The Use of Internet in Electronic Authentication

For decades, humans have employed the use of password-based schemes as the main modes of authentication into websites and other electronic platforms. The password authentication system primarily prevents unauthorized access. However, the many number cases of thefts and hacks exposed the various security weaknesses in these schemes, which forced improvements that include use entities such as ownership, knowledge, and inherence as main factors which are combined with secondary factors such as mobile phones to guarantee improved security assurances. Many daily activities and services such as banking have transformed drastically into internet services. Moving sensitive data services to the internet requires strong authentication to provide adequate security and privacy.

Today’s pervasive nature of computing means most people rely on public computers and electronic devices to conduct online business, which makes it a preferred area for many electronic services such as electronic banking and electronic commerce, a fact that makes security an important enabler. To guarantee top security and privacy, electronic authentication based on Quick Response code and One Time Passwords makes life harder for potential intruders to access restricted resources. As a result, various QR and OTP schemes have been designed using SMS, smartcards, and time-synchronized tokens. An increase in more daring attacks from hackers and cyber criminals makes security risks more pressing. Therefore, systems based on single factors such as passwords authentication become prone to vulnerabilities, which forces the use of electronic authentication using multiple factors. This research paper analyzes electronic authentication systems that use QR code and OTP and finds that such schemes are very secure and can serve many types of services such as banking transactions.

Introduction

Today, the attempts to secure the entire online services system keep advancing in development in wake of the many people that try to take advantage by accessing certain systems illegally. Despite the many efforts and measures designed to ensure safety, there still exists unnoticed system loopholes. Different eras come with different modification to the authentication systems that range from text passwords to graphical passwords. These measures have proven ineffective in guaranteeing security and privacy as everyday attackers design and find new ways and routes to exploit. Today, there is a vast number of internet users, a number that keeps increasing drastically with time. As a result, people now can use different online services offered by hospitals, online shopping sites, banks, colleges, and bill payments. Accessing these and other online services requires a text-based authentication system. While the text-based authentication system proves functional, it has some flaws affecting its usability and security issues, which negates identity, the cornerstone of electronic trust.

The electronic authentication approach is meant to block away potential imposters and at the same time be more reliable to the user. The main function of a security system is controlling the movement of people in and out of certain areas such as information systems, national borders as well as physical buildings among others. Elsewhere, psychology studies teach that the brain recognizes and remembers a physical image than text. This means that computers and electronic security systems must have in mind human factors like accessibility and ease of use. In fact, the electronic authentication system’s main flaws are because the systems do not consider the importance of human factors when it comes to security. As such, an ideal security system must prioritize usability, security, and human factors in order to increase its users from well trained and skilled users to include other wider parameters.

Background to the Study

Validation services deal with authentication and authorization, which means their primary focus, is on security and resultant issues. Therefore, it is important that electronic authentication services remain consistent, stay updated with the latest technology and at the same time have minimum risk of security breaches. This makes security and time aspects a top priority when designing electronic authentication services. For instance, electronic banking applications inform customers of the status of their accounts and provide them with the opportunities to confirm their balance as well as undertake transfers out of their accounts. This makes the account’s security a major factor when accepting the use of the applications. Although time is an important factor, most users might not put much emphasis on it if security in the transaction is assured so that other parties cannot access the account information and therefore cannot initiate further transfers. Authentication platforms such as login and secure communications utilize cryptographic algorithms to guarantee private client-server relations, ensure transactions are never repudiated, as well as ensure data communicated between them is not only complete but also valid (Liao & Lee, 2010).

Statement of the Problem

Validation services function by comparing two values. A user provides the input value and the system compares it with the previously entered value (Gemalto, n.d). A direct match of the input and the saved values grants access to resources such as bank accounts, websites, or building sites. As such, designers of these systems must carefully consider the system’s goals. For instance, for bank transactions, security ranks as the top issue, which means the authentication process must involve certain validation checks before authorization of access and transactions. The seriousness of financial transactions makes time a secondary factor, which users readily accept. However, there are some situations where time is more critical thus requiring a fast and secure electronic authentication system.

Authentication

The use of internet in electronic authentication has many advantages such as speed and user interface. Despite these advantages, using internet for authentication creates vulnerabilities to cybercriminals, unprincipled threats, and hackers that come in terms of repudiation, unauthorized access, and manipulations on stored content as well as unprivileged activities (Kennedy, 2010). This makes it very important to design and implement strong solutions that authenticate identities before a user can access certain services and resources. To prove a user’s identity, the three factors used include ownership, knowledge, and inference. The user must provide his/her evidence such as a fingerprint, the card, or password to support each factor (Kennedy, 2010).

A common situation today is the importance of authentication when accessing certain buildings. Physical location’s authentication is based on older methods such as security guards that crosscheck one’s validity as an entity against a set list of people’s names with access to the facility. Due to its manual nature, the process tends to be time-consuming. Other electronic authentication systems employ the use of videos or voice sessions between recipients and arrivals thus providing the visiting party with the medium to authenticate themselves from where the recipient decides to grant or deny access to the building.

