One Time Passwords In Mobile Banking Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Mobile banking information security is crucial to protect users financial data and put banks in secured positions. Passwords are a critical and ubiquitous component of authentication in information security of mobile banking. Several security techniques have been investigated and proposed to develop an accurate and efficient model of security in mobile banking. In this paper, time-based one time passwords are proposed to improve information security and protect users financial information in the case of security threats. In this experimental study, TOTP are proposed as one of the most secure and convenient ways for users to use mobile banking without any worries about mobile security threats.


Mobile banking, Information security, Time-based one time password (TOTP)


Mobile banking is using mobile devices to presenting banking transaction and accessing financial services. This service is beneficial for both customers and bank industry. Customers can use this service to access their bank account wherever they are and using banking services. Bank industry also uses mobile banking to inform users about their services and reducing their face to face customers' service support.

Information security is one of the crucial parts of mobile banking. As this system is dealing with customers' financial information, this information could be intercepted easily by attackers. Customers and bank industry both face information security challenges. Mobile phones which users use them for their mobile banking are portable devices that could be stolen easily and the information which is registered on them could be misused by attacker. The weakness of mobile devices' computing power, operating system, and keyboard also creates security issues. As a result using security algorithms and more secure password face challenges by existing these weaknesses. The main point of this paper is focusing on making credit card number and bank password which users use for login to their bank accounts from their mobile phones more secure. Most of the people do not have expertise in creating a secure password and remembering them. In addition, mobile keyboard weakness creates challenges for users to create secure passwords. Furthermore, some people do not keep their password in their memory and write them on a text file in their mobile devices which make the system more insecure. As the use of mobile devices is increasing and more people tend to use them to work with different application, it is important to create more security for users' information and motivating them to buy a secure system which improving also the banking industry.

This paper proposed a solution for users' authentication security issues in mobile banking by using time-based one time password (TOTP) which will be updated every thirty seconds instead of static password in mobile banking. By using this type of password which will be updated every thirty seconds, in a case of a mobile device lost or stolen, the mobile device could not be used for login to bank account of the user by attacker. In this situation, attacker can find out the TOTP password on mobile device which does not work without the credit card number of the user. This paper is organized as follows:

In Section 2, we discuss the different models of mobile banking architecture. Different techniques of authentication which are used for mobile banking will be discussed in Section 3. In Section 4, we present our approach for the information security. Discussion and conclusions are presented in Section 5.


Mobile banking is one of the applications which are used in mobile devices by customers to complete banking transaction. Riivari et al. [1] mentioned that this system has been selected by bank industry to decrease cost, improve customer service, and supporting their branches by making them available to the customers by placing them in their pocket. Mobile devices are faces different security threats as they are portable devices which could be lost and stolen easily. Clark et al. [2] discussed different types of security threats in mobile devices in terms of mobile banking. Lost and stolen device, fishing and vishing, authentication, and cracking are some of the mobile device security threats which could affect mobile banking. Authentication plays a critical role in mobile banking as it uses a username and a password for connecting to bank's website and completing customers' transaction. Different approaches are proposed to protect this information. This device are also lost and stolen easily and the authentication and confidentiality of the device could be indangour. Different mobile device brands try to protect mobile devices in this case. For example, Blackberry creates a unique PIN number for each device and has this option to use PIN number to delete remotely the information on the mobile device. There is other approach which used by banks in this situation to disable the account to avoid misusing information. Streff et al. [3] explained that in terms of fishing and vinishing, if a user uses traditional type of authentication such as username and password, this information could be released to attackers by fooling the user. In this situation, it could cause bank the serious financial loss.

2. Mobile banking Architecture

Buse et al. [4] mentioned browser-based, messaging-based, and client-server based as three different types of mobile banking architectures which are used to address mobile banking security.

In the browser-based model users could access the bank website through their cellphone. One of the advantages of this model is that less information is stored on the cellphone and the server handles all the processing part. In addition, users have more familirity to use this service. For using mobile banking, users need to browse the bank website and enter their username and password to use the mobile banking. The browser-based model has the risk of confidential information attack because mobile devices do not have the capability of installing firewalls. Messaging-based is the second type of mobile banking communication which users and banks communicate with each other through text messaging [4] . Short Messaging Service (SMS) and Multimedia Messaging Service (MMS) are two types of messaging-based communications which are used. In this system, Mobile Banking Personal Identification Number (MPIN) are used for authentication. In addition, only registered mobile numbers for specific bank accounts could be accepted to send request to the bank. Furthermore, account keys are used instead of account numbers to keep confidentiality and avoid typing the account number. Client-based is the third type of mobile banking architecture. In this model, application should be downloaded and installed on users' cellphone. Transactions could be prepared offline by users and then connected to internet to reduce cost and connection time. Buse et al. [4] mentioned that this system could face less security threats as short online connection should be provided by customers and attackers have lower chance of breaking into the connection.

