    Multi-factor Authentication and Their Approaches

    A multi-factor authentication is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor ("something the user knows"), a possession factor ("something the user has"), and an inherence factor ("something the user is"). Two-factor authentication seeks to decrease the probability that the requestor is presenting false evidence of its identity. In reality, there are more variables to consider when establishing the relative assurance of truthfulness in an identity assertion than simply how many "factors" are used. The U.S. Federal Financial Institutions Examination Council issued supplemental guidance on this subject in August 2006, in which they clarified, "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors

    Implementing Resiliency of Adaptive Multi-Factor Authentication Systems

    Multi-factor authentication (MFA) is becoming increasingly popular as a way to safeguard systems from unauthorized user access. Adaptive Multi-Factor Authentication (A-MFA) is an enhanced version of MFA that allows legitimate users to access a system using different factors that change based on different considerations. In other words, authentication factors, including passwords and biometrics among others, are adaptively selected by the authentication system based on criteria (e.g., whether the user is trying to log in from within the system boundary, or whether the user is trying to access the system during the organization's operating hours). The criteria (i.e., triggering events) that A-MFA uses to select authentication factors adaptively are usually pre-defined and hard-coded in the authentication system itself. In this paper, a graphical user interface application is designed to add more resiliency to the existing A-MFA method by enabling system administrators to rank the triggering criteria based on the users' roles, system assets, tolerance to risk, etc. The proposed tool allows system administrators to determine when to tighten and when to relax user access to the system. The tool uses a multiple criteria decision making (MCDM) method to allow system administrators to assess the trustworthiness of a user. Based on the trustworthiness of the user, the tool selects the number and complexity of the authentication methods. This tool will help to utilize the system administrator's situational awareness to improve security. This work aims to preserve the strengths of A-MFA while giving system administrators more flexibility and authority in controlling access to systems.

    Investigating customer-facing security features on South African e-commerce websites

    E-commerce websites often store sensitive customer information, and there is the impression that customers are not as concerned about protecting their data as they should be. Instead, they often choose convenience over security. There are those who argue that e-vendors do not provide the necessary environment to adequately protect their customers' data by utilizing multi-factor authentication and by providing customer support that educates and encourages customers to follow security best practices. This study develops criteria to evaluate website security and goes on to investigate how the top 20 South African e-commerce websites perform against these criteria. The results show that multi-factor authentication is underutilized and that security in the form of password-based authentication can be improved. Furthermore, despite many customer support channels and resources, there is little emphasis placed on educating and encouraging customers to follow security best practices. The results suggest areas for security improvement in order to build trust in e-commerce websites.

    Integrating a usable security protocol for user authentication into the requirements and design process

    Usability and security are crucial elements in the user authentication process. One of the major challenges organizations face today is offering access systems for logical resources (for example, a computer application) and physical resources (for example, a building) that are both secure and usable. To achieve these goals, it is first necessary to implement the three indispensable components: identification (i.e., defining a user's identity), authentication (i.e., verifying a user's identity) and authorization (i.e., granting access rights to a user). In particular, research on user authentication is essential. Without authentication, for example, computer systems are unable to verify whether a user requesting access to a resource has the rights to do so. Although many research works have addressed various security mechanisms, very little research to date has addressed the usability and security of user authentication methods. For this reason, it seems necessary to us to develop a usability and security protocol for designing user authentication methods. The central thesis of this research work holds that there is an intrinsic conflict between building systems that are secure and building systems that are easy to use. However, usability and security can be built synergistically by using analysis and design tools that include usability and security principles from the Analysis and Design stage of the authentication method onward. In some situations it is possible to improve usability and security simultaneously by revisiting design decisions made in the past.
    In other cases, it is more advantageous to align usability and security by changing the regulatory environment in which computers operate. For this reason, the main objective of this thesis is not to address usability and security after the final product has been built, but to make security a natural outcome of the Analysis and Design stage of the authentication method's life cycle.

    AUTHOR'S KEYWORDS: user authentication, usability, computer security, access control

    One-time password (OTP) authentication system for mobile phones

    This project consists of the analysis, design and implementation of a One-Time Password (OTP) authentication system for mobile devices. To avoid the use of static passwords, we will develop a mobile phone application capable of generating random passwords from previously agreed parameters, and of keeping a register of the services where they may be used. We will start from a challenge/response protocol in which the user interacts with his mobile phone and a personal computer connected to the Internet. He will be able to register and, by entering certain data provided by the server into his mobile phone, authenticate himself in order to access the service's restricted zones.

    Development of a secure multi-factor authentication algorithm for mobile money applications

    A Thesis Submitted in Fulfillment of the Requirements for the Degree of Doctor of Philosophy in Information and Communication Science and Engineering of the Nelson Mandela African Institution of Science and Technology

    With the evolution of Industry 4.0, financial technologies have become paramount, and mobile money, as one of these financial technologies, has contributed immensely to improving financial inclusion among the unbanked population. Several mobile money schemes have been developed, but they suffered severe authentication security challenges since they implemented only two-factor authentication. This study focused on developing a secure multi-factor authentication (MFA) algorithm for mobile money applications. It uses personal identification numbers, one-time passwords, biometric fingerprints, and quick response codes to authenticate and authorize mobile money subscribers. Secure Hash Algorithm-256, Rivest-Shamir-Adleman encryption, and Fernet encryption were used to secure the authentication factors, confidential financial information and data before transmission to the remote databases. A literature review, a survey, an evolutionary prototyping model, and heuristic evaluation and usability testing methods were used, respectively, to identify authentication issues, to develop prototypes of native genuine mobile money (G-MoMo) applications, and to identify usability issues with the interface designs and ascertain their usability. The results of the review grouped the threat models into attacks against privacy, authentication, confidentiality, integrity, and availability. The survey identified authentication attacks, identity theft, phishing attacks, and PIN sharing as the key security issues of mobile money systems. The researcher designed a secure MFA algorithm for mobile money applications and developed three native G-MoMo applications implementing the designed algorithm to prove its feasibility and that it provided robust security.
    The algorithm provided non-repudiation, ensured strong authentication security, data confidentiality, integrity, privacy, and user anonymity, and was highly effective against several attacks, but had high communication overhead and computational costs. Nevertheless, the heuristic evaluation results showed that the G-MoMo applications' interface designs lacked forward navigation buttons, uniformity in the applications' menu titles, search fields, actions needed for recovery, and help and documentation. Similarly, the usability testing revealed that they were easy to learn, effective, efficient, memorable, with few errors and good subscriber satisfaction, easy to use, aesthetic, easy to integrate, and understandable. Implementing secure mobile money authentication and authorisation by combining multiple securely stored factors helps mobile money subscribers and other stakeholders to have trust in the developed native G-MoMo applications.