Biblio

Nowadays, the increasing complexity of digital applications for social and business activities has required more and more advanced mechanisms to prove the identity of subjects like those based on the Two-Factor Authentication (2FA). Such an approach improves the typical authentication paradigm but it has still some weaknesses. Specifically, it has to deal with the disadvantages of a centralized architecture causing several security threats like denial of service (DoS) and man-in-the-middle (MITM). In fact, an attacker who succeeds in violating the central authentication server could be able to impersonate an authorized user or block the whole service. This work advances the state of art of 2FA solutions by proposing a decentralized Microservices and Blockchain Based One Time Password (MBB-OTP) protocol for security-enhanced authentication able to mitigate the aforementioned threats and to fit different application scenarios. Experiments prove the goodness of our MBB-OTP protocol considering both private and public Blockchain configurations.

Risk-based authentication (RBA) extends authentication mechanisms to make them more robust against account takeover attacks, such as those using stolen passwords. RBA is recommended by NIST and NCSC to strengthen password-based authentication, and is already used by major online services. Also, users consider RBA to be more usable than two-factor authentication and just as secure. However, users currently obtain RBA’s high security and usability benefits at the cost of exposing potentially sensitive personal data (e.g., IP address or browser information). This conflicts with user privacy and requires to consider user rights regarding the processing of personal data. We outline potential privacy challenges regarding different attacker models and propose improvements to balance privacy in RBA systems. To estimate the properties of the privacy-preserving RBA enhancements in practical environments, we evaluated a subset of them with long-term data from 780 users of a real-world online service. Our results show the potential to increase privacy in RBA solutions. However, it is limited to certain parameters that should guide RBA design to protect privacy. We outline research directions that need to be considered to achieve a widespread adoption of privacy preserving RBA with high user acceptance.

The Internet of Drones (IoD) is a distributed network control system that mainly manages unmanned aerial vehicle access to controlled airspace and provides navigation between so-called nodes. Securing the transmission of real-time information from the nodes in these applications is essential. The limited drone nodes, data storage, computing and communication capabilities necessitate the need to design an effective and secure authentication scheme. Recently, research has proposed remote user authentication and the key agreement on IoD and claimed that their schemes satisfied all security issues in these networks. However, we found that their schemes may lead to losing access to the drone system due to the corruption of using a key management system and make the system completely unusable. To solve this drawback, we propose a lightweight and anonymous two-factor authentication scheme for drones. The proposed scheme is based on an asymmetric cryptographic method to provide a secure system and is more suitable than the other existing schemes by securing real-time information. Moreover, the comparison shows that the proposed scheme minimized the complexity of communication and computation costs.

The increased need for online account security and the prominence of smartphones in today’s society has led to smartphone-based two-factor authentication schemes, in which the second factor is a code received on the user’s smartphone. Evolving two-factor authentication mechanisms suggest using the proximity of the user’s devices as the second authentication factor, avoiding the inconvenience of user-device interaction. These mechanisms often use low-range communication technologies or the similarities of devices’ environments to prove devices’ proximity and user authenticity. However, such mechanisms are vulnerable to colocated adversaries. This paper proposes Vibe-an implicit two-factor authentication mechanism, which uses a vibration communication channel to prove users’ authenticity in a secure and non-intrusive manner. Vibe’s design provides security at the physical layer, reducing the attack surface to the physical surface shared between devices. As a result, it protects users’ security even in the presence of co-located adversaries-the primary drawback of the existing systems. We prototyped Vibe and assessed its performance using commodity hardware in different environments. Our results show an equal error rate of 0.0175 with an end-to-end authentication latency of approximately 3.86 seconds.

Authentication, forms an important step in any security system to allow access to resources that are to be restricted. In this paper, we propose a novel artificial intelligence-assisted risk-based two-factor authentication method. We begin with the details of existing systems in use and then compare the two systems viz: Two Factor Authentication (2FA), Risk-Based Two Factor Authentication (RB-2FA) with each other followed by our proposed AIA-RB-2FA method. The proposed method starts by recording the user features every time the user logs in and learns from the user behavior. Once sufficient data is recorded which could train the AI model, the system starts monitoring each login attempt and predicts whether the user is the owner of the account they are trying to access. If they are not, then we fallback to 2FA.

