Securing e-government Web Portal Access Using Enhanced Two Factor Authentication



Similar documents
Monalisa P. Kini, Kavita V. Sonawane, Shamsuddin S. Khan

Dynamic Query Updation for User Authentication in cloud Environment

KEYSTROKE DYNAMIC BIOMETRIC AUTHENTICATION FOR WEB PORTALS

IDENTITY MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

CHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device

Two-Factor Authentication

Multi Factor Authentication API

iii. You will not be able to access their iocbc account without a valid OTP token from 1 Nov 2012 onward.

Two-Factor Authentication over Mobile: Simplifying Security and Authentication

Enhancing Web Application Security

IDRBT Working Paper No. 11 Authentication factors for Internet banking

IDENTITY & ACCESS. Providing Cost-Effective Strong Authentication in the Cloud. a brief for cloud service providers

Criteria for web application security check. Version

French Justice Portal. Authentication methods and technologies. Page n 1

Remote Access Securing Your Employees Out of the Office

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Two-Factor Authentication and Swivel

A brief on Two-Factor Authentication

CSC Network Security. User Authentication Basics. Authentication and Identity. What is identity? Authentication: verify a user s identity

API-Security Gateway Dirk Krafzig

Review Paper on Two Factor Authentication Using Mobile Phone (Android) ISSN

Provider OnLine. Log-In Guide

An Implementation of Secure Online Voting System

An Enhanced Countermeasure Technique for Deceptive Phishing Attack

Applying Cryptography as a Service to Mobile Applications

Two-Factor Authentication: Tailor-Made for SMS

Accessing Derbyshire County Council s Outlook Web Access (OWA) Service. Smart Phone App version

a. StarToken controls the loss due to you losing your Internet banking username and password.

Improving Online Security with Strong, Personalized User Authentication

Layered security in authentication. An effective defense against Phishing and Pharming

Multi-Factor Authentication of Online Transactions

Two Factor Authentication (TFA; 2FA) is a security process in which two methods of authentication are used to verify who you are.

Strong Authentication for Secure VPN Access

AUTHENTIFIERS. Authentify Authentication Factors for Constructing Flexible Multi-Factor Authentication Processes

Building Secure Multi-Factor Authentication

Citrix Netscaler Advanced guide for SMS PASSCODE SMS PASSCODE 2014

EVALUATION GUIDE. Evaluating a Self-Service Password Reset Tool. Usability. The password reality

SECURING SELF-SERVICE PASSWORD RESET

RSA SecurID Two-factor Authentication

YubiKey Authentication Module Design Guideline

etoken Single Sign-On 3.0

Contextual Authentication: A Multi-factor Approach

Biometric SSO Authentication Using Java Enterprise System

Adding Stronger Authentication to your Portal and Cloud Apps

How Secure is your Authentication Technology?

A Method of Risk Assessment for Multi-Factor Authentication

Multifactor Graphical Password Authentication System using Sound Signature and Handheld Device

Security in an Increasingly Threatened World. SMS: A better way of doing Two Factor Authentication (2FA)

2-FACTOR AUTHENTICATION FOR MOBILE APPLICATIONS: INTRODUCING DoubleSec

A SECURE COMMUNICATION IN SMART PHONES USING TWO FACTOR AUTHENTICATIONS

ProtectID. for Financial Services

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication

Implementing two-factor authentication: Google s experiences. Cem Paya (cemp@google.com) Information Security Team Google Inc.

