DESIGN AND IMPLEMENTATION OF A 2FA LOGIN SYSTEM USING THE

GOOGLE AUTHENTICAOTR APPLICATION

(A CASE STUDY OF MUDASSIR & BROTHERS)

BY

ABDULRAHMAN AHMAD NID/CSE/22B/0078

MUHAMMAD IDRIS YAHYA NID/CSE/22B/0078
ABDULLAHI USMAN NID/CSE/22B/077
UMAR ZUBAIRU AHMAD NID/CSE/22B/0081

A PROJECT SUBMITTED TO THE DEPATMENT OF COMPUTER SOFTWARE

ENGINEERING
SCHOOL OF TECHNOLOGY

IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE AWARD OF

NATIONAL INNOVATION DIPLOMA (NID) IN COMPUTER SOFTWARE ENGINEERING
KATSINA STATE INSTITUDE OF TECHNOLOGY AND MANAGEMENT

JANUARY, 2025

1
 APPROVAL PAGE

This research report has been read and approved as meeting the requirements for the award of
National Innovation Diploma in Computer Software Engineering.

MAL. MUBARAK HASSAN MUNNIR

Project Supervisor Sign/Date

Project Coordinator Sign/Date

MALAMA. KHAUSAR
Head of Department Sign/Date

2
 DEDICATION

We humbly thank the Almighty God for having kept us for all these years and the energy to
come-up with this report. We dedicate this work to our parents and guardian for their tireless
efforts towards the success of this Diploma. We thank them for having supported us both
financially, parental care as wells in prayers. We also dedicate this work to our supervisor MAL.
MUBARAK HASSAN MUNNIR For the tireless work, supervision and guidance he has offered
us. It has been great working with him. God bless you abundantly. Also we want to thank all the
friends for their corporation, contributions and efforts rendered towards achieving this success.

3
 ACKNOWLEDGEMENT

We profoundly honored and exceedingly humbled to take this pleasure to acknowledge all the
people who contributed both morally, financially and academically to have our long-term dream.
We wish to extend our heartfelt and sincere gratitude to our parents, sisters and brother for their
contribution to our academic struggle; our friends especially course mates that provided us with
necessary information. We can never get the right words to express how grateful us. Also special
thanks go to our Supervisor MAL. MUBARAK HASSAN MUNNIR without whose
encouragement and criticism, we would not have been able to produce this report.

4
 TABLE OF CONTENTS

APPROVAL PAGE.........................................................................................................................2

DEDICATION.................................................................................................................................3

ACKNOWLEDGEMENT...............................................................................................................4

TABLE OF CONTENTS................................................................................................................5

ABSTRACT....................................................................................................................................8

ACRONYMS...................................................................................................................................9

CHAPTER ONE............................................................................................................................11

1.1 Background of the Study......................................................................................................11

1.2 Statement of the Problem.....................................................................................................13

1.3 Objectives of the Study........................................................................................................14

1.4 Significance of the Study.....................................................................................................14

1.5 Scope/Limitations of the Study............................................................................................14

Limitations of study...................................................................................................................14

1.6 Definition of Terms..............................................................................................................15

CHAPTER TWO...........................................................................................................................16

2.1 INTRODUCTION...............................................................................................................16

2.2 Conceptual Framework........................................................................................................16

2.3 Definition of two-factor authentication................................................................................18

2.3.1 Two-Factor Using SMS.................................................................................................19

2.3.2 Two-Factor Using Pre-Generated Passwords................................................................19

2.3.3 Two-Factor Using One-Time Password:.......................................................................20

2.4 OTP implementation versus other existing methods...........................................................22

2.4.1 OTPs versus other methods of securing data................................................................23

5
 2.5 Features of two-way mobile authentication systems...........................................................26

2.6 Empirical Review.................................................................................................................26

CHAPTER THREE.......................................................................................................................28

3.0 INTRODUCTION...............................................................................................................28

3.1 METHODOLOGY...............................................................................................................28

3.1.1 STRUCTURED SYSTEMS ANALYSIS AND DESIGN............................................28

3.1.2 PROBLEM IDENTIFICATION...................................................................................29

3.1.3 FEASIBILITY STUDIES.............................................................................................29

3.1.4 SYSTEM ANALYSIS..................................................................................................31

3.1.5 DESIGN PHASE...........................................................................................................31

3.1.6 IMPLEMENTATION...................................................................................................31

3.2 ANALYSIS..........................................................................................................................32

3.2.1 SYSTEM INVESTIGATION.......................................................................................32

3.2.2 ANALYSIS OF THE PRESENT SYSTEM.................................................................33

3.3 PROGRAMMING PROCESS.............................................................................................33

3.3.1 Programming Maintenance...........................................................................................34

CHAPTER FOUR.........................................................................................................................35

4.0 INTRODUCTION...............................................................................................................35

4.1 SYSTEM DESIGN..............................................................................................................35

4.1.1 System Flow Diagram...................................................................................................36

3.1.2 UML Diagram...............................................................................................................36

4.1.3 UML Use-Case Diagram...............................................................................................37

4.1.4 UML Activity Flow Diagram........................................................................................38

4.2 DATABASE SPECIFICATION..........................................................................................38

4.2 INPUT/OUTPUT DESIGN.................................................................................................39

6
 4.2.1 LOGIN PAGE...............................................................................................................39

4.2.2 REGISTER LOGIN PAGE...........................................................................................39

4.2.3 AUTHENTICATE PASSWORD PAGE......................................................................40

4.3 TESTING.............................................................................................................................41

4.3.1 Functional Tests............................................................................................................41

4.3.2 Performance Tests:........................................................................................................41

4.3.3 Black Box-White (Glass) Box Testing..........................................................................42

4.3.4 Test Activities................................................................................................................42

4.4 Procedure for evaluating the work.......................................................................................43

CHAPTER FIVE...........................................................................................................................47

5.1 CONCLUSION....................................................................................................................47

5.2 RECOMMENDATION.......................................................................................................47

REFERENCES..............................................................................................................................49

7
 ABSTRACT

The ever-increasing use of internet around the world has without doubt increased the usage
of internet-based services, e-business models, easier ways of communication and
information sharing. Such drastic increase in usage of network-based systems has made the
current cyber security systems old dated as the hackers and attackers of networked systems
is on the rise with new and modern attack methodologies. This has necessitated the need of
more secure ways of communications. The issues of Confidentiality, Integrity and the
Availability of systems are of prime importance and more research towards these issues has
been called for around the world. One of the major areas of security improvement is the way
in which authentication of users is carried out. Even though many organizations still rely on
static ID and password authentication system, this method is getting old and there is a
requirement for a better way of authentication which is required. One of the solutions for
this issue is the two factor authentication technique as a fundamental security function. Our
thesis proposal explores the two factor authentication technique and implementation issues
which can be used for the two factor authentication technique. Two-factor authentication
method is implemented in two main phases. In the first phase, the authenticator gets a
request generated by the application to authenticate a specified user.

