DESIGN AND IMPLEMENTATION OF A TWO FACTOR AUTHENTICATION LOGIN SYSTEM USING ONE TIME PASSWORD (OTP) WITH SMS
ABSTRACT
This paper examines the design and implementation of a two-factor authentication login system using OTP with SMS. Applying tighter security measures to web, desktop and mobile applications has been a major concern for many people. Faced with poor security and the vulnerability of users, which results in applications being compromised by unauthorized people, the researcher developed a more secure login application that sends a secret passcode to the registered phone number of a user for identification purposes. The aim of the application is to ensure that users are safe and that all logins are authorized. The application was developed with PHP, MySQL, CSS, Bootstrap and HTML.
CHAPTER ONE
INTRODUCTION
With the development of science and technology, and of the means of storing and exchanging information (the transfer of data across a network from one site to another), the security of data and information has become important. We need to protect information from the dangers that threaten or attack it, using tools that protect it from internal and external threats, in addition to procedures adopted to prevent information from reaching unauthorized persons through communications and to ensure the authenticity of those communications.
Today security concerns are on the rise in all areas. Most systems today rely on static passwords to verify the user's identity. Users have a propensity to use obvious, simple or easily guessable passwords, to reuse the same password for multiple accounts, and even to write their passwords down, store them on their system or ask websites to remember their password. This reliance on static passwords, combined with the expanded dependence on access to IT systems, progressively exposes users to hackers, identity thieves and fraudsters. In addition, hackers have numerous techniques and attacks available, such as guessing attacks, shoulder surfing, dictionary attacks, brute force attacks, snooping and social engineering, to steal passwords and so gain access to login accounts. Quite a few techniques and strategies for using passwords have been proposed, but some of them are not easy to use in practice. To solve the password problem in the banking sector and for online transactions, two-factor authentication using an OTP together with an ATM PIN or card has been implemented.
OBJECTIVE OF THE STUDY
The aims and objectives that will be achieved on completion of this project are discussed in this subchapter. They are as follows:
1. Avoid the risks related to the use of passwords.
2. Limit unauthorized access to accounts.
3. Verify the identity of the person requesting access to the system.
4. Build an authentication process at low cost.
5. Take advantage of users' smartphones.
STATEMENT OF THE PROBLEMS
In recent years, institutions and organizations have taken an increased interest in the security of their networks and systems. One of these aspects is verifying that the person requesting access to the system is who he or she claims to be; this process is called authentication. Most systems use only a password to control access during the login process. Below are some problems and risks of using passwords in the user authentication process:
1. Recently, systems, websites and personal accounts have been breached in large numbers and in many different ways because of the weak protection methods of those systems, so it has become necessary to find more secure ways to protect them.
2. Passwords are becoming easier to guess.
3. Short passwords are easy to guess and crack.
4. Equipment and software often have standard pre-configured passwords (default passwords).
5. Most people who have many accounts use the same password for all of them.
SIGNIFICANCE OF THE STUDY
As computer science has developed, so have the ways to hack systems, and data has become more sensitive; as a result, there is a greater need to find solutions that overcome the weaknesses hackers exploit. We therefore propose two-level user authentication for access to the system.
SCOPE OF THE STUDY
The two-way mobile authentication system is an innovative technology used to solve the existing problems of present one-factor authentication, which is a simple username and password. Two-way mobile authentication solves this problem by using strong authentication that combines "something you know", "something you have" and "something you are". Compared individually, each of these three methods has vulnerabilities: something you know may be shared, something you have may be stolen, and something you are is stronger but expensive to use in all cases. So the combination provides stronger authentication.
The project is aimed at realizing strong two-factor authentication using a mobile device in order to:
1. Provide cost-effective and user-friendly authentication.
2. Avoid a simple username and password system, which is no longer secure.
3. Use the mobile phone as the authentication token.
4. Be easy to use with any existing web application.
5. Require no additional hardware.
6. Be easy to deploy.
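The login flow the paper describes has two steps on the server: after the password is accepted, issue a one-time code to the registered phone number, then verify the code the user types back. The following is an added example written for this page in PHP (the project's language); it is not the paper's own code. It assumes a hypothetical `otp_challenges` table (schema constructed below), a `sendSms()` stub standing in for whatever SMS gateway is used, and an in-memory SQLite database so the script runs offline; the phone number and user id are constructed sample values. It stores only a hash of the code, expires it after five minutes, counts wrong guesses so the code cannot be brute-forced, and deletes the challenge on success so the code is single use.

```php
<?php
// Added example (not the paper's code): OTP issue/verify flow for an SMS second factor.
// Assumes a hypothetical otp_challenges table (constructed schema below); sendSms() is a
// stub for the real SMS gateway. Demo data at the bottom is constructed, not from the paper.
declare(strict_types=1);

const OTP_DIGITS       = 6;
const OTP_TTL_SECONDS  = 300;  // code is valid for 5 minutes
const OTP_MAX_ATTEMPTS = 5;    // discard the challenge after this many wrong guesses

function generateOtp(): string {
    // random_int() is a CSPRNG; str_pad() keeps leading zeros (e.g. "004217").
    $max = 10 ** OTP_DIGITS - 1;
    return str_pad((string) random_int(0, $max), OTP_DIGITS, '0', STR_PAD_LEFT);
}

function hashOtp(string $code, int $userId): string {
    // Bind the hash to the user so a leaked row cannot be replayed for another account.
    return hash('sha256', $userId . ':' . $code);
}

function sendSms(string $phone, string $message): void {
    // Placeholder for the SMS gateway call. Log only a masked number, never the code.
    error_log('SMS to ' . substr($phone, 0, 4) . '****: OTP dispatched');
}

// Step 1: password (first factor) accepted -> create and send the second-factor challenge.
function issueOtp(PDO $db, int $userId, string $phone): void {
    $code = generateOtp();
    $stmt = $db->prepare(
        'REPLACE INTO otp_challenges (user_id, code_hash, expires_at, attempts) VALUES (?, ?, ?, 0)'
    );
    $stmt->execute([$userId, hashOtp($code, $userId), time() + OTP_TTL_SECONDS]);
    sendSms($phone, "Your login code is $code. It expires in 5 minutes.");
}

// Step 2: the user submits the code received by SMS.
function verifyOtp(PDO $db, int $userId, string $submitted): bool {
    $stmt = $db->prepare('SELECT code_hash, expires_at, attempts FROM otp_challenges WHERE user_id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;  // no outstanding challenge for this user
    }
    if ((int) $row['attempts'] >= OTP_MAX_ATTEMPTS || time() > (int) $row['expires_at']) {
        $db->prepare('DELETE FROM otp_challenges WHERE user_id = ?')->execute([$userId]);
        return false;  // expired or too many guesses: the user must request a new code
    }
    // Record the attempt before comparing so every wrong guess counts.
    $db->prepare('UPDATE otp_challenges SET attempts = attempts + 1 WHERE user_id = ?')->execute([$userId]);
    if (!preg_match('/^\d{' . OTP_DIGITS . '}$/', $submitted)
        || !hash_equals($row['code_hash'], hashOtp($submitted, $userId))) {
        return false;  // hash_equals() is constant-time, avoiding a timing side channel
    }
    // Success: the code is single use, so remove the challenge.
    $db->prepare('DELETE FROM otp_challenges WHERE user_id = ?')->execute([$userId]);
    return true;
}

// Self-contained demo against an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE otp_challenges (user_id INTEGER PRIMARY KEY, code_hash TEXT NOT NULL, '
        . 'expires_at INTEGER NOT NULL, attempts INTEGER NOT NULL DEFAULT 0)');
issueOtp($db, 42, '+2348000000000');          // constructed user id and phone number
var_dump(verifyOtp($db, 42, '000000'));        // a wrong guess is rejected and counted
```

The expiry and attempt counter are what make a six-digit code safe to use: without them an attacker who has the password could simply try all one million codes. The `hash_equals()` comparison and the regular-expression check reject malformed input before the hash is computed, and storing only the hash means a read of the table does not reveal codes still in flight.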
DEFINITION OF TERMS
1. Authentication: The process or action of proving or showing something to be true, genuine or valid.
2. System: A physical component of a computer that is used to perform a certain task.
3. Data: Numbers, text or images in a form suitable for storage in or processing by a computer, or incomplete information.
4. Information: Meaningful material derived from computer data by organizing and interpreting it in a specified way.
5. Input: Data entered into a computer for storage or processing.
6. Output: Information produced by a computer after processing.
7. Information System: A set of interrelated components that collect (or retrieve), process, store and distribute information to support decision making and control in an organization.
8. Computer: An electronic device that accepts data as input, processes the data and gives out information as output to the user.
9. Software: A set of related programs designed by the manufacturer to control the hardware and enable the computer to perform a given task.
10. Hardware: The physical parts of a computer that can be touched, seen and felt, and which are controlled by the software to perform a given task.
11. Database: A collection of related data in an organized form.
12. Programming: A set of coded instructions which the computer understands and obeys.
13. Technology: The branch of knowledge that deals with the creation and use of technical means and their interrelation with life, society and the environment, drawing upon such subjects as industrial art, engineering, applied science and pure science.
14. Algorithm: A set of logic rules determined during the design phase of a data matching application; the 'blueprint' used to turn logic rules into computer instructions that detail what step to perform in what order.
15. Application: The final combination of software and hardware which performs the data matching.
16. Data matching database: A structured collection of records or data that is stored in a computer system.
17. Data integrity: The quality of correctness, completeness and compliance with the intention of the creators of the data, i.e. 'fit for purpose'.
18. Password: A secret code that a user must type into a computer to gain access to it or its applications. It is made up of numbers, letters, characters or a combination of any of these categories.
19. PHP: Hypertext Preprocessor (the name is a recursive acronym). A programming language known as a server-side scripting language. It was used in developing this software.
20. Identification: The act of recognizing and naming someone or something.
21. Verification: Evidence that establishes or confirms the accuracy or truth of something.
22. Query language: A database query language and report writer that allows users to interactively interrogate the database, analyze its data and update it according to the user's privileges on the data. It also controls the security of the database.
23. API: A set of functions and procedures that allow the creation of applications which access the features or data of an operating system, application or other service.