time password (OTP). One time password is valid for one login session. In this paper we conduct survey of existing one time password generation methods. Keywords: Authentication, One time password (OTP), Security, Multi-factor authentication [1] INTRODUCTION In today s world to access critical resources authentication is required. To secure our critical resources more secure authentication is necessary. Authentication is process in which authorized user (i.e user which has rights to access particular resource) will be given access to resource. During authentication only authorize user will get access to resources. For example user who needs to perform internet banking operations is required to provide authentication details to access his internet banking account. There are various types of methods available for authentication. These methods basically classify into following 3 types. 1. Knowledge based authentication 2. Token based authentication 3. Biometric authentication In knowledge based authentication password is used for authentication. There are two types of password for authentication, Alphanumeric password and Graphical password. Alphanumeric password is sequence of alphabets, numbers and special characters. So in alphanumeric password characters are used to create password. This password should not guessable. But alphanumeric password which is not guessable is hard to remember. For example most people combines there name with some number related to them. Such passwords can be easily guessed. If we set passwords with random characters like UluR5g9SNX is strong password but it is hard to remember. To solve this problem pictures Nilesh Khankari and Geetanjali Kale 1

2 SURVEY ON ONE TIME PASSWORD are used for password such passwords are called as graphical passwords. Graphical passwords are easy to remember. But shoulder surfing attack is possible in graphical password [1]. In token based authentication user has token which is used for authentication. For example Credit card, ATM card. Disadvantage of this method is when token is lost or stolen. In biometric authentication user is authenticated using user s physical and behavioural properties which are unique for each user. Face recognition, Fingerprint, voice recognition etc. are example of biometric authentication. Biometric authentication is costly as it requires hardware device for recognition of physical property of user [2]. Each above method has some disadvantage to overcome this disadvantages combination of more than one technique of authentication is used to authenticate user. This phenomenon called as multi-factor authentication. Multi-factor authentication uses the combination of more than one type of authentication. More than one form of authentication used in multi-factor authentication that s why multi-factor authentication. Multi-factor authentication provides extra layer of authentication which minimises risk in risk based authentication. Example of multi-factor authentication is ATM authentication in which ATM cards are used together with a PIN number. Authentication which uses two authentication techniques is called Two-factor authentication. One form that can be used for multi-factor authentication along with the traditional username-password scheme is the concept of One Time Passwords. In this paper, we conduct a comprehensive survey of the existing OTP generation techniques. [2] ONE TIME PASSWORD (OTP) Since 1981 when Lamport introduced one time password schemes, many banks authentication systems are now using his theory to provide secure authentication. One-Time Password is one of the simplest and most popular forms of two-factor authentication today. A One-Time Password (OTP) is valid for only one login session. Unlike a static password, a one time password changes each time the user logs in. A one time password generation system uses a different password every time you want to authenticate yourself. The most important shortcoming that is addressed by OTPs is that, they are not vulnerable to replay attacks. One-time passwords are a form of strong authentication, provides much better protection to on-line bank accounts, corporate networks and other systems containing sensitive data. OTP generation algorithms typically make use of randomness. This is necessary otherwise it would be easy to predict future OTPs from observing previous ones. [Figure-1] shows simple and basic OTP authentication system. One time passwords are generated either from a static mathematical expression or by the actual time of day and changes periodically which is called counter one-time-password or time synchronized one-time-password. There are basically 2 approaches for the generation of OTP s: 1. Based on the timesynchronized token and 2. Based on mathematical algorithm. 2

3 Figure: 1. Basic OTP Authentication flow [3] OTPS BASED ON TIME-SYNCHRONIZED TOKEN A Based on time-synchronization between the authentication server and the client providing the password (OTPs are valid only for a short period of time). A time-synchronized OTP is uses a piece of hardware called a security token. An accurate clock is their inside the token which is synchronized with the clock on authentication server. On these OTP systems, time is an important part of the OTP algorithm since the generation of new OTPs is based on the current time rather than, or in addition to, the previous password or a secret. This token may be a proprietary device, or a mobile phone or similar mobile device which runs software that is proprietary, freeware, or open-source. Due to the cost of hardware token and the infrastructure requirements this method is inconvenient. Fadi Aloul et.al proposed a system which uses a mobile phone as a software token for One Time Password generation. OTP generated by this system uses factors that are unique to both, the user and the mobile device itself. OTP generated is valid for only a short user defined period of time [4]. K.C. Liao et.al presented a QR code technique to support the onetime password system. As the QR code applications with mobile phones can derive the benefits inherited from QR code. Various properties, such as mobility and handiness, benefit from the mobile device make this approach more practical. This approach eliminates the usage of the password verification table. This scheme is a cost effective solution as most internet users already have mobile phones [6]. Manav Singhal and Shashikala Tapaswi proposed Two Factor Authentication mechanism using Mobile handsets. This two factor Nilesh Khankari and Geetanjali Kale 3