This project develops a face recognition-based door locking system with two-factor authentication using OpenCV. It uses Raspberry Pi 4 as the microcontroller. Face recognition-based door locking has been around for many years, but most of them only provide face recognition without any added security features, and they are costly. The design of this project is based on human face recognition and the sending of a One-Time Password (OTP) using the Twilio service. It will recognize the person at the front door. Only people who match the faces stored in its dataset and then inputs the correct OTP will have access to unlock the door. The Twilio service and image processing algorithm Local Binary Pattern Histogram (LBPH) has been adopted for this system. Servo motor operates as a mechanism to access the door. Results show that LBPH takes a short time to recognize a face. Additionally, if an unknown face is detected, it will log this instance into a "Fail" file and an accompanying CSV sheet.

The majority of systems rely on user authentication on passwords, but passwords have so many weaknesses and widespread use that easily raise significant security concerns, regardless of their encrypted form. Users hold the same password for different accounts, administrators never check password files for flaws that might lead to a successful cracking, and the lack of a tight security policy regarding regular password replacement are a few problems that need to be addressed. The proposed research work aims at enhancing this security mechanism, prevent penetrations, password theft, and attempted break-ins towards securing computing systems. The selected solution approach is two-folded; it implements a two-factor authentication scheme to prevent unauthorized access, accompanied by Honeyword principles to detect corrupted or stolen tokens. Both can be integrated into any platform or web application with the use of QR codes and a mobile phone.

Cloud computing has included an essential part of its industry and statistics garage is the main service provided, where a huge amount of data can be stored in a virtual server. Storing data in public platforms may be vulnerable to threats. Consequently, the obligation of secure usage and holistic backup of statistics falls upon the corporation providers. Subsequently, an affordable and compliant mechanism of records auditing that permits groups to audit the facts stored in shared clouds whilst acting quick and trouble- unfastened healing might be a fairly sought-after cloud computing task concept. There is a lot of advantage in growing this domain and there is considerable precedence to follow from the examples of dropbox, google power among others.

Blockchain-based cryptocurrencies offer an appealing alternative to Fiat currencies, due to their decentralized and borderless nature. However the decentralized settings make the authentication process more challenging: Standard cryptographic methods often rely on the ability of users to reliably store a (large) secret information. What happens if one user's key is lost or stolen? Blockchain systems lack of fallback mechanisms that allow one to recover from such an event, whereas the traditional banking system has developed and deploys quite effective solutions. In this work, we develop new cryptographic techniques to integrate security policies (developed in the traditional banking domain) in the blockchain settings. We propose a system where a smart contract is given the custody of the user's funds and has the ability to invoke a two-factor authentication (2FA) procedure in case of an exceptional event (e.g., a particularly large transaction or a key recovery request). To enable this, the owner of the account secret-shares the answers of some security questions among a committee of users. When the 2FA mechanism is triggered, the committee members can provide the smart contract with enough information to check whether an attempt was successful, and nothing more. We then design a protocol that securely and efficiently implements such a functionality: The protocol is round-optimal, is robust to the corruption of a subset of committee members, supports low-entropy secrets, and is concretely efficient. As a stepping stone towards the design of this protocol, we introduce a new threshold homomorphic encryption scheme for linear predicates from bilinear maps, which might be of independent interest. To substantiate the practicality of our approach, we implement the above protocol as a smart contract in Ethereum and show that it can be used today as an additional safeguard for suspicious transactions, at minimal added cost. We also implement a second scheme where the smart contract additionally requests a signature from a physical hardware token, whose verification key is registered upfront by the owner of the funds. We show how to integrate the widely used universal two-factor authentication (U2F) tokens in blockchain environments, thus enabling the deployment of our system with available hardware.

The use of wearable devices (e.g., smartwatches) in two factor authentication (2FA) is fast emerging, as wearables promise better usability compared to smartphones. Still, the current deployments of wearable 2FA have significant usability and security issues. Specifically, one-time PIN-based wearable 2FA (PIN-2FA) requires noticeable user effort to open the app and copy random PINs from the wearable to the login terminal's (desktop/laptop) browser. An alternative approach, based on one-tap approvals via push notifications (Tap-2FA), relies upon user decision making to thwart attacks and is prone to skip-through. Both approaches are also vulnerable to traditional phishing attacks. To address this security-usability tension, we introduce a fundamentally different design of wearable 2FA, called SG-2FA, involving wrist-movement “seamless gestures” captured near transparently by the second factor wearable device while the user types a very short special sequence on the browser during the login process. The typing of the special sequence creates a wrist gesture that when identified correctly uniquely associates the login attempt with the device's owner. The special sequence can be fixed (e.g., “\$@\$@\$\$”), does not need to be a secret, and does not need to be memorized (could be simply displayed on the browser). This design improves usability over PIN-2FA since only this short sequence has to be typed as part of the login process (no interaction with or diversion of attention to the wearable and copying of random PINs is needed). It also greatly improves security compared to Tap-2FA since the attacker can not succeed in login unless the user's wrist is undergoing the exact same gesture at the exact same time. Moreover, the approach is phishing-resistant and privacy-preserving (unlike behavioral biometrics). Our results show that SG-2FA incurs only minimal errors in both benign and adversarial settings based on appropriate parameterizations.

