![00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19
84 98 3E 44 1C 3B D2 6E BA AE 4A A1 F9 51 29 E5 E5 46 70 F1
Table 1 showing an example of a hash string
The last byte of the hash (byte number 19) has hex value 0xF1 and the last 4 bits or the
offset is 0x1.
The integer value of the offset is 1(0x1).
So the 4 bytes segment required to generate the hash value begins from the byte number
one.
The 32-bit segment is 0x983E441C.
Calculate the Decimal value of the 983E441C= 2554217500
Now apply modular computation based on the digits of the OTP required. Say, if a 6-digit
OTP is required, 2554217500 modulo 10^6= 217500.
217500 is the required 6-digit OTP.
If the number of digits required for the OTP is 8, then 2554217500 modulo 10^8= 54217500 is the
OTP generated. SHA-256, SHA-512 hash functions can also be used to generate the hash values.
Time-based one-time password algorithm (TOTP)
The time-based one-time password is an extension of the HMAC-based One-Time Password
(HOTP) algorithm. HOTP is an event-based algorithm with the sequence or a session counter as a
moving factor, whereas as, the TOTP has a time-value as a moving factor.
A random OTP generated by HOTP is secure enough, but it is susceptible to an attack when a user
does not use the OTP for authentication for some reason. When the OTP is not used, the counter
value remains same until a successful authentication is made for the current OTP. Hence, an
attacker can easily use the OTP. Instead, irrespective of the authentication success or failure if an
OTP is valid only for a certain time, the attacker remains clueless about the generated OTP. So, to
provide an enhanced security, the time values are used for a short span. TOTP works similar to the
HOTP except that a time-factor variant and the time step as a counter are used for the computation
of the one-time password. This algorithm works with HMAC-SHA-512 or HMAC-SHA-256
functions which are derived from SHA-512 or SHA-256 [SHA2].An efficient TOTP can provide
enhanced security with some requirements like:
1. Same secret (key) must be shared by a Client (a token) and an authenticating server (or
validator). Or at least they must share same ideas or knowledge of the secret.
2. Each Client must have a unique secret (key).
3. To enable uniqueness, the keys must be generated using key derivation algorithms or they
must be generated randomly.
4. These keys are secured in a device that is compact and resistant to any tampering attacks.
5. The algorithm must be based on the HOTP algorithm and its requirements.
6. The present UNIX time is calculated as the total number of seconds elapsed since midnight
UTC of January 1, 1970. The authentication server and the Client must be able to derive
this current UNIX time.
7. It is also required that a validator and a Client must use the same time-step value to have
proper synchronization for the authentication. (D, et al. 2011)](https://image.slidesharecdn.com/4ec17ca9-0145-434f-bb44-d0d239c17a8f-160327003757/85/Class-paper-final-9-320.jpg)
Class paper final
- 1. User Identification using Two-factor authentication Security Technology– Firewalls and VPNs By: Anusha Manchala Submitted to Dr. Themis A. Papageorge Course: Foundations of Information Assurance
- 2. Contents Abstract.......................................................................................................................3 Introduction .................................................................................................................3 Why Do We Need Security?....................................................................................................... 3 Authentication............................................................................................................................. 3 User authentication ................................................................................................................. 4 Single factor authentication ........................................................................................................ 4 Background..................................................................................................................5 Password protection.................................................................................................................... 5 Failures of Single factor authentication ...................................................................................... 5 Two-factor authentication .............................................................................................6 What is a Two-factor authentication?......................................................................................... 6 Context and History................................................................................................................ 6 One Time Password .................................................................................................................... 7 What is OTP?.......................................................................................................................... 7 OTP algorithm ........................................................................................................................ 7 Tokens .......................................................................................................................11 Hardware Token........................................................................................................................ 12 Software Tokens ....................................................................................................................... 13 Two factor authentication using mobile phones ....................................................................... 14 Multi factors Authentication........................................................................................16 Disadvantages of Two-factor authentication ............................................................................ 16 Advantages of Multi factors Authentication............................................................................. 17 Conclusion .................................................................................................................18 References..................................................................................................................19 Figure 1 showing Yubikey........................................................................................................... 12 Figure 2 showing Transaction Sign-in feature............................................................................. 13 Table 1 showing an example of a hash string ................................................................................ 9 Equation 1showing the input for TOTP ...................................................................................... 10 Equation 2showing the time step value....................................................................................... 10
