• 2. QR Code Authentication
  • Development of an authentication scheme based on qr code and totp
    Date: 22.05.2024

    1.2. Purpose
    The scope of this development is to analyze the old scheme using threat modeling and security attacks, then secure it using cryptography and TOTP, and finally implement the new authentication scheme.
    A static password S and an initialization key K are chosen because they are considered easy to remember, and TOTP is chosen because it is more secure and simpler to use for authentication.
    The proposed scheme is expected to serve users who care about security, privacy, and simplicity of authentication: the secret information stored on the backend system consists only of the static password S and the initialization key K. The other keys and information are held only by the user, who uses them to encrypt the TOTP key (carried in the QR code) and to run TOTP to obtain the ephemeral password T. This keeps the secret data confidential while remaining usable by users.
    The scheme is proposed so that users can authenticate to the system with an ephemeral password, which prevents and mitigates password replay attacks, man-in-the-middle (MITM) attacks, and the various other attacks that rely on a static password.
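    The following is an added example (not code from the original document) of the pieces the Purpose section names: the ephemeral password T computed with TOTP (RFC 6238), a per-user TOTP key derived from the static password S and the initialization key K so that the backend stores only S and K, and the TOTP key wrapped for transport in the QR code. How S and K feed the key derivation, the wrapping layout (salt, ciphertext, tag) and the user id are assumptions, not the page's design.

```python
"""Ephemeral password T via TOTP, with the TOTP key derived from S and K.
Added example; the key derivation from S and K and the QR wrapping layout
are assumptions, not the scheme as specified in the document."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30       # TOTP time step in seconds
DIGITS = 6      # length of the ephemeral password T


def derive_totp_key(S: str, K: bytes, user_id: str) -> bytes:
    """Assumption: per-user TOTP key = HMAC-SHA256(K, S || 0x00 || user_id).
    The backend keeps only S and K and recomputes this key on demand."""
    return hmac.new(K, S.encode() + b"\x00" + user_id.encode(), hashlib.sha256).digest()


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, unix_time // step)


def verify_totp(key: bytes, candidate: str, unix_time: int,
                step: int = STEP, window: int = 1) -> bool:
    """Accept T for the current step and +/- `window` steps of clock skew.
    Every slot is compared in constant time so timing does not reveal which
    slot (if any) matched."""
    counter = unix_time // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        ok |= hmac.compare_digest(hotp(key, c), candidate)
    return ok


def _wrap_keys(S: str, salt: bytes):
    """Derive an encryption key and a separate MAC key from S with PBKDF2-HMAC-SHA256."""
    wk = hashlib.pbkdf2_hmac("sha256", S.encode(), salt, 100_000, dklen=64)
    return wk[:32], wk[32:]


def wrap_for_qr(S: str, totp_key: bytes) -> str:
    """QR payload = salt || ciphertext || tag, base64url-encoded (assumed layout).
    Encrypt-then-MAC: one HMAC-SHA256 block is the keystream for the 32-byte key."""
    assert len(totp_key) <= 32
    salt = secrets.token_bytes(16)
    enc_key, mac_key = _wrap_keys(S, salt)
    stream = hmac.new(enc_key, salt + b"\x00", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(totp_key, stream))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(salt + ct + tag).decode()


def unwrap_from_qr(S: str, payload: str) -> bytes:
    """Reverse of wrap_for_qr; the tag is checked before the ciphertext is used."""
    raw = base64.urlsafe_b64decode(payload)
    salt, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    enc_key, mac_key = _wrap_keys(S, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("QR payload rejected: wrong password S or tampered payload")
    stream = hmac.new(enc_key, salt + b"\x00", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


if __name__ == "__main__":
    K = secrets.token_bytes(32)          # server initialization key (constructed)
    S = "correct horse battery"          # user's static password (constructed)
    key = derive_totp_key(S, K, "alice")
    qr_payload = wrap_for_qr(S, key)     # what the QR code carries
    phone_key = unwrap_from_qr(S, qr_payload)
    now = int(time.time())
    T = totp(phone_key, now)
    print("T =", T, "accepted by server:", verify_totp(key, T, now))
```

The server side never stores the TOTP key itself: it recomputes it from S and K when a T arrives, which is the property the Purpose section claims. The acceptance window of one step on each side is the usual trade-off between clock skew tolerance and the number of codes an attacker could try; a production deployment would also record the last accepted counter per user so a T cannot be reused within its window.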
    1.3. Scope
    The main purposes of the project are to provide a higher level of security with better user convenience and to improve the traditional web-based authentication system. User convenience means that the user only needs to initiate the login process, without having to wait or enter credentials on the client side. In the existing system, users have to enter their login credentials (user ID and password) on the client side before they can establish a session with the server.
    In our project, we assume the user has already launched the web application from the computer terminal, meaning the user has physical possession of the device. The server generates a QR code for the user to scan with a mobile device. After scanning the QR code, the mobile device prompts the user to launch an application installed on it. Once the application is launched, the mobile device automatically establishes a session with the server; the user does not need to enter any credentials on the mobile device. The user is given the option to enter a predefined PIN in case the mobile device is stolen, so that the stolen device can be disabled from producing the OTP. This option will be useful for future improvements that extend the QR code to support other authentication mechanisms.
    The OTP is generated from the mobile device credentials in the existing system and from the mobile device's registration in the system. The OTP is sent along with the device IP, the IP location, and an image snapshot from the device camera. If the mobile device is idle, the OTP is stored on the device and uploaded to the server once the device successfully establishes a session with the server. The user can log in simultaneously from different mobile devices to generate OTPs, and can also use the mobile device to generate OTPs for other users, because the OTP is tied only to the device, the device registration, and the user credentials used to unlock the mobile device.
    By doing so, the specific user does not need to enter the OTP to establish a session with the server. For the other user, the OTP provides user information and confirmation, but it does not change anything on that user's side. Since the OTP is tied only to the device, the user can still access the system by entering the device IP and requesting another OTP for user information and confirmation. We also need to consider that in the future people around the world may want touch-screen mobile devices and may deploy a custom phone with their own phone number. This scenario could lead to mobile devices suspending data communication if the device IP changes multiple times while data charges are incurred. Our project's solution to this problem is to track the user's device location through device registration in the existing system and to request information from the user if device data communication is suspended.
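    The QR-initiated login flow described in the Scope section, as an added example that is not the project's own code: the browser session shows a one-time challenge in the QR code, the registered phone answers it with a device-bound proof, and the server binds the browser session to the user without any credentials being typed. The challenge layout, the device registry, the login and device identifiers, and the device-key HMAC proof (standing in for the device-tied OTP) are assumptions.

```python
"""QR-initiated login: one-time challenge in the QR, device-bound answer from
the registered phone, server binds the session.  Added example; challenge
layout, device registry and the HMAC proof are assumptions."""
import hashlib
import hmac
import json
import secrets

CHALLENGE_TTL = 60   # seconds a QR challenge stays valid (assumed value)


def _proof(device_key: bytes, nonce: bytes, login_id: str, device_id: str) -> str:
    """HMAC over nonce, login_id and device_id binds the answer to this
    challenge and this device (assumption standing in for the device-tied OTP)."""
    msg = nonce + login_id.encode() + b"\x00" + device_id.encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class QrLoginServer:
    def __init__(self):
        self.devices = {}    # device_id -> (user_id, device_key) from registration
        self.pending = {}    # login_id -> (nonce, issued_at) awaiting a phone
        self.sessions = {}   # login_id -> user_id once approved

    def register_device(self, user_id: str, device_id: str, device_key: bytes) -> None:
        self.devices[device_id] = (user_id, device_key)

    def new_qr_challenge(self, now: int) -> str:
        """Payload the browser renders as a QR code."""
        login_id = secrets.token_urlsafe(16)
        nonce = secrets.token_bytes(32)
        self.pending[login_id] = (nonce, now)
        return json.dumps({"login_id": login_id, "nonce": nonce.hex()})

    def approve(self, response: dict, now: int):
        """Validate the phone's answer; returns (ok, user_id or reason)."""
        login_id = response.get("login_id")
        entry = self.pending.get(login_id)
        if entry is None:
            return False, "unknown or already used challenge"
        nonce, issued = entry
        if now - issued > CHALLENGE_TTL:
            del self.pending[login_id]
            return False, "challenge expired"
        device = self.devices.get(response.get("device_id"))
        if device is None:
            return False, "unregistered device"
        user_id, device_key = device
        expected = _proof(device_key, nonce, login_id, response["device_id"])
        if not hmac.compare_digest(expected, str(response.get("proof", ""))):
            return False, "invalid proof"
        del self.pending[login_id]       # single use: a replayed answer is refused above
        self.sessions[login_id] = user_id
        return True, user_id


def phone_answer(qr_payload: str, device_id: str, device_key: bytes) -> dict:
    """What the installed app sends after scanning; the user types nothing."""
    data = json.loads(qr_payload)
    nonce = bytes.fromhex(data["nonce"])
    return {"login_id": data["login_id"], "device_id": device_id,
            "proof": _proof(device_key, nonce, data["login_id"], device_id)}


if __name__ == "__main__":
    srv = QrLoginServer()
    phone_key = secrets.token_bytes(32)      # set at device registration (constructed)
    srv.register_device("alice", "phone-1", phone_key)
    qr = srv.new_qr_challenge(now=1000)
    print(srv.approve(phone_answer(qr, "phone-1", phone_key), now=1010))  # (True, 'alice')
```

The three checks in `approve` are what give the "no credentials typed" flow its security: the nonce makes each QR single-use so a captured answer cannot be replayed, the time-to-live bounds how long a displayed QR can be abused, and the proof keyed by the registered device key is what ties the approval to a specific registered device rather than to anything the user knows.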