Beyond passwords: Protect the mobile enterprise with smarter security solutions

Implementing Identity Provider on Mobile Phone

The Security Behind Sticky Password

User Identity and Authentication

End-User Manual. for. e-pramaan: A National e-authentication Service. Submitted to

Strong authentication of GUI sessions over Dedicated Links. ipmg Workshop on Connectivity 25 May 2012

Allianz Global Investors Remote Access Guide

THE FUTURE OF MOBILE SECURITY

Interlink Networks RAD-Series AAA Server and RSA Security Two-Factor Authentication

Research Article. Research of network payment system based on multi-factor authentication

STRONGER AUTHENTICATION for CA SiteMinder

3D PASSWORD. Snehal Kognule Dept. of Comp. Sc., Padmabhushan Vasantdada Patil Pratishthan s College of Engineering, Mumbai University, India

MODERN THREATS DRIVE DEMAND FOR NEW GENERATION MULTI-FACTOR AUTHENTICATION

New Brunswick Internal Services Agency. RSA Self-Service Console User Guide

Protect Your Customers and Brands with Multichannel Two-Factor Authentication

Secure Web Access Solution

Securing SharePoint Server with Windows Azure Multi- Factor Authentication

Client Server Registration Protocol

BlackShield ID Agent for Remote Web Workplace

Multi-Factor Authentication FAQs

Security Provider Integration RADIUS Server

Designing federated identity management architectures for addressing the recent attacks against online financial transactions.

Authentication Levels. White Paper April 23, 2014

Swivel Multi-factor Authentication

Step 1. Step 2. Open your browser and go to and you will be presented a logon screen show below.

Public Auditing & Automatic Protocol Blocking with 3-D Password Authentication for Secure Cloud Storage

Virtual Code Authentication User s Guide. June 25, 2015

Flexible Identity. Tokenless authenticators guide. Multi-Factor Authentication. version 1.0

Guide to Evaluating Multi-Factor Authentication Solutions

MCBDirect Corporate Logging on using a Soft Token

Authentication Solutions Buyer's Guide

International Journal of Software and Web Sciences (IJSWS)

Mobility, Security and Trusted Identities: It s Right In The Palm of Your Hands. Ian Wills Country Manager, Entrust Datacard

Welcome Guide for MP-1 Token for Microsoft Windows

2-FACTOR AUTHENTICATION WITH

RSA SecurID Software Token 1.0 for Android Administrator s Guide

Multi-factor authentication

Mobile Banking. Secure Banking on the Go. Matt Hillary, Director of Information Security, MX

Second Level Authentication Using QR Codes

Transcription:

Securing e-government Web Portal Access Using Enhanced Two Factor Authentication Ahmed Arara 1, El-Bahlul Emhemed Fgee 2, and Hamdi Ahmed Jaber 3 Abstract This paper suggests an advanced two-factor authentication solution to enhance the security of accessing the Libyan e-government web portal. It avoids the traditional two-factor authentication drawbacks such as cost and efficiency. It also provides guidelines to implement the two-factor authentication solution on e- government web portal. A survey is carried out to compare several authentication methods based on criteria of cost, usability, strength of delivery, and processing time. The Libyan citizen National ID is used as a user name followed by an OTP and login session details used as confirmatory feedback dataset. Moreover, an image based authentication step is to further identify the user of e-portal. As a two-channel technique, the user as client can receive an e-mail message instead of an SMS message from the server (e-portal server). In our research, we focus on configuring the authentication methods to obtain secure access to the Libyan e-government portal. Keywords Authentication, e-portal security, conformity configuration A I. INTRODUCTION UTHENTICATION methods are commonly used techniques to identify users who are in need to have an access to systems and information resources. User s ID s and passwords are most commonly used as 1-factor authentication mechanisms. Huge sensitive systems such as e-banking and on-line payments have become vulnerable if they use the 1- factor authentication mechanism [5,7]. As a matter of fact, such sensitive systems can be easily cracked by modern technology and new guessing techniques. Hence, the need for better secure systems has given rise to the concept of multifactor authentication systems. In multi-factor authentication systems, a combination of two or more factors are applied. There are three classes of factors. First class is just the usual password chosen when account is created. This class is related to what the user knows. The second class of factors has to do with what the user owns (SIM, a token). The third and last class of factors is what characterizes the user (fingerprint, eye retina, voice). Biometric features of the third class are very promising in gaining highly secured systems but they are cost prone. In this research, only the first two classes are considered, and consequently it is named two-factor Ahmed Arara 1 is with the University of Tripoli, Computer Engineering Department, Tripoli, Libya. El-Bahlul Emhemed Fgee, is with IT Department, Libyan Academy, Tripoli, Libya. Hamdi Ahmed Jaber 3 is an MSc Student at IT Department, Libyan Academy, Tripoli, Libya. authentication (2FA). II. TWO-FACTOR AUTHENTICATION A. Two-factor Authentication Overview Authentication is the process that verifies if the entity is the one it claims to be. Two factor authentication (2FA) is a combination of any two of the following three ways:- Something the user knows (PIN, password, secret question). Something the user owns (mobile phone, token). Something the user is (Biometrics like Retina, fingerprint). Despite the fact that the technology of 2FA was patented in 1984 but it is still commonly used effectively and efficiently. Configuration schemes of 2FA is what makes it attractive and promising[8]. In fact, by configuring the 2FA, users guarantee that their accounts are secure and they can have optimum control. B. Problem statement 2FA suffers from well-known limitations and drawbacks[10,11]. At first, several common security risks still exist namely: untrustworthy interface, theft/loss of 2FA devices, man-in-the-middle attacks, cryptanalytic attacks, and eavesdropping. Secondly, there are technical limitations of 2FA such as cost effectiveness, usability, processing time, strength of delivery. Based on the general security problems mentioned above, an approach based on 2FA configuration techniques are exploited. The empirical approach of configuring and analyzing the 2FA authentication process may contribute in resolving the problem of insecure and in-efficient authentication system. C. Research approach The proposed approach is intended to be empirical. 2FA methods for an e-government web portal were analyzed and compared with respect to cost, usability, strength of delivery and processing time. Based on the results of a survey and method analysis, it is concluded that mobile phone (SMS, software token, and Push) is the best choice. E-mail messaging method came as second out of all 8 methods under study [1]. III. 2FA FOR E-GOVERNMENT PORTAL Web portal is a web site that brings information together http://dx.doi.org/10.15242/iie.e1215065 65