4 SURVEY ON ONE TIME PASSWORD authentication is based on Time Synchronous Authentication. Manav Singhal and Shashikala Tapaswi used RFC1321 MD5 Message Digest Algorithm of Epoch Time, Personal Identity Number (PIN) and Init - Secret to generate One Time Password (OTP) which would be valid for 60 seconds [8]. Huang Y et.al described Time-Synchronized OTP (TSOTP), a simple and effective OTP method that generates a unique password for one-time use. This system calculates TSOTP based on both time stamps and sequence numbers [16]. [4] OTPS BASED ON MATHEMATICAL ALGORITHM A mathematical algorithm is used to generate a new unique password. In this approach OTPs are generated using two methods one is based on the previous password and other is based on a challenge. OTPs generated based on previous password method effectively a chain and must be used in a predefined order. Each new OTP may be created from the past OTPs used. OTPs generated based on a challenge i.e. a random number chosen by the authentication server or transaction details or a counter is used. Song Luo et.al proposed a new one-time password scheme based on the bilinear pairings using smart card. Using the bilinear pairings, this scheme generates temporary identity and one-time password from user s identity to provide anonymity in authentication process proposed scheme is secure against forgery attack and ID attack under the random oracle model [3]. One time password based on noisy password technique is proposed by K. Alghathbar and H. Mahmoud. The noisy password is constituted of several parts, the actual password and additional noisy parts that are well studied to generate different passwords almost every time a user wants to authenticate him. This system alleviated the problem of shoulder surfing or eves dropping by making the replay of a password is of no use [5]. Sainath Guptaa et.al presented a unique graphical authentication system. System proposed by Sainath Guptaa et.al generates pseudo random one time passwords using a set of inkblots, which are unique to each user. This presented system is a simple, highly scalable and strong authentication system. According to authors presented system is simple enough for users to use and strong enough to keep malicious users away. Limitation of this proposed system is login duration is long [7]. Xuguang Ren and Xin-Wen Wu proposed an effective dynamic user authentication scheme. This scheme generates dynamic OTP based on user s password, the authenticating time, as well as a unique property that the user possesses at the moment of authentication. This scheme considers the time factor from previous work and combines one of the space factors like MAC address, providing a more secure and low overhead authentication manner This system effectively protects user s account against various attacks such as phishing attack, reply attack, and perfect-man-in-the-middle attack. Software phishing attack can be possible in this scheme [9]. 4

5 Longyan Gong, et.al proposed a novel one-time password (OTP) mutual authentication scheme based on challenge/response mechanisms. This scheme shares random sub-passwords and corresponding hashes between a user and a server and performs modular algebraic operations on two or more randomly chosen sub-passwords. Using this phenomenon relatively independent OTPs are produced in this scheme. The used sub-passwords are renewed according to random permutation functions [10]. Wen-Bin Hsieh and Jenq-Shiou Leu proposed a method with a volatile time/location-based password features more secure and more convenient for user authentication. In this paper, Wen-Bin Hsieh and Jenq-Shiou Leu proposed a solution that makes use of a time and location dependent OTP which prevents permanent passwords from being sniffed for authentication while accessing the web application services in a mobile environment. The proposed solution improves the user convenience and authentication security greatly. This scheme transparently authenticates users in a tolerant geometric region as well so that users do not need to manually type in their passwords [11]. Huiyi L. and Yuegong Z proposed scheme which uses two one-way hash functions, one is a hash chain-which is the core of the authentication scheme, and the other is used to secure the hash chain for information transmission between the user and server. This scheme provides functions of bidirectional identity authentication and presents higher security and lower computational cost [12]. Hayashi E., et.al present a framework is presented that combines passive factors (e.g. location) and active factors (e.g. tokens) in a probabilistic model for selecting an authentication scheme that satisfies security requirements; however, it does not consider client device constraints [13]. X Jiang, J Ling proposed new OTP authentication scheme is simple and effective. The proposed scheme uses the SM2 cryptographic algorithm and Hash function for generation of OTP. This scheme ensures data transmission security, provides the mutual authentication between client and server resists different kinds of attacks, and protects the user s identity information effectively. This scheme has simple structure, requires less computation time and reduces burden on the server [14].Byung Rae Cha et.al presented a new Mobile-OTP model with a password key generation method to create one-time passwords which makes use of fingerprints and cyclic permutation for Mobile-OTP systems [15]. Jeonil Kang, et.al suggested a two-factor face authentication scheme based on matrix transformations and a user password [16]. Yair H., et.al proposed context-aware multi-factor authentication scheme based on a Dynamic PIN. This scheme produces a graphical challenge based on context, client device constraints, and risk associated, while balancing assurance and usability. A methodology is proposed in this paper where the crypto-function used to generate the Dynamic PIN. A PIN is produced without any predictable backward and forward Nilesh Khankari and Geetanjali Kale 5

