Secure and Inclusive Authentication with a Talking Mobile One-Time-Password Client

Fuglerud, Kristin Skeide; Dale, Øystein

doi:10.1109/msp.2010.204

Cited by 18 publications

(18 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Authentication schemes need to be designed for inclusivity, both to be nondiscriminatory and to benefit businesses financially (Fuglerud & Dale, 2011). When users are frustrated or blocked when authenticating, companies lose their business.…”

Section: Human-centered Authentication Design Guidelines 1 Design Tomentioning

confidence: 99%

Human-centered authentication guidelines

Still

Cain

Schuster

2017

ICS

View full text Add to dashboard Cite

Much valuable and sensitive data (e.g., health, intellectual property, and banking information) is accessible digitally. For example, we no longer have to go to a physical bank to transfer money or to cash a check. We simply download an application or go to a website. However, this level of convenience comes at a cost. Hackers from around the world are now able to access our accounts remotely. Therefore, it is essential that systems housing valuable data be able to correctly verify users' identities. The authentication process attempts to validate a user's identity. Usually, this is achieved by asking for a username and a password known only to one user. Thus, attackers work to reveal passwords through a variety of methods, including social engineering, brute force guessing, shoulder surfing, key logging, interception, and searching physical and virtual space near the target (GCHQ & CPNI, 2015). Most of the research efforts have focused on developing stronger technical defenses against these attack methods. However, users are a critical part of the security loop, so designing an authentication system that encourages appropriate behavior increases the defensive strength of the system. Users are instructed to use "strong passwords", because they are more difficult for hackers to determine. Some basic guidelines for creating strong passwords include keeping the password private and secure (do not share it or write it down), avoiding the use of common words, using longer and more complex passwords (e.g., by including numbers and symbols), using different passwords for each account, and changing passwords following suspect activity. Following these "simple" guidelines demands an increased cognitive load. According to Grawemeyer and Johnson (2011), end-users reuse, share, and write down passwords in order to overcome an effortful authentication experience. In other words, end-users are aware of many of the best practice guidelines; unfortunately, these guidelines are not usable ones. Also, some of the best practices are not necessary, if others are followed. For instance, if one takes the time to develop and remember a strong password, changing it often is not necessary. There are many usability issues associated with conventional alphanumeric authentication. Users are forced to remember a significant number of complex passwords, which are always changing. Not only are users irritated by complex and changing passwords, but their password selection also becomes less secure as they are asked to remember more of them. For example, as the number of passwords increase, users are more likely to reuse the same password or some part of an already existing password. In one study, up to 50% of passwords were reused, and some were reused up to four times by the same user (Grawemeyer & Johnson, 2011). Also, when users do comply and use a unique password, they are nearly 18 times more likely to write down the password than if they had used a more familiar password (Grawemeyer & Johnson,

show abstract

Section: Human-centered Authentication Design Guidelines 1 Design Tomentioning

confidence: 99%

Human-centered authentication guidelines

Still

Cain

Schuster

2017

ICS

View full text Add to dashboard Cite

show abstract

“…After presentation, each factor must be validated by the other party for authentication to occur [2].…”

Section: Imentioning

confidence: 99%

Securing ATM with OTP and Biometric

Hamid¹

2015

IJRITCC

View full text Add to dashboard Cite

Abstract:-In today's world, money can be required at anytime or anywhere such as shopping, travelling or health emergencies etc. The need of money can only be satisfied when you are carrying money with you. That also increases the risk of getting robed. Bank is a safest place to keep money. Bank provides Automated teller machine (ATM) which can provide money any where you want. ATM is an easy way to get money, you just need to insert card and password and you just got the money. But what if someone will steal your card and somehow he/she will know your password, it will grant him/her full access to your money. That raise question on present security and demands something new in the system that can provide second level of security.One time password (OTP) is password that validates an authentic user for only one login to the respective system. If user is unauthorized, system will not allow further access. OTP can be generated by using different cryptographic hash functions that provides a fixed string which can be used as second level security at ATM. In generation of OTP there are many factors that can make OTP unique every time it is generated.Factors that can be considered are time at when the user is accessing the machine, account number of the user, mobile number of the user, Location of the user, International Mobile station Equipment Identity (IMEI) number which is unique for every mobile device. By taking into consideration factors like daily life problem (general problems) that is phone got switched off, battery is down; less coverage of network can affect the OTP solution etc. To avoid application based problem this report also suggest a solution i.e. biometric security; by using biometric security the alternative security will be as same as OTP.In this report, the flow of system I am developing, topics related to ATM banking and security, about OTP and biometric solution are discussed.

show abstract

“…In [11], the authors provide a built-in mechanism for mobile phone OTP generation that provides audible and visual output. In fact, mobile phones are gaining ground in regards to research in late years.…”

Section: ) Secure Tokensmentioning

confidence: 99%

Out-of-Band Authentication Model with Hashcash Brute-Force Prevention

Violaris

Dionysiou

2014

2014 IEEE Intl Conf on High Performance Computing and Communications, 2014 IEEE 6th Intl Symp on Cyberspace Safety and Security

View full text Add to dashboard Cite

Successful out-of-band authentication in popular languages such as PHP has proven to be problematic and in many ways unsafe as dynamically typed languages allow for more than one ways of doing things, and the standards set out are usually not followed. It is true that out-of-band authentication using SMS messaging enhances the security of simple passwords specified by users, however many times the handling of the One-Time-Passwords (OTP) on the server side is done with disregard of the ways an attacker can bypass the requirement for such a feature. It is therefore essential to find ways which the OTP cannot be brute-forced or circumvented, by providing mechanisms such as automatic purging of OTPs from the database and enhancing the safety of the server traffic handling as well as the HTTP form submission requests and responses with a library known as Hashcash. By using this method, a potential attacker would be met by a time-consuming challenge, which would leave any sort of brute-force, denial of service or requirement circumvention attacks impractical for gaining access to a PHP login system. Furthermore, the usage of Hashcash for credential retransmission and re-authentication for vital aspects of the user's workflow while authenticated, make such as system much more impenetrable than using simple outof-band or other two-factor authentication schemes.

show abstract

Secure and Inclusive Authentication with a Talking Mobile One-Time-Password Client

Cited by 18 publications

References 6 publications

Human-centered authentication guidelines

Human-centered authentication guidelines

Securing ATM with OTP and Biometric

Out-of-Band Authentication Model with Hashcash Brute-Force Prevention

Contact Info

Product

Resources

About