from diversified sources in a uniform way. A web portal is called one stop shop. Hence, the main objective is to present the user with a single web page that brings together or aggregates content from a number of other resources, systems, and/or servers. Libyan e-government web portal is developed to provide Libyan nationals with sensitive and non-sensitive information. Secure authentication to have an access to the portal is strongly recommended. Security requirements of e-government web portal have become crucial in controlling and accessing sensitive information. Web portal authentication is considered to be the first defense line to protect from malicious attacks. An enhanced 2FA system will dramatically increase the security level and moreover will decrease the risks of illegal access to the Libyan e-government web portal. A. Authentication methods Three factors of authentication could be used to have higher level of security. Factors are based on something a user knows, a user has, and a user is. Hence, the authentication process could include one or more factors and their relevant technology used. Table I shows a snapshot of possible authentication methods. TABLE I FACTORS OF AUTHENTICATION PROCESS of each aspect is given below:- 1. System Costs Cost is a major decision factor for security system stakeholder [2]. To guarantee 2FA authentication solution, the cost is calculated for the entire life cycle, and for both the client side as well as the server side. 2. Usability Usability is used to define the case with which people can use a program or a method. It is more of the user s view of software quality. Many researchers [3,4] defined usability based on several dimension. The ISO, however, defines usability in terms of effectiveness, efficiency and satisfaction. Usability is a crucial criterion in selecting 2FA methods. Point evaluation (scale of 9) is used for 8 2FA methods. E-mail message method scored the highest value and mobile phone method came as a second with respect to overall usability value (see fig. 1). Fig. 1 Total usability value of the eight suggested methods B. Selection criteria of authentication methods Authentication is an absolutely essential element of any security model. It is the process of confirming the identification of the user (or a machine) that is trying to log on or access resources. Instead of using a single layer of authentication, a multilayered authentication is used to add extra protection in a high-security environment. There are a large number of authentication methods and protocols that are used depending on the application and the security requirements [1]. In this research, the following eight methods are studied and analyzed:- Disconnected hardware token, Connected hardware token, Mobile phone (SMS), Mobile phone (software token), Mobile phone (push), E-mail message, Biometric (finger print), Biometric (Iris recognition). There are four basic metrics that are used to select the most appropriate methods that can be used as 2FA authentication for the Libya e-government web portal [1]. A short description 3. Strength of delivery The strength of delivery indicates the success of a user to enter username/password and to get a response from the second authentication level or second factor (SMS, e-mail, etc.). It should be noted here that the network traffic and mobile coverage may cause a delay of the SMS message or a failed transmission. The strength of delivery for the mobile SMS method is considered moderate but other criteria are rated high which makes the proposed method more attractive (see fig. 2). Fig. 2 the overall strength of delivery for all methods 4. Processing time Processing time means the time required between the successful inputs of username/password and getting a response from the second authentication method (SMS, e- mail, etc.). A shorter time lead to a better experience of 2FA authentication and smooth login process. Fig. 3 shows the overall processing time for the eight 2FA authentication methods. http://dx.doi.org/10.15242/iie.e1215065 66