8
 ACRONYMS

2FA Two -Factor Authentication

2SV Two-Step Verification

AAA Authentication, Authorization and Accounting

CHAP Challenge-handshake authentication protocol

EAP Extensible Authentication Protocol

OTP One-Time Password

IDE Integrated Development Environment

APK Android application package

ADB Android Debug Bridge

SDK Software Development Kit

JWT JSON Web Token

TOTP Time-based One-Time Password

TEE Trusted Execution Environment

NTP Network Time Protocol

HTTPS Hypertext Transfer Protocol Secure

SQL Structured Query Language

JPQL Java Persistence Query Language

XSS Cross-Site Scripting

MITM Man-in-the-Middle Attack

SHA-256 Secure Hash Algorithm (Digest Size: 256)

AES Advanced Encryption Standard

OTP - One Time Password

2WAMS - 2 Way Mobile Authentication Systems

9
PHP - Hypertext Preprocessor
HTML- Hypertext Markup Language
SQL - Structured Query Language
GPRS - General Packet Radio Service
FIPS - Federal Information Processing Standard
SHA1 - Secure Hash Algorithm
DSA - Digital Signature Algorithm
DSS - Digital Signature Standard

10
 CHAPTER ONE

INTRODUCTION

1.1 Background of the Study

Security is a major concern today in all sectors such as banks, governmental applications,
military organization, educational institutions, etc. Government organizations are setting
standards, passing laws and forcing organizations and agencies to comply with these standards
with non-compliance being met with wide-ranging consequences. There are several issues when
it comes to security concerns in these numerous and varying industries with one common weak
link being passwords. The rapid growth in the number of online services leads to an increasing
number of different digital identities each user needs to manage. But passwords are perhaps the
most common type of credential used today. To avoid the tedious task of remembering difficult
passwords, users often behave less securely by using low entropy and weak passwords. Most
systems today rely on static passwords to verify the user’s identity. However, such passwords
come with major management security concerns. Users tend to use easy-to-guess passwords, use
the same password in multiple accounts or store them on their machines, etc. Furthermore,
hackers have the option of using many techniques to steal passwords such as shoulder surfing,
snooping, sniffing, guessing, etc. Moreover passwords can be written down, forgotten and stolen,
guessed deliberately being told to other people.
Several proper strategies for using passwords have been proposed. Some of which are very
difficult to use and others might not meet the company’s security concerns. Some solutions have
been developed to eliminate the need for users to create and manage passwords. A typical
solution is based on giving the user a hardware token that generates one-time-passwords, i.e.
passwords for single session or transaction usage.
Dynamic password (namely, One-Time-Password) technology is a sequence password system
and is the only password system proved non-decrypted in theory. Its basic idea is to add
uncertain factor in authentication so that users need to provide different messages for
authentication each time. By this way, the applications themselves can obtain higher security
guarantee than those use static password technology. The typical implementation methods of
OTP include Time Synchronization and Challenge/Response. No matter what methods are used
to realize dynamic property of password for each authentication, the core is to ensure the

11
randomness of factors added into the authentication. Many current OTP applications use
mathematic methods like Hash function for dynamic passwords but still will suffer potential
attacked risks Using static passwords for authentication, as it is commonly done, has quite a few
security drawbacks: passwords can be guessed, forgotten, written down and stolen, eavesdropped
or deliberately being told to other people. A better, more secure way of authentication is the so
called "two-factor" or "strong authentication" based on one time passwords, instead of
authenticating with a simple password. Strong authentication solutions using two identification
factors require often an additional device, which could be inconvenient for the user and costly for
the service providers. To avoid the usage of additional device, the mobile phone is used to
receive the onetime password.
By definition, authentication means using one or more mechanisms to prove that the person is
who he claims to be. Once the identity of the human or machine is validated, the access can be
granted. There are three universally recognized factors for authentication exist today are: what
you know (e.g. passwords, PIN’s), what you have (e.g. smart cards or tokens), and what you are
(e.g. figure prints, face recognition, biometrics, etc.). ―Two factor authentications is a
mechanism which implements two of the above mentioned factors and is therefore considered
stronger and more secure than the traditionally implemented one factor authentication system‖.
One of the examples of two factor authentication includes withdrawing money from an ATM
machine. When someone wants to draw money from the ATM, first he\she has to input his\her
ATM card i.e. what you have and again he\she has to enter the pin number i.e. what you know in
order to access his\her account.
Recent work has been done in trying alternative factors such as a fourth factor, e.g. somebody
you know, which is based on the notion of vouching. In [Roberto, Gianluigi & Maurizio, 2005]
an authentication mechanism is presented which requires both a Web and a GPRS connection.
The end user enters userid/password details using a web-based interface and gets an OTP via
short message service on his mobile phone, which he must then type in to be granted access to
the system. The General Packet Radio Service (GPRS) connection is not convenient for the user
since it can be very costly and network quality of service (including availability of network
coverage) is not always satisfactory. In addition, security of the scheme relies on information
(image) related to the user, but the underlying rationale needs to be expanded with further
arguments. The work of [Claessens, Preneel and Vandewalle, 2001] and [Khu-Smith and

12
Mitchell, 2002] are contributions are related to mobile payments and give some of the same
approaches to mobile user authentication. In [Claessens, Preneel and Vandewalle, 2001],
messages are routed to the mobile device via a GSM-SMS service and depend on the phone
number as a means of authentication. In [Claessens, Preneel and Vandewalle, 2001] the authors
develop a stronger authentication mechanism based on information stored in a Subscriber
Identity Module (SIM) card and the Authentication Centre of the subscriber's carrier. One
drawback of this approach is the necessity for the financial service provider to enter into a prior
agreement with the network carrier.
1.2 Statement of the Problem

Lots of world-famous companies have been attacked, including Sony, Adobe, Evernote, and
LinkedIn. The biggest data breach in history was revealed in December 2016 when Yahoo said 1
billion accounts were compromised in 2013 [2]. These cyber-attacks have enormous
consequences in terms of cost for the involved businesses. A research that Juniper published in
2015 predicts that cybercrime will cost businesses over US$2 trillion by 2019 [3]. Attacks on
large banks, retailers, and government agencies become worldwide news – but all business are
actually at risk. According to Symantec, 52.4% of phishing attacks carried out in December 2015
were against Entrepreneurship and Small and medium-sized enterprises (SMEs) [4]. The earlier
impact of these attacks has clearly shown that the consequences for SMEs who ignore security
risks can be disastrous.
In addition to the loss of revenue, cyber-attacks may also cause damages to business reputation,
breach of confidential information, and loss of customers. By increasing network security the
risk of privacy spoofing and identity or information theft are decreased. Improving network
security could be done in several ways. Creating a network security policy is certainly a good
first. A clear and comprehensive network security policy outlines a user policy and is meant to
govern data access, web-browsing habits, and use of passwords and encryptions. Keeping the
network up-to-date by updating the operating system, antivirus software, firmware, and device
drivers will strengthen the system against cybercriminals who launch their attacks by taking
advantage of known security flaws in old versions of the software. Additional actions include
installing a firewall, blocking users from installing software, and to adopting a strong password
policy. All of these actions can improve network security.

13
A report from Keeper [7] shows that over 50% of the 10 million passwords that were analyzed in
2016 are in the top 25 of the most common passwords and that nearly 17% of users are
safeguarding their accounts with “123456”.
One of the major areas of security improvement is the way in which authentication of users is
carried out. Even though many organizations still rely on static ID and password authentication
system, this method is getting old and there is a requirement for a better way of authentication
which is required. One of the solutions for this issue is the two factor authentication technique as
a fundamental security function.

1.3 Objectives of the Study

The main objective of this project is to come out with a secured yet effortless two-factor
authentication login system using Google Authenticator Application.

This project aims to improve the ease of use of two-factor verification to increase users
experience while implementing an extra layer of security. For extra security purposes, each code
can only be used once and also expires every 30 second.

1.4 Significance of the Study

This study will be of immense benefit to other researchers who intend to know more on this
study and can also be used by non-researchers to build more on their research work. This study
contributes to knowledge and could serve as a guide for other study.

