SURVEY ON ONE TIME PASSWORD




Nilesh Khankari, Geetanjali Kale
Department of Computer Engineering, Pune Institute of Computer Technology, Pune, India

ABSTRACT: Authentication is the process by which the right user is given access to a resource; it protects the resource from access by unauthorised users. Various traditional techniques are available for authentication, but each has disadvantages. To overcome these disadvantages, multi-factor authentication is used, in which more than one authentication method is combined to perform authentication. One form of authentication that is mostly used together with other forms in multi-factor authentication is the one time password (OTP). A one time password is valid for one login session. In this paper we survey existing one time password generation methods.

Keywords: Authentication, One time password (OTP), Security, Multi-factor authentication

[1] INTRODUCTION

In today's world, authentication is required to access critical resources, and securing those resources calls for more secure authentication. Authentication is the process in which an authorized user (i.e. a user who has the right to access a particular resource) is given access to the resource; during authentication only authorized users gain access. For example, a user who needs to perform internet banking operations is required to provide authentication details to access his internet banking account. The various available authentication methods are basically classified into the following three types:

1. Knowledge based authentication
2. Token based authentication
3. Biometric authentication

In knowledge based authentication a password is used for authentication. There are two types of password: alphanumeric passwords and graphical passwords. An alphanumeric password is a sequence of letters, numbers and special characters, so characters are used to create the password. Such a password should not be guessable, but an alphanumeric password that is not guessable is hard to remember. For example, most people combine their name with some number related to them, and such passwords can be easily guessed. A password made of random characters like UluR5g9SNX is strong but hard to remember. To solve this problem, pictures are used for the password; such passwords are called graphical passwords. Graphical passwords are easy to remember, but a shoulder surfing attack is possible against them [1].

In token based authentication the user has a token which is used for authentication, for example a credit card or ATM card. The disadvantage of this method shows when the token is lost or stolen. In biometric authentication the user is authenticated using physical and behavioural properties that are unique to each user; face recognition, fingerprint and voice recognition are examples. Biometric authentication is costly, as it requires a hardware device to recognise the physical property of the user [2].

Each of the above methods has some disadvantage. To overcome these disadvantages, a combination of more than one authentication technique is used to authenticate the user; this is called multi-factor authentication. Multi-factor authentication uses the combination of more than one type of authentication, which is why it is called multi-factor. It provides an extra layer of authentication which minimises risk in risk based authentication. An example of multi-factor authentication is ATM authentication, in which an ATM card is used together with a PIN. Authentication which uses two authentication techniques is called two-factor authentication. One form that can be used for multi-factor authentication along with the traditional username-password scheme is the One Time Password. In this paper, we conduct a comprehensive survey of the existing OTP generation techniques.

[2] ONE TIME PASSWORD (OTP)

Since 1981, when Lamport introduced one time password schemes, many bank authentication systems have adopted his theory to provide secure authentication. The One-Time Password is one of the simplest and most popular forms of two-factor authentication today. A One-Time Password (OTP) is valid for only one login session. Unlike a static password, a one time password changes each time the user logs in: a one time password generation system uses a different password every time you want to authenticate yourself. The most important shortcoming addressed by OTPs is replay: one time passwords are not vulnerable to replay attacks. One-time passwords are a form of strong authentication and provide much better protection to on-line bank accounts, corporate networks and other systems containing sensitive data. OTP generation algorithms typically make use of randomness; this is necessary, since otherwise it would be easy to predict future OTPs from observing previous ones. [Figure-1] shows a simple and basic OTP authentication system. One time passwords are generated either from a static mathematical expression or from the actual time of day, changing periodically, which is called a counter one-time-password or a time synchronized one-time-password. There are basically two approaches to the generation of OTPs:

1. Based on a time-synchronized token, and
2. Based on a mathematical algorithm.

Figure 1. Basic OTP authentication flow

[3] OTPS BASED ON TIME-SYNCHRONIZED TOKEN

This approach is based on time-synchronization between the authentication server and the client providing the password, so OTPs are valid only for a short period of time. A time-synchronized OTP uses a piece of hardware called a security token. An accurate clock inside the token is synchronized with the clock on the authentication server. In these OTP systems time is an important part of the OTP algorithm, since the generation of new OTPs is based on the current time rather than, or in addition to, the previous password or a secret. The token may be a proprietary device, or a mobile phone or similar mobile device which runs software that is proprietary, freeware, or open-source. Due to the cost of hardware tokens and the infrastructure requirements, this method is inconvenient.

Fadi Aloul et al. proposed a system which uses a mobile phone as a software token for One Time Password generation. The OTP generated by this system uses factors that are unique to both the user and the mobile device itself, and is valid only for a short, user defined period of time [4].

K.C. Liao et al. presented a QR code technique to support the one-time password system. QR code applications on mobile phones inherit the benefits of QR codes, and properties of the mobile device such as mobility and handiness make this approach more practical. The approach eliminates the use of a password verification table and is a cost effective solution, as most internet users already have mobile phones [6].

Manav Singhal and Shashikala Tapaswi proposed a two factor authentication mechanism using mobile handsets, based on time synchronous authentication. They used the RFC 1321 MD5 message digest algorithm over the epoch time, a Personal Identity Number (PIN) and an init-secret to generate a One Time Password (OTP) which is valid for 60 seconds [8].

Huang Y. et al. described Time-Synchronized OTP (TSOTP), a simple and effective OTP method that generates a unique password for one-time use. This system calculates the TSOTP from both time stamps and sequence numbers [16].

[4] OTPS BASED ON MATHEMATICAL ALGORITHM

A mathematical algorithm is used to generate a new unique password. In this approach OTPs are generated by one of two methods: one based on the previous password, the other based on a challenge. OTPs generated by the previous password method effectively form a chain and must be used in a predefined order; each new OTP may be created from the past OTPs used. OTPs generated from a challenge use a random number chosen by the authentication server, transaction details or a counter.

Song Luo et al. proposed a new one-time password scheme based on bilinear pairings using a smart card. Using the bilinear pairings, this scheme generates a temporary identity and a one-time password from the user's identity to provide anonymity in the authentication process; the proposed scheme is secure against forgery attack and ID attack under the random oracle model [3].

A one time password based on the noisy password technique was proposed by K. Alghathbar and H. Mahmoud. The noisy password is constituted of several parts, the actual password and additional noisy parts, which are carefully designed to generate a different password almost every time a user wants to authenticate. This system alleviates the problem of shoulder surfing or eavesdropping by making the replay of a password useless [5].

Sainath Gupta et al. presented a unique graphical authentication system.
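A time-synchronized OTP in the style of section [3], as an added example that is not code from the paper or from any of the surveyed schemes: token and server share a secret and a PIN and derive the password from the current 60-second time step, and the server refuses any time step it has already consumed, so a captured OTP cannot be replayed inside its window. HMAC-SHA256 is used here in place of the MD5 digest of [8]; the one-step drift tolerance, the 6-digit length and the constructed secret are assumptions of this example.

```python
import hmac
import hashlib
import secrets

STEP_SECONDS = 60   # validity window, matching the 60-second scheme surveyed above
DRIFT_STEPS = 1     # accept one step either side to tolerate clock drift (assumption)
DIGITS = 6


def generate_otp(shared_secret: bytes, pin: str, now: int, step: int = 0) -> str:
    """Token side: OTP for the time step containing `now`, shifted by `step` steps."""
    counter = now // STEP_SECONDS + step
    msg = counter.to_bytes(8, "big") + pin.encode()
    digest = hmac.new(shared_secret, msg, hashlib.sha256).digest()
    # dynamic truncation: 4 bytes taken at an offset chosen by the last nibble
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class OtpServer:
    """Server side: holds the shared secret and rejects already-used time steps."""

    def __init__(self, shared_secret: bytes, pin: str):
        self.secret = shared_secret
        self.pin = pin
        self.last_counter = -1   # highest time step already accepted

    def verify(self, candidate: str, now: int) -> bool:
        for step in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
            counter = now // STEP_SECONDS + step
            if counter <= self.last_counter:
                continue   # that step was consumed: replay or stale code
            expected = generate_otp(self.secret, self.pin, now, step)
            if hmac.compare_digest(expected, candidate):
                self.last_counter = counter
                return True
        return False


def demo():
    # constructed secret and PIN for illustration only
    secret = secrets.token_bytes(20)
    server = OtpServer(secret, "1234")
    t0 = 1_700_000_000
    otp = generate_otp(secret, "1234", t0)
    first = server.verify(otp, t0 + 5)                 # fresh: accepted
    replay = server.verify(otp, t0 + 10)               # same step again: rejected
    expired = server.verify(otp, t0 + 3 * STEP_SECONDS)  # outside the window
    return first, replay, expired   # (True, False, False)
```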
The system proposed by Sainath Gupta et al. generates pseudo random one time passwords using a set of inkblots which are unique to each user. It is a simple, highly scalable and strong authentication system; according to the authors, it is simple enough for users to use and strong enough to keep malicious users away. The limitation of this system is that the login duration is long [7].

Xuguang Ren and Xin-Wen Wu proposed an effective dynamic user authentication scheme. This scheme generates a dynamic OTP based on the user's password, the authenticating time and a unique property that the user possesses at the moment of authentication. It takes the time factor from previous work and combines it with one of the space factors, such as the MAC address, providing a more secure and low overhead manner of authentication. This system effectively protects the user's account against attacks such as phishing, replay and perfect man-in-the-middle attack; a software phishing attack remains possible in this scheme [9].
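Both generation methods introduced at the start of section [4], as an added example that is not code from the paper or any surveyed scheme: a Lamport-style previous-password chain, where the server stores only the last accepted value so each element is usable once and only in the predefined order, and a challenge-based OTP, where the password is a keyed hash of a single-use server nonce. SHA-256, HMAC, the chain length and the constructed seed and key are this example's own choices.

```python
import hashlib
import hmac
import secrets


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Method 1: previous-password chain. The client keeps the seed and reveals
# h^(n-1)(seed), h^(n-2)(seed), ... one per login; the server holds only the
# last accepted value, so a reused or out-of-order element cannot verify.
class ChainClient:
    def __init__(self, seed: bytes, n: int):
        self.seed, self.n, self.used = seed, n, 0

    def chain_element(self, k: int) -> bytes:
        x = self.seed
        for _ in range(k):          # apply h k times
            x = h(x)
        return x

    def initial_commitment(self) -> bytes:
        return self.chain_element(self.n)   # h^n(seed), registered at enrolment

    def next_password(self) -> bytes:
        if self.used >= self.n:
            raise RuntimeError("chain exhausted: enrol a fresh seed")
        self.used += 1
        return self.chain_element(self.n - self.used)


class ChainServer:
    def __init__(self, commitment: bytes):
        self.current = commitment

    def verify(self, candidate: bytes) -> bool:
        # hashing the candidate once must reproduce the stored value
        if hmac.compare_digest(h(candidate), self.current):
            self.current = candidate    # advance: the old value is now useless
            return True
        return False


# Method 2: challenge-based OTP. The server issues a random nonce, the client
# answers with a keyed hash of it, and the nonce is discarded once answered.
class ChallengeServer:
    def __init__(self, shared_secret: bytes):
        self.secret = shared_secret
        self.pending = set()        # outstanding nonces, each answerable once

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.pending:
            return False            # unknown or already consumed challenge
        self.pending.discard(nonce)
        return hmac.compare_digest(challenge_response(self.secret, nonce), response)


def challenge_response(shared_secret: bytes, nonce: bytes) -> bytes:
    """Client side: the OTP is HMAC of the server's challenge."""
    return hmac.new(shared_secret, nonce, hashlib.sha256).digest()


def demo():
    # constructed seed and key for illustration only
    client = ChainClient(b"constructed-seed", n=5)
    server = ChainServer(client.initial_commitment())
    p1, p2 = client.next_password(), client.next_password()
    chain = (server.verify(p1), server.verify(p1), server.verify(p2))
    cs = ChallengeServer(b"constructed-key")
    nonce = cs.challenge()
    resp = challenge_response(b"constructed-key", nonce)
    # returns (True, False, True, True, False): replays fail in both methods
    return chain + (cs.verify(nonce, resp), cs.verify(nonce, resp))
```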

Longyan Gong et al. proposed a novel one-time password (OTP) mutual authentication scheme based on challenge/response mechanisms. The scheme shares random sub-passwords and their corresponding hashes between a user and a server and performs modular algebraic operations on two or more randomly chosen sub-passwords, so that relatively independent OTPs are produced. The used sub-passwords are renewed according to random permutation functions [10].

Wen-Bin Hsieh and Jenq-Shiou Leu proposed a method in which a volatile time/location-based password makes user authentication more secure and more convenient. Their solution makes use of a time and location dependent OTP which prevents permanent passwords from being sniffed during authentication while accessing web application services in a mobile environment. The proposed solution greatly improves user convenience and authentication security; it also transparently authenticates users within a tolerant geometric region, so that users do not need to manually type in their passwords [11].

Huiyi L. and Yuegong Z. proposed a scheme which uses two one-way hash functions: one builds a hash chain, which is the core of the authentication scheme, and the other secures the hash chain for information transmission between the user and the server. This scheme provides bidirectional identity authentication and presents higher security at lower computational cost [12].

Hayashi E. et al. present a framework that combines passive factors (e.g. location) and active factors (e.g. tokens) in a probabilistic model for selecting an authentication scheme that satisfies security requirements; however, it does not consider client device constraints [13].

X. Jiang and J. Ling proposed a new OTP authentication scheme which is simple and effective. It uses the SM2 cryptographic algorithm and a hash function to generate the OTP. The scheme ensures data transmission security, provides mutual authentication between client and server, resists different kinds of attacks and protects the user's identity information effectively. It has a simple structure, requires less computation time and reduces the burden on the server [14].

Byung Rae Cha et al. presented a new Mobile-OTP model with a password key generation method that creates one-time passwords using fingerprints and cyclic permutation for Mobile-OTP systems [15].

Jeonil Kang et al. suggested a two-factor face authentication scheme based on matrix transformations and a user password [17].

Yair H. et al. proposed a context-aware multi-factor authentication scheme based on a Dynamic PIN. The scheme produces a graphical challenge based on context, client device constraints and the associated risk, while balancing assurance and usability. The paper proposes a methodology for the crypto-function used to generate the Dynamic PIN: a PIN is produced without any predictable backward or forward correlation, which makes it infeasible for an attacker to predict the next PIN. The approach integrates authentication factors based on the user's client devices (e.g. SIM cards, biometric readers), sensors and APIs to modulate security assurance and to optimise it using context [18].

[5] CONCLUSION

The past decade has seen a growing interest in using one time passwords for strong authentication. In this paper we have surveyed one time password generation systems. This study shows that there is a need for a mechanism to generate One Time Passwords with more randomness, which expire before an attacker can recover them. Much more research and user studies are needed on one time password (OTP) generation techniques. This study will provide an improvement to existing one time password authentication mechanisms.

REFERENCES

[1] X. Suo, Y. Zhu, and G. S. Owen, "Graphical passwords: A survey," 21st Annual Computer Security Applications Conference, IEEE, pp. 10-19, 2005.
[2] J. Wayman, A. K. Jain, D. Maltoni, and D. Maio, Biometric Systems: Technology, Design and Performance Evaluation, New York: Springer, 2004.
[3] Song Luo, Jianbin Hu, and Zhong Chen, "An identity based one time password scheme with anonymous authentication," IEEE NSWCTC, vol. 2, pp. 864-867, April 2009.
[4] Fadi Aloul, Syed Zahidi, and Wassim El-Hajj, "Two factor authentication using mobile phones," IEEE/ACS International Conference on Computer Systems and Applications (AICCSA 2009), IEEE, 2009.
[5] K. Alghathbar and H. Mahmoud, "Noisy password scheme: A new one time password system," Canadian Conference on Electrical and Computer Engineering (CCECE'09), IEEE, 2009.
[6] K.C. Liao, W.H. Lee, M.H. Sung, and T.C. Lin, "A One-Time Password Scheme with QR-Code Based on Mobile Phone," Proceedings of the 5th International Joint Conference on INC, IMS and IDC, pp. 2069-2071, 2009.
[7] Sainath Gupta, Pruthvi Sabbu, Siddhartha Varma, and Suryakanth V. Gangashetty, "Passblot: A Highly Scalable Graphical One Time Password System," International Journal of Network Security & Its Applications (IJNSA), vol. 4, no. 2, March 2012.
[8] Manav Singhal and Shashikala Tapaswi, "Software tokens based two factor authentication scheme," International Journal of Information and Electronics Engineering, vol. 2, no. 3, pp. 383-386, 2012.
[9] Xuguang Ren and Xin-Wen Wu, "A Novel Dynamic User Authentication Scheme," International Symposium on Communications and Information Technologies, pp. 713-717, 2012.
[10] L. Gong, J. Pan, B. Liu, and S. Zhao, "A novel one-time password mutual authentication scheme on sharing renewed finite random sub-passwords," Journal of Computer and System Sciences, vol. 79, no. 1, pp. 122-130, February 2013.
[11] Wen-Bin Hsieh and Jenq-Shiou Leu, "A Time and Location Information Assisted OTP Scheme," Wireless Personal Communications, vol. 72, no. 1, pp. 509-519, 2013.
[12] Huiyi L. and Yuegong Z., "An Improved One-time Password Authentication Scheme," Proceedings of ICCT, pp. 1-5, 2013.
[13] E. Hayashi, S. Das, S. Amini, J. Hong, and Oakley, "CASA: context-aware scalable authentication," Proceedings of the Ninth Symposium on Usable Privacy and Security, ACM, Newcastle, pp. 1-10, 2013.
[14] X. Jiang and J. Ling, "Simple and Effective One-time Password Authentication Scheme," Instrumentation and Measurement, Sensor Network and Automation (IMSNA), pp. 529-531, 2013.
[15] Byung Rae Cha, Yong Il Kim, and Jong Won Kim, "Design of new P2P-enabled Mobile-OTP system using fingerprint features," Telecommunication Systems, vol. 52, no. 4, pp. 2221-2236, 2013.
[16] Y. Huang, Z. Huang, H.R. Zhao, and X.J. Lai, "A new one-time password method," International Conference on Electronic Engineering and Computer Science, pp. 32-37, 2013.
[17] J. Kang, D. Nyang, and K. Lee, "Two-factor face authentication using matrix permutation transformation and a user password," Information Sciences, vol. 269, pp. 1-20, 2014.
[18] Yair H. Diaz-Tellez, Eliane L. Bodanese, Theo Dimitrakos, and Michael Turner, "Context-Aware Multifactor Authentication Based on Dynamic Pin," IFIP Advances in Information and Communication Technology, vol. 428, pp. 330-338, 2014.