of them (104 person) said they are not feeling secure by protecting their data by only username and password and 98% of them are using mobile phone services. B. 2FA authentication algorithm Fig. 3 The overall processing time of all methods IV. PROPOSED 2FA SOLUTION The overall results based on four basic criteria (cost, usability, strength of delivery, processing time) is shown in fig. 4. Fig. 4 overall results of 2FA authentication methods As a solution to the research question [1], the main authentication method is the mobile SMS technology. With over 8 million mobile phones in use in Libya according to local mobile operators (Libyana and Almadar), turning a phone into an authentication device quickly solves the need and additional cost and delays of sending out hardware tokens. A. Testing and survey results An online digital survey created and distributed to the public to gain information from random sample of people to collect required information that helps in identifying the importance, acceptance and most-liked methods that a normal person may prefer to use as a second authentication method. The online survey created and distributed via service provided by www.esurveycreator.com website. There is 187 person participated in the survey. Ninety three percent of them (174 persons) has completed the survey successfully and counted in the final survey results. The survey was designed to be answered by normal ordinary and even not qualified or technology involved people. It consist from thirteen questions. Three of them are general questions about email, gender and qualification. Four questions was for the general internet usage of the participants. The last section of the survey contains six questions that focus on the feeling of importance of securing sensitive online data. Acceptance of such technology and most liked method that the end user welcomed to use. Out of 174 participate persons, 33% (58 person) said that they are using internet services that uses confidential data or runs sensitive transactions like internet banking. While a 60% The client/server architecture overall development is considered. At the client side, an app program is developed and installed on the mobile phone to generate the software token or One-Time-Pass (OTP) using a simple easy-to-use GUI. The client (user) can request an OTP from the server. At the server side, the OTP is generated when requested by the client. Also, the server is responsible for verifying the SMS information. The general steps of 2FA authentication is performed as it follows:- 1. User enters pass word. 2. Server generates an OTP and sends it to user via SMS message. 3. User enters the OTP that he/she received 4. Servers compares the token entered buy user with one already generated by the server. 5. If the two tokens match, then a user logs in successfully. The above general algorithm is used to derive new algorithms according to the configuration of multi-layer mechanism and according to the client and server requirements. < 1. Client side algorithm In the client side, the user requests opening a new account based on his/her national ID (NID). Table II gives details of creating an account for new user. TABLE I USER FIRST TIME LOGIN Algorithm 1 Name: LoginFirstTime Input: login credentials Output: SuccessfulLoginNewAccount or FailLoginNewaccount 1. User receives from server SMS with initial login details 2. User enters NID and PW// randomly generated password 3. If correct NID and PW then 4. Begin 5. Choose mobile number 6. Enter OTP received from server 7. End 8. Else display wrong login details 9. If correct OTP then 10. Begin 11. Display image category 12. Select image from category 13. End 14. Else display wrong OTP 15. If correct image then 16. Begin 17. Change password 18. Display login succeeded 19. End 20. Else display wrong image The client may login and be able to change his/her password. Table III describes the login process for the first http://dx.doi.org/10.15242/iie.e1215065 67

