Enhanced User Authentication Techniques using the Fourth Factor Some Body the User Knows




Proc. of Int. Conf. on Advances in Computer Science, AETACS
Elsevier, 2013

K. Sharmila (1), V. Janaki (2), A. Nagaraju (3)
1. Department of CSE, Aurora's Research and Technological Institute, Warangal, India. E-mail: Sharmilakreddy@gmail.com
2, 3. Department of CSE, Central University of Rajasthan, India. E-mail: janakicse@yahoo.com
3. E-mail: nagaraju@curaj.ac.in

Abstract

The fundamental principle of identifying a person with the help of a trusted person has been in use since the beginning of mankind. With the rapid development of technology, a person is now identified using one factor, two factor or three factor authentication techniques. In today's world of increased connectivity, authentication issues are becoming progressively more important. Every system has its own approach to authenticating a person or a machine. Among these, password authentication is the simplest and most commonly used technique. Because of its simplicity, it can be attacked easily if proper precautions are not taken. It can be strengthened using two factor authentication (smart cards) and three factor authentication (biometrics). In addition to these three factors, identity can also be proved using human relationships. In this paper, we concentrate on the most economical, social networking based technique for authentication, i.e., a fourth factor: somebody the user knows and whom he can trust.

Index Terms: Authentication, Biometrics, Social network, Vouching, vouch code

I. INTRODUCTION

Authentication is the process of checking identity, i.e., verifying whether a user or a machine really is who he or it claims to be. This is usually achieved using one or more fundamental authentication factors. The authentication techniques existing today can be divided into three groups:

1. Knowledge-based -- Something the user knows or only he is aware of, i.e., some secret information (e.g., Password, PIN, security question);
2. Possession-based -- Something the user has or possesses, i.e., some physical object (e.g., Smart-card, Badge or a token);
3. Physiology-based or behaviour-based -- Something the user personally is, i.e., some biometric data (e.g., Fingerprint, Voice, Iris pattern).

With knowledge-based and possession-based mechanisms, users are permitted to use a system or service only if they memorize or hold the authenticator. Because such keys are more likely to be lost, stolen or easily duplicated, the use of biometrics is suggested [6]. In certain instances, a user is unable to use any of the above criteria to authenticate himself (the user forgets or is unable to recollect his password, loses his hardware token, or cannot provide his biometrics) and is not in a position to contact the help desk [1]. For these cases we suggest a fourth factor, which may be categorized as a fourth group, i.e., somebody whom the user trusts, and which may be termed backup authentication:

1. Someone whom the user knows, i.e., somebody whom the user trusts (e.g., Family member, Friend).

Based on human relationships, this factor acts as a backup authenticator. In section II, the existing authentication methodologies are explained, and in section III we explain various problems in implementing the current authentication factors. In section IV we describe our novel approach of Vouching, and in section V we conclude our proposal.

II. EXISTING SYSTEM

In this section, we discuss the existing authentication techniques using one, two and three factor authentication.

Authentication Factors: The authentication factors of an individual are generally classified into three categories:

One Factor Authentication - (Information known to the user) A password or a personal identification number (PIN) which is to be kept secret.
Two Factor Authentication - (Thing of Possession) ID card, software token or cell phone in combination with a password.
Three Factor Authentication - (Human Biometrics) Fingerprint, Iris, DNA, Voice recognition etc., in combination with factors one and two.

A. One Factor Authentication

Authentication by password is the most commonly used mechanism but is also considered the most vulnerable form of authentication, as shown in Fig 1. Significant effort has been put into developing systems of password administration with different levels of password complexity [6]. Password systems have two main disadvantages: the first is that passwords are easily guessable, and the second is the necessity of changing them frequently. If either of these is not addressed, passwords are easily cracked. Many users write them down in common places and so put the security of the password at risk [10].
Even if the system administrators force users to change their passwords periodically, the probability that an attacker will obtain the password by guessing or by brute force attack is high. Yet many companies use this system as the simplest way of protecting their data.

Fig 1: Example of one factor Authentication

B. Two Factor Authentication

As password authentication is weakened by software attacks, it is necessary to improve security by using two factors [7]. Since two-factor authentication uses more than one factor for verification, it is considered to be more secure. Two-factor authentication expects the use of two authentication factors as shown in Fig 2, i.e., a software token (PIN) and a hardware token (Smart Card / USB token). Hardware authentication tokens are used to improve the security of user authentication. Smart-card-based password authentication provides two-factor authentication [9], where a successful login requires both a valid smartcard and a valid password.

Principle of the USB Tokens: The USB token is a small portable device. It plugs directly into a computer's USB port and therefore does not require the installation of any special hardware on the user's computer. Once the USB token is detected [13] by the system, the system prompts the user to enter his or her password (the second authenticating factor) to gain access. USB tokens are hard to duplicate. Therefore, they act as a secure medium for storing and transmitting confidential data. The device can also store digital certificates that can be used in a public key infrastructure (PKI) environment [9].

Fig 2: Example of two factor Authentication

Principle of Smart Card: A smart card, also known as an integrated circuit card (ICC), is a pocket-sized card with embedded integrated circuits. It requires a special device for reading the embedded data. Smart cards provide identification and authentication of a user along with storage for his confidential data. Smart cards also provide strong security authentication for single sign-on (SSO) transactions within large organizations [13].

C. Tokens

A security token can be defined as a physical device which authenticates an authorized user to perform any online transaction. It can also be referred to as an authentication token or a cryptographic token [7]. Authentication tokens come in two formats: a) Hardware Token b) Software Token.

Hardware Tokens: These are small devices which can be easily carried. Some of these tokens store cryptographic keys or biometric data (Credit Cards), whereas others display a PIN that changes with time randomly (physical token) [13]. Whenever a user wishes to authenticate himself, he has to use the PIN displayed on the token in addition to his normal account password.

Software Tokens: These are tokens generated using a Random Number Generator (RNG). The RNG generates a password, called a token, that changes with time. Such tokens implement a One Time Password (OTP) algorithm. OTP algorithms [9] are crucial in providing security to the systems, since unauthorized users should not be able to guess the next password. The sequence of random numbers should run for a maximum period without repetition.

The benefits of tokens include:

- Security: This can be provided by introducing cryptography and digital certificates to store and extract information from hardware devices.
- Portability: Since the devices are small in size, they can be easily carried and accessed, like the USB tokens.
- Simple plug-ins (User Convenience): The USB ports can be easily used and are therefore convenient and comfortable.
- Flexibility and Ease: Administrative ease is very crucial in the maintenance of any security system with respect to time, accuracy and efficiency at an acceptable cost.

One application of these tokens is their wide usage in laptops. In this scenario, if the user wants to log in, he has to enter a password and a random number which is generated by the OTP algorithm while the USB token is plugged into the laptop. If a hacker wants to access the laptop, he must compromise both the USB token and the user account password, which may be extremely difficult. Security cannot be assured when the token is lost or the password is guessed.

Two factor authentication provides stronger security than ordinary password authentication. Still, there are chances of failure if both authentication factors are compromised by a hacker (e.g., an attacker could successfully obtain the password and the data in the smart-card). In these circumstances, a third authentication factor can solve the problem and improve the system's security.

C. Three Factor Authentication

Another authentication mechanism is third factor authentication through biometrics. Here, users are identified by physiological or behavioural characteristics [6]. Three factor authentication [7] is the submission of biometrics like fingerprint, voice recognition or iris pattern along with the other two factors, as shown in Fig 3. An advantage of biometrics is that the match rate between two people and their biometric features is very low. Examples of biometric features include hand or finger impressions, facial gestures, iris recognition etc. [5]. Biometrics act as a reliable authentication factor since they cannot be easily lost or forgotten.

Biometric authentication may satisfy the security requirement, but with constraints. For example, voice authentication has considerable error rates in noisy environments [14]. Face recognition schemes may be susceptible to differences in lighting. Fingerprint readers can be defeated by fake fingerprints. Physical authentication tokens overcome the problems of error rate and memorability [15]. However, they are mostly vulnerable to theft and to impersonation of legitimate users by hackers.

Fig 3: Example of three factor authentication

A limitation of three factor authentication is its implementation, i.e., the installation and maintenance of biometric machinery is cumbersome. It is also not applicable to online transactions or ATM machines because of the expensive hardware needed [18].

D. Trustee based Authentication

This type of authentication takes the help of a trusted third party to prove the identity of an individual. Authenticating users through an alternate email address is an example of trustee based authentication [8]. In some organizations, trust based authentication works as follows: a user who fails to access the system through primary authentication is authenticated by system administrators or by his/her colleagues, who can request a temporary password on his/her behalf. In 2006, Brainard et al. of RSA proposed a two-factor authentication system (PIN + token) for system access in which a user who loses his/her token can receive help from a pre-selected trustee called a Helper [1]. In this system, the trustee authenticates the user so as to generate a temporary pass code. This code acts as a substitute for the user's lost token for a specified short period.

E. Connection-less authentication system

This method is implemented using a mobile device and a computer. The mobile device acts as a token generator, producing a one-time password locally at defined intervals, and the same pass code is also generated at the server side with time synchronization [1]. The user then enters the generated code into the machine and accesses it.

Table I compares the existing authentication factors and their properties, with examples. In the next section, we discuss some of the security issues related to the existing authentication factors.

TABLE I: COMPARISON OF AUTHENTICATION FACTORS [3]

Factor                        | Name                        | Example                         | Property
What you know                 | One Factor Authentication   | User ID, Password, PIN          | Shared, Easy to guess, Forgotten
What you have                 | One Factor Authentication   | Cards, Badges, Keys, Tokens     | Shared, Duplicated, Lost or Stolen
What you know + What you have | Two Factor Authentication   | ATM card + PIN                  | Shared, PIN is the weakest link
What you are                  | Three Factor Authentication | Finger print, Face, Iris, Voice | Scan the finger print, Devices are Costly
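The time-synchronised pass code of section E, and the time-changing software token described under Tokens, can be realised with the standard TOTP construction (RFC 6238). The following is an added example, not code from the paper; the 30-second interval, 6-digit length, one-interval drift window and the TotpVerifier name are assumptions made here.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed interval; the paper only says "defined intervals"
DIGITS = 6          # assumed code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, digits: int = DIGITS) -> str:
    """Code that device and server each derive locally for the current interval."""
    return hotp(secret, int(unix_time) // STEP_SECONDS, digits)


class TotpVerifier:
    """Server side: tolerates bounded clock drift and refuses replayed codes."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_counter = -1   # highest interval already accepted

    def verify(self, code: str, server_time: float) -> bool:
        current = int(server_time) // STEP_SECONDS
        matched = None
        first = max(0, current - self.drift_steps)
        for counter in range(first, current + self.drift_steps + 1):
            expected = hotp(self.secret, counter)
            # Constant-time comparison; every interval in the window is checked.
            if hmac.compare_digest(expected.encode(), code.encode()):
                matched = counter
        if matched is None or matched <= self.last_counter:
            return False         # wrong code, outside the window, or a replay
        self.last_counter = matched
        return True


def demo() -> list:
    """Constructed scenario: the phone clock runs 20 seconds behind the server."""
    secret = b"12345678901234567890"    # RFC 6238 test secret, not a real key
    phone_time = 1111111109
    code = totp(secret, phone_time)
    server = TotpVerifier(secret)
    return [server.verify(code, phone_time + 20),    # accepted despite drift
            server.verify(code, phone_time + 20),    # same code again: refused
            server.verify(code, phone_time + 120)]   # far outside the window


if __name__ == "__main__":
    print(demo())
```

The replay check is what makes the pass code one-time on the server; without it a code observed over the user's shoulder stays usable until its interval leaves the drift window.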

III. SECURITY ISSUES IN IMPLEMENTING THE AUTHENTICATION FACTORS

Although authentication factors provide security, it is the responsibility of every individual to maintain the secrecy of their security tokens. Government organizations are enforcing standards, passing laws and forcing organizations and agencies to follow these standards to meet the security challenges. There are many security issues in implementing any of the authentication factors. Though each of the above mentioned authentication factors is suitable and advantageous for its own purposes, they still have flaws and do not provide a solution to all the requirements of the users.

Many systems today rely on static passwords to verify the user's identity. However, these passwords give rise to major security constraints [11]-[12]. Users normally tend to use easily guessable passwords, use the same password for multiple accounts, store them on their personal computers, etc. Moreover, hackers possess many advanced techniques to steal passwords, such as shoulder surfing, snooping, sniffing, guessing [17], etc. Passwords are known to be one of the easiest targets for hackers. Therefore, many organizations are trying to find more secure methods to protect their applications, customers and employees.

This led to the usage of two factor authentication, which requires the use of a smart card or token. All the financial organizations are using tokens as a means of two factor authentication. But if the user cannot provide both factors in combination, authentication is impossible. With biometrics, it may be difficult for the machinery to identify the person accurately because people change over time, so these systems are not always reliable. In the next section we present the importance of fourth factor authentication, i.e., vouching, and a model of its working environment.

IV. OBJECTIVE: VOUCHING
In a three factor authentication system, a user is authenticated on submission of all of his authentication information, i.e., password, smartcard and biometrics [6]. He cannot be recognized as an authentic user if he fails to submit any of these factors. The main objective of Vouching is to permit the user to continue his transaction in case he cannot authenticate himself using all his credentials. Whenever the authorized user is unable to carry out his/her transactions because of a password mismatch, failure of a debit/credit card or unavailability of biometrics, he has to make use of Vouching [1].

What happens when a user loses, or does not possess, his token? In this case, the user's inability to authenticate himself may be overcome through a call to a help desk. The help desk operator must vouch for the user and provide him with a temporary pass code. This solution is generally workable in practice. Nevertheless, help desk backup authentication can be expensive, and even less convenient where the help desk service is not available 24 hours a day. It may also become a serious social engineering concern [2]. For example, the help desk operator, not knowing the user personally, may take the chance to exploit the user's privacy. In the next section, we describe our proposal in detail.

A. Current Proposal

When one or all of the authentication factors fail, the user cannot make any transaction and his work is suspended. At this juncture, our aim is to design an emergency authentication mechanism for users (Askers) who are unable to authenticate themselves to the machine. These Askers can authenticate themselves to the system with the help of already pre-registered users (Helpers); this is also termed backup authentication.

B. Pre-requisites

In our system, the pre-requisites are:

- The Helper should be a pre-registered user of the organization.
- At the time of registration with the organization, it is mandatory that the Asker introduces a Helper who is a pre-registered user of the same organization and whom the Asker considers trustworthy.
- Both the Asker and the Helper should share public and private key pairs with the organization.

In a public key system, there are two keys involved, of which only one has to be kept secret while the other can be made public. The key in a shared secret system is referred to as the shared-secret key, and the key that is made public is called the public key. The key that is kept secret is termed the private key.

C. Prototype of the proposal

In our proposal, all the user's information, such as name, account number, mobile number and email address, is recorded at the time of creating an account at the organisation. The trustees are also given the necessary information stating that they are acting as trustees for a specified Asker. These trustees are referred to as Helpers in the rest of the paper. Fig 4 illustrates the step-wise procedure of our proposal.

When a user (Asker) is in an emergency where he/she is unable to make a transaction due to the loss of his authentication factors, the Asker may contact the Helper either through a mobile call or in person (Step 1). The Asker must obtain a temporary code from the organisation with the help of a Helper. The process is initiated only when the Asker sends a message to the Helper and the Helper in turn acknowledges the Asker's request. Then the Helper forwards the request to the organisation. Thereby there is no chance of repudiation at any end, since all three participants are notified.

Fig 4: A pictorial representation of vouching process

At Helper: When a request is received from the Asker, the Helper has to communicate with the organisation, providing his credentials along with the message sent by the Asker. Then the Helper requests the organisation to generate a temporary code which can be passed from the Helper to the Asker to make a transaction (Step 2) [4]. The organisation then generates a vouch code, which is an encrypted form of a combination of the private and public keys of the two users (Asker and Helper), and forwards it to the Helper (Step 3).

At Asker: The generated vouch code is then forwarded from the Helper to the Asker to prove his identity (Step 4). This forwarded code is sent to the organisation by the Asker (Step 5). The organisation then compares the code, understands that the Asker is indeed a genuine user, and allows him to make an emergency transaction by providing an OTP. The Asker uses this temporary vouch code and continues his transaction. The emergency code given by the organisation is an OTP which is valid for a period of 24 hours and then expires (Step 6).
This procedure of generating an emergency password can become a flexible security policy and can be more cost-effective, convenient and secure to use. Vouching is predominantly useful as a means of backup authentication. For a practical implementation of fourth factor authentication, a secure authentication system must be developed so that neither the Asker nor the Helper can deceive without the notice of the other. Authentication is applied to a group of users with appropriate rights, i.e., a Helper uses his authentication devices to provide emergency authentication to the Asker.

The connection establishment between the Asker, the Helper and the organisation is similar to RSA [16] secured systems, as shown in Fig 5. RSA Authentication Manager implements two ways of generating emergency codes [5], [6]: a temporary code and a set of one-time pass codes. Temporary codes exist for a specified period of time, whereas in a set of pass codes each can be used only once. Here, user identification and verification play a vital role. Ensuring that the Asker is a genuine person is essential, since there are several methods of obtaining unauthorized access.
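A sketch of the six-step vouching exchange described above, added here as an example and not taken from the paper. The paper does not specify how the vouch code is built; this version substitutes an HMAC-SHA256 tag under an organisation-held key over the Asker and Helper identities, and all names, the 10-minute vouch lifetime and the 60-second request window are assumptions (only the 24-hour emergency code lifetime comes from the text).

```python
import hashlib
import hmac
import secrets
import time

VOUCH_TTL = 600             # assumed: seconds the Asker has to redeem a vouch code
EMERGENCY_TTL = 24 * 3600   # from the paper: emergency code expires after 24 hours
REQUEST_SKEW = 60           # assumed: maximum age of a Helper request, in seconds


def _mac(key: bytes, *fields: str) -> str:
    """HMAC-SHA256 over length-prefixed fields so field boundaries cannot shift."""
    msg = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def _same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())   # constant-time comparison


def helper_request(helper_key: bytes, helper: str, asker: str, now: float) -> dict:
    """Step 2, Helper side: request authenticated with the Helper's shared key."""
    ts = str(int(now))
    tag = _mac(helper_key, "vouch-request", helper, asker, ts)
    return {"helper": helper, "asker": asker, "ts": ts, "tag": tag}


class Organisation:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)   # MAC key known only to the organisation
        self._helper_keys = {}    # helper id -> key shared at registration
        self._helper_of = {}      # asker id -> Helper named at enrolment
        self._pending = {}        # unredeemed nonce -> asker id
        self._emergency = {}      # asker id -> (SHA-256 of code, expiry time)
        self.notifications = []   # (event, asker, helper): all parties are told

    def register_helper(self, helper: str) -> bytes:
        self._helper_keys[helper] = secrets.token_bytes(32)
        return self._helper_keys[helper]

    def enrol_asker(self, asker: str, helper: str) -> None:
        if helper not in self._helper_keys:
            raise ValueError("Helper must be a pre-registered user")
        self._helper_of[asker] = helper

    def issue_vouch_code(self, req: dict):
        """Steps 2-3: authenticate the Helper, then bind a code to this pair."""
        helper, asker, ts, now = req["helper"], req["asker"], req["ts"], self._clock()
        key = self._helper_keys.get(helper)
        if key is None or self._helper_of.get(asker) != helper:
            return None                       # not the Helper this Asker enrolled
        if not _same(_mac(key, "vouch-request", helper, asker, ts), req["tag"]):
            return None                       # forged or altered request
        if not ts.isdecimal() or abs(now - int(ts)) > REQUEST_SKEW:
            return None                       # stale or replayed request
        nonce, expiry = secrets.token_hex(16), str(int(now) + VOUCH_TTL)
        self._pending[nonce] = asker
        self.notifications.append(("vouch code issued", asker, helper))
        tag = _mac(self._key, "vouch", asker, helper, nonce, expiry)
        return f"{expiry}.{nonce}.{tag}"

    def redeem_vouch_code(self, asker: str, code: str):
        """Steps 5-6: check the code the Asker presents, return an emergency code."""
        parts, helper = code.split("."), self._helper_of.get(asker)
        if len(parts) != 3 or helper is None:
            return None
        expiry, nonce, tag = parts
        if not _same(_mac(self._key, "vouch", asker, helper, nonce, expiry), tag):
            return None                       # not issued for this Asker/Helper pair
        if self._pending.pop(nonce, None) != asker or self._clock() > int(expiry):
            return None                       # already redeemed, or redeemed too late
        emergency = f"{secrets.randbelow(10 ** 8):08d}"
        digest = hashlib.sha256(emergency.encode()).digest()
        self._emergency[asker] = (digest, self._clock() + EMERGENCY_TTL)
        self.notifications.append(("emergency code issued", asker, helper))
        return emergency

    def emergency_login(self, asker: str, code: str) -> bool:
        digest, expiry = self._emergency.get(asker, (b"", 0.0))
        given = hashlib.sha256(code.encode()).digest()
        return hmac.compare_digest(digest, given) and self._clock() <= expiry


def run_exchange() -> tuple:
    """Constructed walk-through; returns (replayed code, login, login after 24 h)."""
    now = [1_700_000_000.0]                   # fake clock, made-up identities
    org = Organisation(clock=lambda: now[0])
    key = org.register_helper("helper-h")
    org.enrol_asker("asker-a", "helper-h")
    code = org.issue_vouch_code(helper_request(key, "helper-h", "asker-a", now[0]))
    emergency = org.redeem_vouch_code("asker-a", code)
    replay = org.redeem_vouch_code("asker-a", code)
    login = org.emergency_login("asker-a", emergency)
    now[0] += EMERGENCY_TTL + 1
    return replay, login, org.emergency_login("asker-a", emergency)
```

Binding the tag to both identities means a code vouched for one Asker is useless to another, and the notification log gives the Asker and Helper the record of each issuance that the proposal relies on.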

Fig 5: Structure of RSA SecurID system

D. Security Concerns for the proposal

In the early days of cryptography, keys were never transmitted over the network, since a compromised key may cause more damage than one compromised message [3]. Nowadays, however, cryptographic systems are developed and implemented strongly enough to overcome that risk. Furthermore, with key-distribution protocols, it is possible to generate new keys periodically. In our proposal, the keys need to be transmitted over a network. Necessary precautions should be taken to protect the messages transmitted among the Asker, the Helper and the organisation. There is every chance that an active hacker might add, delete or modify messages over the network [11]. A good cryptosystem is needed to ensure that the network communication is authenticated and confidential.

V. CONCLUSION

The present research work is based on human relationships and social networks: the vouching mechanism, i.e., a fourth authentication factor, namely somebody the user knows. This vouching factor allows emergency and secure authentication when three-factor systems fail. Besides, it can provide secure authentication in situations where a user possesses a working physical authentication token but has forgotten the corresponding PIN, and vice versa. The authenticated Asker may be provided with a temporary code, based on the vouch code, which is usable for at least one additional authentication. But Askers should not make a habit of repeatedly accessing the system this way, always troubling the Helper. Therefore, our vouching system restricts multiple accesses for enrolled Askers and Helpers for better security.

VI. FUTURE SCOPE

In the future, we will try to implement the vouching process in a real-time environment by overcoming all the constraints. The Helper may be substituted with a machine, which may provide a safe solution by validating users to make an emergency online transaction. More secure mechanisms can be employed to authenticate users when the authentication factors are not available.

REFERENCES

[1] John Brainard, Ari Juels, Ronald L. Rivest, Michael Szydlo, Moti Yung, Fourth Factor Authentication: Somebody You Know, ACM, June 2010.
[2] Schechter S., Egelman S. and Reeder R. W., It's not what you know, but who you know: A Social Approach to Last-Resort Authentication, ACM SIGCHI Conference on Human Factors in Computing Systems, CHI '09.
[3] Garfinkel S. L., Email-Based Identification and Authentication: An Alternative to PKI, IEEE Computer Society, 1, 20-26, 2003.
[4] Mohamed Shehab, Said Marouf, Christopher Hudel, ROAuth: Recommendation Based Open Authorization, Proceedings of the 7th Symposium on Usable Privacy and Security (SOUPS), Pittsburgh, July 2011.
[5] J. M. McCune, A. Perrig, and M. K. Reiter, Seeing-is-believing: Using camera phones for human-verifiable authentication, in IEEE Symposium on Security and Privacy, pages 110-124, 2005.
[6] Xinyi Huang, Yang Ashley Chonka, Jianying Zhou, and Robert H. Deng, A Generic Framework for Three-Factor Authentication: Preserving Security and Privacy in Distributed Systems, IEEE Xplore, June 2011.
[7] Jiri Sobotka, Radek Dolezel, Multifactor Authentication Systems, elektro revue, December 2010, pages 1-7.
[8] Stephen S. Hamilton, Martin C. Carlisle, and John A. Hamilton, A Global Look at Authentication, Proceedings of the 2007 IEEE SMC Information Assurance Workshop, West Point NY, June 2007.
[9] Fadi Aloul, Syed Zahidi, Wassim El-Haj, Two Factor Authentication Using Mobile Phones, Proceedings of the IEEE International Conference on Computer Systems and Applications, AICCSA, pages 641-644, IEEE, 2009.
[10] V. Boyko, P. MacKenzie, and S. Patel, Provably secure password-authenticated key exchange using Diffie-Hellman, in Advances in Cryptology - Eurocrypt, pages 156, LNCS No. 1807, Berlin, 2000, Springer-Verlag.
[11] Xiao-Min Wang, Wen-Fang Zhang, Jia-Shu Zhang, Muhammad Khurram Khan, Cryptanalysis and improvement on two efficient remote user authentication scheme using smart cards, online 16 January 2007.
[12] K. Yee and K. Sitaker, Passpet: Convenient Password Management and Phishing Protection, in the Symposium on Usable Privacy and Security, July 12-14, 2006, Pittsburgh, PA.
[13] C. T. Clancy, N. Kiyavash, and D. J. Lin, Secure Smartcard-Based Fingerprint Authentication, in Workshop on Biometric Methods and Applications, 7 November 2003.
[14] A. Bhargav-Spantzel, A. Squicciarini, and B. Elisa, Privacy Preserving Multi-Factor Authentication with Biometrics, pages 63-71, DIM, November 3, 2006, Alexandria, Virginia.
[15] A. Jain, L. Hong, and S. Pankanti, Biometric Identification, in Communications of the ACM 43 No. 2, pages 91-98, February 2010.
[16] RSA White Paper, RSA SecurID Authenticators, 2009. Available: <http://www.rsa.com/>.
[17] A. K. Abdullah, Protecting Your Good Name: Identity Theft and its Prevention, in InfoSecCD Conference, Oct. 8th, 2004, Kennesaw, GA.
[18] Yagiz Sutcu, Husrev Taha Sencar, Nasir Memon, A Secure Biometric Authentication Scheme Based On Robust Hashing, Proceedings of the 7th workshop on Multimedia and security, pages 111-116, ACM, 2005, New York, USA.