- 3. Abstract This paper mainly focuses on a security technology to identify a user. Information security ensures to attain Confidentiality, Integrity, and Availability. Once a resource is in the hands of an attacker, who is not claimed as an authorized person, the whole point of security is lost. Hence, it is essential to identify the user before allowing him to access a resource. One way of implementing strong user authentication is by using Two-factor authentication technology. Introduction Why Do We Need Security? The internet is the most basic requirement in today’s world. Information is exchanged from one point to another point, by passing through several intermediate points. There is no assurance that every intermediate point is secure. While transmitting data, an intruder might wait for his turn to alter, delete, add or intercept the data. A vulnerable spot in the transmission is all about welcoming an intruder to make his malicious attempts. These malicious attempts may lead to catastrophic effects such as loss of privacy, loss of information, loss of correctness of data, loss of availability. To avoid such risks, it is essential to add a layer of security in the information technology. The main goal of security is achieved when resources are allowed to be accessed by only authorized persons. Also, it is essential to make sure that resources are kept away from the unauthorized person who may perform malicious acts. Resources in the computer world can be any services, such as web applications, network-based servers, and multi-user systems. One way to achieve the security goal is by giving access rights to appropriate users. i.e., certain resources must be given access rights only for particular users. But how to make certain if the right user is using the resource? How to identify the user and give him permissions? The answer is possible through authentication. Authentication It is a method to decide if a user or a machine is who it is claimed to be. Identification and verification are two steps involved in the authentication process. Credentials, which act as an identity proof of a user or a machine are stored in a database. When a user or a machine requests for access permission to a resource by providing its credentials, the identity of the machine or user is cross checked in the database, where credentials of each user are stored. If the credentials match permission to access a resource is granted. The process of the verification and granting access permission to a resource is called authorization. Authentication followed by authorization are the
- 4. methods to identify and validate a right user or a right machine. (Rouse, Authentication Definition n.d.) This paper mainly discusses user authentication and its various methods, password attacks, various technologies to obtain strong authentication. User authentication User authentication can be done based on three identity factors. Password-based, Token-based, Biometric-based are authentication methods that work using these identity factors. Knowledge factor: It is something that a user knows. Such as, Account number, Username, Password, Paraphrase, Personal identification number (PIN), answers to certain security questions (e.g. What is the name of your first manager) Possession factor: It is something that a user has with him. Such as, his mobile phone, ATM card, Smart card, Electronic keycards, Physical keys. Inherence factor: It is something that a user is (static biometrics) and something that a user does (dynamic biometrics). Static biometrics is Hand geometry, fingerprint, facial characteristics, retina, and iris pattern. Dynamic biometrics is voice print and signature. (Rouse, multifactor authentication (MFA) definition n.d.) Single factor authentication If only one of the above identity factors is used to authenticate a user and permit access to a resource, it is called as Single factor authentication. The most common user authentication in today's business world is Password-based Authentication. (Rouse, Single-factor authentication (SFA) definition n.d.) Password-based Authentication A user may register with his credentials to gain access rights to a resource. Or a System administrator may register him. In either case, the main aim is to store the identity proof credentials of the user in the database and retrieve them when needed. The credentials are most commonly, a User ID or Username and a Password or PIN or Passphrase. If a user registers himself, he is allowed to choose the password. Sometimes a system admin assigns a password to a user. However, for better security purpose user must reset the assigned password, by choosing a strong password. When a user provides his username and password (what he knows), the credentials are compared with those stored in the database to authorize the user. The database also stores the information related to access controls and privileges. Some of the users may have only limited privileges to a resource.
- 5. Background Password protection In order to avoid security breaches, several approaches have been in implementation to protect a user's password. Some of the approaches are the usage of Cryptographic and hashing techniques for confidential storage of passwords, training users about the strong passwords necessity, enforcement of password selection strategies like a password checker, complex password policies such as a minimum length of the password, the usage of alphanumeric characters. However, this single factor credentials used as a deciding factor for authorization has many drawbacks. Passwords became the most vulnerable source of an attack. Failures of Single factor authentication 1. When a password is hashed and stored in a system password file, an attacker may gain access to a system password file. He compares the commonly used password's hashes against the password hashes in the file until a valid password result is obtained. This attack is popularly known as Offline Dictionary attack. 2. An attacker may focus on a specific user ID and continuously guess passwords until a right password is obtained to log into the resource. 3. An attacker may try to obtain authorization by using easily remembered passwords on various user Ids. 4. An attacker may gain knowledge about the system's password policies and the user accounts used and simply guesses the password, to intrude into a system. 5. Sometimes a user might simply log into a workstation and keep it idle without performing any operations. When such systems are kept idle for a long time an attacker waits for his chance on another side until the system is unattended and performs his malicious acts. 6. User’s tendency to use a password that has his basic details like names, phone numbers, address etc. provide a good hint to an attacker. A user may forget to reset the default password created by admin and continues using the same password. Unable to remember a complex password, a user might write it down on a paper, send it in a mail, and paste it on a sticky note on the desktop. User's mistakes are a major source of an attack. Social engineering and sharing the password with someone else are also very common mistakes. 7. Attackers may intrude the communication channel when passwords are transmitted across the network to log into remote resources. Sometimes network resources may have similar passwords for a given user. 8. A brute force attack is one type of password cracker that checks the probability of usage of all the encryption keys to crack the password. In the rainbow table attacks, attacker generates all possible dictionary passwords and all possible salt values to create a valid hash and cracks the passwords. 9. Sometimes longer passphrases are also cracked by expertise hackers who use their techniques through malware, Trojan horses, spyware, key loggers etc. Passwords or passphrases are made strong, lengthy and unbreakable using various security measures. Ease of implementation and the low cost for usage are the main reasons of their adequate