1.5 Scope/Limitations of the Study

This study is on immorality in churches will cover all forms of immoral activities that exist in
churches today with a view of finding a lasting solution to the problem.

Limitations of study

1. Financial constraint: Insufficient fund tends to impede the efficiency of the researcher
in sourcing for the relevant materials, literature or information and in the process of data
collection (internet, questionnaire and interview).

14
2. Time constraint: The researcher will simultaneously engage in this study with other
academic work. This consequently will cut down on the time devoted for the research
work.

1.6 Definition of Terms

Two Factor Authentication: Two Factor Authentication, or 2FA, is an extra layer of protection
used to ensure the security of online accounts beyond just a username and password.
One Time Password:A one-time password (OTP), also known as one-time pin, is
a password that is valid for only one login session or transaction, on a computer system or other
digital device.

15
 CHAPTER TWO

LITERATURE REVIEW

2.1 INTRODUCTION

This chapter gives an insight into various studies conducted by outstanding researchers, as well
as explained terminologies with regards to Design and Implementation of a Two Factor
Authentication Login System Using Google Authenticator Application. The chapter also gives a
resume of the history and present status of the problem delineated by a concise review of
previous studies into closely related problems.

2.2 Conceptual Framework

Authentication to access a login account, accessing social engineering accounts, reading online
newspapers, online ticketing is carried out by Alpha- Numeric Password or Graphical password.
Alternative authentication came in the form of Biometric Authentication using finger print, iris
recognition and heat beat. Human tendency in creating easily rememberable password leans to
password pitfalls.
Passwords are known to be one of the easiest targets of hackers. Therefore, most organizations
are looking for more secure methods to protect their customers and employees. Biometrics are
known to be very secure and are used in special organizations, but they are not used much in
secure online transactions or ATM machines given the expensive hardware that is needed to
identify the subject and the maintenance costs, etc. Instead, banks and companies are using
tokens as a mean of two factor authentication.
A security token is a physical device that an authorized user of computer services is given to aid
in authentication. It is also referred to as an authentication token or a cryptographic token.
Tokens come in two formats: hardware and software. Hardware tokens are small devices which
are small and can be conveniently carried. Some of these tokens store cryptographic keys or
biometric data, while others display a PIN that changes with time. At any particular time when a
user wishes to log-in, i.e. authenticate, he uses the PIN displayed on the token in addition to his
normal account password. Software tokens are programs that run on computers and provide a

16
PIN that changes with time. Such programs implement a One Time Password (OTP) algorithm.
OTP algorithms are critical to the security of systems employing them since unauthorized users
should not be able to guess the next password in the sequence. The sequence should be random
to the maximum possible extent, unpredictable, and irreversible. Factors that can be used in OTP
generation include names, time, seed, etc. Several commercial two factor authentication systems
exist today such as BestBuy’s BesToken
[http://bizsecurity.about.com/od/mobilesecurity/a/twofactor], RSA’s SecurID
[http://www.softabar.com/home/content/view/46/68/], and Secure Computing’s Safeword
[http://smslib.org/].
BesToken applies two-factor authentication through a smart card chip integrated USB token. It
has a great deal of functionality by being able to both generate and store users’ information such
as passwords, certificates and keys. One application is to use it to log into laptops. In this case,
the user has to enter a password while the USB token is plugged to the laptop at the time of the
login. A hacker must compromise both the USB and the user account password to log into the
laptop.
SecurID from RSA uses a token (which could be hardware or software) whose internal clock is
synchronized with the main server. Each token has a unique seed which is used to generate a
pseudo-random number. This seed is loaded into the server upon purchase of the token and used
to identify the user. An OTP is generated using the token every 60 seconds. The same process
occurs at the server side. A user uses the OTP along with a PIN which only he knows to
authenticate and is validated at the server side. If the OTP and PIN match, the user is
authenticated. In services such as e-commerce, a great deal of time and money is put into
countering possible threats and it has been pointed out that both the client and the server as well
as the channel of communication between them is imperative.
In 2005 the National Bank of Abu Dhabi (NBAD) became the first bank in the Middle East to
implement two factor authentication using tokens. It employed the RSA SecurID solution and
issued its 19000 customers small hardware tokens. The National Bank of Dubai (NBD) made it
compulsory for commercial customers to obtain tokens; as for personal customers the bank
offered them the option to obtain the tokens. In 2005, Bank of America also began providing two
factor authentication for its 14 million customers by offering hardware tokens. Many

17
international banks also opted to provide their users with tokens for additional security, such as
Bank of Queensland, the Commonwealth Bank of Australia and the Bank of Ireland.
Authentication is the process of verifying the correctness of a claimed identity. It is a way of
ensuring that users are who they claim to be when they access systems. Authentication relies on
at least one of three types of information: something you know (e.g., Password or Pin),
something you have (e.g., Smartcards or Token), or something you are (e.g., a Finger prints or
Iris scan, Biometrics) [http://en.wikipedia.org/wiki/Authentication].
The traditional system only uses one level of authentication — the humble password. Two-factor
authentication requires that two pieces of data be presented, each being from a different category.
This dramatically reduces the risk of a system being compromised because the chance of both
authentication factors being broken or lost at the same time is minimal.
In this system, we are going to implement two factor authentication. Two-factor authentication
(TFA or 2FA) means using two independent means of evidence to assert an entity's identity to
another entity. Two factor authentications are referred to as possession factor and knowledge
factor. Authentication Mechanism may require users to provide a password (knowledge factor)
and a pseudorandom number, an OTP (possession factor). Two-factor authentication seeks to
decrease the probability that the requestor is presenting false evidence of its identity. It is
generally accepted that any independent two of these authentication methods (e.g. password +
OTP token value) is two-factor authentication. Two-factor authentication (T-FA) or (2FA) is a
system wherein two different factors are used in conjunction to authentication. Using two factors
as opposed to one factor generally delivers a higher level of authentication assurance. Two-factor
authentication typically is a signing-on or approving transaction process where a person proves
his or her identity with two methods.

2.3 Definition of two-factor authentication

Two-factor authentication employs a second method to authenticate the user, usually in addition
to the username/password pair. The second factor must be something variable or something that
has to be physically obtained. By using a second factor in authentication the user’s identity is
still safe even if an impostor finds out their password. This still doesn’t mean that the user can be
careless about their password. If it is revealed to others, the two-factor authentication becomes
just one-factor authentication and no additional security is present.

18
2.3.1 Two-Factor Using SMS: Using SMS as a second factor authentication is actually both
out-of-band and two-factor since the second piece of information is relayed via a different route
than the password is sent. This method also allows only the person who has access to the device
receiving the messages to log in, so partially fits into the something possessed category.
However, sometimes SMS is sent also to other devices; for example, if the user is using Apple
iPhone and has message delivery set up the SMS might also be transmitted to another device
linked to the user’s Apple account that may be in the possession of an impostor. There is also
another attack vector via the security of the servers handling the SMS transmitting to these other
devices.
Sending messages via the mobile network also imposes some costs, at least to the sender, and
mobile networks are not always available. Even in larger cities there may be areas where mobile
coverage for some operator is poor, or the user might be in a basement as many laboratories are.
The National Institute of Standards and Technology has recently deemed two-factor
authentication based on phone or SMS as deprecated and will not consider using them as secure
or advisable in the future. [National Institute of Standards and Technology, 2016]
2.3.2 Two-Factor Using Pre-Generated Passwords: Many banks use a pre-generated set of
passwords as the second factor authentication online. The passwords are printed out and they
may be used sequentially or randomly. They may also be one-time or multiple-use passwords.
Usually the password sheets will expire after a given time regardless of their use.
One method of generating these passwords is using a counter-based one-time password
algorithm. This way the server does not need the whole password sheet and only needs to keep
track of the secret key and the current counter value.
The major problem with these password sheets is obvious: if an attacker can have access to the
sheet even once, they can copy the contents and log in any time after that using the constant pre-
generated passwords. If the passwords are used sequentially, the user may keep track of which
password is next and notice if there is a discrepancy. If they are used randomly, and especially
multiple times, the user has no way of knowing if someone else has used their account with these
passwords.
In addition to this problem the password sheets must be given to the user securely. This may
cause extra costs and trouble compared to some more secure methods.

