This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
Many organizations still rely on static ID and password that is been used in the existing authentication system which consist of Single Factor Authentication technique to provide the simplest form of authentication that may not be sufficient to safeguard against unauthorized access. Therefore the rapid spread of e-Business has necessitated for securing transactions and therefore financial organizations are looking for two-factor authentication technique as a fundamental security function.
Strong Authentication is a fundamental security function. During the authentication process, the credentials submitted by an individual are validated and associated with the person's identity. This process of binding between the credentials and identity is typically done for the purpose of granting (or denying) authorization to perform some restricted operation, like accessing secured files or executing sensitive transactions. User authentication is commonly defined as the process of verifying the identity of an individual, usually based on credentials.
Now-a-days different strong authentication methods are in use some of them can be embedded in security devices such as tokens, smart cards. First we study the different authentication method, after that on the basis of study we integrate the OTP (One Time password) based two-factor authentication method in more flexible mobile devices (such as cell phones, PDA) in a cost effective manner.
Two-factor authentication method uses mobile devices as security tokens to receive a single-use password to strengthen the existing ID/password authentication and authorization process. In the first phase, the authenticator receives an application generated requests for the authentication of a specified user. When the request is received, a one-time password is generated and sent using Short Messaging Service to a GSM cell phone registered for that specified user. The one-time password has a default timeout 5 minutes which is configurable.
During the second phase of the authentication process, a request is made with the user id and a hash of the one-time password. If both the one-time and user specified password is valid then the user will be authenticated.
Even though the application is using clientâ€™s device to send the second factor, it is possible to completely avoid the clientâ€™s involvement in generating the password. There are few limitations in the paper. This proposal overcomes the problem of hacking but not from phishing.
In the field of computer security, the process of attempting to verify the digital identity of the sender of a communication process such as a request to log in is termed as authentication. The sender subjected to an authentication may be a human using a computer, a computer by itself or a computer program. A blind credential could not establish identity at all, but only a narrow right or status of the user or program.
In a web of trust, authentication is a way to make sure that the user who attempts to perform functions in a system is in fact the user who is permitted to do so.
2 Way Mobile Authentication System (2WMAS) is an innovative authentication system that provides access to Web-based resources by using a two-way user authentication through the existing personal mobile phones. It is used to solve the security flaws of the web based Internet and Intranet, by involving the users to authenticate themselves using their personal mobile phones. The registration of the users has to be done in a secured manner before he can actually use the system.
It is designed to provide security to Web-based Internet and Intranet applications, and requires users to authenticate themselves with two unique criterion - a username and password, and a code which they get only during authentication (a one-time password OTP sent to their mobile phone) before they are permitted to access a secured web resource. With 2WMAS, we can positively identify users and deliver services easily and in a most secured way to users, without having the need of an additional security system. End users can have the advantages of a very simple process that omits the need to remember multiple passwords.
As the Web-based Internet becomes the most important tool for financial transactions, the level of security becomes a major concern in an organization's transaction system. Transactions in these days are secured using passwords. Institutions spend huge amounts of money on secure SSL solutions to make sure the passwords are not tracked. But,in majority of cases security violations occurs above the reach of PKI and SSL solutions.
How the traditional password system can be compromised
Passwords could be captured when they are sent to the browser. For example, The 'Trojan- horse' applications which most of users might have installed without their knowledge, while installing shareware tools, while reading a email, or when visiting a suspicious website. Some 'Trojan-horse' applications can even control personal computers, and allow intruders to look into their screens like a remote software application PC anywhere!
Some users may even save their credentials carelessly on their PCs, The result of which, can be seen by anyone who has the access to the terminals, including the person who repairs their PC, or if they are using a computer in a cybercafe , anyone who uses that terminal after them.
An inefficient programming APIs of a system might give clues to the hackers to bypass the entire system.
Features of 2 Way Mobile Authentication System
Double-criterion to check the identity of the User:
It provides a cost-effective solution to provide the web resources with a double-criterion authentication system. Through a browser, a user requests permission to access a Web resource which needs an additional authentication code required for the Web Application. It then generates a unique access code (one-time acess code) and sends it to the mobile phone registered to the user by an SMS text message. The user has to enter the access code into the Web-browser to finish the authentication process. When a user enters the authentication information, the system determines if the information submitted is valid or not. If valid it goes ahead with the Web Application thereby allowing the user to perform the necessary transactions, otherwise not .By separating Web Application with Authentication server, we can also divide the responsibilities to decrease the internal fraud.
Protecting the existing authentication system:
The 2WMAS could not replace the existing authentication system, but instead serves as an added layer of security that protects and enriches the existing authentication system, either software or hardware.
Protecting against Internal fraud:
The systemâ€™s core authentication and messaging engine is such that it provides with a good level of security against the risk of reverse engineering and de-compilation of the software. A security platform is never secured if someone has the access to the parts of the application and its security algorithm, modify the content of code to reveal security flaws or even create a backdoor entry.
Limitations on 2 Way Mobile Authentication System
2 Way Mobile Authentication cannot solve the problem of phishing (phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication).
Users have common problems retaining a single authentication factor like a password. It is not easy for users to remember loads of unique passwords. In the present system, where one factor is a password, does not eliminate this problem. One possible solution is to have the second factor to be a biometric or a virtual token number that the user need not remember, instead of an entity that the user needs to memorize.
A user cannot login to the system if the GSM gateway service providerâ€™s servers are down where he could not receive the OTP even though he is a genuine user.
This system cannot be used when a users mobile network service provider terminates the connection due to the delay in bill payments and also poor signal of the network.
Market Segments where 2WMAS is in use
Secure remote access
Internet Service Providers
Application Language : HTML / CSS / Java Script and PHP
Operating System : Linux / Windows
Protocols : HTTP
Web Server : Apache