- 6. usage. It is obvious that single credential factor is not completely serving the purpose of security. Though single factor usage is not weak, it cannot be used for all assurance levels because it does not provide the desired high-level security to resources. What else is needed to assure the resource that a right user is trying to access it? What are the other means to identify the user to add an additional layer of security? How to achieve the stronger authentication? All these questions are answered in the later sections. Two-factor authentication It can be discussed with a very familiar example used in everyday life. Globally almost all the banks issue a credit or debit card to every user who open a bank account. The user is given an account number, username, PIN and a debit card (sometimes a credit card on user’s choice). The debit card has a full name of the user, card number, and expiry date of the card and a secret code of 3 digits, which represent that the card is issued for only a specific user. If the user wants to withdraw money or check the balance or deposit money, he has to first swipe his debit card at the ATM machine and later enter his PIN of at least 4 digits. If everything is correct the ATM machines validate the user and allows him to proceed for further steps. This simple scenario is a perfect example of Two-factor authentication. Something the user has and something the user know are used as identity factors to authenticate the user. What is a Two-factor authentication? A two-step verification process that gives an additional layer of security when two of the three authentication factors are used for the identification of user to grant him access to a resource is called two- factor authentication (TFA). It is otherwise called as 2FA. Context and History Frank Miller introduced one-time pads in 1882. One-time pads were reinvented after the First World War in 1917 and are patented to Gilbert in 1919. They are mostly similar to Vernam ciphers invented by Gilbert Vernam. Vernam cipher is a crypto algorithm that combines the plaintext with keys in order to achieve encryption. These ciphers use keys that are generated on an iterative basis. In the outset of the 1920's, three German cryptographers, Erich Langlotz, Rudolf Schauffler and Werner Kunze described randomly generated numbers usage and their importance in avoiding replay attacks. The one-time pad uses random generators to produce a key to combine with any piece of information. The one-time pad is basically a paper that can be burned or recycled to discard it once after used ciphering. The traditional approach followed One-time pads whereas, the modern approach of two- factors authentication uses One-Time Passwords. (Cooperband 2015)
- 7. One Time Password OTP is a more secure password than a user created password or a static password. It is not vulnerable to a replay attack or a man-in-the-middle attack. There is no necessity to store these one-time passwords in a database or any system. It can work without the internet. Many business organizations implement the OTP tokens as a means of remote user authentication while accessing the Virtual Private Networks, transaction-oriented Web applications, and Wi-Fi network login. It can provide interoperability among various types of software and hardware vendors. (N, C, et al. 1998) What is OTP? OTP is a password or PIN with an alphanumeric or numeric set of characters used only once for each authentication attempt. These set of characters are valid only for a single session. When a user provides something he knows, a password or PIN to obtain access to a resource, OTP which acts as second identity factor is generated from a device that something a user has with him (Token devices are discussed later). OTP is generated in two common ways: 1. HMAC-based one-time password algorithm called as HOTP 2. Time-based one-time password algorithm called as TOTP OTP algorithm To prevent an unauthorized user guessing the next sequence of the password, OTP algorithm generates the sequence of PIN in a random manner to make it irreversible and unpredictable. The alphanumeric or numeric set of characters with specific length are generated based on one of the above two algorithms mentioned. This section gives a detailed explanation about both algorithms. HMAC-based one-time password algorithm HOTP generates a one-time password based on Hashed Message Authentication Code (HMAC). This is a simple OTP algorithm used to adopt the two-factor authentication. The main idea of the algorithm is to generate an OTP with the least interference of a user since a user is not expected to know cryptographic or mathematical computations to take care about the generation of a one-time password or to perform authentication. High usability with efficiency and low cost is the best practice of implementation. This event-based algorithm can be used in various devices like a GSM SIM, Smart cards that run with Java, USB dongles. (M’Raihi, et al. 2005) HOTP algorithm is designed to meet the following requirements:
- 8. 1. A device that generates OTP must be easy to handle, must consume less battery power, have less number of buttons to request an OTP, a small size display screen to show OTP and must require less horsepower. 2. OTP must be generated on a counter-based or a sequence-based approach. Otherwise, if the approach is iterative like a Vernam cipher, it can be easily guessed by the attacker. 3. Must be able to be embed in high volume devices like an SIM card or a Smart card to provide interoperability. 4. The algorithm must work without the need of any numeric input but must be efficient to work when devices like PIN-pads are used. And it has to produce a password of a specific reasonable length on the display screen which can be easily understood and easy to type for a user. It would be better if the minimum length is 6 characters and a maximum is 8. 5. It is essential to choose the type of algorithm to generate a hash of at least 128 bits (M’Raihi, et al. 2005). For example, MD5 is not recommended to use since it generates a hash of 16bytes. (Matt 2013) 6. The whole point of OTP is the usage of a counter. Hence, an easy approach to resynchronize the sequence number must be used. (M’Raihi, et al. 2005) The algorithm in this section discusses the HMAC- SHA1 implementation, where a 160bit (20- bytes) hash is used to generate the OTP. It needs certain parameters like: A secret value shared between a generator and a validator. A resynchronization parameter to remember the sequence or counter number. A counter value synchronized between a client and server to authenticate. Here the client is the HOTP generator and the server is the HOTP validator. The synchronization is needed to avoid any misinterpretations between a server and a client. The number of characters or digits of an OTP. A variable that keeps track of the number of attempts made by the client. The counter value and the shared secret are known only to the validation service and a token. The HMAC- SHA1 calculation generates a hash value of 20bytes or 160bits. The user cannot enter all these characters in the given time. Moreover, if the same hash value is used as OTP it fails the essential requirements of the algorithm. So, a password that can be easily entered by the user is generated by truncating the 160 bits hash value. (M’Raihi, et al. 2005) Steps of the HOTP algorithm 1. Compute the hash value by taking the input of a static symmetric key and counter value. 2. Calculate the integer value of the last 4 bits of the hash value. Consider this integer value as an offset to extract a segment of 4 bytes from the hash value. 3. Now perform modulo computation for the 4 bytes hash value based on the number of digits of the OTP value. (M’Raihi, et al. 2005) For example: Assume that a hash string- 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1 is obtained from the first step of algorithm.