19
Regardless of these issues this method is used for example by major Nordic banks. In their case
the login has actually three parts of secret information: login ID, password and the password
sheet. Nobody else should know any of these, since banking is completely private service as
opposed to collaborative services where the user’s login name may be visible to others.
2.3.3 Two-Factor Using One-Time Password: One-time passwords are usually retrieved from
devices without any connection to any network so they will work everywhere. There are
specialized devices that only give out passwords and there are also applications for multifunction
devices. The former may be more secure since to get any data out of it the attacker has to
disassemble the device. Using mobile application, it is theoretically possible to get data out of
the device via other installed applications or security holes in the operating system. Therefore,
the OTP application has to take these into consideration.
Special devices have to be present when the user logs in so they add to the items the person has
to take care of. Users usually have mobile phones with them anyway so using an application
doesn’t require carrying anything extra. Also, the application can be easily updated and changed,
unlike a hardware solution and is a lot cheaper to produce and distribute.
One-time passwords are generated with a function that takes a secret key and some variable that
causes the result to be different each time. The secret must be known to both sides of the
authentication and is the weak point. It must never be disclosed to anyone and preferably even
the user shouldn’t know it.
The algorithm used to generate the passwords may or may not be public. Usually the algorithms
are public since it helps determine their strength and possible weak points. An authentication
method should be strong based on its algorithm and secret keys, not based on obscurity, i.e.
nobody knowing how it is generated. The same applies for physical locks: they are patented and
usually anyone can get a hold of the patent to read how it works. The difficulty is in creating
keys that would fit that specific lock you want to open.
There are two main types of one-time passwords in use currently: counter and time based
[https://tools.ietf.org/html/rfc4226, https://tools.ietf.org/html/rfc6238]. Counter based method
uses an incrementing counter as the input and time based uses the current time. Counter based
methods may get out of sync if the user requests passwords but doesn’t input them. This causes
the requirement of resynchronization between the server and the generator. Time-based generator

20
has no such problems, but it requires both sides to have synchronized clocks. This is usually no
problem since mobile phones synchronize their clocks automatically, as do servers.
There are several systems for dealing with two way mobile authentication. They may differ
in delivering the password to the authorized user or a different entity based on the security
constraints. Some of them are as follows:
1. Tokens: A token is a device used to authorize the user with the services. A token may be
software or hardware. Software tokens are used to identify the person electronically, i.e. it may
be used as a password to access something. Hardware tokens are small hand held devices which
carry the information which stores cryptographic keys, digital signatures or even bio-metric data
by which we can send generated key number to a client system. Mostly all the hardware tokens
have a display capability. The hardware tokens include a USB, digital pass etc.
Drawbacks:
A token shall be carried all the time.
Special software is required to read the token.
Anyone can access the information that has the token i.e. in case of theft.
2. Biometrics: A biometric authentication is the advanced form of authentication. A biometric
authentication is nothing but it scans the user’s characteristics such as finger print and eye retina
and stores in the form of a string. When the user tries to authenticate it matches with the stored
data and then gives access when a commonality is achieved and when the user has gained access,
he can enter the password to view the required information.
Drawbacks
Biometric authentication is convenient only for limited applications, since the system becomes
very slow for a large number of users.
Finger prints can be taken on a small tape and can be provided for the hardware.
Additional hardware is required to detect the fingerprints and eye retinas.
3. Mobile ID
Mobile Id offers a strong two way authentication by authenticating the user to the service and
service to the user. The mobile id works is such a way that the user is required to send the code
generated by the application after which the Mobile id generates a code to identify the user with
the service [http://www.deepnetsecurity.com/products2/mobileid.asp].

21
Drawbacks
Mobile phones with 2.5 G and third generation only are supported.
Software is to be installed into the mobile device.
2.4 OTP implementation versus other existing methods

One of the method used in generation of OTP (One Time Passwords) is by using a mathematical
algorithm to generate a new password based on the previously generated password (i.e., OTP
(One Time Passwords) are, effectively a chain and must be used in a predefined order). This is
not secure because once if hacker finds what sequence of passwords is using by the user, he can
easily trace out the future OTP (One Time Passwords).
The cheapest way would be generating a One-time password and then delivering it on a piece of
paper which is already known by someone who generates the OTPs on a device. The reason for
this is these systems avoids the costs of SMS messaging .Even though delivering the OTPS by
this way is cheap, it is not feasible because of the time to deliver the password to the user is too
long. Dynamic password (namely, One-Time-Password) technology is a sequence password
system and is the only password system proved non-decrypted in theory. Its basic idea is to add
uncertain factor in authentication so that users need to provide different messages for
authentication each time. By this way, the applications themselves can obtain higher security
guarantee than those use static password technology.
The other systems rely on electronic tokens which are algorithm-based. The OTP generators
must handle the situation when a token is not properly synchronized with the server when the
system requires the OTP to be entered on a default timeout which leads to additional
development costs. Time-synchronized systems, avoid this at the cost of having to maintain a
clock in the electronic tokens. Whether or not OTPs are time-synchronized is basically irrelevant
for the degree of vulnerability, but avoids the need of re-entering the passwords if the server is
expecting the last or next code that the token should have, because the server and token have
drifted out-of-sync.
Compared to hardware tokens, as far as one has a phone or a mobile device, we can eliminate the
need of carrying an extra item which would be of no use other than generating the one time
passwords. In terms of costs also using a phone as a token provides with the best convenience
that it is not necessary to deliver devices to each end-user. For most users, a mobile phone can be

22
trickle-charged to save the charging for at least some time in a day, but most proprietary tokens
cannot be trickle-charged. However, most proprietary tokens have tamper-proof features.
2.4.1 OTPs versus other methods of securing data

One-time passwords increases the vulnerability to social engineering .The attacks in which the
phishers attempts to find the already used OTPs that they used in the past. In the year 2005 and
2006 these kind of attacks was used in Sweden and US. Also the time-synchronized one time
passwords are vulnerable to phishing in two methods: The password can be used by the attacker
as the original user must use the OTP, if the attacker gets the one time password in plaintext. The
other kind of attack -- which may be compromised if the OTP system implements using the hash
chain as above -- is that after the phisher uses the social engineering, the phisher should then use
the past OTP codes to predict the OTP codes which may be used in the future.
Even though OTPs are most secured than the passwords we usually remember, The users of OTP
systems are still vulnerable to MIM attacks, the OTPs shouldn’t be shared with the others and the
use of an OTP in layered security is more safer instead of using the OTP alone; we can achieve
[http://ezinearticles.com/?Online-Banking-Security] layered security by using an OTP in
combination with a password that is memorable to the user.
The benefits of using layered security is that a single sign-on in combination with one master
password is safer than using only one layer of security during the sign-on, and thus the
inconvenience of password fatigue can be avoided if we have long sessions with many
passwords that needs to be entered during the mid-session. however, the drawbacks of using
different kinds of security during a single sign-on is that one have the problems with security
precautions every time they log in even if one is logging into the computer to access data which
doesn't need as much security as some other sensible transactions that computer is used for. The
following table shows how 2WMAS performs better than the other existing systems in terms of
cost, complexity and protection.