Evidently, this and other mentioned authentication systems take more time. However, today’s advancement in technology makes it possible to use certain devices to design new, faster, and more secure ways of electronic authentication when accessing buildings, and other complex electronic services such as website accounts and online banking. These authentication systems must be easy to implement and at the same time guarantee maximum security. Using current existing devices and software to design QR and OTPs in electronic authentication instances proves to be cost-effective and more secure as compared to other means such as graphical passwords. Using QR and OTPs during electronic authentication would clearly and straightforwardly differentiate authorized and unauthorized users and at the same time make it possible for a user to use multiple computers and mobile devices.

Electronic Authentication

Electronic authentication involves instituting confidence in user identities electronically. Also known as digital authentication, the process confirms or certifies a certain user’s identity (IT, 2009). The process presents people with a more secure way of verifying a user’s identity when performing transactions and other activities online, which proves helpful especially given today’s increase in fraud and identity theft cases. E-authentication provides many options when authenticating a user’s identity such as passwords and multifactor authentication.

The model was developed by NIST and authenticates people and accounts regardless of jurisdiction or physical location. The authentication process starts with a user’s application to a CSP. The Credential Service Provider must prove the applicant’s identity so that the applicant receives a ‘subscriber’ status. The system then provides an authenticator such as credential and tokens, which takes many forms such as username. The Credential Service Provider manages the credential and the user’s enrolment data from where the user is tasked with maintaining the authenticators. This means that for a user who uses a certain computer to conduct online banking to access their accounts using a different computer; he must verify their identity to CSP because the authenticator is absent. Verification to the CSP at such times might be in terms of having to answer a challenge question successfully to get access.

One Time Password (OTP)

One Time Passwords are passwords used only once for transactions or sessions either on computers or other digital appliances. In this sense, OTP circumvents many shortcomings affecting traditional passwords systems. The main advantage of OTPs over static passwords is that OTPs are invulnerable to replay attacks. As such, a potential intruder in possession of a user to log in OTP cannot abuse it because using it once makes it invalid for further use. An equally important advantage is that using a similar password on multiple systems by a user does not make the account vulnerable on all systems in case one of these passwords is gained by a potential intruder.

Trying to impersonate or intercept a session fails because the system is able to notice a trend of unpredictable data that does not match the data created in previous sessions, which further reduces the attack surface. The effectiveness of OTPs creates a possible replacement and improvement of traditional passwords. On the other hand, the complex nature of OTPs makes them too difficult for people to memorize, which means their efficiency relies on additional technology.

Quick Response (QR) code

QR codes are trademarks for certain matrix barcodes that represents information by using black and white squares that join to form a large square. QR codes have a white background and are readable by any imaging devices such as cameras. The information stored in QR codes is extracted from patterns appearing in the code’s horizontal and vertical components. QR codes originated in Japan who originally designed them for their automotive industry in 1994. Barcodes are optical labels with information on certain items from which they are attached. Encoding modes used by QR codes to store data includes kanji, byte, numeric and alphanumeric. The QR not only has fast readability but also has greater storage capacity than UPC barcode (Dey, 2018). As a result, the system became very popular in automotive and it eventually found its way into other industries that apply it in multiple ways.

A QR code

For example, there are many urban spaces that utilize Billboard advertisements with QR codes to provide future potential customers with information. Elsewhere, Korean based supermarket Tesco boosted online shopping and penetrated the Southern Korea market using QR codes (Ebling & Caceres, 2010). Mobile payments also utilize QR codes by making it possible to buy a product/service by scanning the attached code, a method called ‘one-click’ payment (Ebling & Caceres, 2010). In conjunction with other methods of security improvement, QR codes can control physical access. Other uses include product tracking, time tracking, and item identification, and document management. Such a combination includes QR codes and OTP.

Literature Review

In his research, Blonder (1996) was the original describer of passwords. His description involved the appearance of an image on the screen from where the user would be required to click certain regions of the picture. Authentication would result only if the user clicks the correct regions. Presented in GUI format, graphical password authentication system operates by selecting certain images in a specific order. The resulting Graphical User Identification defines graphical password used in the graphical interface for authentication. Since 1996, Blonder’s work has inspired many techniques in the field of graphical password.

Today, electronic authentication technology presents people with the main mode of guaranteeing information remains secure (Salim, 2016). In his research that proposed a hybrid graphical password that used an audio signature, Salim’s (2016) work found that alphanumeric passwords are not only the most common but also the most convenient electronic authentication method. What drives these systems’ design is the fact that the brain recalls graphical objects better than texts, an assumption supported even by psychological studies. Technology advancements make it easier as it oversees touch-based devices like tablets, mobile phones, and touch screen monitors. These devices make the alphanumeric method inconvenient. As such, the graphical password method provides a better system as its authentication requires only a touch in the screen’s correct regions. It is also hard to crack in graphical passwords.

In a separate research, Jansen’s (2003) work proposed the implementation of graphical passwords in mobile devices. In this system, a user would be prompted to select a theme such as a cat or a sea. These themes would have thumbnail photos that the system would register in images as passwords. As such, authentication would require the user to input these images in the right order. The main issue with this technique is that thumbnail images cannot exceed 30, which greatly reduces the password space. The system assigns a numeric value to each thumbnail image, which triggers the generation of a numeral based on the sequence of selection.