- 9. 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 84 98 3E 44 1C 3B D2 6E BA AE 4A A1 F9 51 29 E5 E5 46 70 F1 Table 1 showing an example of a hash string The last byte of the hash (byte number 19) has hex value 0xF1 and the last 4 bits or the offset is 0x1. The integer value of the offset is 1(0x1). So the 4 bytes segment required to generate the hash value begins from the byte number one. The 32-bit segment is 0x983E441C. Calculate the Decimal value of the 983E441C= 2554217500 Now apply modular computation based on the digits of the OTP required. Say, if a 6-digit OTP is required, 2554217500 modulo 10^6= 217500. 217500 is the required 6-digit OTP. If the number of digits required for the OTP is 8, then 2554217500 modulo 10^8= 54217500 is the OTP generated. SHA-256, SHA-512 hash functions can also be used to generate the hash values. Time-based one-time password algorithm (TOTP) The time-based one-time password is an extension of the HMAC-based One-Time Password (HOTP) algorithm. HOTP is an event-based algorithm with the sequence or a session counter as a moving factor, whereas as, the TOTP has a time-value as a moving factor. A random OTP generated by HOTP is secure enough, but it is susceptible to an attack when a user does not use the OTP for authentication for some reason. When the OTP is not used, the counter value remains same until a successful authentication is made for the current OTP. Hence, an attacker can easily use the OTP. Instead, irrespective of the authentication success or failure if an OTP is valid only for a certain time, the attacker remains clueless about the generated OTP. So, to provide an enhanced security, the time values are used for a short span. TOTP works similar to the HOTP except that a time-factor variant and the time step as a counter are used for the computation of the one-time password. This algorithm works with HMAC-SHA-512 or HMAC-SHA-256 functions which are derived from SHA-512 or SHA-256 [SHA2].An efficient TOTP can provide enhanced security with some requirements like: 1. Same secret (key) must be shared by a Client (a token) and an authenticating server (or validator). Or at least they must share same ideas or knowledge of the secret. 2. Each Client must have a unique secret (key). 3. To enable uniqueness, the keys must be generated using key derivation algorithms or they must be generated randomly. 4. These keys are secured in a device that is compact and resistant to any tampering attacks. 5. The algorithm must be based on the HOTP algorithm and its requirements. 6. The present UNIX time is calculated as the total number of seconds elapsed since midnight UTC of January 1, 1970. The authentication server and the Client must be able to derive this current UNIX time. 7. It is also required that a validator and a Client must use the same time-step value to have proper synchronization for the authentication. (D, et al. 2011)
- 10. Unlike the HOTP algorithm (which are not system dependent and which does not need any inputs other than a static symmetric key and a counter value) TOTP algorithm requires 2 system parameters. They are: A time step value measured in a number of seconds with the default value set to 30 seconds. This is represented as X. And a UNIX time counter represented as T0 which counts the number of time steps taken. The default value is set to 0. As mentioned earlier, the algorithm is an extension of HOTP and it takes the input of a static symmetric key and a time factor. (D, et al. 2011) TOTP=HOTP (K, T) Equation 1showing the input for TOTP Where K= static symmetric key and T is the number of time steps between a default counter value set initially, T0 and the UNIX current time. T= (Current UNIX time-T0)/X Equation 2showing the time step value For example, if the default values of X=30 seconds and T0=0 are considered for a current UNIX time of 59 seconds, then T=1. If the current UNIX time is 60 seconds then T=2. Computations are done using a default floor function. The default values of X and T0 can be set during the provision step. If the time goes beyond the year 2038, the algorithm must calculate T since the integer value will be larger than a 32-bits number. (Hoyer 2010) It is recommended to take few cautions while generating the TOTP algorithm. TOTP is dependent on the HOTP to provide enhanced security. As HOTP is the key building block for TOTP, the dynamic truncation (where 4 bytes segment extracted from the hash) must be independent and set of characters must be uniformly distributed. In order to give a distinct input of the key, it should be generated from a pseudo random generator, a cryptographic technique which has randomness test to output a unique key or it can also be generated randomly. Along with the randomness of the key, two other requisites are essential for an enhanced security: storage of the key in a secured device and the channel through which the key is passed. The key must be safely stored in a validation system and encrypted using a device that is protected from attacks like tampering so that it can be decrypted whenever needed for the verification purpose and encrypted back to give the least exposure to RAM. To avoid any malicious attacks the key storage database and validation systems must be highly protected by limiting the access only to the processes and programs required by the validation system. The communication between a validator and a Client must take place in a secure channel like a Secure Socket Layer/Transport Layer Security (SSL/TLS) or IPsec connections. (D, et al. 2011) OTPs generated within the same time-step are all same. For example, if the time step is 30 seconds, the OTP generated in the 1st second and 29th second are always same. The validation system uses a time stamp value to validate the OTP. But the validation system receives OTP at a time stamp different than the timestamp the OTP was generated at the client side. The validation system doesn't know the time stamp value of the OTP when it was generated on the client side. So it uses