23
Method Password OTP + Password Digital Certificates/PKI

Advantages Widely used and Two-factor authentication Bi-directional

supported by the compatible with password authentication
largest number of based infrastructure: zero Can provide two-factor.
applications client footprint option Non-repudiation
Technology easily
understood by
users

Disadvantages Relies on Requires possession of Certificate

human OTP generation management cost
protection and software/hardware or can be prohibitive for
management of the access to a secondary large user base.
secret. channel for OTP Heavy footprint to
transmission manage on client.
Not compatible with small
devices.
Requires distribution of
certificate/smart card to
client.

Key Brute force Man-in-the-middle/client User override of warnings

Vulnerabilities Man-in the insertion Client insertion (reduced)
middle/client Phishing (reduced to one
insertion time action)
Phishing
Over the shoulder
Keystroke loggers

Applicability Lower risk B2C Commerce Highly secure

environments Enterprise Security (VPN) environments

24
 Legacy Environments not suited for Monetary or
environments PKI (e.g. password based legal
No network usage application infrastructure) transactions where
or protected nonrepudiation is a
network usage required feature
Environments where
mutual authentication is
required.

Two Way Mobile Authentication System (2WMAS) is an innovative authentication system that
provides access to Web-based resources by using a two way user authentication through the
existing personal mobile phones. It is used to solve the security flaws of the web based Internet
and Intranet, by involving the users to authenticate themselves using their personal mobile
phones. The registration of the users has to be done in a secured manner before he can actually
use the system.
It is designed to provide security to Web-based Internet and Intranet applications, and requires
users to authenticate themselves with two unique criterion - a username and password, and a
code which they get only during authentication [Harris, 2002] (a one-time password OTP sent to
their mobile phone) before they are permitted to access a secured web resource. With 2WMAS,
we can positively identify users and deliver services easily and in a most secured way to users,
without having the need of an additional security system. End users can have the advantages of a
very simple process that omits the need to remember multiple passwords.
As the Web-based Internet becomes the most important tool for financial transactions, the level
of security becomes a major concern in an organization's transaction system. Transactions in
these days are secured using passwords. Institutions spend huge amounts of money on secure
SSL solutions to make sure the passwords are not tracked. But, in majority of cases security
violations occurs above the reach of PKI and SSL solutions.

2.5 Features of two-way mobile authentication systems

Double-criterion to check the identity of the User: It provides a cost-effective solution to

provide the web resources with a double criterion authentication system. [Roberto, Gianluigi, &
25
Maurizio, 2005] Through a browser, a user requests permission to access a Web resource which
needs an additional authentication code required for the Web Application. It then generates a
one-time access code and sends it to the mobile phone registered to the user by an SMS text
message. The user has to enter the access code into the Web-browser to finish the authentication.
After the user enters the authentication information, the system determines if the information
submitted is valid or not. If valid it goes ahead with the Web Application thereby allowing the
user to perform the necessary transactions, otherwise not .By separating Web Application with
Authentication server, we can also divide the responsibilities to decrease the internal fraud.
Protecting the existing authentication system: The 2WMAS could not [Harris, 2002] replace
the existing authentication system, but instead serves as an added layer of security that protects
and enriches the existing authentication system, either software or hardware.
Protecting against Internal fraud: The system’s core authentication and messaging engine is
such that it provides with a good level of security to safeguard from reverse engineering and
program transformation of the software. A security platform is never secured if someone has the
access to the parts of the application and its security algorithm, modify the content of code to
reveal security flaws or even create a backdoor entry.

2.6 Empirical Review

In 2016, Shauna Beaudin at the Nova Southeastern University conducted an empirical study of
different authentication methods to secure e-learning systems against impersonation fraud. The
researcher refers to a previous work by Apampa, Wills, and Argles [Apampa, Wills, and David,
2010] to identify authentication control methods based upon their strength for e-learning
activities that have a high potential for impersonation. The researcher performed quantitative
research and the results of this research showed that e-learners perceive that the levels of
authentication must vary in strength based upon the activity being considered. According to this
researcher, summative e-assessments need a stronger authentication method than SFA, which
should at least include authentication based on biometrics or a live proctor.
A comparative usability study of 2FA by De Cristofaro et al. [De Cristofaro, Honglu, Freudiger,
and Norcie, 2014] was done to measure the usability of three popular 2FA solutions, namely
codes generated by tokens, one-time PINs received via email or SMS, and dedicated smartphone
apps. They performed a quantitative study on 219 users that showed that 2FA technologies are

26
perceived as highly usable and that a user’s perception of 2FA is correlated with individual
characteristics of gender, age, and background. The study provides a starting point for follow-up
qualitative studies and is applicable to this thesis as UX is one of the aspects analyzed in this
thesis to select the best 2FA option.
Altinkemer and Wang are the authors of the first paper that attempts to understand the decision
of authentication systems from an economic point of view. The authors state that every
authentication system can be seen as non-repairable or biometric. Non-repairable means that as
time passes, there is a greater chance of the system failing. For instance, a password is non-
repairable because it could be lost or stolen. Their study shows the expected costs and losses of
different authentication methods and that managers who wish to implement 2FA need to take
into account the implementation costs, the market share the company has, and the composition of
customers.
A study carried out by ENCAP security in 2012 compares the costs of authentication methods
for enterprise for secure employees’ access to the enterprise applications. The company analyzed
the average cost of the six most prevalent 2FA approaches for an enterprise with 3,000 users
over a three years period. The study reveals that a smart device-based software solution is 95
percent cheaper than a hardware OTP solution. According to Thomas Bostrøm Jørgensenhen,
CEO of ENCAP, the time for hardware-based authentication has passed.

27
 CHAPTER THREE

METHODOLOGY AND SYSTEM ANALYSIS

3.0 INTRODUCTION

In the dynamic world, the subject system analysis and design mainly deals with software
development activities. In this chapter, the necessary steps in developing the 2FA Login System
Using Google Authenticator Application will be discussed.

3.1 METHODOLOGY

This is defined as a framework that is used to structure, plan, and control the process of
developing an information system (Wikipedia, 2008). It is used to refer to a specific 26 series of
steps or procedures which govern the analysis and design of a particular project. Methodology
includes the methods, techniques and procedures which are used to collect and analyze
information. Various methodologies include:

3.1.1 STRUCTURED SYSTEMS ANALYSIS AND DESIGN

METHODOLOGY (SSADM)
The methodology adopted in this study is the Structured Systems Analysis and Design
Methodology (SSADM). It is a systems approach to the analysis and design of information
systems. SSADM is a waterfall method by which an information systems design can be arrived
at. SSADM starts with a definition of problem, followed by feasibility studies. An analysis of the
present system is performed before the design of the new system. The analysis consists of
investigation of the present system, definition of the new system and establishment of constraints
(Osuagwu, 2008). The implementation and maintenance of the new system completes the
methodology. It divides an application development project into modules, stages, steps and tasks
and provides a framework for describing projects in a fashion suited to managing the project. Its
objectives are to:
I. Improve project management and control.
ii. Make more effective use of experienced and inexperienced development staff

28
iii. Develop better quality systems.
The process methodology of SSADM includes the following:
• Problem identification
• Feasibility studies
• System analysis
• Design phase
• Implementation phase

3.1.2 PROBLEM IDENTIFICATION

This is the first stage of this methodology process. Here, the definition of the existing system
must be prompted by the need to solve and observe problems which have been identified. Using
this methodology, the study revealed the following inadequacies:
TIME-CONSUMING: Firstly, it would be time consuming as the clients would have to be
physically present at the agency, and if one agency does not prove to be satisfactory, they will
have to get up and go search for another agency, which hopefully could satisfy’ their needs. The
process would go on and on, until the client finally found a satisfactory agent.
EXCESSIVE SPENDINGS: Then, in order to hunt for the agencies, much money will have to be
spent for the purpose of transportation. Such a hassle will not have to be undergone if the client
does it through the net.