3. Authentication Techniques

Different types of authentication techniques are used in mobile banking. Streff et al. [3] maintained that at least two different types of authentication are used by bank systems to identify the banks' customers. According to this article, using usernames and passwords for bank systems and PIN numbers for mobile devices are current authentication models which are used for mobile banking by banks to identify their customers. This model has security issues as users use weak passwords or writing them down to use them later. Sreff et al. [3] explained that increasing security of PIN numbers have been proposed to protect mobile devices. In this situation, a portion of PIN will be stored in mobile devices and the rest of that will be stored on a server. The security in this system have been increased because even if mobile devices be accessible for attackers, they can access just a portion of PIN number. Mazheils et al. [5] concluded biometric as another authentication method which could be used to find out what a user is. Streff et al. [3] identified five different types of biometric authentication which include facial recognition, handwriting recognition, keystroke analysis, speaker/voice recognition, and service utilixation.

4. Approach to Information Security

To implement our approach, the project requirements and algorithms should be described first. In our approach, a Time based-One Time Password (TOTP) are used instead of static password to create information security in mobile banking and present a secure authentication method. An One Time Password (OTP) is the password which only can be used one time, after that, this password will become an obsolete password [6]. In addition, each one time password has a lifetime, if the password has not been used in this period of time, it will still becomes obsolete. Therefore, the advantages of using the one time password is that even if someone knows your password (the one you have already used or the one have already passed 60 seconds), he cannot use the password anymore.

Time-based One-time Password (TOTP) Algorithm is an extension of the HMAC-Based One-Time Password (HOTP) to support time based moving factor [7]. The HOTP algorithm is a method which uses counter value to do the HMAC operation. TOTP method uses time steps and time variable to replaces TOTP calculation. Basically, TOTP = HOTP(K, T) [8]. The formula shows the change of HOTP method. T is an integer and it shows to us how many time steps between the initial counter time (we called T0) and the current UNIX time. More specifically:

T = (Current Unix time - T0) / X where:

- X is the time step which is measure time by the second (default value X = 30 seconds in our project) and also, it is a system parameter.

- T0 is the UNIX time, it is a count time steps that the default value is 0. It is also a system parameter;

Here is an example: if T0=0 and time step = 30. So, if the current UNIX time is 37 seconds, then the value of T is 1; but if the current UNIX time is 60 seconds, then the value of T equal as 2.

In this approach client server-based model are used for mobile banking. Java are used to generate TOTP password and this password is generated in a TOTP server. ToTP server is a seperate server than the bank server. Both servers are also database servers which use MySQL for creating their databases. The customer use his mobile phone to make connection to both servers through internet. Figure 1 shows the system architecture.

Figure 1: System Architecture

Each user has different TOTP software generator. TOTP software creates different passwords for each user depends on their id_client every 30 seconds. Cell phone number defines as id-client in this program as we need a unique number for each user.

The first time customers want to use this service, they should run the setup process. Figure 2 shows the setup process in this system. Before running the setup process, there is no connection between two databases for the user exist. At the first step of the setup process, the user needs to enter his credit card number and his static password. Then the system checks if the information is correct or not. If the information matches with the bank database, the user need to enters his id_client (cell phone number) and ToTP password which is generated by the TOTP server. The software should generate the TOTP password and shows in a window to the user on his cell phone. Next step, system checks for the consistency of this information in the client database which is located in the TOTP Server. If the information matches with the client database, id_client will be inserted in the bank table as a foreign key and successful setup window will be shown to the user's cell phone.

Figure 2: Setup Process Diagram

The setup process is the only stage for the user to enter his static password. Figure 3 provides information about the content of each table and how they connect together. Client table is the table which is located in TOTP server. This table concludes id_client which is the user's cell phone number and ranpass_client is the TOTP password which is generated by java program.

Bank table also includes account_number which is the client's credit card number and account_password which is the static password.