- 11. the time-stamp when it receives the OTP. The received and generated time-stamps have a large time gap, they do not come under the same time -step window. The received timestamp may fall in the next time-step window. To overcome this large time gap, the validation system must set some rules or policies to accept the valid OTP though there is a delay in the transmission. The validation system must accept the OTP from the previous time stamp value along with the received time stamp which are in the range of a transmission delay time window. However, the delay transmission time should not be very long, because, longer the time allowed for accepting the transmission delays, higher the chances for vulnerabilities. Also, longer the time-step value, the higher scope for probabilities of attacks. If the time-step window is longer, the time gap will be very less between the client side and the receiving side and there are higher chances for the acceptance of OTPs by the validation system. A next OTP is generated in the next time-step window. Suppose the time-step value is 30 seconds, a new OTP is generated for every 30 seconds. If a user wants to generate a new OTP at 15th second he has to wait until the clock is reset back to 0. If the time-step window is too large, say 10 or 15 minutes, the user has to wait for a long time to obtain a new OTP, meanwhile the login session of the site requesting a second authentication factor also expires. Hence, to avoid attacks and to provide convenience the time-step window is better to use between 30 to 60 seconds. If an OTP is repeated in the same time-step window, the validator should not accept it if already an OTP is successfully authenticated. (D, et al. 2011) The validator has to set limitations to the number of attempts after which a token can be rejected. This limit can be set either backward or forward based on the time-step value of the computed OTP. Suppose the time-step window is set to 30 seconds and the limit is set as two steps backward. Then, the maximum time drift elapsed is 89 seconds (60 seconds from the past time-step windows and 29 seconds from the current time-step windows). It implies that a validator can verify the OTP for at most three validations. A successful verification by the validation server can be recorded in terms of the number of time-steps or clock drifts for the OTP. If at all a new OTP is requested for the verification at the validation server, it can verify based on the records of the time-step clock drifts and the current time-stamp of the OTP. The longer a client has not transmitted an OTP to the validation server, the longer the records of the time-step clock drift between the client and the verifier. This is a case with the exceeded limit value of clock drifts. A normal resynchronization mechanism described above won't work for such exceptional cases. (D, et al. 2011) Tokens A token is something that acts as an identity to represent an object. They have been in use from at least 2 decades. They are now widespread in the market. In order to enable two-factor authentication, a token serves as a means of the second factor for user authentication. The token must be communicated between a client and the validation server securely through the internet. Some tokens store biometric data or cryptographic keys or generate a PIN that changes periodically. A token is embedded in the physical device or in an application that is designed to transmit it through the internet. The device can be hardware or a software device.
- 12. Hardware Token A token is embedded in a physical device, which has an LCD/LED display screen and a single button (used for Validation and ID Protection (VIP)) is called as a Hardware token. A single press on the button generates a token, which simplifies the two-factor authentication mechanism. This is a user-friendly device since a user can carry it easily wherever he goes. A user can keep this hardware device in his pocket, wear it around his neck or attach it to a key ring. This provides a good ease of use, especially in the organizations. An organization issues VIP credentials for each employee and the employee can easily access to a network service using these hardware tokens. Recently many advanced features are enabled to design theses hardware tokens to provide more ease of access to users. (Rouse, Security Token n.d.) A USB authentication token can fit in the USB port of the system, can be connected to the mobile and generates a one-time password with a single touch on the button. These devices can be easily used without the need for drivers from any browser, any platform or any computer. These devices are designed in such a way that they save the time of user when he has to re-type the OTP by providing fast and error free login mechanisms. YubiKey shown in Figure 1 is an example of a USB authentication device. (Defender hardware tokens n.d.) Figure 1 showing Yubikey Source: https://www.yubico.com/products/yubikey-hardware/ A physical device can be a Security token card or a Key Fob. A Security token card is mainly used for two-factor authentication when a user does the Breeze mobile banking and online banking. It has features embedded within it to act like a Debit, Credit or ATM card. It can be used at ATM or make payments easily with enhanced security features. These cards use two types of methods to enable authentication. They are Transaction-Signing and One-time Passwords. It can be turned on and off using a button located on the card. It has an LED screen that displays an OTP number generated by the token card. Transaction Sign-in feature enables a user to enter the 3 or 4-digits on the card, which is displayed on the online banking page. After entering the correct 3 or 4-digits numbers, the token card displays an OTP on it which can be entered on an online banking page to validate a user. The figures 2 shows examples of Security Token card. (Security Token card online demo n.d.)