3.1.3 FEASIBILITY STUDIES

A feasibility study is an evaluation of a proposal designed to determine the difficulty of carrying

out a designated task. Generally, a feasibility study precedes technical development and project
implementation. In other words, a feasibility study is an evaluation or analysis of the potential
impact of a proposed project. (Bentley I. et al, 28 2007). All projects are feasible given unlimited
resources and infinite time. Unfortunately, the development of computer-based systems in many
cases is more likely to be plagued by scarcity of resources and delivery dates.
I. Technical feasibility Technical feasibility centers on the existing computer system
(Hardware and Software etc.) and to what extent it supports the proposed addition. For example,
if the current computer is operating at 80 percent capacity, then running another application

29
could overload the system or require additional Hardware. This involves financial considerations
to accommodate technical enhancements. If the budgets are a serious constraint, then the project
is judged not feasible. In this project, all the necessary cautions have been taken care to make it
technically feasible. Using a key, the display of text/object is very fast. Also, the tools, operating
system and programming language used in this localization process are compatible with the
existing one.
ii. Economic feasibility: For any system if the expected benefits equal or exceed the
expected costs, the system can be judged to be economically feasible. In economic feasibility,
cost benefit analysis is done in which expected costs and benefits are evaluated.
Economic analysis is used for evaluating the effectiveness of the proposed system: Economic
analysis is the most frequently used method for evaluating the effectiveness of the candidate
system. More commonly known as cost/benefit analysis, the procedure is to be determining the
benefits and
1. Savings that are expected from a candidate and compare them with costs. If benefits outweigh
costs, then the decision is made to design and implement the system.
iii. Legal feasibility: It includes study concerning contracts, liability, violations, and legal
other traps frequently unknown to the technical staff.
iv. Operational feasibility: The question of who will operate the system arises here. And is
the available manpower equipped with the necessary skill to use the system. Operational
feasibility is mainly concerned with issues like whether the system will be used if it is developed
and implemented. Whether there will be resistance from users that will affect the possible
application benefits? The essential questions that help in testing the operational feasibility of a
system are as follows.
1. Does management support the project?
2. Are the users not happy with current business practices? Will it reduce the time
(operation) considerably? If yes, then they will welcome the change and the new system.
3. Have the users been involved in the planning and development of the project? Early
involvement reduces the probability of resistance towards the new system.
4. Will the proposed system really benefit the organization? Does the overall response
increase? Will accessibility of information be lost? Will the system affect the customers in a
considerable way? (freetutes.com, 2011).

30
3.1.4 SYSTEM ANALYSIS

A system is a set of interacting or interdependent entities forming an integrated whole (Michael

Pidwimy, 2007). Systems are created to solve problems. One can think of the system ap3roach as
an organized way of dealing with a problem. A system is seen as a combination of interrelated
elements that work together to execute a specific task. Systems do not exist in isolation.
Analysis is the crucial observation of an object of consideration under areas such as objectives,
behavior and response to different situations. System analysis is a methodology that involves the
application of systematic approaches to collect facts about an existing system with the aim of
improving it with a more efficient system within the context of available resources.

3.1.5 DESIGN PHASE

This is the most important stage in the work. There are several tools and techniques used for
designing. Some of the critical steps used in the design phase are as follows:
1. Stating the objective of the design.
2. Drawing/developing the control center.
3. The database specification such as the type of database used which includes the database
used (MySQL) and the data table used to comprise of data type and data size.

3.1.6 IMPLEMENTATION

This is the stage where the new system is put into use where theory is turned into practice. This
stage involves the following:
i. Preparation of the physical site (for the server hardware)
ii. Preparation of the documentation and operating procedures
iii. Preparation of a test plan
iv. Running the new and old systems on a parallel basis.
v. The training of appropriate personnel
vi. The preparation of backup procedures

31
3.2 ANALYSIS

Analysis of the flail description of the manual or existing system with objectives of the proposed
system usually led to a full specification of the usual requirement. Requirement determination is
the first step in developing a reliable system if carried out perfectly. This also involves the
analysis of all the steps in an operation in order to decide how or find out how it works. To be
able to make a good design, the present system must be evaluated to find out what weaknesses
are to be amended to produce a viable and reliable new system. The analysis of the system
includes the following:

 System investigation
 Analysis of the present system
 Weaknesses of the present system
 Expectations of the new system.

3.2.1 SYSTEM INVESTIGATION

A system is a combination of interrelated elements. It is a set of elements which operate together

to accomplish an objective (Osuagwu, 2008). The system investigation is concerned with the
study and understanding of the underlying principles of the existing system and noting the basic
information requirements of the present system.
This involves the analysis of all the steps in an operation in order to decide how to find out how
it works. To be able to make a good design, the present system must be evaluated to find out
what weaknesses are to be amended to produce a viable and reliable new system. To discover all
the weaknesses, some questions would have to be asked: Are there bottlenecks that could be
removed or improved upon, what does the data flow look like? Is the organization’s database
efficient, without redundancy? System investigation is the detailed examination of the present
system. The comprehensive study carried out on the existing system is to enable one to arrive at
relevant facts that would be helpful in the design of the new system. The techniques employed
include:
1. Interview method
2. Observation method

32
1. Interview Method: This aims at obtaining facts and opinions from those who are concerned
with the operation of the system. It involves verbally questioning several people from various
levels of organization and taking note of their responses. During interviews, questions regarding
the services rendered, effectiveness of the service agencies etc. General questions about the
system’s inputs, output procedures, data control and storage were also asked.
2. Observation Method: This involves a process in which the system investigator sees firsthand,
how people in the system handle certain documents and how various practices and procedures
are followed under different conditions.

3.2.2 ANALYSIS OF THE PRESENT SYSTEM

System analysis can be defined as the process of analyzing a system with the potential goal of
improving it. It is the study of sets of interacting entities of a system. It is an explicit formal
inquiry carried out to help the decision maker identify better course of action than he might
otherwise have made (Tom Richey, 2006)

3.3 PROGRAMMING PROCESS

Below are the steps to be followed to demonstrate two way mobile authentication systems:
1. Create a project flow design.
2. Design good looking and attracting web pages and site flow with Hypertext markup
language (HTML) and Cascading Style sheets (CSS).
3. Decide the database structure to store the registered user’s contact, log-in and account
details.
4. Develop the code needful to navigate the application dynamically.
5. Integrate the Google Authenticator API to our system to generate OTP.
6. Test the application to locate and remove any bugs.
7. Compile the tested application and deploy the files in the server.