time. The user s normal login process is the same as shown in algorithm 1 (see table I) except for the change of the password from the initial password given by the server to the new password selected by the user. 2. Server side algorithm The main function of the server is to create new accounts and modify accounts. Table II illustrates how a new account is set up when new user joins the server. TABLE II NEW USER ACCOUNT GENERATION Algorithm 2 Name: NewAccountCreation Input: login credentials Output: newaccount 1. Create an account (NID, PW)// PW random generated password 2. Add mobile number, email// (3 numbers maximum) 3. Assign photo category // out of 12 images 4. Activate the account The server supports a backup procedure in case of emergency that prevents the user from login to his account. An algorithm is shown in table III describes the steps of recovery when failure of login occurs. Algorithm 3 Name: BackupRecovery // case of lost/ forgotto password Input: login credential Output: AlternateLogin 1. User enters NID and PW 2. // case of lost or forgotten password 3. If (lost/forgotten) PW then 4. Inform the system via a link click 5. Enter user info (mobile number, e-mail, security question) 6. If correct info then 7. Begin 8. Reset PW; 9. Send SMS to user// 10. // SMS + confirmatory data (sessionid, OS template, time, etc. 11. // case of mobile phone lost SMS delay 12. If incorrect phone number 13. Begin 14. Inform the system 15. Choose an e-mail address 16. Receive ( OTP + confirmatory data) in e-mail message 17. End 18. If no access to e-portal then 19. Display appear in person to e-service desk analysis of several 2FA methods was carried out according to basic criteria of cost, usability, processing time, and strength of delivery. Based on on-line survey, 2FA authentication testing procedure, and comparative analysis of eight 2FA methods, it was validated that Mobile phone SMS method to be the best when implemented in e-government web portal access. Email messages used as backup in case of emergency or lack of mobile phone services. REFERENCES [1] Thesis Jaber, A..Hamdi, Libyan national Academy, Tripoli, Libya. [2] B. Nanus and L. Farr, "Some cost contributors to large-scale programs," in The Spring Joint Computer Conference, 1964, p. 239. http://dx.doi.org/10.1145/1464122.1464147 [3] J. Nielsen, Usability engineering. Boston: Academic Press, 1993. [4] An Investigation into the Usability and Acceptability of Multi-channel Authentication. Ph.D. thesis by Mohamed Ali Al-Fairuz. University of Glasgow. [5] "Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment", August 15, 2006 [6] Yu Tao Fan, Gui ping Su. Design of Two-Way One-Time-Password Authentication Scheme Based On True Random Numbers. Second International Workshop on Computer Science and Engineering 2009. [7] A. Allan. Passwords Are Near the Breaking Point. Technical report, Gartner, December 2004. [8] "Frequently Asked Questions on FFIEC Guidance on Multi-factor Authentication", February 22, 2009. [9] RSA Security. RSA mobile and RSA Securid. December 2002. [10] The drawbacks of Two-factor authentication. URL http://searchitchannel.techtarget.com/tip/the-drawbacks-of-two-factorauthentication [11] Angela Moscaritolo (2011-07-12). "Zeus for Android steals one-time banking passwords". SC Magazine. [12] Authentication in an Internet Banking Environment. URL http://www.ffiec.gov/pdf/authentication_guidance.pdf. V. CONCLUSION Passwords alone are no longer enough to protect critical resources and data. Things have to be stepped up to achieve better security in today s networking environment. With 2FA authentication, you can take a combination of what user has, what he knows, and what he is, in order to ensure granting of access in secure and appropriate manner. In this paper, an http://dx.doi.org/10.15242/iie.e1215065 68

APPENDIX A SCREEN SHOT 4 LIBYAN E-GOVERNMENT WEB PORTAL AUTHENTICATION USER INTERFACE SCREEN SHOT 1 SCREEN SHOT 5 SCREEN SHOT 2 SCREEN SHOT 6 SCREEN SHOT 3 http://dx.doi.org/10.15242/iie.e1215065 69

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information