- 13. Figure 2 showing Transaction Sign-in feature Source: http://www.superadrianme.com/technology/standard-chartered-bank-first-to- launch-mastercards-display-card-in-singapore/ A key fob is another security hardware token device that can perform authentication to network services or a computer. It displays OTP that changes periodically. Defender Go-6, RSA SecurID, Fortinet etc. are some of the examples of hardware tokens available in the market that generates OTP number randomly for every 30 seconds or 60 seconds. (Rouse, Key fob definition n.d.) The Nymi Band designed by Bionym is worn as wristband can provide unique biometric authentication of a user by monitoring his heartbeat. This device typically works based on algorithms where electrocardiogram (ECG) is used as an identity factor for recognition. It extracts unique information about a person from the pattern of an ECG waveform. It communicates to network resources in a secure way using Bluetooth Low Energy (BLE). Myris is another device similar to Nymi band used by the company Eyecorp. It uses a biometric unique credential for user's authentication. This device uses a user's iris. There are also many other devices that use fingerprints as a means of user authentication. These authentications are typically based on something a user knows and something a user is. (Cooperband 2015) In the year 2005 the National Bank of Abu Dhabi (NBAD) in the Middle East was the first bank to use physical devices (RSA SecurID) to implement two-factor authentication. It issued physical tokens to 19000 of its customers. In the same year, Bank of America also initiated to use these hardware tokens for its 14 million customers. The Commonwealth Bank of Australia, the Bank of Ireland and the Bank of Queensland were other international banks to use two-factor authentication using hardware tokens. The National Bank of Dubai (NBD) announced it mandatory that every client must use the hardware token along with their PINs/Passwords. (Fadi Aloul n.d.) Software Tokens A software token generates a unique PIN or a QR code to enable two-factor authentication .A QR code is a Quick Response code that can provide ease of access where a user entry can be authenticated quickly. A QR Code sent to the user mobile has to be scanned at the verifier page, thus a user need not type anything anywhere. (Cooperband 2015) The main idea behind using these tokens is to provide more convenience to users. Tokens are generated on devices that something a user already possess. Smartphones, iPads, tablets, laptops
- 14. are the most common devices used to generate soft tokens. Soft token apps installed in these devices can easily serve two-factor authentication with enhanced security. These tokens can smartly recognize the information about the time zones even when a user is traveling. There are many apps designed to be installed on various smartphones to enable authentication. Soft Tokens are available for Windows XP, Vista, Windows 7 and 8 operating systems, Mac OSX, Blackberry, iPhone, Android, Windows 7 and 8 mobile, Android, BlackBerry, iOS Java, In order to provide more ease of use tokenless apps are also designed where an SMS or text message, push notification, phone call or E-mail to a registered device is sent to confirm the user verification. Some of the examples of soft tokens apps are Authy, Google authenticator, Duo Security. (Sevilaja 2015) Two factor authentication using mobile phones Though physical devices resolved the problem of password attacks, customers raised issues from their side on the cost to purchase and manage those multiple devices. Also, the biggest problem is what if the customer loses the device or someone steals it? As already discussed soft tokens serve the purpose of 2FA with more user convenience. Using Mobile phones for two-factor authentication is a very appreciative way. Mobile phones have already expanded their advancements in infra-red, 3G, WLAN, Bluetooth, GSM connections. Today they are the most common source for communication. The mobile phone’s micro browser is serving the major use in fund transactions and confirmation of the payments. They are also used to receive information through SMS regarding account balances. Additionally installation of third-party and vendor- specific applications provides more expanded services. Mobile phones will decrease the cost of distributions, maintenance and manufacturing when they are used as tokens. Based on the user’s choice and certain limitations, mobiles phones can be used in two modes of operations- Connection-Less Authentication System (Stand-alone approach) and SMS-based Authentication System. These approaches work well with the system’s server connected to a GSM modem and using client side applications (like J2ME). The three essential parts of this system are (1) Server connected to a GSM modem, (2) Server software and (3) An application installed on the client’s mobile phone. (Fadi Aloul n.d.) In the Connection-Less Authentication System, a program installed on the mobile phone generates the OTP locally using the unique factors of a mobile phone. The server also has all the required factors to generate the same OTP to compare the password submitted by the client. The client and server need not be connected in this mode of operation. In the SMS-Based Authentication System, the phone does not create any password locally but requests the server to send OTP with an SMS (encrypts via 256-bit symmetric key) that is unique to the mobile phone. The server verifies the message (decrypts the message using same symmetric key) and sends an OTP to the mobile phone which is valid only for a certain amount of time. Both approaches are secure and easy to use, but the SMS-based approach is expensive than the stand-alone approach since both client and server must pay telecommunication charges to exchange messages. (Fadi Aloul n.d.) The unique factors to identify each mobile phone are International Mobile Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI) stored in Subscriber Identity Module (SIM), username, PIN/Password, and OTP validity period which can be a minute, an hour, a day, a year. All the unique factors are concatenated to generate a hash of 256 bits and this hash is
- 15. performed XOR operation with the PIN. The result is encoded to base64 to generate 28 characters of the message. 28 characters are divided to 2 halves and these halves are performed XOR operation repeatedly and generates a specific length of OTP convenient to the user. (Fadi Aloul n.d.) To accomplish the approaches, a database is needed that stores all the essential details of the client’s mobile phone such as the PIN, username, IMEI, Mobile number, IMSI, unique symmetric key. Also the program installed on the Client side is designed with a convenient GUI for user and the Server has a database connected to the GSM modem for any exchange of messages. As already discussed the Server’s application is multithreaded to initialized the database and GSM connections, accept client requests, verify the client’s identity and generate an OTP (SMS-based approach) or verify the OTP (Stand-alone approach). (Fadi Aloul n.d.) For example, The Client can be designed using a J2ME program such that it runs on any mobile phone that supports J2ME. This program, when installed as an application in the mobile phone, generates the OTP either using the unique factors of mobile such as the IMSI and IMEI numbers or it requests the server with an SMS to generate and send the OTP. It is up to user’s choice to select either of the options. In order to make this whole process work, the user must provide his credentials: the username and the PIN. The user is then prompted to select his option. If the user selects the stand-alone approach or connection-less method, an OTP is generated using the user’s username and PIN locally. This OTP is then discarded after a certain amount of time. The server generate the same OTP by storing the user’s username and PIN. Whereas, when the user selects the SMS-based method the OTP algorithm uses the username, PIN, and