33
3.3.1 Programming Maintenance

This updating may be a result of the users request or a change in the way the program needs to
operate. Program Maintenance is a term used for the updating of a program after the program is
put into use.

34
 CHAPTER FOUR

SYSTEM DESIGN & IMPLEMENTATION

4.0 INTRODUCTION

A system is a regularly interacting or independent group of components forming a unified whole

for achieving a specified task. The development of 2FA System is a tedious task and hence
proper care should be taken in the process of developing this logistics system.
This is the most important stage in the work. There are several tools and techniques used for
designing. Some of the critical steps used in the design phase are as follows:
I. Stating the objective of the design.
ii. Drawing/developing the control center.
iii. The database specification such as the type of database used (MySQL) and the data table used
to comprise of data type and data size.

4.1 SYSTEM DESIGN

In this section, an overview of the system design will be described. The topics covered are
system flow diagram, activity flow event and UML diagrams such as activity diagram, class
diagram as well as use-case diagram.

35
4.1.1 System Flow Diagram

Figure 1Diagram 3.2.1: System Flow Diagram

3.1.2 UML Diagram

The Unified Modeling Language allows the software engineer to express an analysis model
using the modeling notation that is governed by a set of syntactic semantic and pragmatic rules.
Use case Diagrams depict the control flow of a functional system from a user’s point of view.
Use cases are used during requirements gathering and analysis to represent the functionality of
the system. Use cases focus on the behavior of the system from external point of view.

36
Actors are the users that interact with the system. Examples of actors include users like
administrator, bank customer …etc., or another system like central database.

4.1.3 UML Use-Case Diagram

Figure 2 UML Use-Case Diagram

37
4.1.4 UML Activity Flow Diagram

Figure 3 Activity Flow Diagram

4.2 DATABASE SPECIFICATION

Database is known as the collection of records i.e., the storage and management of data to avoid
duplication and inconsistencies in the data held. Therefore, during the development, a database
was required for the storage of data. Certain requirements were considered before selecting the
database system to be used for this development. These are the need for Data Security, Data
Integrity, Data Consistency, Data Sharing, and Reduction in Data Redundancy. There are a great
number of credible relational database management systems that possess these requirements such
as Oracle, Sybase, MySQL, Microsoft SQL Server, etc. The database used in the development of
this control system is MySQL Database Management System because of its ability to support
web component functions of the system, it is an open-source software, and it possesses all the
requirements needed.

38
4.2 INPUT/OUTPUT DESIGN

Data and storage are the heart of information. The computer cannot accept data in human
readable form, such as speech or handwritten document. It is necessary therefore to present data
to the computer in a way which provides easy convention into its own electronic pulse—base
forms. This is achieved by supplying. Data using input devices such as keyboard, which converts
it into machine sensible and produce output through monitor and printer.

4.2.1 LOGIN PAGE

This page checks whether the username submitted already exists in the database, if exists then, it
will again redirect to register page.

4.2.2 REGISTER LOGIN PAGE

This is the registration page of a new user to the system, where the user enters his login and
contact details. This program performs basic client side (JavaScript) validations of the details
entered. On submitting this page will redirect to LOGINFORM

39
4.2.3 AUTHENTICATE PASSWORD PAGE

This page asks the user to enter the Codes generated by his mobile Google Authenticator
Application.

40
4.3 TESTING

Testing Objectives
In light of the diversity of existing software testing, it is advantageous to consider the types of
tests as they become available to a designer. This will also help identify the scope of a particular
test and clarify its main advantages and disadvantages as well as make the developer aware
about the limitations of this test.
4.3.1 Functional Tests: Are used to exercise the code with nominal inputs (input values) for
which the expected values are available. We also know the boundary conditions for these inputs.
For instance, functional testing of matrix multiplication can involve some data (matrices) for
which the results are known in advance.
4.3.2 Performance Tests: Are utilized in order to determine the widely defined performance of
the software system such as an execution time associated with various parts of the code,
response time(in case of embedded systems),and device utilization. The intent of this type of
testing is to identify weak points of a software system and quantifying its shortcomings, leading
to further improvements.

41
4.3.3 Black Box-White (Glass) Box Testing: As the name suggests, the criterion leading to this
type of discrimination specifies whether the internal (logical) structure of the system is available
for testing purposes. If so, we are concerned with white box testing. If the internal structure is
not available or exercised when developing the test suite, we confine ourselves to black box
testing. Depending which way was selected, the points of view on testing are also radically
different. In black box testing we are interested to test what the system is supposed to do. The
testing is worked out from input data perspective; subsequently we see if the outputs (actions) of
the software match the expected values. Functional, stress, and performance tests fall under this
general category. In white box testing, testing concentrates on what the system does. Essentially,
using detailed knowledge of code, one creates a battery of tests in such a way that they exercise
all components of the code (say, statements, branches, paths). Structural testing sub schemes
white box testing.

4.3.4 Test Activities

In software testing we encounter a number of key activities:

Test plans, Test design, Test Cases, Test procedure, Test execution, Test report
A test plan indicates the scope, approach, resources and the schedule of testing activity. At this
stage, one indicates what is to be or not to be tested and which tasks to perform. In addition, it is
necessary to identify the sources and levels of risk in testing. Software testers are also identified.
Test planning may begin as soon as the requirements are completed.
It is difficult to determine when to stop testing or when a reasonable number of faults have been
detected. For these reasons, criteria should be provided as a guideline for test completion. A test
design refines the approach in a test plan. Test design also identifies specific features to be tested
by the design, and define the associated test cases. It is strongly suggested that tests should be
designed for regression testing (test previously executed can be repeated at a later point in
development and maintenance).the test cases and test procedures are constructed in an
implementation phase. One should strive for the most compact (smallest) collection of test cases
(batteries) that still meet the goal. Good test cases have a high probability of detecting
undiscovered errors. A test procedure identifies all steps required to operate the system and
exercise the specified test cases to implement the already defined test design. Test execution is
performing the test procedures. Test execution starts from the component level and moves up to

42
the integration, system and acceptance level. A test report summarizes all outcomes of testing
and highlights the discrepancies detected. Sting activities are distributed across the entire
software life-cycle as shown in the figure.

4.4 Procedure for evaluating the work

Now-a-days one of the most common problems now-a-days some applications are facing is
authenticating a user to a specific application and some other problems as we mentioned in
motivation. So to overcome those problems one has to use the two-factor authentication. So, this
model basically uses an online password and an additional form of authentication (such as using
one time password) for online security. This approach authenticates users but does not enable
them to confirm that they are communicating with legitimate online site. So we planned to
develop a system which will generate a onetime password that any bank customer can use it as a
second factor authentication, so that user is authenticated strongly and also it will free all
customers from above mentioned all attacks.

43
We have studied about ―how traditional passwords are broken‖ and what should we have to do
in order to avoid the password cracking. We did some research on this and found a way so that is
very hard (almost impossible) to crack the password we generate and deliver it to the user in a
secure way.

To achieve the above said we need a demo bank application. So, we started creating the bank
[8] [7]
application. We used PHP, HTML, CSS and JavaScript for creating the application since
capability of PHP as a web service engine in both qualitative and quantitative aspects while
comparing it with other web service engines implemented in java and C. To store the user data,
we used SQL. The details about how the information is passing from one page to another page
were explained in the implementation section.

Now the website is ready and we need something to take the data from the web server to the
user. There are different ways we can send the generated one time password to the user. We can
print the password on a paper and give it to user or we can email the password and some other
ways to achieve this. The easiest and cheapest way of doing this is sending the password to users
GSM device i.e., usually a mobile phone. The reasons for why we have chosen the mobile phone
were explained in comparison of other technologies section. Now the problem is to deliver the
password from the web server to the user’s mobile device.