One of the main security issues in telecare medecine information systems is the remote user authentication and key agreement between healthcare professionals and patient's medical sensors. Many of the proposed approaches are based on multiple factors (password, token and possibly biometrics). Two-factor authentication protocols do not resist to many possible attacks. As for three-factor authentication schemes, they usually come with high resource consumption. Since medical sensors have limited storage and computational capabilities, ensuring a minimal resources consumption becomes a major concern in this context. In this paper, we propose a secure and lightweight three-factor authentication and key generation scheme for securing communications between healtcare professional and patient's medical sensors. Thanks to formal verification, we prove that this scheme is robust enough against known possible attacks. A comparison with the most relevant related work's schemes shows that our protocol ensures an optimised resource consumption level.

In the current state of communication technology, the abuse of VoIP has led to the emergence of telecommunications fraud. We urgently need an end-to-end identity authentication mechanism to verify the identity of the caller. This paper proposes an end-to-end, dual identity authentication mechanism to solve the problem of telecommunications fraud. Our first technique is to use the Hermes algorithm of data transmission technology on an unknown voice channel to transmit the certificate, thereby authenticating the caller's phone number. Our second technique uses voice-print recognition technology and a Gaussian mixture model (a general background probabilistic model) to establish a model of the speaker to verify the caller's voice to ensure the speaker's identity. Our solution is implemented on the Android platform, and simultaneously tests and evaluates transmission efficiency and speaker recognition. Experiments conducted on Android phones show that the error rate of the voice channel transmission signature certificate is within 3.247 %, and the certificate signature verification mechanism is feasible. The accuracy of the voice-print recognition is 72%, making it effective as a reference for identity authentication.

Passive RFID technology is widely used in user authentication and access control. We propose RF-Rhythm, a secure and usable two-factor RFID authentication system with strong resilience to lost/stolen/cloned RFID cards. In RF-Rhythm, each legitimate user performs a sequence of taps on his/her RFID card according to a self-chosen secret melody. Such rhythmic taps can induce phase changes in the backscattered signals, which the RFID reader can detect to recover the user's tapping rhythm. In addition to verifying the RFID card's identification information as usual, the backend server compares the extracted tapping rhythm with what it acquires in the user enrollment phase. The user passes authentication checks if and only if both verifications succeed. We also propose a novel phase-hopping protocol in which the RFID reader emits Continuous Wave (CW) with random phases for extracting the user's secret tapping rhythm. Our protocol can prevent a capable adversary from extracting and then replaying a legitimate tapping rhythm from sniffed RFID signals. Comprehensive user experiments confirm the high security and usability of RF-Rhythm with false-positive and false-negative rates close to zero.

Current paradigms for client-server authentication often rely on username/password schemes. Studies show such schemes are increasingly vulnerable to heuristic and brute-force attacks. This is either due to poor practices by users such as insecure weak passwords, or insecure systems by server operators. A recurring problem in any system which retains information is insecure management policies for sensitive information, such as logins and passwords, by both hosts and users. Increased processing power on the horizon also threatens the security of many popular hashing algorithms. Furthermore, increasing reliance on applications that exchange sensitive information has resulted in increased urgency. This is demonstrated by a large number of mobile applications being deemed insecure by Open Web Application Security Project (OWASP) standards. This paper proposes a secure alternative technique of authentication that retains the current ecosystem, while minimizes attack vectors without inflating responsibilities on users or server operators. Our proposed authentication scheme uses layered encryption techniques alongside a two-part verification process. In addition, it provides dynamic protection for preventing against common cyber-attacks such as replay and man-in-the-middle attacks. Results show that our proposed authentication mechanism outperform other schemes in terms of deployability and resilience to cyber-attacks, without inflating transaction's speed.