the mobile phones unique identity factors and encrypts them with a 256-symmetric key to send it as an SMS to the server. The 256-symmetric key stored on both the client and server and is pre-defined at the registration time. The client registers in person at the organization with his mobile phone unique identification factors, e.g. IMEI, SIM, IMSI(mobile number), username and PIN are stored in the database (password file). (Fadi Aloul n.d.) The server recognizes the user by decrypting the SMS using the same 256-symmetric key. The server connected to the GSM mode extracts the message and compares all the identity factors with the credentials stored within the database. This database stores the hashes of all the temporary passwords. It is so secure that even though it is compromised, the hacker can never decrypt and obtain the passwords. After validation, it generates and sends the OTP to the user’s mobile phone. The servers program is designed as a multithreaded process to reduce the burden. The first thread initializes the SMS modem and database to handle the client requests on the modem. The second thread reads the message sent by the client, generates an OTP and transfers it to the client. The third thread compares the OTP obtained in the connection-less approach. To use the SMS option the J2ME program installed on the client’s mobile phone configures to connect to the GSM modem. Encryption with 256-symmetric key can avoid the attacks like sniffing, brute force attack. The server’s application works so efficiently that it accepts the requests from client with a message, identifies the client, generates and send the OTP in seconds. (Fadi Aloul n.d.)
- 16. Multi factors Authentication Multifactor authentication is the combination of at least two independent identity factors. The ultimate goal of multifactor authentication is to achieve layered security and make it complicated for an attacker to access the resource. If the attacker is able to compromise one identity factor, he still has to break two or more identity factors to gain access to the resource. Multifactor authentication is implemented with regulations like Federal Financial Institutions Examination Council (FFIEC) directive calling to process Internet banking transactions using multifactor authentication in the United States. (Rouse, multifactor authentication (MFA) definition n.d.) Single factor authentication is definitely not an advisable mechanism for user authentication. Two- factor authentication is a strong mechanism, but it is not always a right method to follow in all areas due to the few disadvantages it has. So using multifactor for authenticating a user increases security as it is very unlikely that an attacker obtains all the identity factors. Every additional factor adds an extra layer of security. Apart from the three identity factors discussed so far additional identity factors include somebody that a user knows, user’s location and the current time of login made. The reliability of authentication not only depends on the number of factors but also the way they are implemented. The options made for authentication rules in each category highly affects the security. Disadvantages of Two-factor authentication Many international banks provide two-factor authentication by issuing hardware tokens to customers. Using these hardware tokens involves token production, token distribution, registration of customers, authentication of the user and tokens, revocation of user and token among others. Organizations have to invest a lot of money to purchase and install them. Additionally, organizations must train their employees and customers on how to use the tokens, the cost of maintenance and replacements of tokens in case of loss or damage of tokens is very expensive. In the outset, some of the banks made it a compulsion that every customer has to use a token to access each of his bank accounts. It implies customers must purchase multiple tokens for multiple accounts which provide inconvenience and also too expensive to purchase each token. (Fadi Aloul n.d.) It is true that two-factor authentication is a savior for some of the passive threats: offline password guessing and eavesdropping. But nature of attacks has unfortunately changed to more active attacks: phishing, malware etc. Imagine a case of the Man-in-the-Middle attack, where an attacker creates a fake bank website and uses social engineering techniques to make the user believe that he is using real bank website. The user will never know that he is giving his credentials in a fake website. The attacker happily makes his fraudulent transactions and may also disconnect the user. An attacker installs Trojan on user’s computer and piggybacks on the session to make his fraudulent transactions when a user logs into bank’s website. In both cases (the Man-in-the-Middle attack and Trojan Attack), two-factor authentication is not resolving the problem. In the fake website case, the attacker doesn’t have to possess the second factor but easily performs transactions as a legitimate user. In the Trojan attack, the attacker completely relies on the user to access the
- 17. account. The whole purpose to avoid the fraud due to impersonation is defeated with the nature of an attack. (Schneier n.d.) Assume the second approach of two-factor authentication using mobile phones where the banking website relies on to identify the user with an SMS. In the man-in-the-middle attack, the intruder need not worry about this SMS verification since the user is innocently taking care of providing the unique identity details. And when it comes to the Trojan attack, the user is anyways helping the attacker to log in. Two-factor authentication does provide enough protection within few corporate networks and local log-in. But it is a doubtful savior for a remote authentication over the internet. Many organizations and banks are investing lots of money to purchase the tokens to decrease the amount of occurrence of frauds. Initially, the idea seems to be effective since the intruders focus on easy target but significantly frauds might increase with the expertise attackers. (Schneier n.d.) Advantages of Multi factors Authentication A layered security approach can enhance Security. Three-factor authentication includes an inherence factor along with the 2FA elements. It is mainly used in the government agencies and businesses who require highly enhanced security. The inherence factor includes voice recognition, facial recognition, finger vein scans, fingerprint scans, iris scans, retina scans, earlobe geometry and hand geometry. For example when a user logins with his username and password, he has to possess an ID card and his fingerprints must match with the records stored in the database. (Matthew n.d.) Four-factor authentication along with knowing password, possessing card and matching his inherence factors, additionally uses the mutual acquaintance of the user, someone the user knows as a fourth factor. The support of human for the scientific literature to authenticate a user is in use in the computer security in various roles: reputation networks, peer-level certification, privilege delegation and helpdesk assistance. This provides an emergency identity factor for user authentication in the absence of a password or token. (Brainard, et al. n.d.) Five-factor authentication uses the three factors used for 3FA and location and time as fourth and fifth factors for providing strong authentication. So, a user is granted access only when all the five factors are verified: password, the OTP, his biometric credential, his location within the allowed time. A smartphone with GPS eases the burden of tracing the login location, the MAC address of the login location is another means to identify the user’s location. The presence of a user at the time of login and the time when user logins are also used as identity factors. These identity factors provide additional security for the simple fact that it is impossible for a user to use his ATM card in China and then use it in India within few hours of a day.