Final Results:
[5]
We are using SHA1 algorithm to generate the one time password. SHA1 is basically a secure
hash algorithm that will give a 160bit fixed output for any arbitrary input of data. So basically we
are generating a random number by using the inbuilt random function that PHP has and giving
the output of that random function as input to the SHA1 algorithm and just taking the first 6 bits
as the onetime password.

Now the next question arises is the ―how secure is the password if we use SHA1 algorithm? For
instance, SHA1 creates hash values of 160 bits. There are therefore 2 160 different hash values,
and although some data records may have the same hash value, it is only a remote possibility.

44
So, If we obtain a hash value and somehow manage to try out 2 160 random messages, we are very
likely to get one with the same hash value. However, this process would take far more than 100
million years with the hardware currently in use. Recent statistics says that the 160 bit hash value
can be cracked even in less time. If this is the case, it can be broken if the attacker knows the
160bit hash value. In our case we are not using the whole 160bit value we are just using the first
6 bits so it is impossible to crack the password and find what the input was given. So by this
explanation we can say that our OTP was 100% secure.

Use of the mobile device in this application:

ANS: In day to day life mobile phones have become the most important and cheapest means of
communication. There are many applications using this technology to simplify human life in
terms of cost and time. The growth of the mobile phones in the present generation is astonishing.

The system we designed generates an OTP which is used for the authentication for the user. The
generated OTP can be delivered to the user by phone, e-mail, post etc, but delivering the OTP to
the user or client is the easiest way.

So the 2WMAS uses the mobile phones as a device for authentication system which makes the
human avoiding the need for carrying an external mobile device by using the mobile phone as an
authentication device for secure transactions or access secured data. It also increases the
assurance that only the bearer of the mobile device has been authorized to access.

Cryptanalysis of OTP:
SHA-1 algorithm abbreviates for secure hash algorithm. It takes any arbitrary input and
generates a fixed output. SHA-2 is a family of two similar hash functions, with different block
sizes, known as SHA-256 and SHA-512. They differ in the word size; SHA-256 uses 32-bit
words where SHA-512 uses 64-bit words. There are also truncated versions of each standardized,
known as SHA-224 and SHA-384. From the generated 160 bit hash value we are using the only
first six characters.

So there is no need to go for SHA-2 because it is not possible for an attacker to find the similar
hash value if he knows all the 160bit hash value. Even if there is one bit change in the input then
the sha1 will provide a different output. E.g.

45
SHA1 ("The quick brown fox jumps over the lazy dog")
= 2fd4e1c6 7a2d28fc ed849ee1 bb76e739 1b93eb12
SHA1 ("The quick brown fox jumps over the lazy cog")
= 2fd4e1c6 d25e1b3a fad3e85a 0bd17d9b 100db4b3
By seeing the above example we can conclude that even if the first six characters are
same but the input to the SHA-1 algorithm are different. Even if the attacker finds a collision
[5]
then also, he cannot make use of it because the input to the SHA-1 function is a random
function. The input is not same every time, it will be different every time. So it will generate a
different hash value. Another important thing is that it is impossible to guess what will be the
next value that is generated by that random function.

Applications: There are a lot of places where we can implement our system. Here are some of
the examples described.

Online banking system: In this project we have developed a demo banking application where
we can use this system for authenticating a user to bank that he himself is the right person to
access his account.

Mobile number verification: Now-a-days buying or selling in online has become the common
thing. In order to do that a user has to create an account before using that service. At the time of
registration some websites have the phone field as a mandatory field. So, the website won’t allow
the user to access its services until the user’s phone number is verified. So, we can use this
application directly to validate the user and verify his phone number.

This system can also be used in Enterprise solutions which include secure remote access,
Enterprise authentication and B2B Transactions. For consumer: Online banking, e-commerce
and common authentication.

46
 CHAPTER FIVE

CONCLUSION AND RECOMMENDATION

5.1 CONCLUSION

Using only something you know like a password is very vulnerable to common hacking
techniques especially social engineering. However, multi-factor authentication processes are
often monotonous. Even until today, there are still many people that prefer not to enable 2FA on
their account to save themselves some hassle.

2FA are widely used by the industry, even the big technology companies like Google and
Facebook. However, these 2FA that were introduced cannot get away with requiring user many
steps to setup and also to use it. Besides that, the most common 2FA that is being used in the
industry currently is OTP (One-time Password). OTP cannot avoid user for typing it out again
especially when user is browsing in desktop client and the OTP is sent to his mobile device. This
is where our system has the edges over these traditional 2FA systems. Our system is extremely
easy to setup, with just one scan of a QR Code, and the time required to perform a 2FA is
extremely quick as well, with just one touch of a finger. In additional to that, our system also
uses a combination 3 factors of credentials while the traditional 2FA systems only uses 2 factors.

This two-factor authentication system is a user-friendly authentication system which can be a

new alternative for online shopping authentication system. This system authenticates you by
using your password (Something you know), a private key assigned to your mobile app
(Something you have). This system has the capability of providing a secured authentication
system while minimizing the hassle of using 2FA.

5.2 RECOMMENDATION

Probing deeper, the demo application in this thesis also provide a strong foundation for future
work in Two Factor authentication for security applications. Future developments include a more
user friendly GUI and extending the OTP algorithm so that password can be generated based on
different cryptographic functions. In addition to that we can add features such as giving as choice

47
to the user to choose from different ways to authenticate him to the system to which he was
supposed to authenticate.

48
 REFERENCES

1. Abbott, T. (2016). Where to Store your JWTs – Cookies vs. HTML5 Web Storage.

[online] Available at: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-

html5-web-storage [Accessed 4 Aug. 2018].

2. Convery, S. (2007). Network Authentication, Authorization, and Accounting: Part One -

The Internet Protocol Journal - Volume 10, No. 1. [online] Cisco. Available at:

https://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table-

contents35/101-aaa-part1.html [Accessed 12 Aug. 2017].

3. developer.android.com. (2018). Android 6.0 APIs. [online] Available at:

https://developer.android.com/about/versions/marshmallow/android-6.0#fingerprint-

authentication [Accessed 4 Aug. 2018].

4. Garrod, C. (2006). System Analysis and Design. 3rd ed. John Wiley & Sons, Inc., p.46.

5. Henry, A. (2016). The Difference Between Two-Factor and Two-Step Authentication.

[online] Lifehacker.com. Available at: http://lifehacker.com/the-difference-between-two-

factor-and-twostep-authenti-1787159870 [Accessed 13 Aug. 2017]. Moore, P. (2014).

6. ‘M'Raihi, D. (2011). TOTP: Time-Based One-Time Password Algorithm. [online]

Available at: https://tools.ietf.org/html/rfc6238 [Accessed 4 Aug. 2018].

7. The difference between two-factor and two-step authentication. [online] Paul Moore.

Available at: https://paul.reviews/thedifference-between-two-factor-and-two-step-

authentication/ [Accessed 14 Aug. 2017].

8. Web.mit.edu. (2015). Kerberos: The Network Authentication Protocol. [online] Available

at: https://web.mit.edu/kerberos/ [Accessed 13 Aug. 2017].

49
9. www.sun.com. (2005) Architecting and Designing J2EE Applications. [online] Available

at: http://java.boot.by/scea5-guide/ch02s02.html. [Accessed 4 Aug. 2018].

50