User identity and personal information remain to be hot targets for attackers. From recent surveys, we can categorize that 65.5% of all cyberattacks in 2018 target user information. Sadly, most of the time, the system's security depends on how secure it is the implementation from the provider-side. One defense technique that the user can take part in is applying a two-factor authentication (2FA) system for their account. However, we observe that state-of-the-art 2FAs have several weaknesses and limitations. In this paper, we propose TwoChain, a blockchain-based 2FA system for web services to overcome those issues. Our implementation facilitates an alternative 2FA system that is more secure, disposable, and decentralized. Finally, we release TwoChain for public use.

RSA is a popular asymmetric key algorithm with two keys scheme, a public key for encryption and private key for decryption. RSA has weaknesses in encryption and decryption of data, including slow in the process of encryption and decryption because it uses a lot of number generation. The reason is RSA algorithm can work well and is resistant to attacks such as brute force and statistical attacks. in this paper, it aims to strengthen the scheme by combining RSA with the One Time Pad algorithm so that it will bring up a new design to be used to enhance security on two-factor authentication. Contribution in this paper is to find a new scheme algorithm for an enhanced scheme of RSA. One Time Pad and RSA can combine as well.

Studies on two-factor authentication based on RFID and face recognition have been carried out on a large scale. However, these studies didn't discuss the way to overcome the weaknesses of face recognition authentication in the access control systems. In this study, two authentication factors, RFID and face recognition, were implemented using the LBP (Local Binary Pattern) algorithm to overcome weaknesses of face recognition authentication in the access control system. Based on the results of performance testing, the access control system has 100% RFID authentication and 80% face recognition authentication. The average time for the RFID authentication process is 0.03 seconds, the face recognition process is 6.3885 seconds and the verification of the face recognition is 0.1970 seconds. The access control system can still work properly after three days without being switched off. The results of security testing showed that the capabilities spoofing detection has 100% overcome the photo attack.

{Mobile devices are promising to apply two-factor authentication in order to improve system security and enhance user privacy-preserving. Existing solutions usually have certain limits of requiring some form of user effort, which might seriously affect user experience and delay authentication time. In this paper, we propose PPGPass, a novel mobile two-factor authentication system, which leverages Photoplethysmography (PPG) sensors in wrist-worn wearables to extract individual characteristics of PPG signals. In order to realize both nonintrusive and secure, we design a two-stage algorithm to separate clean heartbeat signals from PPG signals contaminated by motion artifacts, which allows verifying users without intentionally staying still during the process of authentication. In addition, to deal with non-cancelable issues when biometrics are compromised, we design a repeatable and non-invertible method to generate cancelable feature templates as alternative credentials, which enables to defense against man-in-the-middle attacks and replay attacks. To the best of our knowledge, PPGPass is the first nonintrusive and secure mobile two-factor authentication based on PPG sensors in wearables. We build a prototype of PPGPass and conduct the system with comprehensive experiments involving multiple participants. PPGPass can achieve an average F1 score of 95.3%, which confirms its high effectiveness, security, and usability}.

Two-factor authentication (2FA) systems implement by verifying at least two factors. A factor is something a user knows (password, or phrase), something a user possesses (smart card, or smartphone), something a user is (fingerprint, or iris), something a user does (keystroke), or somewhere a user is (location). In the existing 2FA system, a user is required to act in order to implement the second layer of authentication which is not very user-friendly. Smart devices (phones, laptops, tablets, etc.) can receive signals from different radio frequency technologies within range. As these devices move among networks (Wi-Fi access points, cellphone towers, etc.), they receive broadcast messages, some of which can be used to collect information. This information can be utilized in a variety of ways, such as establishing a connection, sharing information, locating devices, and, most appropriately, identifying users in range. The principal benefit of broadcast messages is that the devices can read and process the embedded information without being connected to the broadcaster. Moreover, the broadcast messages can be received only within range of the wireless access point sending the broadcast, thus inherently limiting access to those devices in close physical proximity and facilitating many applications dependent on that proximity. In the proposed research, a new factor is used - something that is in the user's environment with minimal user involvement. Data from these broadcast messages is utilized to implement a 2FA scheme by determining whether two devices are proximate or not to ensure that they belong to the same user.

