Analysis of the authentication scheme based on the use of QR-code and webcam for Smart-Mobile devices
Abstract
The paper analyzes the necessity and expediency of using the method of user authentication based on QR-code and webcam for Smart-Mobile devices. Phishing attacks are one of the most serious threats faced by Internet users. Existing authentication schemes are not able to provide an adequate protection from these attacks, as evidenced by statistics collected by the companies researching cybersecurity. Therefore, the task of developing a secure authentication scheme for users, which can effectively counteract various types of phishing attacks is very important. The paper proposes a new authentication scheme for users, which allows them to log in to their accounts without remembering passwords or presenting other authentication tokens. According to the messaging protocol in the proposed scheme, the user must scan the dynamically generated QR-code using a smartphone application, then take their own photo via the webcam, and send it to the smartphone via a message from the server. Thus, the full authentication procedure requires minimal user involvement and is performed automatically. The results of evaluation and practical testing show that the proposed authentication scheme is quite reliable and can be used as a secure user authentication scheme for Smart-Mobile devices. The proposed authentication protocol is not only able to cope with attacks such as Real Time Man-In-The-Middle and Controlled Relay Man-In-The-Middle, but can also protect users from the effects of malicious browser extensions and substitution of authentic applications by malicious variants. In addition, the proposed scheme does not require users to have any authentication tokens or credentials, as all they need is to scan the QR-code and verify the image taken by their own webcam. That makes the use of the proposed scheme more convenient and easy for users as compared to other known authentication schemes. Currently, the application of the proposed scheme requires the use of HTTPS websites for the exchange of all data involved. Thus, the proposed protocol can be implemented to manage cookies securely in order to prevent the interception of session data.
Downloads
References
E.E. Lastdrager. Achieving a consensual definition of phishing based on a systematic review of the literature, Crime Sci vol. 3, 2014, pp. 21-32, DOI:https://doi.org/10.1186/s40163-014-0009-y [in English]
А. Neda. Multi-label rules for phishing classification, Applied Computing and Informatics, vol. 11, 2015, pp. 29-46, DOI:https://doi.org/10.1016/j.aci.2014.07.002 [in English]
Banday M.T., Qadri J.A. Phishing - A Growing Threat to E-Commerce, The Business Review, vol. 12, 2011, pp. 76-83. [in English]
Badra M., El-Sawda S., Hajjeh I., “Phishing attacks and solutions”, in Proceedings of the 3rd International Conference on Mobile Multimedia Communications, MobiMedia 2007, Nafpaktos, Greece, August 27-29, 2007, pp. 42-43. [in English]
Rami M. M., Fadi T., Lee M., Tutorial and critical analysis of phishing websites methods, Computer Science Review, vol. 17, 2015, pp. 1-24, DOI:https://doi.org/10.1016/j.cosrev.2015.04.001 [in English]
Jagatic T., Nathaniel J., Menczer F. Social phishing, Commun, 2007, pp. 94-100. [in English]
Stronger security for your Google Account. Google., 2015. [Online]. Available: https://www.google.com/landing/2step/. [Accessed October 19, 2020]. [in English]
Multi-Factor Authentication. SAASPASS., 2019. [Online]. Available: https://saaspass.com/. [Accessed October 20, 2020]. [in English]
Secure authentication scheme to thwart RT MITM, CR MITM and malicious browser extension based phishing attacks. Gaurav V., Manoj M., Pradeep A., 2018. [Online]. Available: https://www.sciencedirect.com/science/article/abs/pii/S2214212618300140. [Accessed October 20, 2020]. [in English]
Seung-Hyun K., Daeseon C., Seung-Hun J., Sung-Hoon L., “Geo-location based QR-Code authentication scheme to defeat active real-time phishing attack”, in Proceedings of the 2013 ACM workshop on Digital identity management (DIM '13). Association for Computing Machinery, New York, NY, USA, 2013, pp. 51–62. DOI:https://doi.org/10.1145/2517881.2517889 [in English]
Mukhopadhyay S., Argles D., “An Anti-Phishing mechanism for single sign-on based on QR-code”, in Proceedings of the International Conference on Information Society (i-Society 2011), London, 2011, pp. 505-508, DOI:10.1109/i-Society18435.2011.5978554 [in English]
Dodson B., Sengupta D., Boneh D., Lam M.S., “Secure, Consumer-Friendly Web Authentication and Payments with a Phone”, in Proceedings of the MobiCASE 2010. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 76. Springer, Berlin, Heidelberg. DOI:https://doi.org/10.1007/978-3-642-29336-8_2 [in English]
Leung C., “Depress phishing by CAPTCHA with OTP”, in Proceedings of the 3rd International Conference on Anti-counterfeiting, Security, and Identification in Communication, Hong Kong, 2009, pp. 187-192, DOI:10.1109/ICASID.2009.5276926. [in English]
Your key to the fastest, safest login. Yubico., 2019. [Online]. Available: https://www.yubico.com/why-yubico/for-individuals/. [Accessed October 21, 2020]. [in English]
G. Varshney and M. Misra, "Push notification based login using BLE devices", in Proceedings of the 2nd International conferences on Information Technology, Information Systems and Electrical Engineering (ICITISEE), Yogyakarta, 2017, pp. 479-484, DOI: 10.1109/ICITISEE.2017.8285554. [in English]
M. Xie, Y. Li, K. Yoshigoe, R. Seker and J. Bian, "CamAuth: Securing Web Authentication with Camera", in Proceedings of the 16th International Symposium on High Assurance Systems Engineering, Daytona Beach Shores, FL, 2015, pp. 232-239, DOI:10.1109/HASE.2015.41. [in English]
Lastpass remembers all your passwords. Lastpass., 2019. [Online]. Available: https://www.lastpass.com/. [Accessed October 21, 2020]. [in English]
Ross B., Jackson C., Miyake N., Boneh D., Mitchell JC., Stronger password authentication using browser extension. Baltimore, MD, USA, 2005, pp. 17-32. [in English]
White paper preventing man in the middle phishing attacks with multi-factor authentication. Tricipher., 2019. [Online]. Available: https://www.globaltrustit/documents/press/phishing/ PhishingSolutionWhitepaper.pdf. [Accessed October 22, 2020]. [in English]
Yahoo sign in. Yahoo., 2016. [Online]. Available: https://login.yahoo.com/. [Accessed October 23, 2020]. [in English]
RSA SecurID. Beal V., 2019. [Online]. Available: https://www.webopedia.com/TERM/R/ rsa_secure_id.html/. [Accessed October 23, 2020]. [in English]
B. B. Zhu, J. Yan, G. Bao, M. Yang and N. Xu, "Captcha as Graphical Passwords—A New Security Primitive Based on Hard AI Problems," in ", in Proceedings of the Transactions on Information Forensics and Security, vol. 9, no. 6, pp. 891-904, June 2014, DOI:10.1109/TIFS.2014.2312547. [in English]
J. Bonneau and S. Preibusch, "The password thicket: technical and market failures in human authentication on the web," in Proc. WEIS 2010, pp 1-48. [in English]
J. Bonneau, C. Herley, P. C. v. Oorschot and F. Stajano, "The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes," in Proceedings of the Symposium on Security and Privacy, San Francisco, CA, 2012, pp. 553-567, DOI:10.1109/SP.2012.44. [in English]