Figure 3: Database Structure

The next step in this system for a user to use mobile banking is connecting to bank server by using authentication. Therefore, users need to enter their credit card number and the TOTP password which is displayed in users' cell phone window. This approach create more secure authentication mode for users and bank systems. Users do not need to memorize their password for login to mobile banking. This system also solve the physical security threats that mobile users' face because users use the TOTP password instead of static bank password. The attacker could not log in to the bank system even if he sees the TOTP password on user's cell phone. This password is not a static password and changes every 30 seconds. Also, Attacker needs to know users' credit card number to login to mobile banking. In addition, users do not need to write down their passwords somewhere in their cell phones as the password shows to users in their cell phones' screen.

2. Requirements:

In order to finish the authentication process, here are several requirements that we should pay attention to in our program.

1. The algorithm works in specific time. Both server and user application should have same method to generate the password in the same specific time. Therefore, current unix time can be used in our program in order to compute the time passed[the paper we print]. Unix time is a number which is start at zero in the midnight of Jan 1, 1970, and elapsed every seconds.

2. The password must be unique for each user. Each time step allow only one password can do the login process.

3. It is necessary for the server and user application keep the same time step.

4. The password should be generated automatically and randomly.


1. general

SHA-1 ,the hash function, which is using by HMAC determine this algorithm's security and strength. This security analysis conclusion was maintained in [RFC4226]. Analysis shows that the best possible HOTP function is the brute force attack. As we maintained in algorithm requirement part, the key should be free to choose and use a strong pseudo-random encryption or generate a random value. In addition, we should follow the suggestion of [RFC4086], for all pseudo-random and random generations, the use of the pseudo-random number key should successfully pass the test of randomness.

For the security issue, all of the communication should be taken over a secure channel, such as SSL/TLS, IP sec connection [RFC5246&4301]. Also, storing the key in a safe authentication system is important, because they use tamper-resistant hardware to do the encryption. For example, it is necessary to verify the OTP value to decrypt the key, and re-encryption to limit the exposure of a very short period of time in the RAM.

Furthermore, key store must be in the security field in order to avoid direct attacks on the authentication system and secret databases. In particular, access to the key material should be limited to program and verify the system only when the process needed.

2. Validity and Time-step Size

An OTP generated at the same time, the steps are the same. However, the network delay is inevitable. Because of an OTP application sends a request from a user authentication system and an actual input time of an OTP to a receiving system, the network delay between the actual OTP generation time and the server may receive the time stamp could be very large[the paper we print]. When the OTP is generated at the end of a time step window, mostly, the receiving time often fall into the next step window. Therefore, an acceptable transmission delay OTP authentication window should be set up in to the verification system( we don't do this part in our project at this time). It is necessary to allow the network delay in several seconds.

Time step size might determine the security and availability [the paper we print]. A large time step means that a greater acceptance by the OTP validation window. If an OTP generated and exposed to a third party before the password being consumed, that would be dangerous. Set default time step as 30 seconds would be acceptable. This 30 seconds default value can balance between security and usability [the paper we print].

Our project:

Use TOTP algorithm to design the first setup and use one time password to achieve the login process.

Here is the general view of our project. We have 5 main parts in the project.

First setup: when a customer wants to use OTP to make his account more safety, he should do the setup step. The reason for doing that is he needs to link his specific (unique) id to his account.

Time control& upgrade: this function control the database (insert new user unique id and upgrade the password), when the time passed every 30 seconds, the password generated automatically.

Select Ran Password: the password shows on some place which user can see the password somewhere. For example: token, webpage, or SMS message etc.

Login: people use account number and his specific one time password to login.

Here are each specific functions diagrams and detail:

1. First setup step. Before the user does the first setup step, the server should check the user permissions. User should put his account number and static password to login first, if the server database matches the user's account number and password, the first setup step form can be filled. In order to keep the security, the account number could not be changed in setup step.

2. Time control and upgrade.

As we already maintained in the (no.) section, 30 seconds is the best choice for keep the balance of security and usability. We use 30 seconds as one time step. The password (Ranpass) in database is upgrade in every 30 seconds. The password generate automatically by using TOTP method. Before insert a new link of account number, we recommended that we need to check the system database first in order to keep the secret number(id_client) which is link to the account number is unique.

3. Database.

We use Mysql as our database. The account number and static password should be import initialization. We have two tables in our project which are include bank_table and client_table. We use id client as a foreign key to connect two tables. Here is the ERR diagram.

4. Select Ran-password

User should know his ran-password in somewhere. We can use several to let user know his unique password in specific time which is generate by the TOTP algorism. For example, use token or SMS service in mobile phone.

5. Login

When user finished the first setup step and wants to login the system again. The login page would be change to require user's account number and ran-password.

Demonstration and Results:

(When our project can ran successfully, we need a picture to show the password generate result in every 30 seconds)