- 18. Conclusion Users need not take the burden with various authentication functions. If the usage of the second factor that ‘something the user has’ is not resistible for the active attacks, the best solution is to modify or replace the second factor rather than implementing the complicated multi-factor authentication. This can be implemented in two ways: one is by using the mobile phone but in a different approach than the current OTP usage and the other is to replace the identity factor from ‘something the user has’ to ‘something the user is’. The first approach is where a user's mobile phone receives a request of authentication as an alert message. A user can accept or reject this notification. This is secure unless the mobile phone is with the valid user to accept or reject the notification. This is less secure and less convenient. However, a user can make it more secure by implementing lock pattern, PIN, Passcode to his mobile phone itself. So that an attacker who steals the mobile phone can never know the unlock pattern to access any app. Mobile phones now have all the apps available. It is user’s choice to choose an app wisely by checking reviews and the designer of the app before downloading them. (Cooperband 2015). The second approach is to use a biometric device worn by a user. The device itself requests nearby resources and authenticates the user easily. It validates the authorized user only when he wears the device. The device doesn’t identify the user when he doesn’t wear it. This is the most secure and most convenient method. Though an attacker wears the biometric device, he can never be validated as an authorized user since the device is uniquely designed with the users unique inherence factors. (Cooperband 2015) Two-factor authentication is not in implementation globally by all users and enterprises because of the lack of awareness about its benefits. It is essential for each enterprise to explain among its employees and other users about its importance in ensuring strong security. It is recommended for all the organizations and users to implement two-factor authentication in above two approaches to attain high security.
- 19. References Brainard, John, Juels Ari, Ronald L.Rivest, Michael Szydlo , and Moti Yung. Fourth-Factor Authentication: Somebody You Know. n.d. Cooperband, Jared. "Two-factor Authentication." 2015. D, M’Raihi, Machani S, Pei M, and Rydell J. Time-Based One-Time Password Algorithm. 2011. Defender hardware tokens. n.d. http://software.dell.com/products/defender/hardwaretokens.aspx (accessed November 14, 2015). Fadi Aloul, Syed Zahidi ,Wassim El-Hajj. Two Factor Authentication Using Mobile Phones. n.d. Hoyer, P. Portable Symmetric Key Container (PSKC). 2010. M’Raihi, D, Bellare M, Hoornaert F, Naccache D, and Ranen O. HOTP: An HMAC-Based One- Time Password Algorithm. 2005. Matt, Rubin. "The Unreliability of MD5-based OTPs." 2013. Matthew , Haughn. three-factor authentication (3FA) definition. n.d. http://searchsecurity.techtarget.com/definition/three-factor-authentication-3FA (accessed December 3, 2015). N, Haller. The S/KEY One-Time Password System. 1995. N, Haller, Metz C, Nesser P, and Straw M. A One-Time Password System. 1998. Rouse, Margaret. Single-factor authentication (SFA) definition. n.d. http://searchsecurity.techtarget.com/definition/single-factor-authentication-SFA (accessed October 23, 2015). —. "Authentication Definition." n.d. http://searchsecurity.techtarget.com/definition/authentication (accessed October 10, 2015). —. "Key fob definition." n.d. http://searchsecurity.techtarget.com/definition/key-fob> (accessed November 15, 2015). —. multifactor authentication (MFA) definition. n.d. http://searchsecurity.techtarget.com/definition/multifactor-authentication-MFA (accessed December 2, 2015). —. "Security Token." n.d. http://searchsecurity.techtarget.com/definition/security-token (accessed October 23, 2015). Schneier, Bruce . Two-Factor Authentication: Too Little, Too Late. n.d. Security Token card online demo. n.d. https://www.sc.com/sg/ways-to-bank/token-card- demo/main.html#/getting_started/intro (accessed November 14, 2015).
- 20. Sevilaja, Chris. The Ins and Outs of Token based authentication. 2015. Shinder, Deb. Understanding and selecting authentication methods. n.d. http://www.techrepublic.com/article/understanding-and-selecting-authentication-method (accessed October 24, 2015). Strom, David. "CA Strong Authentication | Multifactor authentication product overview." n.d. http://searchsecurity.techtarget.com/feature/Multifactor-authentication-products-CA- Strong-Authentication (accessed November 11, 2015).