User Identification using Two-factor authentication
Security Technology– Firewalls and VPNs
By: Anusha Manchala
Submitted to Dr. Themis A. Papageorge
Course: Foundations of Information Assurance
Contents
Abstract
Introduction
  Why Do We Need Security?
  Authentication
  User authentication
  Single factor authentication
Background
  Password protection
  Failures of Single factor authentication
Two-factor authentication
  What is a Two-factor authentication?
  Context and History
  One Time Password
  What is OTP?
  OTP algorithm
Tokens
  Hardware Token
  Software Tokens
  Two factor authentication using mobile phones
Multi factors Authentication
  Disadvantages of Two-factor authentication
  Advantages of Multi factors Authentication
Conclusion
References
Figure 1 showing Yubikey
Figure 2 showing Transaction Sign-in feature
Table 1 showing an example of a hash string
Equation 1 showing the input for TOTP
Equation 2 showing the time step value
Abstract
This paper focuses on a security technology for identifying a user. Information security aims to attain Confidentiality, Integrity, and Availability. Once a resource is in the hands of an attacker, who is not an authorized person, the whole point of security is lost. Hence, it is essential to identify the user before allowing him to access a resource. One way of implementing strong user authentication is Two-factor authentication technology.
Introduction
Why Do We Need Security?
The internet is a basic requirement in today's world. Information is exchanged from one point to another by passing through several intermediate points, and there is no assurance that every intermediate point is secure. While data is in transit, an intruder may wait for his chance to alter, delete, add or intercept it. A vulnerable spot in the transmission is an open invitation for an intruder to make his malicious attempts, which may lead to catastrophic effects such as loss of privacy, loss of information, loss of correctness of data and loss of availability. To avoid such risks, it is essential to add a layer of security to information technology.
The main goal of security is achieved when resources can be accessed only by authorized persons. It is equally essential to keep resources away from unauthorized persons who may perform malicious acts. Resources in the computer world can be any services, such as web applications, network-based servers and multi-user systems. One way to achieve the security goal is to grant access rights to the appropriate users, i.e., certain resources are given access rights only for particular users. But how can we be certain that the right user is using the resource? How do we identify the user and give him permissions? The answer is authentication.
Authentication
Authentication is a method of deciding whether a user or a machine is who it claims to be. Identification and verification are the two steps involved in the authentication process. Credentials, which act as identity proof of a user or a machine, are stored in a database. When a user or a machine requests access to a resource by providing its credentials, the identity of the machine or user is cross-checked against the database where the credentials of each user are stored. If the credentials match, permission to access the resource is granted. The process of verification and granting access permission to a resource is called authorization. Authentication followed by authorization is the method of identifying and validating the right user or the right machine. (Rouse, Authentication Definition n.d.)
This paper mainly discusses user authentication and its various methods, password attacks, and various technologies for obtaining strong authentication.
User authentication
User authentication can be done based on three identity factors. Password-based, Token-based and Biometric-based authentication methods work using these identity factors.
- Knowledge factor: something that a user knows, such as an account number, username, password, passphrase, personal identification number (PIN), or answers to certain security questions (e.g. What is the name of your first manager?).
- Possession factor: something that a user has with him, such as his mobile phone, ATM card, smart card, electronic keycard or physical keys.
- Inherence factor: something that a user is (static biometrics) or something that a user does (dynamic biometrics). Static biometrics are hand geometry, fingerprint, facial characteristics, retina and iris pattern. Dynamic biometrics are voice print and signature. (Rouse, multifactor authentication (MFA) definition n.d.)
Single factor authentication
If only one of the above identity factors is used to authenticate a user and permit access to a resource, it is called Single factor authentication. The most common user authentication in today's business world is Password-based Authentication. (Rouse, Single-factor authentication (SFA) definition n.d.)
Password-based Authentication
A user may register with his credentials to gain access rights to a resource, or a system administrator may register him. In either case, the aim is to store the identity-proof credentials of the user in the database and retrieve them when needed. The credentials are most commonly a user ID or username and a password, PIN or passphrase. If a user registers himself, he is allowed to choose the password. Sometimes a system admin assigns a password to a user; for better security, the user must then reset the assigned password by choosing a strong one. When a user provides his username and password (what he knows), the credentials are compared with those stored in the database to authorize the user. The database also stores the information related to access controls and privileges; some users may have only limited privileges to a resource.
Background
Password protection
In order to avoid security breaches, several approaches have been implemented to protect a user's password. Some of these approaches are the use of cryptographic and hashing techniques for confidential storage of passwords, training users about the necessity of strong passwords, enforcement of password selection strategies such as a password checker, and complex password policies such as a minimum password length and the use of alphanumeric characters. However, a single-factor credential used as the deciding factor for authorization has many drawbacks. Passwords have become the most vulnerable point of attack.
Failures of Single factor authentication
1. When a password is hashed and stored in a system password file, an attacker may gain access to that file. He compares the hashes of commonly used passwords against the password hashes in the file until a valid password is obtained. This attack is popularly known as an Offline Dictionary attack.
2. An attacker may focus on a specific user ID and continuously guess passwords until the right password is obtained to log into the resource.
3. An attacker may try to obtain authorization by using easily remembered passwords on various user IDs.
4. An attacker may gain knowledge about the system's password policies and the user accounts in use and simply guess the password to intrude into a system.
5. Sometimes a user might simply log into a workstation and leave it idle without performing any operations. When such a system is left idle for a long time, an attacker waits for his chance until the system is unattended and then performs his malicious acts.
6. A user's tendency to use a password containing his basic details such as names, phone numbers or addresses gives a good hint to an attacker. A user may forget to reset the default password created by the admin and continue using the same password. Unable to remember a complex password, a user might write it down on paper, send it in a mail, or paste it on a sticky note on the desktop. User mistakes are a major source of attack; social engineering and sharing the password with someone else are also very common mistakes.
7. Attackers may intercept the communication channel when passwords are transmitted across the network to log into remote resources. Sometimes several network resources share similar passwords for a given user.
8. A brute force attack is one type of password cracker that tries every possible encryption key to crack the password. In rainbow table attacks, the attacker generates all possible dictionary passwords and all possible salt values to create valid hashes and cracks the passwords.
9. Sometimes even longer passphrases are cracked by expert hackers who apply their techniques through malware, Trojan horses, spyware, key loggers etc.
Passwords or passphrases are made strong, lengthy and unbreakable using various security measures. Ease of implementation and low cost of use are the main reasons for their widespread usage. It is clear, however, that a single credential factor does not completely serve the purpose of security. Though single-factor usage is not weak, it cannot be used for all assurance levels because it does not provide the desired high level of security for resources.
What else is needed to assure the resource that the right user is trying to access it? What other means exist to identify the user and add an additional layer of security? How is stronger authentication achieved? All these questions are answered in the later sections.
Two-factor authentication
It can be discussed with a very familiar example from everyday life. Globally, almost all banks issue a credit or debit card to every user who opens a bank account. The user is given an account number, username, PIN and a debit card (sometimes a credit card at the user's choice). The debit card has the full name of the user, the card number, the expiry date of the card and a secret code of 3 digits, which indicates that the card is issued only to a specific user. If the user wants to withdraw money, check the balance or deposit money, he has to first swipe his debit card at the ATM machine and then enter his PIN of at least 4 digits. If everything is correct, the ATM validates the user and allows him to proceed with further steps. This simple scenario is a perfect example of Two-factor authentication: something the user has and something the user knows are used as identity factors to authenticate the user.
What is a Two-factor authentication?
A two-step verification process that gives an additional layer of security by using two of the three authentication factors to identify a user and grant him access to a resource is called two-factor authentication (TFA). It is otherwise known as 2FA.
Context and History
Frank Miller introduced one-time pads in 1882. One-time pads were reinvented after the First World War in 1917 and patented by Gilbert Vernam in 1919. They are mostly similar to Vernam ciphers, invented by Gilbert Vernam. The Vernam cipher is a cryptographic algorithm that combines the plaintext with keys in order to achieve encryption. These ciphers use keys that are generated on an iterative basis. At the start of the 1920s, three German cryptographers, Erich Langlotz, Rudolf Schauffler and Werner Kunze, described the use of randomly generated numbers and their importance in avoiding replay attacks. The one-time pad uses random generators to produce a key to combine with any piece of information. The one-time pad is basically a piece of paper that can be burned or recycled to discard it once it has been used for ciphering. The traditional approach followed one-time pads, whereas the modern approach to two-factor authentication uses One-Time Passwords. (Cooperband 2015)
One Time Password
An OTP is a more secure password than a user-created password or a static password. It is not vulnerable to a replay attack or a man-in-the-middle attack. There is no need to store these one-time passwords in a database or any system, and it can work without the internet. Many business organizations implement OTP tokens as a means of remote user authentication when accessing Virtual Private Networks, transaction-oriented web applications, and Wi-Fi network login. It can provide interoperability among various types of software and hardware vendors. (N, C, et al. 1998)
What is OTP?
An OTP is a password or PIN with an alphanumeric or numeric set of characters used only once for each authentication attempt. This set of characters is valid only for a single session. When a user provides something he knows, a password or PIN, to obtain access to a resource, the OTP, which acts as the second identity factor, is generated from a device that is something the user has with him (token devices are discussed later). An OTP is generated in two common ways:
1. HMAC-based one-time password algorithm, called HOTP
2. Time-based one-time password algorithm, called TOTP
OTP algorithm
To prevent an unauthorized user from guessing the next password in the sequence, the OTP algorithm generates the sequence of PINs in a random manner so that it is irreversible and unpredictable. The alphanumeric or numeric set of characters of a specific length is generated based on one of the two algorithms mentioned above. This section gives a detailed explanation of both algorithms.
HMAC-based one-time password algorithm
HOTP generates a one-time password based on a Hashed Message Authentication Code (HMAC). It is a simple OTP algorithm used to adopt two-factor authentication. The main idea of the algorithm is to generate an OTP with the least involvement of the user, since a user is not expected to know the cryptographic or mathematical computations behind the generation of a one-time password or the authentication itself. High usability with efficiency and low cost is the best practice for implementation. This event-based algorithm can be used in various devices such as a GSM SIM, smart cards that run Java, and USB dongles. (M’Raihi, et al. 2005)
The HOTP algorithm is designed to meet the following requirements:
1. A device that generates the OTP must be easy to handle, must consume little battery power, have few buttons to request an OTP, a small display screen to show the OTP, and must require little computing power.
2. The OTP must be generated on a counter-based or sequence-based approach. Otherwise, if the approach is iterative like a Vernam cipher, it can be easily guessed by the attacker.
3. It must be possible to embed it in high-volume devices such as a SIM card or a smart card to provide interoperability.
4. The algorithm must work without the need for any numeric input but must also work efficiently when devices like PIN-pads are used. It has to produce a password of a specific, reasonable length on the display screen which can be easily understood and easily typed by a user. A minimum length of 6 characters and a maximum of 8 is preferable.
5. It is essential to choose a hash algorithm that generates a hash of at least 128 bits (M’Raihi, et al. 2005). For example, MD5 is not recommended since it generates a hash of 16 bytes. (Matt 2013)
6. The whole point of the OTP is the use of a counter. Hence, an easy approach to resynchronize the sequence number must be used. (M’Raihi, et al. 2005)
The algorithm in this section discusses the HMAC-SHA1 implementation, where a 160-bit (20-byte) hash is used to generate the OTP. It needs certain parameters:
- A secret value shared between a generator and a validator.
- A resynchronization parameter to remember the sequence or counter number.
- A counter value synchronized between a client and a server to authenticate. Here the client is the HOTP generator and the server is the HOTP validator. The synchronization is needed to avoid any mismatch between the server and the client.
- The number of characters or digits of an OTP.
- A variable that keeps track of the number of attempts made by the client.
The counter value and the shared secret are known only to the validation service and the token. The HMAC-SHA1 calculation generates a hash value of 20 bytes or 160 bits. The user cannot enter all these characters in the given time. Moreover, if the same hash value were used as the OTP it would fail the essential requirements of the algorithm. So, a password that can be easily entered by the user is generated by truncating the 160-bit hash value. (M’Raihi, et al. 2005)
Steps of the HOTP algorithm
1. Compute the hash value by taking as input a static symmetric key and the counter value.
2. Calculate the integer value of the last 4 bits of the hash value. Use this integer value as an offset to extract a segment of 4 bytes from the hash value.
3. Now perform a modulo computation on the 4-byte value based on the number of digits of the OTP value. (M’Raihi, et al. 2005)
For example, assume that the hash string 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1 is obtained from the first step of the algorithm.
00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19
84 98 3E 44 1C 3B D2 6E BA AE 4A A1 F9 51 29 E5 E5 46 70 F1
Table 1 showing an example of a hash string
The last byte of the hash (byte number 19) has the hex value 0xF1, and its last 4 bits, the offset, are 0x1.
The integer value of the offset is 1 (0x1).
So the 4-byte segment required to generate the OTP begins at byte number one.
The 32-bit segment is 0x983E441C.
The decimal value of 0x983E441C is 2554217500.
Now apply the modulo computation based on the number of digits of the OTP required. If a 6-digit OTP is required, 2554217500 modulo 10^6 = 217500.
217500 is the required 6-digit OTP.
If the number of digits required for the OTP is 8, then 2554217500 modulo 10^8 = 54217500 is the OTP generated. The SHA-256 and SHA-512 hash functions can also be used to generate the hash values.
Time-based one-time password algorithm (TOTP)
The time-based one-time password is an extension of the HMAC-based One-Time Password (HOTP) algorithm. HOTP is an event-based algorithm with a sequence or session counter as the moving factor, whereas TOTP has a time value as the moving factor.
A random OTP generated by HOTP is secure enough, but it is susceptible to attack when a user does not use the OTP for authentication for some reason. When the OTP is not used, the counter value remains the same until a successful authentication is made with the current OTP. Hence, an attacker can easily use the OTP. Instead, if an OTP is valid only for a certain time, irrespective of authentication success or failure, the attacker remains clueless about the generated OTP. So, to provide enhanced security, time values are used for a short span. TOTP works similarly to HOTP except that a time-factor variant, the time step, is used as the counter in the computation of the one-time password. This algorithm works with the HMAC-SHA-512 or HMAC-SHA-256 functions, which are derived from SHA-512 or SHA-256 [SHA2]. An efficient TOTP can provide enhanced security with some requirements:
1. The same secret (key) must be shared by a client (a token) and an authenticating server (or validator), or at least they must share the same knowledge of the secret.
2. Each client must have a unique secret (key).
3. To ensure uniqueness, the keys must be generated using key derivation algorithms or must be generated randomly.
4. These keys are secured in a device that is compact and resistant to tampering attacks.
5. The algorithm must be based on the HOTP algorithm and its requirements.
6. The present UNIX time is calculated as the total number of seconds elapsed since midnight UTC of January 1, 1970. The authentication server and the client must be able to derive this current UNIX time.
7. It is also required that the validator and the client use the same time-step value to have proper synchronization for the authentication. (D, et al. 2011)
Unlike the HOTP algorithm (which is not system dependent and does not need any inputs other than a static symmetric key and a counter value), the TOTP algorithm requires 2 system parameters:
- A time-step value measured in seconds, with the default value set to 30 seconds. This is represented as X.
- A UNIX time counter, represented as T0, from which the number of time steps taken is counted. The default value is set to 0.
As mentioned earlier, the algorithm is an extension of HOTP and takes as input a static symmetric key and a time factor. (D, et al. 2011)
TOTP = HOTP(K, T)
Equation 1 showing the input for TOTP
where K = static symmetric key and T is the number of time steps between the initial counter value T0 and the current UNIX time.
T = (Current UNIX time - T0) / X
Equation 2 showing the time step value
For example, if the default values X = 30 seconds and T0 = 0 are used for a current UNIX time of 59 seconds, then T = 1. If the current UNIX time is 60 seconds, then T = 2. Computations use the default floor function. The default values of X and T0 can be set during the provisioning step. If the time goes beyond the year 2038, the integer value of the time will be larger than 32 bits, so the algorithm must calculate T with a wider integer. (Hoyer 2010)
A few precautions are recommended when implementing the TOTP algorithm. TOTP depends on HOTP to provide enhanced security. As HOTP is the key building block of TOTP, the dynamic truncation (where a 4-byte segment is extracted from the hash) must be independent and the set of characters must be uniformly distributed. To give a distinct key as input, it should be generated from a pseudo-random generator, a cryptographic technique with a randomness test that outputs a unique key, or it can also be generated randomly. Along with the randomness of the key, two other requisites are essential for enhanced security: storage of the key in a secured device and the channel through which the key is passed. The key must be safely stored in the validation system and encrypted using a device that is protected from attacks such as tampering, so that it can be decrypted whenever needed for verification and encrypted back to give the least exposure in RAM. To avoid malicious attacks, the key storage database and validation systems must be highly protected by limiting access only to the processes and programs required by the validation system. The communication between a validator and a client must take place over a secure channel such as Secure Socket Layer/Transport Layer Security (SSL/TLS) or IPsec connections. (D, et al. 2011)
OTPs generated within the same time-step are all the same. For example, if the time step is 30 seconds, the OTPs generated in the 1st second and the 29th second are always the same. The validation system uses a time-stamp value to validate the OTP. But the validation system receives the OTP at a time stamp different from the time stamp at which the OTP was generated on the client side. The validation system does not know the time-stamp value of the OTP when it was generated on the client side, so it uses the time stamp at which it receives the OTP. If the received and generated time stamps have a large time gap, they do not fall in the same time-step window; the received time stamp may fall in the next time-step window. To overcome this time gap, the validation system must set rules or policies to accept a valid OTP even though there is a delay in the transmission. The validation system must accept the OTP from the previous time-step value along with the received time stamp, within the range of a transmission delay time window. However, the allowed transmission delay should not be very long, because the longer the time allowed for accepting transmission delays, the higher the chances of vulnerabilities. Likewise, the longer the time-step value, the higher the probability of attacks. If the time-step window is longer, the time gap between the client side and the receiving side matters less and there are higher chances that the validation system accepts the OTP. The next OTP is generated in the next time-step window. Suppose the time-step value is 30 seconds; a new OTP is generated every 30 seconds. If a user wants to generate a new OTP at the 15th second, he has to wait until the clock is reset back to 0. If the time-step window is too large, say 10 or 15 minutes, the user has to wait a long time to obtain a new OTP, and meanwhile the login session of the site requesting the second authentication factor also expires. Hence, to avoid attacks and to provide convenience, a time-step window between 30 and 60 seconds is preferable. If an OTP is repeated in the same time-step window, the validator should not accept it if an OTP has already been successfully authenticated. (D, et al. 2011)
The validator has to set a limit on the number of attempts, after which a token can be rejected. This limit can be set either backward or forward based on the time-step value of the computed OTP. Suppose the time-step window is set to 30 seconds and the limit is set as two steps backward. Then the maximum time drift tolerated is 89 seconds (60 seconds from the past time-step windows and 29 seconds from the current time-step window). It implies that a validator verifies the OTP against at most three time-step values. A successful verification by the validation server can be recorded in terms of the number of time-steps of clock drift for the OTP. If a new OTP is later submitted for verification, the validation server can verify it based on the recorded time-step clock drift and the current time stamp of the OTP. The longer a client has not transmitted an OTP to the validation server, the larger the time-step clock drift between the client and the verifier becomes. This is the case where the limit on clock drift is exceeded. The normal resynchronization mechanism described above will not work for such exceptional cases. (D, et al. 2011)
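As an added example (not code from the paper or from the RFC authors), the following Python implements the three HOTP steps above, the TOTP equations, and a validator with the look-back window, one-use rule and attempt limit discussed in this section. It follows RFC 4226's dynamic truncation, which clears the top bit of the 4-byte segment; the paper's worked arithmetic omits that mask, so for its sample hash the masked value is 0x183E441C and the 6-digit code is 733852 rather than 217500. The key is the published RFC 4226/6238 test key, and the window sizes and failure limit are assumed values.

```python
import hashlib
import hmac
import struct

# Added example, not code from the paper. HOTP follows RFC 4226 and TOTP
# follows RFC 6238; the validator policies are the ones the paper describes.
# Assumed parameters: back=2 steps of look-back, forward=0, max_failures=5.


def dynamic_truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation of an HMAC digest to a `digits`-long code.

    offset  = low 4 bits of the last byte of the digest
    segment = 4 bytes starting at offset, top bit cleared (31-bit integer)
    code    = segment mod 10^digits, zero-padded to `digits`
    """
    offset = mac[-1] & 0x0F
    seg = mac[offset:offset + 4]
    # The 0x7F mask removes the sign bit so signed and unsigned platforms agree.
    # The paper's arithmetic skips this mask, which is why its 0x983E441C
    # differs from the RFC value 0x183E441C for the same sample hash.
    value = ((seg[0] & 0x7F) << 24) | (seg[1] << 16) | (seg[2] << 8) | seg[3]
    return str(value % (10 ** digits)).zfill(digits)


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    return dynamic_truncate(mac, digits)


def time_step(unix_time: int, t0: int = 0, x: int = 30) -> int:
    """Equation 2: T = floor((current UNIX time - T0) / X)."""
    return (unix_time - t0) // x


def totp(key: bytes, unix_time: int, t0: int = 0, x: int = 30,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """Equation 1: TOTP = HOTP(K, T), with T derived from the clock."""
    return hotp(key, time_step(unix_time, t0, x), digits, digestmod)


class TotpValidator:
    """Server-side check with a bounded look-back window, a one-use rule
    and an attempt limit (the validator policies from the TOTP section)."""

    def __init__(self, key: bytes, back: int = 2, forward: int = 0,
                 t0: int = 0, x: int = 30, digits: int = 6, max_failures: int = 5):
        self.key, self.back, self.forward = key, back, forward
        self.t0, self.x, self.digits = t0, x, digits
        self.max_failures = max_failures
        self.failures = 0
        self.last_accepted_step = None  # newest step whose OTP was already used

    def verify(self, candidate: str, unix_time: int):
        """Return (accepted, drift). drift = accepted step - current step."""
        if self.failures >= self.max_failures:
            return False, None  # locked until an out-of-band resynchronisation
        current = time_step(unix_time, self.t0, self.x)
        for step in range(current - self.back, current + self.forward + 1):
            # An OTP is accepted once: any step at or before the last accepted
            # one is a replay (or an older code) and is refused.
            if self.last_accepted_step is not None and step <= self.last_accepted_step:
                continue
            expected = hotp(self.key, step, self.digits)
            if hmac.compare_digest(expected, candidate):
                self.last_accepted_step = step
                self.failures = 0
                return True, step - current
        self.failures += 1
        return False, None


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 4226 / RFC 6238 test key
    print(hotp(key, 0), totp(key, 59, digits=8))        # 755224 94287082
    paper_hash = bytes.fromhex("84983E441C3BD26EBAAE4AA1F95129E5E54670F1")
    print(dynamic_truncate(paper_hash, 6))               # 733852 (masked segment)
    v = TotpValidator(key, back=2)
    print(v.verify(totp(key, 59), 89))                   # (True, -1)
    print(v.verify(totp(key, 59), 95))                   # (False, None): replay
```

The first two printed values match the published RFC 4226 and RFC 6238 test vectors, which is the quickest sanity check for any HOTP/TOTP implementation.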
Tokens
A token is something that acts as an identity to represent an object. Tokens have been in use for at least two decades and are now widespread in the market. To enable two-factor authentication, a token serves as the second factor for user authentication. The token must be communicated securely between a client and the validation server over the internet. Some tokens store biometric data or cryptographic keys, or generate a PIN that changes periodically. A token is embedded in a physical device or in an application designed to transmit it over the internet. The device can be a hardware or a software device.
Hardware Token
A token embedded in a physical device that has an LCD/LED display screen and a single button (used for Validation and ID Protection (VIP)) is called a Hardware token. A single press of the button generates a token, which simplifies the two-factor authentication mechanism. This is a user-friendly device since a user can easily carry it wherever he goes: a user can keep the hardware device in his pocket, wear it around his neck or attach it to a key ring. This provides good ease of use, especially in organizations. An organization issues VIP credentials to each employee, and the employee can easily access a network service using these hardware tokens. Recently, many advanced features have been added to the design of these hardware tokens to provide users with more ease of access. (Rouse, Security Token n.d.)
A USB authentication token fits in the USB port of the system, can be connected to a mobile device, and generates a one-time password with a single touch of the button. These devices can be used from any browser, any platform or any computer without the need for drivers. They are designed to save the user's time when he has to re-type the OTP by providing fast and error-free login mechanisms. The YubiKey shown in Figure 1 is an example of a USB authentication device. (Defender hardware tokens n.d.)
Figure 1 showing Yubikey
Source: https://www.yubico.com/products/yubikey-hardware/
A physical device can be a security token card or a key fob. A security token card is mainly used for two-factor authentication in Breeze mobile banking and online banking. It has features embedded within it that let it act as a debit, credit or ATM card, so it can be used at an ATM or to make payments easily with enhanced security. These cards use two methods to enable authentication: transaction signing and one-time passwords. The card is turned on and off with a button located on it, and an LED screen displays the OTP generated by the card. The transaction-signing feature has the user enter on the card the 3 or 4 digits displayed on the online banking page; after the correct 3 or 4 digits are entered, the card displays an OTP, which is entered on the online banking page to validate the user. Figure 2 shows an example of a security token card. (Security Token card online demo n.d.)
Figure 2: Transaction signing feature
Source: http://www.superadrianme.com/technology/standard-chartered-bank-first-to-launch-mastercards-display-card-in-singapore/
A key fob is another hardware security token that can authenticate a user to network services or a computer. It displays an OTP that changes periodically. Defender Go-6, RSA SecurID and Fortinet tokens are examples of hardware tokens on the market that generate a new random OTP every 30 or 60 seconds. (Rouse, Key fob definition n.d.)
The Nymi Band designed by Bionym is worn as a wristband and provides unique biometric authentication of a user by monitoring his heartbeat. The device works on algorithms that use the electrocardiogram (ECG) as an identity factor for recognition: it extracts information unique to a person from the pattern of the ECG waveform. It communicates securely with network resources over Bluetooth Low Energy (BLE). Myris, a similar device used by the company Eyecorp, uses the user's iris as a unique biometric credential for authentication. Many other devices use fingerprints as a means of user authentication. These authentications are typically based on something a user knows and something a user is. (Cooperband 2015)
In 2005 the National Bank of Abu Dhabi (NBAD) in the Middle East became the first bank to implement two-factor authentication with physical devices (RSA SecurID), issuing physical tokens to 19000 of its customers. In the same year, Bank of America also started to use these hardware tokens for its 14 million customers. The Commonwealth Bank of Australia, the Bank of Ireland and the Bank of Queensland were other international banks that adopted two-factor authentication with hardware tokens. The National Bank of Dubai (NBD) made it mandatory for every client to use the hardware token along with their PIN/password. (Fadi Aloul n.d.)
Software Tokens
A software token generates a unique PIN or a QR code to enable two-factor authentication. A QR (Quick Response) code provides ease of access, since a user's entry can be authenticated quickly: a QR code sent to the user's mobile phone is scanned at the verifier page, so the user need not type anything anywhere. (Cooperband 2015)
The main idea behind these tokens is to give users more convenience. Tokens are generated on devices that a user already possesses; smartphones, iPads, tablets and laptops are the most common devices used to generate soft tokens. Soft token apps installed on these devices readily provide two-factor authentication with enhanced security, and they correctly account for time zones even when a user is traveling. Many apps are designed for various smartphones to enable authentication. Soft tokens are available for Windows XP, Vista, Windows 7 and 8, Mac OS X, BlackBerry, iPhone, Android, Windows 7 and 8 mobile, and iOS Java. To provide still more ease of use, tokenless apps are also designed, where an SMS or text message, push notification, phone call or e-mail is sent to a registered device to confirm the user's verification. Authy, Google Authenticator and Duo Security are examples of soft token apps. (Sevilaja 2015)
Two-factor authentication using mobile phones
Though physical devices resolved the problem of password attacks, customers raised concerns about the cost of purchasing and managing multiple devices. The biggest problem is: what if the customer loses the device or someone steals it? As already discussed, soft tokens serve the purpose of 2FA with more user convenience, and using mobile phones for two-factor authentication is a much appreciated approach. Mobile phones have already advanced through infra-red, 3G, WLAN, Bluetooth and GSM connections and are today the most common means of communication. The mobile phone's micro browser is widely used for fund transfers and payment confirmations, and phones also receive account balance information through SMS. Installing third-party and vendor-specific applications extends these services further. Using mobile phones as tokens lowers the cost of distribution, maintenance and manufacturing. Depending on the user's choice and certain limitations, mobile phones can operate in two modes: the Connection-Less Authentication System (stand-alone approach) and the SMS-based Authentication System. Both approaches work with the system's server connected to a GSM modem and with client-side applications (such as J2ME). The three essential parts of this system are (1) a server connected to a GSM modem, (2) the server software and (3) an application installed on the client's mobile phone. (Fadi Aloul n.d.)
In the Connection-Less Authentication System, a program installed on the mobile phone generates the OTP locally from the phone's unique factors. The server holds all the same factors, so it can generate the same OTP and compare it with the password submitted by the client; the client and server need not be connected in this mode of operation. In the SMS-based Authentication System, the phone does not create any password locally but asks the server for an OTP with an SMS (encrypted with a 256-bit symmetric key) that is unique to the mobile phone. The server verifies the message (decrypting it with the same symmetric key) and sends an OTP to the mobile phone that is valid only for a certain amount of time. Both approaches are secure and easy to use, but the SMS-based approach is more expensive than the stand-alone approach, since both client and server pay telecommunication charges to exchange messages. (Fadi Aloul n.d.)
The unique factors that identify each mobile phone are the International Mobile Equipment Identity (IMEI), the International Mobile Subscriber Identity (IMSI) stored in the Subscriber Identity Module (SIM), the username, the PIN/password, and the OTP validity period, which can be a minute, an hour, a day or a year. All the unique factors are concatenated and hashed to 256 bits, and the hash is XORed with the PIN. The result is Base64-encoded, producing a 28-character message. The 28 characters are split into two halves, and the halves are XORed together repeatedly to produce an OTP of a length convenient to the user. (Fadi Aloul n.d.)
To implement either approach, a database is needed that stores the essential details of the client's mobile phone: the PIN, username, IMEI, mobile number, IMSI and the unique symmetric key. The program installed on the client side has a convenient GUI for the user, and the server has a database and is connected to the GSM modem for any exchange of messages. The server's application is multithreaded: it initializes the database and GSM connections, accepts client requests, verifies the client's identity, and generates an OTP (SMS-based approach) or verifies the OTP (stand-alone approach). (Fadi Aloul n.d.)
For example, the client can be written as a J2ME program so that it runs on any mobile phone that supports J2ME. When installed as an application on the mobile phone, this program either generates the OTP from the phone's unique factors such as the IMSI and IMEI numbers, or sends the server an SMS asking it to generate and send the OTP; the user chooses between the two options. To make the whole process work, the user must first provide his credentials, the username and the PIN, and is then prompted to select an option. If the user selects the stand-alone (connection-less) method, an OTP is generated locally from the user's username and PIN; this OTP is discarded after a certain amount of time. The server, which stores the user's username and PIN, generates the same OTP. When the user selects the SMS-based method, the OTP algorithm takes the username, PIN and the mobile phone's unique identity factors, encrypts them with a 256-bit symmetric key and sends them to the server as an SMS. The 256-bit symmetric key is stored on both the client and the server and is pre-defined at registration time. The client registers in person at the organization, and his mobile phone's unique identification factors (IMEI, SIM, IMSI (mobile number)), username and PIN are stored in the database (password file). (Fadi Aloul n.d.)
The server recognizes the user by decrypting the SMS with the same 256-bit symmetric key. The server connected to the GSM modem extracts the message and compares all the identity factors with the credentials stored in the database. This database stores hashes of all the temporary passwords, so that even if it is compromised, the hacker cannot decrypt and obtain the passwords. After validation, the server generates and sends the OTP to the user's mobile phone. The server program is designed as a multithreaded process to reduce the burden: the first thread initializes the SMS modem and the database to handle client requests on the modem; the second thread reads the message sent by the client, generates an OTP and transfers it to the client; the third thread compares the OTP obtained in the connection-less approach. To use the SMS option, the J2ME program installed on the client's mobile phone is configured to connect to the GSM modem. Encryption with the 256-bit symmetric key can prevent attacks like sniffing and brute force. The server's application works efficiently: it accepts a client's request message, identifies the client, and generates and sends the OTP within seconds. (Fadi Aloul n.d.)
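The OTP derivation given above under the unique factors (concatenate, hash to 256 bits, XOR with the PIN, Base64-encode, fold the halves with XOR) and the stand-alone client/server flow just described, as an added example; this is not the paper's or Aloul et al.'s code. The '|' separator, the decimal digit mapping, the one-window clock tolerance and the sample IMEI/IMSI values are assumptions.

```python
"""Stand-alone (connection-less) OTP: handset and server derive the same code
from a shared record and the clock, so nothing is sent over SMS."""
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PhoneRecord:
    """What both the handset and the server's password file hold after
    in-person registration (constructed sample values, not real identifiers)."""
    username: str
    pin: str
    imei: str
    imsi: str
    validity_seconds: int = 60  # OTP validity period: one minute here


def fold_xor(data: bytes, target_len: int) -> bytes:
    """Repeatedly XOR the two halves of `data` until it is short enough.
    An odd-length input has its shorter right half zero-padded.  Folding
    stops before the result would drop below target_len bytes."""
    folded = data
    while len(folded) >= 2 * target_len:
        half = (len(folded) + 1) // 2
        left, right = folded[:half], folded[half:].ljust(half, b"\0")
        folded = bytes(a ^ b for a, b in zip(left, right))
    return folded


def derive_otp(rec: PhoneRecord, now: float, digits: int = 6, offset: int = 0) -> str:
    """Run identically on client and server.  `offset` shifts the validity
    window (the server uses -1 to accept the previous window)."""
    window = int(now // rec.validity_seconds) + offset
    # 1. Concatenate the unique factors (separator is an assumption).
    material = "|".join([rec.imei, rec.imsi, rec.username, rec.pin, str(window)]).encode()
    # 2. Hash to 256 bits.
    digest = hashlib.sha256(material).digest()
    # 3. XOR the hash with the PIN (PIN bytes repeated to cover all 32 bytes).
    pin = rec.pin.encode()
    mixed = bytes(b ^ pin[i % len(pin)] for i, b in enumerate(digest))
    # 4. Base64-encode.  32 bytes give 44 characters; the 28 characters quoted
    #    in the text correspond to a 20-byte digest.
    encoded = base64.b64encode(mixed)
    # 5. Fold the halves with XOR, then map to a fixed number of decimal digits
    #    (the mapping is an assumption; the text only says "convenient length").
    folded = fold_xor(encoded, digits)
    code = int.from_bytes(folded, "big") % (10 ** digits)
    return f"{code:0{digits}d}"


def server_verify(rec: PhoneRecord, submitted: str, now: float) -> bool:
    """Accept the OTP of the current window, or of the previous one to
    tolerate a handset clock slightly behind the server (an assumption)."""
    return any(submitted == derive_otp(rec, now, offset=o) for o in (0, -1))
```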
Multi-factor Authentication
Multi-factor authentication is the combination of at least two independent identity factors. Its ultimate goal is layered security that makes it harder for an attacker to access the resource: if the attacker compromises one identity factor, he still has to break two or more identity factors to gain access to the resource. Multi-factor authentication is also driven by regulation, such as the Federal Financial Institutions Examination Council (FFIEC) directive calling for Internet banking transactions in the United States to be processed using multi-factor authentication. (Rouse, multifactor authentication (MFA) definition n.d.)
Single-factor authentication is definitely not an advisable mechanism for user authentication. Two-factor authentication is a strong mechanism, but it is not always the right method in every area, because of the few disadvantages it has. Using multiple factors to authenticate a user increases security, since it is very unlikely that an attacker obtains all the identity factors; every additional factor adds an extra layer of security. Apart from the three identity factors discussed so far, additional identity factors include somebody the user knows, the user's location and the time of the login. The reliability of authentication depends not only on the number of factors but also on how they are implemented: the choices made for the authentication rules in each category strongly affect security.
Disadvantages of Two-factor authentication
Many international banks provide two-factor authentication by issuing hardware tokens to customers. Using hardware tokens involves, among other things, token production, token distribution, registration of customers, authentication of users and tokens, and revocation of users and tokens. Organizations have to invest a lot of money to purchase and install them, must train their employees and customers in how to use them, and face very high costs for maintaining and replacing tokens that are lost or damaged. At the outset, some banks made it compulsory for every customer to use a token for each of his bank accounts, which means customers must purchase multiple tokens for multiple accounts; this is inconvenient and too expensive. (Fadi Aloul n.d.)
It is true that two-factor authentication is a savior against some passive threats: offline password guessing and eavesdropping. But the nature of attacks has unfortunately shifted to more active attacks: phishing, malware and so on. Imagine a man-in-the-middle attack in which an attacker creates a fake bank website and uses social engineering techniques to make the user believe he is using the real bank website. The user never knows that he is entering his credentials into a fake website; the attacker happily makes fraudulent transactions and may also disconnect the user. Or an attacker installs a Trojan on the user's computer and piggybacks on the session to make fraudulent transactions when the user logs into the bank's website. In both cases (the man-in-the-middle attack and the Trojan attack), two-factor authentication does not resolve the problem. In the fake-website case, the attacker does not need to possess the second factor, yet easily performs transactions as the legitimate user. In the Trojan attack, the attacker relies entirely on the user to access the account. The whole purpose of preventing fraud by impersonation is defeated by the nature of the attack. (Schneier n.d.)
Now assume the second approach to two-factor authentication with mobile phones, where the banking website relies on an SMS to identify the user. In the man-in-the-middle attack, the intruder need not worry about the SMS verification, since the user innocently takes care of providing the unique identity details; and in the Trojan attack, the user is in any case helping the attacker to log in. Two-factor authentication does provide enough protection within a few corporate networks and for local log-in, but it is a doubtful savior for remote authentication over the Internet. Many organizations and banks invest a lot of money in tokens to reduce the occurrence of fraud. Initially the idea seems effective, since intruders focus on easy targets, but fraud may increase significantly as attackers gain expertise. (Schneier n.d.)
Advantages of Multi-factor Authentication
A layered security approach can enhance security. Three-factor authentication adds an inherence factor to the two 2FA elements. It is mainly used by government agencies and businesses that require highly enhanced security. Inherence factors include voice recognition, facial recognition, finger vein scans, fingerprint scans, iris scans, retina scans, earlobe geometry and hand geometry. For example, when a user logs in with his username and password, he must also possess an ID card, and his fingerprints must match the records stored in the database. (Matthew n.d.)
Four-factor authentication, in addition to knowing a password, possessing a card and matching inherence factors, uses a mutual acquaintance of the user, someone the user knows, as a fourth factor. Human support for authenticating a user is already used in computer security in various roles noted in the scientific literature: reputation networks, peer-level certification, privilege delegation and helpdesk assistance. This provides an emergency identity factor for user authentication in the absence of a password or token. (Brainard, et al. n.d.)
Five-factor authentication uses the three factors of 3FA plus location and time as the fourth and fifth factors to provide strong authentication. A user is granted access only when all five factors are verified: the password, the OTP, his biometric credential, and his location within the allowed time. A smartphone with GPS eases the burden of tracing the login location; the MAC address at the login location is another means of identifying the user's location. The presence of the user at the time of login and the time at which the user logs in are also used as identity factors. These factors provide additional security for the simple reason that it is impossible for a user to use his ATM card in China and then in India within a few hours of the same day.
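The location-and-time check the text describes, as an added example that is not from the paper: consecutive logins on one account are compared, and a pair is flagged when the distance between them could not have been covered at a plausible speed in the time elapsed. The coordinates, timestamps and the speed limit are constructed assumptions.

```python
"""Impossible-travel check over a constructed list of logins for one account."""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Login:
    username: str
    ts: float   # Unix time of the login attempt
    lat: float  # latitude in degrees (from GPS or a geolocated address)
    lon: float  # longitude in degrees


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on the Earth's surface."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def travel_plausible(prev: Login, cur: Login, max_speed_kmh: float = 1000.0) -> bool:
    """True when `cur` could follow `prev` without exceeding max_speed_kmh
    (assumed to be roughly airliner speed, so a genuine flight still passes)."""
    hours = (cur.ts - prev.ts) / 3600.0
    if hours < 0:
        raise ValueError("logins must be in chronological order")
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    # Allow a small distance at zero elapsed time (same site, clock jitter).
    return distance <= max_speed_kmh * hours + 1.0


def flag_impossible_travel(logins: List[Login],
                           max_speed_kmh: float = 1000.0) -> List[Tuple[Login, Login]]:
    """Sort each user's logins by time and return the consecutive pairs that
    fail the check; a deployment would step up authentication for those."""
    flagged: List[Tuple[Login, Login]] = []
    last_seen: Dict[str, Login] = {}
    for login in sorted(logins, key=lambda l: (l.username, l.ts)):
        prev = last_seen.get(login.username)
        if prev is not None and not travel_plausible(prev, login, max_speed_kmh):
            flagged.append((prev, login))
        last_seen[login.username] = login
    return flagged


# Constructed sample: Shanghai, then Mumbai two hours later (about 5000 km),
# then Mumbai again one day later.
SAMPLE_LOGINS = [
    Login("alice", 1_700_000_000.0, 31.23, 121.47),
    Login("alice", 1_700_007_200.0, 19.08, 72.88),
    Login("alice", 1_700_093_600.0, 19.08, 72.88),
]
```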
Conclusion
Users need not carry the burden of many authentication functions. If the second factor, 'something the user has', does not resist active attacks, the best solution is to modify or replace the second factor rather than implement complicated multi-factor authentication. This can be done in two ways: one uses the mobile phone, but in a different way from current OTP usage; the other replaces the identity factor 'something the user has' with 'something the user is'.
In the first approach, the user's mobile phone receives an authentication request as an alert message, which the user can accept or reject. This is secure only as long as the mobile phone is with the valid user who accepts or rejects the notification, so it is less secure and less convenient. However, a user can make it more secure by protecting the mobile phone itself with a lock pattern, PIN or passcode, so that an attacker who steals the phone cannot learn the unlock pattern to access any app. Mobile phones now have all the apps available; it is up to the user to choose an app wisely by checking the reviews and the designer of the app before downloading it. (Cooperband 2015)
The second approach uses a biometric device worn by the user. The device itself makes requests to nearby resources and authenticates the user easily. It validates the authorized user only while he wears the device and does not identify the user when he is not wearing it. This is the most secure and most convenient method: even if an attacker wears the biometric device, he can never be validated as the authorized user, since the device is uniquely tied to the user's unique inherence factors. (Cooperband 2015)
Two-factor authentication is not yet implemented globally by all users and enterprises because of a lack of awareness of its benefits. Each enterprise should explain to its employees and other users its importance in ensuring strong security. It is recommended that all organizations and users implement two-factor authentication in the two approaches above to attain high security.
References
Brainard, John, Ari Juels, Ronald L. Rivest, Michael Szydlo, and Moti Yung. Fourth-Factor Authentication: Somebody You Know. n.d.
Cooperband, Jared. "Two-factor Authentication." 2015.
M’Raihi, D., S. Machani, M. Pei, and J. Rydell. Time-Based One-Time Password Algorithm. 2011.
Defender hardware tokens. n.d. http://software.dell.com/products/defender/hardwaretokens.aspx (accessed November 14, 2015).
Fadi Aloul, Syed Zahidi, and Wassim El-Hajj. Two Factor Authentication Using Mobile Phones. n.d.
Hoyer, P. Portable Symmetric Key Container (PSKC). 2010.
M’Raihi, D., M. Bellare, F. Hoornaert, D. Naccache, and O. Ranen. HOTP: An HMAC-Based One-Time Password Algorithm. 2005.
Matt, Rubin. "The Unreliability of MD5-based OTPs." 2013.
Matthew, Haughn. three-factor authentication (3FA) definition. n.d. http://searchsecurity.techtarget.com/definition/three-factor-authentication-3FA (accessed December 3, 2015).
Haller, N. The S/KEY One-Time Password System. 1995.
Haller, N., C. Metz, P. Nesser, and M. Straw. A One-Time Password System. 1998.
Rouse, Margaret. Single-factor authentication (SFA) definition. n.d. http://searchsecurity.techtarget.com/definition/single-factor-authentication-SFA (accessed October 23, 2015).
—. "Authentication Definition." n.d. http://searchsecurity.techtarget.com/definition/authentication (accessed October 10, 2015).
—. "Key fob definition." n.d. http://searchsecurity.techtarget.com/definition/key-fob (accessed November 15, 2015).
—. multifactor authentication (MFA) definition. n.d. http://searchsecurity.techtarget.com/definition/multifactor-authentication-MFA (accessed December 2, 2015).
—. "Security Token." n.d. http://searchsecurity.techtarget.com/definition/security-token (accessed October 23, 2015).
Schneier, Bruce. Two-Factor Authentication: Too Little, Too Late. n.d.
Security Token card online demo. n.d. https://www.sc.com/sg/ways-to-bank/token-card-demo/main.html#/getting_started/intro (accessed November 14, 2015).
Sevilaja, Chris. The Ins and Outs of Token based authentication. 2015.
Shinder, Deb. Understanding and selecting authentication methods. n.d. http://www.techrepublic.com/article/understanding-and-selecting-authentication-method (accessed October 24, 2015).
Strom, David. "CA Strong Authentication | Multifactor authentication product overview." n.d. http://searchsecurity.techtarget.com/feature/Multifactor-authentication-products-CA-Strong-Authentication (accessed November 11, 2015).