6 SURVEY ON ONE TIME PASSWORD correlation which makes infeasible for an attacker to predict the next PIN. The proposed approach integrates authentication factors based on user s client devices e.g. SIM cards, biometric readers, etc., sensors, and APIs, to modulate security assurance, and to optimise it using context [17]. [5] CONCLUSION The past decade has seen a growing interest in using one time password for strong authentication. In this paper, we have performed survey of one time password generation systems. This study shows that there is a need to implement a mechanism to generate One Time Passwords which has more randomness and which expires before the attacker can recover it. Much more research and user studies are needed for one time password (OTP) generation techniques. This study will provide an improvement to existing one time password authentication mechanisms. REFERENCES [1] X. Suo, Y. Zhu, and G. S. Owen, "Graphical passwords: A survey," Computer Security Applications Conference, 21st Annual. IEEE, pp , [2] Wayman, J., Jain, A. K., Maltoni, D., and Maio, D., Biometric systems: Technology, design and performance evaluation, New York: Springer, [3] Song Luo, Jianbin Hu, Zhong Chen, An identity based one time password scheme with anonymous authentication, IEEE NSWCTC, vol. 2, pp , April [4] Fadi Aloul, Syed Zahidi, and Wassim El-Hajj. "Two factor authentication using mobile phones." Computer Systems and Applications, AICCSA IEEE/ACS International Conference on. IEEE, [5] K. Alghathbar and H. Mahmoud, "Noisy password scheme: A new one time password system." Electrical and Computer Engineering, CCECE'09. Canadian Conference on. IEEE, [6] K.C. Liao, W.H. Lee, M.H. Sung and T.C. Lin, A One-Time Password Scheme with QR- Code Based on Mobile Phone, In Proceedings of the 5th International Joint Conference on INC, IMS and IDC,, pp , [7] Sainath Gupta, Pruthvi Sabbu, Siddhartha Varma and Suryakanth V.Gangashetty. Passblot: A Highly Scalable Graphical One Time Password System, International Journal of Network Security & Its Applications (IJNSA), Vol.4, No.2, March [8] Manav Singhal, and Shashikala Tapaswi. "Software tokens based two factor authentication scheme." International Journal of Information and Electronics Engineering, Vol. 2, No. 3, 383-6, [9] Xuguang Ren, Xin-Wen Wu, A Novel Dynamic User Authentication Scheme, International Symposium on Communications and Information Technologies, pp ,

7 [10] L. Gong, J. Pan, B. Liu, S. Zhao, A novel one-time password mutual authentication scheme on sharing renewed finite random sub-passwords, Journal of Computer and System Sciences, Vol. 79 Issue 1, Pages , February, [11] Wen-Bin Hsieh and Jenq-Shiou Leu. "A Time and Location Information Assisted OTP Scheme." Wireless personal communications 72.1, pp , [12] Huiyi L., Yuegong Z., An Improved One-time Password Authentication Scheme, Proceedings of ICCT, pp 1-5, [13] Hayashi E., Das S., Amini S., Hong J., Oakley, CASA: context-aware scalable authentication, Proceedings of the Ninth Symposium on Usable Privacy and Security, pp ACM, Newcastle [14] X Jiang, J Ling, Simple and Effective One-time Password Authentication Scheme, Instrumentation and Measurement, Sensor Network and Automation (IMSNA), pp , [15] Byung Rae Cha, Yong Il Kim, and Jong Won Kim. "Design of new P2P-enabled Mobile- OTP system using fingerprint features." Telecommunication Systems 52.4, pp , [16] Huang Y, Huang Z, Zhao HR, Lai XJ. A new one-time password method, International Conference on Electronic Engineering and Computer Science, pp.32 37, [17] Kang, J., Nyang, D., Lee, K., Two-factor face authentication using matrix permutation transformation and a user password, Information Science. 269, pp. 1 20, [18] Yair H. Diaz-Tellez, Eliane L. Bodanese, Theo Dimitrakos, Michael Turner, "Context- Aware Multifactor Authentication Based on Dynamic Pin", IFIP Advances in Information and Communication Technology, Volume 428, pp ,2014. Nilesh Khankari and Geetanjali Kale 7