Many organizations still rely on a static ID and password, a single-factor authentication technique that provides the simplest form of authentication and may not be sufficient to safeguard against unauthorized access. The rapid spread of e-Business has made securing transactions necessary, and financial organizations are therefore looking to two-factor authentication as a fundamental security function.
Strong Authentication is a fundamental security function. During the authentication process, the credentials submitted by an individual are validated and associated with the person's identity. This process of binding between the credentials and identity is typically done for the purpose of granting (or denying) authorization to perform some restricted operation, like accessing secured files or executing sensitive transactions. User authentication is commonly defined as the process of verifying the identity of an individual, usually based on credentials.
Nowadays different strong authentication methods are in use; some of them can be embedded in security devices such as tokens and smart cards. First we study the different authentication methods; then, on the basis of that study, we integrate the OTP (One Time Password) based two-factor authentication method into more flexible mobile devices (such as cell phones and PDAs) in a cost-effective manner.
The two-factor authentication method uses mobile devices as security tokens to receive a single-use password that strengthens the existing ID/password authentication and authorization process. In the first phase, the authenticator receives a request generated by the application to authenticate a specified user. On receiving the request, it generates a one-time password and sends it by SMS to the GSM cell phone registered for that user. The one-time password has a default timeout of 5 minutes, which is configurable.
In the second phase of the authentication, a request is sent with the user ID and a hash of the one-time password. If both the one-time password and the user-specified password are valid, the user is authenticated.
Even though the application uses the client's device to receive the second factor, it is possible to keep the client completely out of generating the password. There are a few limitations in the paper. This proposal overcomes the problem of hacking but not of phishing.
In the field of computer security, the process of attempting to verify the digital identity of the sender of a communication, such as a request to log in, is termed authentication. The sender subjected to authentication may be a human using a computer, a computer by itself, or a computer program. A blind credential, in contrast, does not establish identity at all, but only a narrow right or status of the user or program.
In a web of trust, authentication is a way to make sure that the user who attempts to perform functions in a system is in fact the user who is permitted to do so.
2 Way Mobile Authentication System (2WMAS) is an innovative authentication system that provides access to Web-based resources through a two-way user authentication using the user's existing personal mobile phone. It is used to address the security flaws of Web-based Internet and Intranet applications by requiring users to authenticate themselves with their personal mobile phones. A user's registration has to be done in a secure manner before they can actually use the system.
It is designed to provide security to Web-based Internet and Intranet applications, and requires users to authenticate themselves with two distinct criteria: a username and password, and a code they receive only during authentication (a one-time password, OTP, sent to their mobile phone) before they are permitted to access a secured web resource. With 2WMAS, we can positively identify users and deliver services easily and in a highly secure way, without the need for an additional security system. End users benefit from a very simple process that removes the need to remember multiple passwords.
As the Web-based Internet becomes the most important tool for financial transactions, the level of security becomes a major concern in an organization's transaction system. Transactions these days are secured using passwords. Institutions spend huge amounts of money on SSL solutions to make sure the passwords are not intercepted. But in the majority of cases, security violations occur beyond the reach of PKI and SSL solutions.
Why the existing password system is not secure
Passwords can be captured when they are sent to the browser, for example by 'Trojan-horse' applications that most users may have installed without their knowledge while installing shareware tools, reading an e-mail, or visiting a suspicious website. Some 'Trojan-horse' applications can even control personal computers and allow intruders to look at their screens, like the remote-access application PC Anywhere!
Some users may even save their credentials carelessly on their PCs, where they can be seen by anyone who has access to the terminal, including the person who repairs their PC or, if they are using a computer in a cybercafe, anyone who uses that terminal after them.
Poorly designed programming APIs in a system might give hackers clues to bypass the entire system.
Features of 2 Way Mobile Authentication System
Double-criterion to check the identity of the User:
It provides a cost-effective way to give web resources a double-criterion authentication system. Through a browser, a user requests permission to access a Web resource for which the Web Application requires an additional authentication code. The system then generates a one-time access code and sends it to the mobile phone registered to the user by SMS text message. The user has to enter the access code into the Web browser to finish the authentication. After the user enters the authentication information, the system determines whether the information submitted is valid. If it is valid, the Web Application proceeds and allows the user to perform the necessary transactions; otherwise it does not. By separating the Web Application from the Authentication server, we can also divide responsibilities to reduce internal fraud.
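The two-phase exchange described in the method overview and again in this feature (OTP generated server-side, sent by SMS, 5-minute configurable timeout, then a second request carrying the user ID, password and a hash of the OTP), as an added example in Python rather than the PHP stack the page lists; it is not code from the paper or the 2WMAS project. The user record, phone number, attempt limit and the SMS callback that stands in for the GSM gateway are assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TIMEOUT_SECONDS = 5 * 60   # the page's default timeout; configurable
MAX_OTP_ATTEMPTS = 3           # assumption: the page gives no attempt limit

def password_hash(password, salt):
    """Slow salted hash for the static (first-factor) password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def otp_digest(code):
    """The 'hash of the one-time password' the client submits in phase 2."""
    return hashlib.sha256(code.encode()).hexdigest()

# Constructed user record: a hypothetical user with a registered GSM number.
USERS = {"alice": {"salt": b"demo-salt", "phone": "+00 000 000 000"}}
USERS["alice"]["pw_hash"] = password_hash("correct horse", USERS["alice"]["salt"])

PENDING = {}  # user_id -> {"otp_hash", "expires", "attempts"}; only the hash is kept

def phase1_issue_otp(user_id, send_sms, now=None):
    """Phase 1: generate a single-use code, keep its hash, SMS the code to the user."""
    if user_id not in USERS:
        return False
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"          # 6-digit code from a CSPRNG
    PENDING[user_id] = {"otp_hash": otp_digest(code),
                        "expires": now + OTP_TIMEOUT_SECONDS, "attempts": 0}
    send_sms(USERS[user_id]["phone"], code)            # GSM gateway stands in here
    return True

def phase2_verify(user_id, password, otp_hash_hex, now=None):
    """Phase 2: both the static password and the OTP hash must be valid."""
    now = time.time() if now is None else now
    rec, state = USERS.get(user_id), PENDING.get(user_id)
    if rec is None or state is None:
        return False
    if now > state["expires"] or state["attempts"] >= MAX_OTP_ATTEMPTS:
        PENDING.pop(user_id, None)   # timed out or exhausted: phase 1 must be repeated
        return False
    state["attempts"] += 1
    pw_ok = hmac.compare_digest(password_hash(password, rec["salt"]), rec["pw_hash"])
    otp_ok = hmac.compare_digest(state["otp_hash"], otp_hash_hex)
    if pw_ok and otp_ok:
        PENDING.pop(user_id, None)   # single use: the code cannot be replayed
        return True
    return False
```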
Protecting the existing authentication system:
The 2WMAS is not meant to replace the existing authentication system, but instead serves as an added layer of security that protects and enriches the existing system, whether software or hardware.
Protecting against Internal fraud:
The system's core authentication and messaging engine provides a good level of protection against reverse engineering and program transformation of the software. A security platform is never secure if someone who has access to parts of the application and its security algorithm can modify the code to reveal security flaws or even create a backdoor entry.
Limitations on 2 Way Mobile Authentication System
2 Way Mobile Authentication cannot solve the problem of phishing (phishing is defined as the process of gathering personal data such as credentials, credit card information and other sensitive data by impersonating a trusted party through electronic communication).
A user cannot log in to the system if the GSM gateway service provider's servers are down, since he cannot receive the OTP even though he is a genuine user.
This system cannot be used when a user's mobile network service provider terminates the connection due to delayed bill payments, or when the network signal is poor.
Market Segments where 2WMAS is in use
Secure remote access
Internet Service Providers
Application Language : HTML / CSS / JavaScript and PHP
Operating System : Linux / Windows
Protocols : HTTP
Web Server : Apache