Proceedings of the International Conference on Emerging Trends in Engineering and Management (ICETEM14)
30 – 31, December 2014, Ernakulam, India
142
EFFECTIVENESS OF VARIOUS USER
AUTHENTICATION TECHNIQUES
Nimisha Paulose
Computer Science and Engineering, Sree Narayana Gurukulam College of Engineering, Kerala, India
Sarika S
Assistant Professor, Computer Science and Engineering, Sree Narayana Gurukulam College of Engineering,
Kerala, India
ABSTRACT
Text passwords are the most popular form of user authentication on the internet because of their simplicity.
Internet users are required to remember many passwords to access their online accounts. These user
passwords are prone to being stolen and compromised through different vulnerabilities. Passwords are compromised
because of their simplicity; users select weak passwords that are easier to remember. End users are not much
concerned about security issues, which is why they choose simple passwords. This makes textual passwords easy
to break and vulnerable to dictionary or brute force attacks. Many password based schemes with smart cards, graphical
passwords and biometrics have been proposed; each scheme has its merits and demerits. In this paper, we analyze and
compare some of the commonly used user authentication mechanisms.
Keywords: One Time Password, User Authentication, Smart Cards, 3D Password.
I. INTRODUCTION
The dramatic increase in the use of the internet over the past few years has raised many security concerns. The major
security issue is authentication, which is the process of validating the user's identity. User authentication
mechanisms are mainly classified into three types: what you know (knowledge based), what you have (token based) and
what you are (biometric). People select a username and password when registering their accounts on different
websites. Password based user authentication causes many security issues because of the strength of these
passwords. A major problem of this mechanism is that users are not good at memorizing passwords.
In traditional authentication schemes the server keeps a password table to store the passwords of all users
registered with the website. It is quite inefficient to maintain huge tables while the number of users is increasing
tremendously. These password tables are also prone to being hacked, and the user details can easily be revealed to the
outside world. To overcome this issue, many schemes replace the password tables with verification tables. A
verification table keeps the hashed value of each password instead of the plain text password. But many
security issues still arise with verification tables as well. Many authentication systems require not only what the user
knows but also what the user possesses, and these tokens are also vulnerable to many attacks.
Many researchers have investigated a number of technologies to reduce the negative influence of the human factor
in the user authentication process. Many graphical password schemes were designed to address the password recall
problem. Some password management tools are available, and these tools can be used as an alternative for these
issues. These tools generate a strong password for each website automatically, which addresses the password
reuse and password recall problems. The main advantage of using such a tool is that the user is only required to
remember the master password to access the management tool.
INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING &
TECHNOLOGY (IJCET)
ISSN 0976 – 6367(Print)
ISSN 0976 – 6375(Online)
Volume 5, Issue 12, December (2014), pp. 142-147
© IAEME: www.iaeme.com/IJCET.asp
Journal Impact Factor (2014): 8.5328 (Calculated by GISI)
www.jifactor.com
Some research focuses on three factor authentication rather than password based authentication. Three factor
authentication is more secure than two factor authentication against password stealing attacks, but it
comes at a high cost. This paper compares three main techniques used for user authentication: the 3D password technique [1],
user authentication using smart cards [2] and oPass [3]. Two factor authentication is much more attractive
than n factor authentication because of its reduced cost. Two factor authentication still suffers from the negative
influence of the human factor, such as password reuse attacks.
II. OPASS USER AUTHENTICATION PROTOCOL
oPass uses the one time password strategy. This user authentication protocol leverages a user's cell phone and
the short message service. With oPass, users are only required to remember a long-term password for logging in to their
cell phones. Each participating website should possess a unique phone number. A telecommunication service provider
participates in the registration and recovery phases.
Fig. 1 describes the architecture and environment of the oPass system. In this architecture the user interacts
with the web browser and the cell phone through physical contact. The communication between the cell phone and the
web browser can use Bluetooth or wireless, and the communication between the cell phone and the web server is only
through the SMS channel [4]. The web browser and the web server are connected via an internet connection; these
channels are used for the communication within the system. To perform a secure login the user is required to register
their phone number with the web browser. The user can operate on an untrusted computer but needs a malware free cell
phone. The communications are only between the cell phone and the web server through the secured channel, the short
message service.
Fig. 1: Architecture of oPass system
The aim of the registration phase is to allow the user and the server to negotiate a shared secret that authenticates
succeeding logins for that user. The user starts the oPass program installed on their cell phone. The program
sends the user id and the website URL as parameters to the telecommunication service provider (TSP) through the 3G
connection to make a registration request.
On reception of this request the telecommunication service provider (TSP) traces the cell phone based on the user's
SIM card. Here a mutual authentication scheme is used to prevent phishing attacks. In the login phase the user sends a
request from an untrusted computer and also starts the oPass program on a trusted cell phone. The long-term password is
entered to access the program; this long-term password is used to generate the one time password for each login. The
generated one time password is sent to the web server for authentication. After user authentication is done on the
server side, the server sends the encrypted shared key to the cell phone for mutual authentication, which helps to
avoid phishing attacks.
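The login phase above says only that the long-term password generates a fresh one time password for each login. The following sketch is an added example, not code from the paper or from oPass: it assumes a Lamport-style hash chain, a PBKDF2-derived seed, and the hypothetical names `Phone`, `WebServer` and `otp_demo`, and it leaves out the SMS transport and the service provider.

```python
import hashlib
import hmac

CHAIN_LENGTH = 5  # assumed: logins available before the phone must register again


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain(seed: bytes, steps: int) -> bytes:
    """Apply H to the seed `steps` times."""
    value = seed
    for _ in range(steps):
        value = H(value)
    return value


def derive_seed(long_term_password: str, site: str, salt: bytes) -> bytes:
    # Assumed derivation: binding the seed to one site keeps chains separate per website.
    return hashlib.pbkdf2_hmac(
        "sha256", long_term_password.encode(), salt + site.encode(), 100_000
    )


class Phone:
    """Holds only public state; the long-term password is typed in at each use."""

    def __init__(self, site: str, salt: bytes, length: int = CHAIN_LENGTH):
        self.site, self.salt, self.length = site, salt, length
        self.used = 0  # number of one time passwords the server has accepted

    def register(self, password: str) -> bytes:
        # Registration: hand the server the end of the chain, H^n(seed).
        return chain(derive_seed(password, self.site, self.salt), self.length)

    def next_otp(self, password: str) -> bytes:
        if self.used >= self.length:
            raise RuntimeError("chain exhausted, register again")
        seed = derive_seed(password, self.site, self.salt)
        return chain(seed, self.length - self.used - 1)

    def ack(self) -> None:
        # Advance only after the server accepted, so a mistyped password
        # does not desynchronise phone and server.
        self.used += 1


class WebServer:
    def __init__(self, anchor: bytes):
        self.current = anchor  # last accepted chain value, never the password

    def verify(self, otp: bytes) -> bool:
        if hmac.compare_digest(H(otp), self.current):
            self.current = otp  # the accepted value is spent from now on
            return True
        return False


def otp_demo():
    phone = Phone("shop.example", b"constructed-salt")  # constructed sample values
    server = WebServer(phone.register("long-term password"))

    otp1 = phone.next_otp("long-term password")
    first = server.verify(otp1)
    if first:
        phone.ack()
    replayed = server.verify(otp1)                      # captured value sent again
    guessed = server.verify(phone.next_otp("a guess"))  # wrong long-term password
    second = server.verify(phone.next_otp("long-term password"))
    return first, replayed, guessed, second


if __name__ == "__main__":
    print(otp_demo())
```

The server stores only the last accepted chain value, so a one time password observed on the untrusted computer cannot be used for a later login.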
The recovery phase is designed for special conditions, for example if the user loses the cell phone. The oPass
protocol recovers the settings on a new cell phone, provided the phone number stays the same, that is, a new SIM card
with the old mobile number. This is the only way a user can recover oPass on a new cell phone.
Fig. 2: Snapshot of 3D virtual environment
III. 3D PASSWORD TECHNIQUE
The 3D password is a multifactor authentication scheme. In this scheme the user can choose which types of
authentication to use. The scheme uses a 3D virtual environment that is created from various virtual objects. The
user navigates through the virtual environment and interacts with the objects to create the password. The 3D password
technique combines recall, token, recognition and biometric based authentication into a single system through the
design of the virtual environment. A virtual object used in the scheme can be anything that we encounter in the real
world.
Every user will have different requirements and preferences when selecting a 3D password [6]. Fig. 2
shows a snapshot of a 3D virtual environment. Since the 3D password combines several authentication schemes into one
environment, attackers need to study every single authentication scheme to discover what the most probable
selected secrets are. Fig. 3 shows the state diagram of a possible 3D password authentication technique [7]. In the 3D
virtual environment, the selection of objects is reflected in the resulting password space.
The user can choose which types of authentication schemes are required. The user can combine recall, recognition
and token based mechanisms for ease of use. For
example, a user who is poor at memorizing text passwords can choose the biometric and recognition based
authentication schemes. For example, the user can enter a virtual environment and type some words on a computer
that exists at one position, then enter a room that has an iris scan device at another position and provide an iris scan.
The combination and the sequence of the actions toward the specific objects construct the user's 3D password.
Fig. 3: State diagram of a 3D password application
IV. USER AUTHENTICATION TECHNIQUE USING SMART CARDS
Smart card based authentication schemes are commonly used for authenticating remote users. This scheme
does not maintain any verification table for storing passwords. It allows users
to choose and change their passwords. It also achieves mutual authentication, which is essential in critical
applications. With mutual authentication schemes the number of phishing attacks can be reduced.
This scheme is a modification of Das et al.'s scheme; however, the scheme is vulnerable to many types of attacks.
The scheme has three main phases. In the registration phase, the user selects a password and submits this
password to the system. The system creates a hash value from the user id and password, and this is submitted
to the remote system through a secure channel. The remote system computes a nonce using this hash value and the smart
card's unique identity and personalizes the smart card with these parameters.
Fig. 4 describes the state diagram of remote user authentication using smart cards. In the login phase, the
user inserts the smart card [5] into the card reader and keys in the id and password. The smart card then computes the
hash value and sends it to the remote system. In the verification phase, the remote system verifies the value generated
by the hash function and the time interval of the reception of the message; if they match, user access is granted,
otherwise the login request is rejected. Upon receiving the login message the user terminates this session; otherwise
the validity of the time interval is checked. The user can change the password by invoking the password change request
without assistance from the remote system.
Fig. 4: State diagram of remote user authentication using smart cards
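The three phases described above can be exercised end to end. This is an added, simplified sketch and not the scheme of [2] or of Das et al.: the XOR masking, the HMAC construction, the 30 second window and every name in it (`RemoteSystem`, `SmartCard`, `smart_card_demo`) are assumptions chosen to show login without a verification table, the time interval check, mutual authentication and an offline password change.

```python
import hashlib
import hmac
from typing import Optional, Tuple

MAX_SKEW = 30  # seconds; assumed width of the accepted time interval


def h(*parts: bytes) -> bytes:
    """Hash length-prefixed parts so field boundaries stay unambiguous."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return digest.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mac(key: bytes, label: bytes, ts: int) -> bytes:
    return hmac.new(key, label + ts.to_bytes(8, "big"), hashlib.sha256).digest()


def password_hash(user_id: str, password: str) -> bytes:
    return h(user_id.encode(), password.encode())


class SmartCard:
    def __init__(self, user_id: str, card_id: str, n: bytes):
        self.user_id, self.card_id, self.n = user_id, card_id, n

    def _key(self, password: str) -> bytes:
        # Only the right password unmasks the key stored on the card.
        return xor(self.n, password_hash(self.user_id, password))

    def login(self, password: str, now: int) -> Tuple[str, str, int, bytes]:
        return self.user_id, self.card_id, now, mac(self._key(password), b"login", now)

    def check_server(self, password: str, ts: int, proof: bytes) -> bool:
        return hmac.compare_digest(proof, mac(self._key(password), b"server", ts))

    def change_password(self, old: str, new: str) -> None:
        # No remote system involved. This sketch cannot check `old` locally,
        # so a wrong old password silently corrupts the stored value.
        unmasked = xor(self.n, password_hash(self.user_id, old))
        self.n = xor(unmasked, password_hash(self.user_id, new))


class RemoteSystem:
    """Keeps one secret and no per-user password or verification table."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def _card_key(self, user_id: str, card_id: str) -> bytes:
        msg = h(user_id.encode(), card_id.encode())
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def personalize(self, user_id: str, card_id: str, pw_hash: bytes) -> SmartCard:
        # Registration: mask the per-card key with the submitted hash value.
        return SmartCard(user_id, card_id, xor(self._card_key(user_id, card_id), pw_hash))

    def verify(self, message: Tuple[str, str, int, bytes], now: int) -> Optional[bytes]:
        user_id, card_id, ts, proof = message
        if abs(now - ts) > MAX_SKEW:  # outside the time interval: reject
            return None
        key = self._card_key(user_id, card_id)
        if not hmac.compare_digest(proof, mac(key, b"login", ts)):
            return None
        return mac(key, b"server", ts)  # server's proof for mutual authentication


def smart_card_demo():
    server = RemoteSystem(b"constructed-server-secret")  # constructed sample values
    card = server.personalize("alice", "CARD-0001", password_hash("alice", "first pw"))
    t0 = 1_700_000_000

    reply = server.verify(card.login("first pw", t0), now=t0 + 2)
    mutual = reply is not None and card.check_server("first pw", t0, reply)
    wrong_pw = server.verify(card.login("guess", t0), now=t0 + 2)
    stale = server.verify(card.login("first pw", t0), now=t0 + 120)
    card.change_password("first pw", "second pw")
    changed = server.verify(card.login("second pw", t0), now=t0)
    old_pw = server.verify(card.login("first pw", t0), now=t0)
    return mutual, wrong_pw is None, stale is None, changed is not None, old_pw is None


if __name__ == "__main__":
    print(smart_card_demo())
```

The time interval only bounds how long a captured login message stays valid; inside the window the same message would still verify in this sketch.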
V. PERFORMANCE EVALUATION
In this paper three major user authentication techniques are compared based on some metrics and different
attacks. oPass user authentication uses the one time password technique. This protocol uses the SMS channel for secure
transmission of encrypted messages between the user and the web browser.
The 3D password scheme uses the multifactor authentication technique. In this scheme a 3D virtual environment is
created and objects are placed in the environment. User interaction in the virtual environment is taken as the password,
and this password is used for user authentication. Remote user authentication using smart cards uses the one time
password strategy. In this scheme mutual authentication is performed to provide security. The user id and password are
used for authentication at each login. The comparison is made using common attacks and some performance metrics.
[Fig. 4 state labels: insert smart card in the card reader; enter user ID and password; mutual verification; receive login message]
TABLE I: EVALUATION OF USER AUTHENTICATION TECHNIQUES IN VARIOUS ATTACKS

| Attack prevention \ User authentication technique | Using oPass | Using smart cards | Using 3D password |
|---|---|---|---|
| Guessing attack | Not possible | Possible | Not possible |
| Shoulder surfing attack | Not possible | Not possible | Possible |
| Phishing attack | Not possible | Not possible | Not possible |
| Man in the middle attack | Not possible | Possible | Possible |
A. Effectiveness in various attacks
Many attacks are possible in all fields of user authentication. The three techniques are compared in
the table based on some common attacks. These attacks are common in these user authentication techniques. Some of
these attacks are possible in some of the three techniques but not in the others. For example, the password guessing
attack is possible in the remote user authentication technique using smart cards but not in the oPass and 3D password schemes.
B. Performance Metrics
Various user authentication techniques are analyzed and compared using some metrics. Based on the analysis, each of
the three techniques has its own advantages and disadvantages. These three techniques have various applications in real
life. Many challenges arise in user authentication schemes when password based authentication is used. We
compared the techniques using cost, one time password, delay, average time, transmission medium etc.
Based on this comparison, these metrics vary according to the application of the techniques. The negative
influence of the human factor affects all the schemes. In the 3D password scheme the user has the opportunity to select
which type of authentication is required. The 3D password scheme does not use a one time password, but users can
choose any type of authentication. These authentication schemes are combined into one to provide a more secure
environment. Here the negative influence of the human factor is high because the user can select a simple authentication
scheme. The cost of building the 3D virtual environment is high compared to the other schemes. The 3D password
scheme is applied in critical areas such as military facilities, jet fighters and critical servers. The ease of
remembering these combination passwords leads users to choose this type of user authentication technique.
Remote user authentication using smart cards is very common in real life, for example ATM cards, credit
cards, punching cards and debit cards. The cost of this technique is relatively low compared to the other techniques.
This user authentication scheme uses mutual authentication. The mutual authentication is performed on both the remote
system and the smart card. Mutual authentication provides a more secure environment for the communication. The
transmission medium used in this scheme is vulnerable to many attacks compared with the other schemes.
The oPass user authentication protocol leverages the user's cell phone and a telecommunication service provider.
The telecommunication service provider acts as a third party between the user and the web browser. A 3G connection is
used for secure communication between the cell phone and the web browser. The SMS channel is used as the transmission
medium between the cell phone and the web server. The SMS channel is considered a more secure transmission medium. A
long-term password is used in oPass to generate a one time password for each login of the corresponding user. The
recovery phase is used for recovering oPass on a new cell phone with the old phone number. A drawback of this protocol
is that if the signal is lost then the program cannot work. It requires wireless or Bluetooth connectivity for this
communication to be possible.
VI. CONCLUSION
In this paper, we focused on three major user authentication schemes based on user passwords. We discussed the
security issues related to password based authentication schemes. Each authentication scheme has its own advantages
and disadvantages. The oPass protocol can only be used where the user's cell phone has signal. If the cell phone has no
signal then the program cannot work; in addition, if the user loses the cell phone, oPass can only be recovered by using a
new SIM card with the old phone number. But this authentication technique is free from password reuse
attacks, phishing attacks, guessing attacks, key logger attacks etc.

TABLE II: COMPARING USER AUTHENTICATION TECHNIQUES BASED ON VARIOUS METRICS

| Metrics \ User authentication technique | Using oPass | Using smart cards | Using 3D password |
|---|---|---|---|
| One time password | Used | Used | Not used |
| Cost | Medium | Low | High |
| Security of transmission medium | High | Low | Low |
| Average time | High | Medium | High |
| Delay | Moderate | Low | High |
| Mutual authentication | Used | Used | Not used |
The 3D password scheme is applicable in critical areas including critical servers, nuclear and military
facilities, airplanes and jet fighters. The cost of building the 3D password scheme is relatively high compared to oPass
and smart cards. The 3D password scheme is free from brute force attacks, timing attacks, guessing attacks etc. The major
problem of this technique is the negative influence of the human factor and the amount of password space required by the
users. Another problem of the 3D password scheme is the shoulder surfing attack.
Smart cards have many applications in real life, such as ATM, credit and debit cards. This scheme uses mutual
authentication to prevent some attacks. This scheme is free from replay and reflection attacks. The major
problem of smart cards is password stealing attacks.
REFERENCES
[1] Fawaz A. Alsulaiman and Abdulmotaleb El Saddik, “Three-Dimensional Password for More Secure
Authentication”.
[2] Mohammed Misbahuddin, Mohammed Aijaz Ahmed, M.H. Shastri, “A Simple and Efficient Solution to Remote
User Authentication Using Smart Cards”.
[3] Hung-Min Sun, Yao-Hsin Chen, and Yue-Hsun Lin, “oPass: A User Authentication Protocol Resistant to Password
Stealing and Password Reuse Attacks”, IEEE Transactions on Information Forensics and Security, vol. 7, no. 2,
April 2012.
[4] T. Delenikas et al., SMSLib API—Java Library for Sending/Receiving SMS [Online]. Available:
http://smslib.org/
[5] Sonwanshi, S.S., Ahirwal, R.R., and Jain, Y.K. (Comput. Sci. & Eng., Samrat Ashok Technol. Inst., Vidisha, India),
“An Efficient Smart card based Remote User Authentication Scheme using hash function”.
[6] Duhan Pooja, Gupta Shilpi, Sangwan Sujata, and Gulati Vinita, “Secured Authentication: 3D Password”.
[7] Vishal Kolhe, Vipul Gunjal, Sayali Kalasakar, Pranjal Rathod, “Secure Authentication with 3D Password”.
[8] Santosh B. Panjagal and M Lakshmipathy, “Design and Implementation of Advanced Security System Based on
One-Time Password for Highly Secure Zones”, International Journal of Electronics and Communication
Engineering & Technology (IJECET), Volume 4, Issue 4, 2013, pp. 291-300, ISSN Print: 0976-6464,
ISSN Online: 0976-6472.

More Related Content

PDF
IRJET - Graphical Password Authentication for Banking System
PDF
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
PDF
ipas implicit password authentication system ieee 2011
PDF
Database Security Two Way Authentication Using Graphical Password
PDF
IRJET- Graphical user Authentication for an Alphanumeric OTP
PDF
Graphical Password Authentication using Images Sequence
PDF
Count based hybrid graphical password to prevent brute force attack and shoul...
PDF
A secure communication in smart phones using two factor authentications
IRJET - Graphical Password Authentication for Banking System
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
ipas implicit password authentication system ieee 2011
Database Security Two Way Authentication Using Graphical Password
IRJET- Graphical user Authentication for an Alphanumeric OTP
Graphical Password Authentication using Images Sequence
Count based hybrid graphical password to prevent brute force attack and shoul...
A secure communication in smart phones using two factor authentications

What's hot (17)

PDF
GENERATION OF SECURE ONE-TIME PASSWORD BASED ON IMAGE AUTHENTICATION
PDF
Authentication Schemes for Session Passwords using Color and Images
PDF
IRJET - Secure Electronic Transaction using Strengthened Graphical OTP Authen...
PDF
Two aspect authentication system using secure mobile
PDF
A novel multifactor authentication system ensuring usability and security
PDF
Ai4506179185
PDF
Two aspect authentication system using secure
PDF
Iaetsd fpga implementation of rf technology and biometric authentication
PDF
An Overview on Authentication Approaches and Their Usability in Conjunction w...
PDF
ENHANCED AUTHENTICATION FOR WEB-BASED SECURITY USING KEYSTROKE DYNAMICS
PDF
Graphical Based Password for Android Phones using Keystroke Dynamics - A Survey
PDF
Enhancing a Dynamic user Authentication scheme over Brute Force and Dictionar...
PDF
Online applications using strong authentication with OTP grid cards
PDF
2 round hybrid password scheme
PDF
11.graphical password based hybrid authentication system for smart hand held ...
PDF
Graphical Password Authentication using image Segmentation for Web Based Appl...
PDF
Two Factor Authentication Using Smartphone Generated One Time Password
GENERATION OF SECURE ONE-TIME PASSWORD BASED ON IMAGE AUTHENTICATION
Authentication Schemes for Session Passwords using Color and Images
IRJET - Secure Electronic Transaction using Strengthened Graphical OTP Authen...
Two aspect authentication system using secure mobile
A novel multifactor authentication system ensuring usability and security
Ai4506179185
Two aspect authentication system using secure
Iaetsd fpga implementation of rf technology and biometric authentication
An Overview on Authentication Approaches and Their Usability in Conjunction w...
ENHANCED AUTHENTICATION FOR WEB-BASED SECURITY USING KEYSTROKE DYNAMICS
Graphical Based Password for Android Phones using Keystroke Dynamics - A Survey
Enhancing a Dynamic user Authentication scheme over Brute Force and Dictionar...
Online applications using strong authentication with OTP grid cards
2 round hybrid password scheme
11.graphical password based hybrid authentication system for smart hand held ...
Graphical Password Authentication using image Segmentation for Web Based Appl...
Two Factor Authentication Using Smartphone Generated One Time Password
Ad

Viewers also liked (18)

PPTX
PDF
Irish Exit Food And Drink Menu in NYC
PDF
BillingsWorks HR Toolkit
PPTX
DECORAÇÃO DE CASAMENTO
DOCX
- ANDRES FELIPE RAMIREZ DUQUE - GRUPO 2
PPT
香港六合彩开奖结
PDF
Golfers Direct Member Course Brochure
PDF
PPTX
2016 North Central Cooperative Extension Association Meeting
PDF
Libro "Mi Sueño"
PDF
Articulo legis teletrabajo 2010
PPS
The Bee
DOCX
Youtube
PPT
625 Kings Final
PDF
Scheda Tecnica ARS
PPTX
July 2013 audit presentation ga and lrti
PPTX
El papel-de-la-mujer-en-la-sociedad
PDF
Kranky Geek WebRTC 2015 - The future of ORTC with WebRTC
Irish Exit Food And Drink Menu in NYC
BillingsWorks HR Toolkit
DECORAÇÃO DE CASAMENTO
- ANDRES FELIPE RAMIREZ DUQUE - GRUPO 2
香港六合彩开奖结
Golfers Direct Member Course Brochure
2016 North Central Cooperative Extension Association Meeting
Libro "Mi Sueño"
Articulo legis teletrabajo 2010
The Bee
Youtube
625 Kings Final
Scheda Tecnica ARS
July 2013 audit presentation ga and lrti
El papel-de-la-mujer-en-la-sociedad
Kranky Geek WebRTC 2015 - The future of ORTC with WebRTC
Ad

Similar to Effectiveness of various user authentication techniques (20)

PDF
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)
PDF
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)
PDF
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)
PDF
M-Pass: Web Authentication Protocol
PDF
Ipas implicit password_authentication_system
PDF
Volume 1 number-2pp-216-222
PDF
International Journal of Computational Engineering Research(IJCER)
PDF
IRJET- Securing Social Media using Pair based Authentication
PDF
IRJET - Securing Social Media using Pair based Authentication
PDF
Two aspect authentication system using secure mobile devices
PDF
A Novel Passwordless Authentication Scheme for Smart Phones Using Elliptic Cu...
PDF
Jc2516111615
PDF
Jc2516111615
PDF
Three Step Multifactor Authentication Systems for Modern Security
PDF
IRJET - Image Authentication System using Passmatrix
PDF
Secure Code Generation for Multi-level Mutual Authentication
PDF
An Enhanced Security System for Web Authentication
PDF
3d password - Report
PDF
Defenses against large scale online password guessing attacks
PDF
Authentication Scheme for Session Password using matrix Colour and Text
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)
M-Pass: Web Authentication Protocol
Ipas implicit password_authentication_system
Volume 1 number-2pp-216-222
International Journal of Computational Engineering Research(IJCER)
IRJET- Securing Social Media using Pair based Authentication
IRJET - Securing Social Media using Pair based Authentication
Two aspect authentication system using secure mobile devices
A Novel Passwordless Authentication Scheme for Smart Phones Using Elliptic Cu...
Jc2516111615
Jc2516111615
Three Step Multifactor Authentication Systems for Modern Security
IRJET - Image Authentication System using Passmatrix
Secure Code Generation for Multi-level Mutual Authentication
An Enhanced Security System for Web Authentication
3d password - Report
Defenses against large scale online password guessing attacks
Authentication Scheme for Session Password using matrix Colour and Text

More from IAEME Publication (20)

PDF
IAEME_Publication_Call_for_Paper_September_2022.pdf
PDF
MODELING AND ANALYSIS OF SURFACE ROUGHNESS AND WHITE LATER THICKNESS IN WIRE-...
PDF
A STUDY ON THE REASONS FOR TRANSGENDER TO BECOME ENTREPRENEURS
PDF
BROAD UNEXPOSED SKILLS OF TRANSGENDER ENTREPRENEURS
PDF
DETERMINANTS AFFECTING THE USER'S INTENTION TO USE MOBILE BANKING APPLICATIONS
PDF
ANALYSE THE USER PREDILECTION ON GPAY AND PHONEPE FOR DIGITAL TRANSACTIONS
PDF
VOICE BASED ATM FOR VISUALLY IMPAIRED USING ARDUINO
PDF
IMPACT OF EMOTIONAL INTELLIGENCE ON HUMAN RESOURCE MANAGEMENT PRACTICES AMONG...
PDF
VISUALISING AGING PARENTS & THEIR CLOSE CARERS LIFE JOURNEY IN AGING ECONOMY
PDF
A STUDY ON THE IMPACT OF ORGANIZATIONAL CULTURE ON THE EFFECTIVENESS OF PERFO...
PDF
GANDHI ON NON-VIOLENT POLICE
PDF
A STUDY ON TALENT MANAGEMENT AND ITS IMPACT ON EMPLOYEE RETENTION IN SELECTED...
PDF
ATTRITION IN THE IT INDUSTRY DURING COVID-19 PANDEMIC: LINKING EMOTIONAL INTE...
PDF
INFLUENCE OF TALENT MANAGEMENT PRACTICES ON ORGANIZATIONAL PERFORMANCE A STUD...
PDF
A STUDY OF VARIOUS TYPES OF LOANS OF SELECTED PUBLIC AND PRIVATE SECTOR BANKS...
PDF
EXPERIMENTAL STUDY OF MECHANICAL AND TRIBOLOGICAL RELATION OF NYLON/BaSO4 POL...
PDF
ROLE OF SOCIAL ENTREPRENEURSHIP IN RURAL DEVELOPMENT OF INDIA - PROBLEMS AND ...
PDF
OPTIMAL RECONFIGURATION OF POWER DISTRIBUTION RADIAL NETWORK USING HYBRID MET...
PDF
APPLICATION OF FRUGAL APPROACH FOR PRODUCTIVITY IMPROVEMENT - A CASE STUDY OF...
PDF
A MULTIPLE – CHANNEL QUEUING MODELS ON FUZZY ENVIRONMENT
IAEME_Publication_Call_for_Paper_September_2022.pdf
MODELING AND ANALYSIS OF SURFACE ROUGHNESS AND WHITE LATER THICKNESS IN WIRE-...
A STUDY ON THE REASONS FOR TRANSGENDER TO BECOME ENTREPRENEURS
BROAD UNEXPOSED SKILLS OF TRANSGENDER ENTREPRENEURS
DETERMINANTS AFFECTING THE USER'S INTENTION TO USE MOBILE BANKING APPLICATIONS
ANALYSE THE USER PREDILECTION ON GPAY AND PHONEPE FOR DIGITAL TRANSACTIONS
VOICE BASED ATM FOR VISUALLY IMPAIRED USING ARDUINO
IMPACT OF EMOTIONAL INTELLIGENCE ON HUMAN RESOURCE MANAGEMENT PRACTICES AMONG...
VISUALISING AGING PARENTS & THEIR CLOSE CARERS LIFE JOURNEY IN AGING ECONOMY
A STUDY ON THE IMPACT OF ORGANIZATIONAL CULTURE ON THE EFFECTIVENESS OF PERFO...
GANDHI ON NON-VIOLENT POLICE
A STUDY ON TALENT MANAGEMENT AND ITS IMPACT ON EMPLOYEE RETENTION IN SELECTED...
ATTRITION IN THE IT INDUSTRY DURING COVID-19 PANDEMIC: LINKING EMOTIONAL INTE...
INFLUENCE OF TALENT MANAGEMENT PRACTICES ON ORGANIZATIONAL PERFORMANCE A STUD...
A STUDY OF VARIOUS TYPES OF LOANS OF SELECTED PUBLIC AND PRIVATE SECTOR BANKS...
EXPERIMENTAL STUDY OF MECHANICAL AND TRIBOLOGICAL RELATION OF NYLON/BaSO4 POL...
ROLE OF SOCIAL ENTREPRENEURSHIP IN RURAL DEVELOPMENT OF INDIA - PROBLEMS AND ...
OPTIMAL RECONFIGURATION OF POWER DISTRIBUTION RADIAL NETWORK USING HYBRID MET...
APPLICATION OF FRUGAL APPROACH FOR PRODUCTIVITY IMPROVEMENT - A CASE STUDY OF...
A MULTIPLE – CHANNEL QUEUING MODELS ON FUZZY ENVIRONMENT

Recently uploaded (20)

PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
PDF
Encapsulation_ Review paper, used for researhc scholars
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
PDF

Effectiveness of various user authentication techniques

  • 1. Proceedings of the International Conference on Emerging Trends in Engineering and Management (ICETEM14)
30 – 31, December 2014, Ernakulam, India
142
EFFECTIVENESS OF VARIOUS USER AUTHENTICATION TECHNIQUES
Nimisha Paulose
Computer Science and Engineering, Sree Narayana Gurukulam College of Engineering, Kerala, India
Sarika S
Assistant Professor, Computer Science and Engineering, Sree Narayana Gurukulam College of Engineering, Kerala, India
ABSTRACT
Text passwords are the most popular form of user authentication on the internet because of their simplicity. Internet users are required to remember many passwords to access their online accounts. These passwords are prone to being stolen and compromised through different vulnerabilities. Passwords are compromised because of their simplicity: users select weak passwords that are easier to remember. End users are not much concerned about security issues, and that is why they choose simple passwords. This makes textual passwords easy to break and vulnerable to dictionary or brute force attacks. Many password based schemes with smart cards, graphical passwords and biometrics have been proposed; each scheme has its merits and demerits. In this paper, we analyze and compare some of the commonly used user authentication mechanisms.
Keywords: One Time Password, User Authentication, Smart Cards, 3D Password.
I. INTRODUCTION
The dramatic increase in the use of the internet over the past few years has raised many security concerns. The major security issue is authentication, which is the process of validating the user’s identity. User authentication mechanisms are mainly classified into three types: what you know (knowledge based), what you have (token based) and what you are (biometric). People select a username and password when registering their accounts on different websites.
Password based user authentication causes many security issues because of the strength of these passwords. The major problem with this mechanism is that users are not good at memorizing passwords. In traditional authentication schemes the server keeps a password table storing the passwords of all users registered with the website. Maintaining huge tables is quite inefficient while the number of users is increasing tremendously. These password tables are also prone to being hacked, so that user details can easily be revealed to the outside world. To overcome this issue, many schemes replace the password tables with verification tables. A verification table keeps the hashed value of each password instead of the plain text password. But many security issues still arise with the verification table as well. Many authentication systems require not only what the user knows but also what the user possesses, and these tokens are also vulnerable to many attacks. Many researchers have investigated technologies to reduce the negative influence of the human factor in the user authentication process. Many graphical password schemes were designed to address the password recall problem. Some password management tools are available, and these tools can be used as an alternative for these issues.
INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING & TECHNOLOGY (IJCET)
ISSN 0976 – 6367(Print), ISSN 0976 – 6375(Online)
Volume 5, Issue 12, December (2014), pp. 142-147
© IAEME: www.iaeme.com/IJCET.asp
Journal Impact Factor (2014): 8.5328 (Calculated by GISI), www.jifactor.com
  • 2. These tools automatically generate strong passwords for each website, which addresses the password reuse and password recall problems. The main advantage of such a tool is that the user is only required to remember the master password to access the management tool. Some research focuses on three factor authentication rather than password based authentication. Three factor authentication is more secure than two factor authentication against password stealing attacks, but it still has a high cost. This paper compares three main techniques used for user authentication: the 3D password technique [1], user authentication using smart cards [2] and oPass [3]. Two factor authentication is much more attractive than n factor authentication because of its reduced cost. Two factor authentication still suffers from the negative influence of the human factor, such as password reuse attacks.
II. OPASS USER AUTHENTICATION PROTOCOL
oPass uses the one time password strategy. This user authentication protocol leverages a user’s cell phone and the short message service. With oPass, users are only required to remember a long-term password for logging in to their cell phones. Each participating website should possess a unique phone number. A telecommunication service provider (TSP) participates in the registration and recovery phases. Fig. 1 describes the architecture and environment of the oPass system. In this architecture the user communicates with the web browser and the cell phone through physical contact. The communication between the cell phone and the web browser can use Bluetooth or wireless, and that between the cell phone and the web server is only through the SMS channel [4].
Fig. 1: Architecture of oPass system
The web browser and web server are connected via an internet connection; these channels are used for the communication within the system. To perform a secure login the user is required to register their phone number with the web browser. The user can operate on an untrusted computer but needs a malware free cell phone. The communications are only between the cell phone and the web server through the secured channel, the short message service.
The aim of the registration phase is to allow the user and the server to negotiate a shared secret used to authenticate succeeding logins for that user. The user starts oPass by opening the program installed on their cell phone. The program sends the user id and the website URL as parameters to the telecommunication service provider (TSP) through the 3G connection to make a registration request. On receiving this request the TSP traces the cell phone based on the user’s SIM card. Here a mutual authentication scheme is used to prevent phishing attacks.
In the login phase the user sends a request from an untrusted computer and also starts the oPass program on a trusted cell phone. The long term password is entered to access the program; this long term password is used to generate the one time password for each login. The generated one time password is sent to the web server for authentication. After user authentication is done on the server side, the server sends the encrypted shared key to the cell phone for mutual authentication, which helps to avoid phishing attacks.
The recovery phase is designed for special conditions, for example if the user loses the cell phone. The oPass protocol recovers the settings on a new cell phone, provided the phone number stays the same: a new SIM card with the old mobile number. This is the only way the user can recover oPass on a new cell phone.
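The login phase described above, as an added sketch that is not code from the paper or from the oPass authors. The page does not say how the one time passwords are derived from the long term password, so this example assumes a Lamport-style hash chain seeded by PBKDF2 over the long term password, the website identifier and the shared secret negotiated at registration; `CHAIN_LEN`, the `window` resynchronisation parameter and all sample values are assumptions.

```python
import hashlib
import hmac

CHAIN_LEN = 100  # assumed: logins available before registering again


def derive_seed(long_term_pw: str, site_id: str, shared_secret: bytes) -> bytes:
    """Phone side: bind the long-term password to one site (assumed KDF)."""
    salt = hashlib.sha256(site_id.encode() + shared_secret).digest()
    return hashlib.pbkdf2_hmac("sha256", long_term_pw.encode(), salt, 100_000)


def chain(seed: bytes, steps: int) -> bytes:
    """Return H^steps(seed) with H = SHA-256."""
    value = seed
    for _ in range(steps):
        value = hashlib.sha256(value).digest()
    return value


class Phone:
    """Trusted cell phone: holds the seed and releases each OTP once."""

    def __init__(self, long_term_pw: str, site_id: str, shared_secret: bytes):
        self.seed = derive_seed(long_term_pw, site_id, shared_secret)
        self.used = 0

    def registration_anchor(self) -> bytes:
        return chain(self.seed, CHAIN_LEN)  # sent once, at registration

    def next_otp(self) -> bytes:
        if self.used >= CHAIN_LEN:
            raise RuntimeError("chain exhausted: register again")
        self.used += 1
        return chain(self.seed, CHAIN_LEN - self.used)


class Server:
    """Web server: stores only the last accepted chain value, no password."""

    def __init__(self, anchor: bytes):
        self.last = anchor

    def verify(self, otp: bytes, window: int = 3) -> bool:
        # Hash forward up to `window` steps so a lost SMS does not lock the
        # user out; a replayed or older OTP can never hash forward to `last`.
        value = otp
        for _ in range(window):
            value = hashlib.sha256(value).digest()
            if hmac.compare_digest(value, self.last):
                self.last = otp
                return True
        return False


def demo() -> list:
    secret = b"constructed-shared-secret"  # constructed sample value
    phone = Phone("long-term password", "site.example", secret)
    server = Server(phone.registration_anchor())
    first, lost, third = phone.next_otp(), phone.next_otp(), phone.next_otp()
    return [server.verify(first),   # fresh OTP
            server.verify(first),   # replay of a captured OTP
            server.verify(third),   # accepted although `lost` never arrived
            server.verify(lost)]    # stale OTP arriving late


if __name__ == "__main__":
    print(demo())
```

What the server stores after each login is the value it just accepted, which cannot be turned into the next one time password without inverting the hash.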
  • 3. Fig. 2: Snapshot of 3D virtual environment
III. 3D PASSWORD TECHNIQUE
The 3D password is a multifactor authentication scheme. In this scheme the user can choose which types of authentication to use. The scheme uses a 3D virtual environment that is created from various virtual objects. The user navigates through the virtual environment and interacts with the objects to create the password. The 3D password technique combines recall, token, recognition and biometric based authentication into a single system through the design of the virtual environment. A virtual object used in the scheme can be anything that we encounter in the real world. Every user will have different requirements and preferences when selecting a 3D password [6]. Fig. 2 shows a snapshot of a 3D virtual environment. Since the 3D password combines several authentication schemes into one environment, attackers need to study every single authentication scheme to discover what the most probable selected secrets are. Fig. 3 shows the state diagram of a possible 3D password authentication technique [7].
In the 3D virtual environment, the selection of objects is reflected in the resulting password space. The user can choose which types of authentication schemes are required, and can combine recall, recognition and token based mechanisms for ease of use. Fig. 3 describes the state diagram of the 3D password scheme. For example, a user who is poor at memorizing text passwords can go for the biometric and recognition based authentication schemes. For example, the user can enter a virtual environment and type some words on a computer that exists at a given position, and then enter a room that has an iris scan device at a given position and provide an iris scan. The combination and the sequence of the actions toward the specific objects construct the user’s 3-D password.
Fig. 3: State diagram of a 3D password application
  • 4. IV. USER AUTHENTICATION TECHNIQUE USING SMART CARDS
Smart card based authentication schemes are commonly used for authenticating remote users. This scheme does not maintain any verification table for storing passwords. It allows users to choose and change their passwords. It also achieves mutual authentication, which is essential in critical applications. Using mutual authentication schemes, the number of phishing attacks can be reduced. This scheme uses the modified Das et al.’s scheme; however, the scheme is vulnerable to many types of attacks.
Three main phases are designed for this scheme. In the registration phase, the user selects a password and submits it to the system. The system creates a hash value from the user id and password, and this is submitted to the remote system through a secure channel. The remote system computes a nonce using this hash value and the smart card’s unique identity, and personalizes the smart card with these parameters. Fig. 4 describes the state diagram of remote user authentication using smart cards. In the login phase, the user inserts the smart card [5] into the card reader and keys in the id and password. The smart card then computes the hash value and sends it to the remote system. In the verification phase, the remote system verifies the value generated by the hash function and the time interval of the reception of the message; if it matches, user access is granted, otherwise the login request is rejected. Upon receiving the login message the user terminates this session, otherwise checks for the validity of the time interval. The user can change the password by invoking the password change request without assistance from the remote system.
Fig. 4: State diagram of remote user authentication using smart cards (state labels: insert smart card in the card reader; entering user ID and password; mutual verification; receive login message)
V. PERFORMANCE EVALUATION
In this paper three major user authentication techniques are compared based on some metrics and different attacks. oPass user authentication uses the one time password technique. This protocol uses the SMS channel for secure transmission of encrypted messages between the user and the web browser. The 3D password scheme uses the multifactor authentication technique. In this scheme a 3D virtual environment is created and objects are placed in the environment. The user’s interaction in the virtual environment is taken as the password, and this password is used for user authentication. Remote user authentication using smart cards uses the one time password strategy. In this scheme mutual authentication is performed to provide security. The user id and password are used for authentication at each login. The comparison is made using common attacks and some performance metrics.
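The registration, login, verification and password change phases of Section IV, as an added sketch: a simplified construction written for this page, not the scheme of [2] or of Das et al. It shows a remote system that keeps no verification table, checks both the hash value and the time interval, answers for mutual authentication, and lets the card change the password alone. The XOR masking, the 30 second interval, the `seen` set and all names and sample values are assumptions.

```python
import hashlib
import hmac

MAX_SKEW = 30  # seconds; assumed acceptable time interval for a login message


def h(*parts: bytes) -> bytes:  # SHA-256 over length-prefixed fields
    data = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class RemoteSystem:  # one secret key; no table of passwords or password hashes
    def __init__(self, key: bytes):
        self.key, self.seen = key, set()

    def card_key(self, user_id: bytes, card_id: bytes) -> bytes:
        return hmac.new(self.key, h(user_id, card_id), hashlib.sha256).digest()

    def personalize(self, user_id: bytes, card_id: bytes, pw_hash: bytes) -> bytes:
        return xor(self.card_key(user_id, card_id), pw_hash)  # written to card

    def verify(self, msg: tuple, now: int):
        user_id, card_id, t, tag = msg
        k = self.card_key(user_id, card_id)
        fresh = abs(now - t) <= MAX_SKEW and (user_id, card_id, t) not in self.seen
        if not fresh or not hmac.compare_digest(tag, h(b"login", k, b"%d" % t)):
            return None  # stale, replayed, wrong password or forged card data
        self.seen.add((user_id, card_id, t))  # assumed extra: replay in interval
        return h(b"server", k, b"%d" % t)  # distinct label: a reflected tag fails


class SmartCard:
    def __init__(self, user_id: bytes, card_id: bytes, masked: bytes):
        self.user_id, self.card_id, self.masked = user_id, card_id, masked

    def key(self, password: bytes) -> bytes:
        return xor(self.masked, h(self.user_id, password))

    def login(self, password: bytes, now: int) -> tuple:
        tag = h(b"login", self.key(password), b"%d" % now)
        return (self.user_id, self.card_id, now, tag)

    def check_server(self, password: bytes, t: int, reply) -> bool:
        expect = h(b"server", self.key(password), b"%d" % t)
        return reply is not None and hmac.compare_digest(reply, expect)

    def change_password(self, old: bytes, new: bytes) -> None:
        # Card-only operation; a wrong `old` silently leaves a useless card.
        self.masked = xor(self.key(old), h(self.user_id, new))


def demo() -> list:
    server, uid, cid = RemoteSystem(b"constructed-key"), b"alice", b"card-0001"
    card = SmartCard(uid, cid, server.personalize(uid, cid, h(uid, b"pw-1")))
    msg = card.login(b"pw-1", 1000)
    out = [card.check_server(b"pw-1", 1000, server.verify(msg, 1002)),
           server.verify(msg, 1005), server.verify(msg, 2000),
           server.verify(card.login(b"bad", 1010), 1010)]
    card.change_password(b"pw-1", b"pw-2")
    return out + [server.verify(card.login(b"pw-2", 1020), 1020) is not None]
```

`demo()` returns the outcome of a valid login with the server's reply checked, a replay inside the interval, a replay after the interval, a wrong password, and a login after the card-only password change.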
  • 5. TABLE I: VALUATION OF USER AUTHENTICATION TECHNIQUES IN VARIOUS ATTACKS

| Attack prevention / User authentication techniques | Using oPass | Using smart cards | Using 3D password |
|---|---|---|---|
| Guessing attack | Not possible | Possible | Not possible |
| Shoulder surfing attack | Not possible | Not possible | Possible |
| Phishing attack | Not possible | Not possible | Not possible |
| Man in the middle attack | Not possible | Possible | Possible |

A. Effectiveness in various attacks
Many attacks are possible in all fields of user authentication. The three techniques are compared in the table based on some common attacks. These attacks are common in these user authentication techniques. Some of these attacks are possible in some of the three techniques but not in the others. For example, the password guessing attack is possible in the remote user authentication technique using smart cards but not in the oPass and 3D password schemes.
B. Performance Metrics
Various user authentication techniques are analyzed and compared using some metrics. Based on the analysis, each of the three techniques has its own advantages and disadvantages. These three techniques have various applications in real life. Many challenges arise in user authentication schemes when password based authentication is used. We compared the techniques using cost, one time password, delay, average time, transmission medium etc. Based on this comparison, these metrics vary according to the application of the techniques. The negative influence of the human factor affects all the schemes.
In the 3D password scheme the user has the opportunity to select which type of authentication is required. The 3D password scheme does not use a one time password, but users can choose any type of authentication.
These authentication schemes are combined into one to provide a more secure environment. Here the negative influence of the human factor is high because the user can select a simple authentication scheme. The cost of building the 3D virtual environment is high compared to the other schemes. The 3D password scheme applies in critical areas such as military, jetfighters and critical servers; the ease of remembering these combination passwords leads users to this type of user authentication technique.
Remote user authentication using smart cards is very common in real life, for example ATM cards, credit cards, punching cards and debit cards. The cost of this technique is relatively low compared to the other techniques. This user authentication scheme uses mutual authentication, performed on both the remote system and the smart card. Mutual authentication provides a more secure environment for the communication. The transmission medium used in this scheme is vulnerable to many attacks compared with the other schemes.
The oPass user authentication protocol leverages the user’s cell phone and the telecommunication service provider. The telecommunication service provider acts as a third party between the user and the web browser. A 3G connection is used for secure communication between the cell phone and the web browser. The SMS channel is used as the transmission medium between the cell phone and the web server. The SMS channel is considered a more secure transmission medium. A long term password is used in oPass to generate a one time password for each login of the corresponding user. The recovery phase is used for recovering oPass on a new cell phone with the old phone number. The drawback of this protocol is that if the signal is lost the program cannot work. It requires wireless or Bluetooth connectivity for this communication to be possible.
VI. CONCLUSION
In this paper, we focused on three major user authentication schemes based on user passwords. We discussed the security issues related to password based authentication. Each authentication scheme has its own advantages and disadvantages. The oPass protocol can only be used where the user’s cell phone has signal.
  • 6. If the cell phone has no signal then the program cannot work, and if the user loses the cell phone, oPass can only be recovered by using a new SIM card with the old phone number. But this authentication technique is free from password reuse attacks, phishing attacks, guessing attacks, key logger attacks etc. The 3D password scheme is applicable in critical areas including critical servers, nuclear and military facilities, airplanes and jetfighters. The cost of building the 3D password scheme is relatively high compared to oPass and smart cards. The 3D password scheme is free from brute force attacks, timing attacks, guessing attacks etc. The major problems of this technique are the negative influence of the human factor and the amount of password space required by the users. Another problem of the 3D password scheme is the shoulder surfing attack. Smart cards have many applications in real life: ATM, credit card, debit card etc. This scheme uses mutual authentication to prevent some attacks. This scheme is free from replay attacks and reflection attacks. The major problem of smart cards is password stealing attacks.

TABLE II. COMPARING USER AUTHENTICATION TECHNIQUES BASED ON VARIOUS METRICS

| Metrics / User authentication techniques | Using oPass | Using smart cards | Using 3D password |
|---|---|---|---|
| One time password | Used | Used | Not used |
| Cost | Medium | Low | High |
| Security of transmission medium | High | Low | Low |
| Average time | High | Medium | High |
| Delay | Moderate | Low | High |
| Mutual authentication | Used | Used | Not used |

REFERENCES
[1] Fawaz A. Alsulaiman and Abdulmotaleb El Saddik, “Three-Dimensional Password for More Secure Authentication”.
[2] Mohammed Misbahuddin, Mohammed Aijaz Ahmed, M.H. Shastri, “A Simple and Efficient Solution to Remote User Authentication Using Smart Cards”.
[3] Hung-Min Sun, Yao-Hsin Chen, and Yue-Hsun Lin, “oPass: A User Authentication Protocol Resistant to Password Stealing and Password Reuse Attacks”, IEEE Transactions on Information Forensics and Security, vol. 7, no. 2, April 2012.
[4] T. Delenikas et al., SMSLib API—Java Library for Sending/Receiving SMS [Online]. Available: http://smslib.org/
[5] S.S. Sonwanshi, R.R. Ahirwal, Y.K. Jain (Comput. Sci. & Eng., Samrat Ashok Technol. Inst., Vidisha, India), “An Efficient Smart Card Based Remote User Authentication Scheme Using Hash Function”.
[6] Duhan Pooja, Gupta Shilpi, Sangwan Sujata, & Gulati Vinita, “Secured Authentication: 3D Password”.
[7] Vishal Kolhe, Vipul Gunjal, Sayali Kalasakar, Pranjal Rathod, “Secure Authentication with 3D Password”.
[8] Santosh.B.Panjagal and M Lakshmipathy, “Design and Implementation of Advanced Security System Based on One-Time Password for Highly Secure Zones”, International Journal of Electronics and Communication Engineering & Technology (IJECET), Volume 4, Issue 4, 2013, pp. 291 - 300, ISSN Print: 0976-6464, ISSN Online: 0976-6472.