A Reliable 3-Factor Authentication for Secured User Logins
Sheena Mohammed1*, Madhuri Dachepally1, A Annapurna1
1Assistant Professor, Computer Science and Engineering, Vardhaman College of Engineering, Shamshabad-501218
*Corresponding Author Email: sheenamd786@gmail.com, madhuri.dachepally@gmail.com, poorna.1201@gmail.com
ABSTRACT:
Today's world is all about protecting the data, information, privacy and presence of an individual, and in the mobile and Internet environment authentication plays a pivotal role. Although many levels of password protection exist, users still face problems such as password cracking and shoulder surfing. Many algorithms have been proposed to overcome these problems, yet the rate of credential theft keeps increasing. The classical remedy is the one-time password (OTP), which protects against attacks such as shoulder surfing and replay. Several OTP generation algorithms exist; for example, hash-chain algorithms derive each OTP from the previous one, so their security rests entirely on the one-wayness of the function that links them. The key requirement is to improve security without sacrificing the user's convenience. The proposed system is a dynamic 3-factor authentication scheme based on a classical password, a Pass Pattern and an OTP, and it can be used in many day-to-day applications.
KEYWORDS: Pattern matrix, Pass Pattern, OTP, TOTP, Brute force attack, Dictionary attack, Key logging, Shoulder surfing.
INTRODUCTION:
Online applications with single-factor authentication have advantages as well as disadvantages. Static passwords are easy for many users to remember, but some still find them hard to recall and write them down somewhere, which exposes them to replay attacks, shoulder surfing and phishing. To strengthen the static password, multi-level authentication is used: one-time passwords, biometrics, hardware tokens and session passwords [1] [2].
Single-factor password authentication is also vulnerable to social engineering, such as someone simply asking for the password, and to password guessing. To overcome these disadvantages the One Time Password (OTP) was introduced. An OTP is a password that is valid for only one login or transaction within a stipulated time; the user logs in by entering the static password together with the OTP.
In the proposed system, once a username and password have been created, the web server displays an NxN matrix of cells known as the Pattern Matrix. The user draws a pattern of his/her choice on it and confirms it, and the pattern is stored at the server. At login the user provides the username and password, after which the web server asks for the pattern. The server validates the drawn pattern and only then sends an OTP to the user's registered mobile number. Finally, the received OTP must be entered to log on to the system.
Fig 1: Flow of OTP generation
RELATED WORK:
1. Static Password:
This is the most widely used authentication method. The benefit of static passwords [3] is that they are easy to remember, but when a user deals with many systems, each holding a different password, remembering them all becomes difficult and users start writing them down, which is highly vulnerable. A further disadvantage is that static passwords are weak to crack, since most users choose something close to memory, such as birthdays, partner names, children's names or pet names, which are mostly plain numbers or letters. They are also exposed to social engineering (someone asking for or guessing the password) and can be captured by spyware.
The usual mitigation is to change passwords regularly. The disadvantage of frequent changes is that the new passwords are easily forgotten, which leads to very high support and administration costs.
2. Pass Pattern System (PPS):
PPS is a challenge-response system based on the premise that humans are better at identifying, remembering and recalling graphical patterns than textual ones [4].
The idea behind PPS is that instead of remembering a sequence of characters, the user remembers a shape, which is stored as a sequence of cell positions in hashed form. When the user wants to log in, the system displays an NxN matrix of cells called the "Pattern Matrix". Every cell of the square is an image representing a number, a letter or a special character. The square acts as the server's challenge to the user, since the contents of the cells may be rearranged in any direction from one challenge to the next. At registration the user chooses a sequence of cells (i.e., positions), as shown in Fig 2, and that sequence of positions becomes the user's "Pass Pattern". It remains a secret between the user and the corresponding system. The advantage of this system is that the user has to remember only one shape, and that shape is the only secret [5].
Fig 2: Pass Pattern System (PPS)
3. One Time Password (OTP):
An OTP is a password valid for only a single transaction or a single login session on a digital device or computer. This method avoids many of the issues associated with static password authentication. OTPs are not vulnerable to replay attacks: a person who records an OTP that has already been used to log on to a machine or to make a transaction cannot reuse it, because it is no longer valid. A further advantage is that an OTP captured on one machine does not open the other systems the way a reused static password would [6].
All OTP generation algorithms rely heavily on randomness or pseudo-randomness, which makes the next value hard to predict. Hash functions are also used to derive the value; a one-way hash cannot be easily inverted, so an observer of previous OTPs cannot compute the next one. Without such a one-way step, an OTP scheme would be easy to break by observing the history of OTPs received.
There are different methods of generating an OTP.
1. Time Synchronized: This method guarantees the uniqueness of the one-time password. It is generally tied to a piece of hardware called a security token: each user is issued a personal token that generates the OTP. An accurate clock inside the token is kept in sync with the OTP authentication server, and the current time is the main input to the password algorithm, so a new password is produced for every time step. Typically a window of ±1 step is accepted, meaning the authentication server accepts the previous, the current and the next password in the sequence. This tolerates a small drift between the clock of the authentication server and that of the token card [7].
2. Mathematical Algorithms: There are two ways of generating an OTP with mathematical algorithms.
i) In the first method the OTPs are derived from one another. The classic example, credited to Leslie Lamport, uses a one-way function f. Starting from a secret initial seed s, the chain f(s), f(f(s)), f(f(f(s))), ... is computed up to f^n(s). The server stores only f^n(s) and the passwords are used in reverse order: the first login presents f^(n-1)(s), which the server accepts if applying f to it yields the stored value, after which it stores the presented value in place of the old one. Because f is one-way, an eavesdropper who captures a used password cannot derive the next one. A chain of length n yields n-1 logins, after which a fresh seed must be registered [8].
ii) In the second method, seen in virtual (software) token systems, the user runs the token software and is asked for a secret PIN. After the PIN is entered correctly, the virtual token program generates a unique OTP, which the user enters together with his/her network ID. The OTP generated can be used for one session or for a single login.
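Lamport's hash chain from method i), as an added worked example in Python (the editor's illustration, not code from the paper or from Lamport's article). It assumes SHA-256 as the one-way function f, since the paper does not fix one; the names make_chain, LamportServer and run_chain are the example's own. The server keeps only the top of the chain and ratchets it downward on every accepted login, so a captured or replayed value is rejected.

```python
import hashlib
import hmac
import secrets


def f(x: bytes) -> bytes:
    # One-way function f. SHA-256 is an assumption; the scheme works with any one-way function.
    return hashlib.sha256(x).digest()


def make_chain(seed: bytes, n: int) -> list:
    # Client side: compute [f(s), f(f(s)), ..., f^n(s)] from the secret seed s.
    chain, x = [], seed
    for _ in range(n):
        x = f(x)
        chain.append(x)
    return chain


class LamportServer:
    # Server side: stores only f^n(s) and the number of logins still available.
    def __init__(self, top: bytes, n: int):
        self.current = top          # f^n(s) at registration
        self.remaining = n - 1      # f^(n-1)(s) ... f(s) are the usable passwords

    def verify(self, otp: bytes) -> bool:
        # Accept otp iff f(otp) equals the stored value, then ratchet so it cannot be replayed.
        if self.remaining <= 0:
            return False            # chain exhausted: a new seed must be registered
        if not hmac.compare_digest(f(otp), self.current):
            return False
        self.current = otp
        self.remaining -= 1
        return True


def run_chain(n: int = 5):
    # Walk one chain end to end: n-1 logins in reverse order, then a replay of a used value.
    seed = secrets.token_bytes(32)
    chain = make_chain(seed, n)
    server = LamportServer(chain[-1], n)
    accepted = [server.verify(chain[i]) for i in range(n - 2, -1, -1)]
    replayed = server.verify(chain[n - 2])   # already consumed at the first login
    return accepted, replayed
```

Out-of-order values are rejected too: presenting f(s) while the server still holds f^3(s) fails, because f(f(s)) = f^2(s) is not the stored value, so a client cannot skip ahead and an attacker cannot burn the chain with stale values.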
3-Factor Authentication for Secured User Logins:
In this paper we discuss a three-step procedure that results in a secured login. At registration the user chooses a static password, as usual, and also draws a pattern of his/her choice on the pattern matrix provided (much like the unlock pattern on a smartphone). The pattern matrix is composed of a number of cells arranged as a matrix. Each cell corresponds to a character, which can be a digit, a letter or one of a few selected special characters supported by almost all mobile phones, since the proposed system sends the OTP to a mobile device [9].
When the user confirms the pass pattern, the cell indices and the connections between them are stored at the server. Whenever the user wishes to log in, the pattern matrix is shown again, but the characters assigned to the cells are rearranged. When the user draws the pattern, the server compares it with the stored pass pattern and, if it matches, generates the OTP from the characters of the cells on the pattern. These characters are treated as the token (secret word). The OTP is generated with the TOTP (Time-based One-Time Password) algorithm, which takes the token and the time at which the pass pattern was sent to the server. TOTP is used because the resulting passwords change continuously and are valid only for a short window of time.
1. User Registration:
The user must register with the server before performing any transaction or accessing its services. During registration the user provides details such as name, address, mobile number and other related information. The mobile number is then verified, since the user will receive the OTP on it; if the number is not valid, the user is asked to check the details and try again. After successful verification of the mobile number the user is asked to draw a pattern of his/her choice on the pattern matrix and confirm it. The pattern confirmed at this stage is final and the user must remember it for future use. The pass pattern is saved at the server. If the user forgets the pass pattern, it can be recovered by answering the security questions supplied with the user details at registration; this makes the second factor only as strong as those questions, so they should be ones an attacker cannot look up or guess.
Fig 3: Flow chart of User Registration
2. User login:
Whenever the user wishes to log in, he/she enters the user id and password created at registration. If they are valid, the user is prompted to draw the pass pattern. If the drawn pattern matches the pattern held at the server, an OTP is generated and sent to the user's registered mobile number. The generated OTP is valid only for a particular time frame and for a single login session.
Drawing a wrong pattern or entering a wrong OTP prompts the user to repeat the steps. After three unsuccessful attempts the server sends a warning that the login attempts for the day have been used up and the user can retry only after 24 hours (i.e., one day). Since the lock is keyed to the account, anyone who knows a user id can lock that user out by failing three times on purpose, so a deployment should log such events and provide an out-of-band unlock path.
Fig 4: Flow chart of User Login
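The registration and login steps above, together with the derivation of the TOTP secret from the pass-pattern cells described in the section before them, as one added worked example in Python (the editor's illustration, not the paper's implementation). Assumptions, since the paper does not fix them: HMAC-SHA1, 30 s steps and 6 digits per RFC 4226 / RFC 6238; a keypad-safe character set ALPHABET; a salted hash of the cell sequence as the stored pattern (the paper stores the indices directly, and this example does not model the connections between cells); PBKDF2 for the stored password; and a sent_sms list standing in for the SMS gateway. The names Server, Account, step1_password, step2_pattern and step3_otp are the example's own.

```python
import hashlib
import hmac
import random
import string
import struct

ALPHABET = string.digits + string.ascii_uppercase + "#*@"   # assumed keypad-safe cell characters
STEP, DIGITS = 30, 6                  # RFC 6238 defaults: 30 s step, 6-digit OTP (assumed)
MAX_FAILURES, LOCKOUT = 3, 24 * 3600  # the paper's three attempts and 24 h lockout

def shuffled_matrix(n, rng):
    # Fresh N x N matrix for each challenge: cell positions stay fixed, the characters move.
    assert n * n <= len(ALPHABET)
    cells = rng.sample(list(ALPHABET), n * n)
    return [cells[i * n:(i + 1) * n] for i in range(n)]

def token_from_pattern(matrix, pattern):
    # The characters under the drawn cells form this login's TOTP secret (the paper's "token").
    return "".join(matrix[r][c] for r, c in pattern).encode()

def hotp(key, counter, digits=DIGITS):
    # RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, decimal digits.
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key, t):
    # RFC 6238: HOTP with the time-step counter floor(t / STEP).
    return hotp(key, int(t) // STEP)

def verify_totp(key, code, t, window=1):
    # Accept the previous, current and next step: the +/-1 window of time-synchronized tokens.
    base = int(t) // STEP
    return any(hmac.compare_digest(hotp(key, base + d), code) for d in range(-window, window + 1))

def pattern_digest(salt, pattern):
    # The server keeps a salted hash of the cell sequence rather than the sequence itself.
    return hashlib.sha256(salt + repr([tuple(p) for p in pattern]).encode()).digest()

def new_salt(rng):
    return rng.getrandbits(128).to_bytes(16, "big")

class Account:
    def __init__(self, password, pattern, mobile, rng):
        self.mobile = mobile
        self.pw_salt, self.pat_salt = new_salt(rng), new_salt(rng)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.pw_salt, 100_000)
        self.pat_hash = pattern_digest(self.pat_salt, pattern)
        self.failures, self.locked_until = 0, 0.0
        self.challenge = None   # matrix issued after step 1
        self.pending = None     # TOTP key issued after step 2; cleared after one step-3 attempt

class Server:
    def __init__(self, n=5, seed=None):
        # A fixed seed gives a reproducible run; production code uses SystemRandom.
        self.n = n
        self.rng = random.Random(seed) if seed is not None else random.SystemRandom()
        self.accounts = {}
        self.sent_sms = []      # stands in for the SMS gateway so the example runs offline

    def _fail(self, acct, now):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures, acct.locked_until = 0, now + LOCKOUT
        return False

    def step1_password(self, user_id, password, now):
        acct = self.accounts.get(user_id)
        if acct is None or now < acct.locked_until:
            return False
        h = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.pw_salt, 100_000)
        if not hmac.compare_digest(h, acct.pw_hash):
            return self._fail(acct, now)
        acct.challenge = shuffled_matrix(self.n, self.rng)
        return True

    def step2_pattern(self, user_id, drawn, now):
        acct = self.accounts[user_id]
        if now < acct.locked_until or acct.challenge is None:
            return False
        if not hmac.compare_digest(pattern_digest(acct.pat_salt, drawn), acct.pat_hash):
            return self._fail(acct, now)
        acct.pending = token_from_pattern(acct.challenge, drawn)
        self.sent_sms.append((acct.mobile, totp(acct.pending, now)))  # OTP bound to submission time
        return True

    def step3_otp(self, user_id, code, now):
        acct = self.accounts[user_id]
        if now < acct.locked_until or acct.pending is None:
            return False
        key, acct.pending, acct.challenge = acct.pending, None, None  # single use, whatever the outcome
        if not verify_totp(key, code, now):
            return self._fail(acct, now)
        acct.failures = 0
        return True
```

Two design points worth noting. The OTP is generated from the time the pattern was submitted but verified against the server's current time with the ±1 window, so it expires roughly 30 to 60 s later rather than staying valid forever; and the pending key is cleared on the first step-3 attempt, right or wrong, so a second submission of the same code is refused and the user has to redraw the pattern, which is what makes the OTP single-use rather than merely short-lived.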
DESIGN ISSUES IN 3-FACTOR AUTHENTICATION:
The strength of the proposed system can be adapted to various applications. It can be raised by increasing the size of the pattern matrix: the bigger the matrix, the greater the security. An N x N matrix has N^2 cells, so the number of possible patterns of k distinct cells is N^2 (N^2 - 1) ... (N^2 - k + 1) when adjacency is not restricted, which grows rapidly with N. Thus, as the size of the pattern matrix increases, so do the possible patterns and with them the security. The strength can be enhanced further by changing the characters assigned to each cell of the matrix on every challenge.
SECURITY STRENGTHS OF 3-FACTOR AUTHENTICATION:
Attacks such as brute force, dictionary attacks, key logging, shoulder surfing and man-in-the-middle attacks are possible against an authentication system [10].
1. Brute force attack: In a classical password-based system the user sends a user id and secret password, which are compared with the user id and password saved at the server, so an attacker can keep guessing the password. In our system a guessed password only leads to the pattern challenge and then to an OTP that is sent out of band and valid for one session, and the attempt limit stops the guessing after three failures; this challenge-response structure makes the system more resistant to brute force than password-only authentication.
2. Dictionary attack: This is one of the most common attacks on password-based systems. In our system commonly drawn shapes and sequences could serve as dictionary candidates. However, the pattern matrix changes randomly at every login and the OTP is required in addition, so this attack is overcome as well.
3. Key logging: A key logger is a program that captures the user's keystrokes and sends them to the attacker. Even if the attacker learns the password and the drawn pattern, he cannot log in, because the OTP is delivered to the user's registered mobile number and is valid for one session only.
4. Shoulder surfing: Shoulder surfing is looking over someone's shoulder while they enter a password or PIN, and it is easy against a classical password system. With three factors, even if the password, the pattern and the OTP are all observed, the attacker cannot reuse them, because the OTP is valid for only one login session.
FEATURE ENHANCEMENT:
The strength can be enhanced further by increasing the size of the pattern matrix and by changing the characters in it. Open problems remain: what if the mobile network signal is weak? What is the best size for the pattern matrix? How do users behave when choosing a pattern? These can be addressed in future work.
CONCLUSION:
In this paper we presented a new 3-factor authentication scheme that can be a potential replacement for the classical password system. The strength of the system lies in generating the OTP only after the pass pattern has been drawn. Since the procedure has three steps, even an attacker who knows the password and the pass pattern cannot log on without holding the user's mobile. The mechanism provides security in a reliable manner and greatly reduces the impact of the attacks discussed above.
REFERENCES:
[1] M. Sandirigama, A. Shimizu and M. T. Noda, "Simple and Secure Password Authentication Protocol (SAS)", IEICE Trans. Commun., Vol. E83-B, No. 6, pp. 1363-1365, June 2000.
[2] Strong passwords: How to create and use them, http://www.microsoft.com/protect/youself/password/create.mspx
[3] Password-Based Authentication: A System Perspective, 37th Annual Hawaii International Conference on System Sciences (HICSS'04), Track 7, Vol. 7, p. 70170.2, IEEE Computer Society, Washington, DC, USA.
[4] R. N. Shepard, "Recognition memory for words, sentences and pictures", Journal of Verbal Learning and Verbal Behavior, Vol. 6, pp. 153-163, 1967.
[5] T. Rakesh Kumar and S. V. Raghavan, "Pass Pattern System (PPS): A Pattern-Based User Authentication", in A. Das et al. (Eds.), Networking 2008, LNCS 4982, pp. 162-169, 2008.
[6] Dan Griffin, "Safer Authentication with a One-Time Password Solution", https://msdn.microsoft.com/en-us/magazine/cc507635.aspx
[7] CCNP Security SISAS 300-208 by Aaron Wol and Kevin Redmon.
[8] L. Lamport, "Password authentication with insecure communication", Commun. ACM, Vol. 24, No. 11, pp. 770-772, Nov. 1981.
[9] Arpit Agrawal et al., "Smart Authentication for Smart Phones", (IJCSIT) International Journal of Computer Science and Information Technologies, Vol. 5 (4), pp. 4839-4843, 2014.
[10] Mudassar Raza, Muhammad Iqbal, Muhammad Sharif and Waqas Haider, "A Survey of Password Attacks and Comparative Analysis on Methods for Secure Authentication", World Applied Sciences Journal, 19 (4): 439-444, 2012.
Received on 24.04.2015 Accepted on 20.06.2015
©A&V Publications all right reserved
Research J. Engineering and Tech. 6(4): Oct. - Dec., 2015, pages 408-412
DOI: 10.5958/2321-581X.2015.00063.X