Instant messaging is an application that is widely used to communicate. Based on the wearesocial.com report, three of the five most used social media platforms are chat or instant messaging. Instant messaging was chosen for communication because it has security features in log in using a One Time Password (OTP) code, end-to-end encryption, and even two-factor authentication. However, instant messaging applications still have a vulnerability to account theft. This account theft occurs when the user loses his cellphone. Account theft can happen when a cellphone is locked or not. As a result of this account theft, thieves can read confidential messages and send fake news on behalf of the victim. In this research, instant messaging application security will be applied using hybrid encryption and two-factor authentication, which are made interrelated. Both methods will be implemented in 2 implementation designs. The implementation design is securing login and securing sending and receiving messages. For login security, QR Code implementation is sent via email. In sending and receiving messages, the message decryption process will be carried out when the user is authenticated using a fingerprint. Hybrid encryption as message security uses RSA 2048 and AES 128. Of the ten attempts to steal accounts that have been conducted, it is shown that the implementation design is proven to reduce the impact of account theft.

We present True2F, a system for second-factor authentication that provides the benefits of conventional authentication tokens in the face of phishing and software compromise, while also providing strong protection against token faults and backdoors. To do so, we develop new lightweight two-party protocols for generating cryptographic keys and ECDSA signatures, and we implement new privacy defenses to prevent cross-origin token-fingerprinting attacks. To facilitate real-world deployment, our system is backwards-compatible with today's U2F-enabled web services and runs on commodity hardware tokens after a firmware modification. A True2F-protected authentication takes just 57ms to complete on the token, compared with 23ms for unprotected U2F.

In this paper, we consider the problem of transparently authenticating a user to a local terminal (e.g., a desktop computer) as she approaches towards the terminal. Given its appealing usability, such zero-effort authentication has already been deployed in the real-world where a computer terminal or a vehicle can be unlocked by the mere proximity of an authentication token (e.g., a smartphone). However, existing systems based on a single authentication factor contains one major security weakness - unauthorized physical access to the token, e.g., during lunch-time or upon theft, allows the attacker to have unfettered access to the terminal. We introduce ZEMFA, a zero-effort multi-factor authentication system based on multiple authentication tokens and multi-modal behavioral biometrics. Specifically, ZEMFA utilizes two types of authentication tokens, a smartphone and a smartwatch (or a bracelet) and two types of gait patterns captured by these tokens, mid/lower body movements measured by the phone and wrist/arm movements captured by the watch. Since a user's walking or gait pattern is believed to be unique, only that user (no impostor) would be able to gain access to the terminal even when the impostor is given access to both of the authentication tokens. We present the design and implementation of ZEMFA. We demonstrate that ZEMFA offers a high degree of detection accuracy, based on multi-sensor and multi-device fusion. We also show that ZEMFA can resist active attacks that attempt to mimic a user's walking pattern, especially when multiple devices are used.

Two-factor authentication has been widely used due to the vulnerabilities associated with the traditional password-based authentication. One-Time Password (OTP) plays an important role in authentication protocol. However, a variety of security problems have been challenging the security of OTP, and improvements are introduced to solve it. This paper reviews several schemes to implement and modify the OTP, a comparison among the popular OTP algorithms is presented. A smart grid architecture with edge computing is shown. The authentication techniques in the smart grid are analyzed.

Nowadays one-time passwords are used in a lot of areas of information technologies including e-commerce. A few vulnerabilities in authentication protocols based on one-time passwords are widely known. In current work, we analyze authentication protocols based on one-time passwords and their vulnerabilities. Both simple and complicated protocols which are implementing cryptographic algorithms are reviewed. For example, an analysis of relatively old Lamport's hash-chain protocol is provided. At the same time, we examine HOTP and TOTP protocols which are actively used nowadays. The main result of the work are conclusions about the security of reviewed protocols based on one-time passwords.

Two-factor authentication (2FA) defends against password compromise by a remote attacker. We surveyed 4,275 students, faculty, and staff at Brigham Young University to measure user sentiment about Duo 2FA one year after the university adopted it. The results were mixed. A majority of the participants felt more secure using Duo and felt it was easy to use. About half of all participants reported at least one instance of being locked out of their university account because of an inability to authenticate with Duo. We found that students and faculty generally had more negative perceptions of Duo than staff. The survey responses reveal some pain points for Duo users. In response, we offer recommendations that reduce the frequency of 2FA for users. We also suggest UI changes that draw more attention to 2FA methods that do not require WiFi, the "Remember Me" setting, and the help utility.