(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 11, No. 7, July 2013
Design and Implementation of Multi Factor
Mechanism for Secure Authentication System
Khalid Waleed Hussein #1, Dr. Nor Fazlida Mohd. Sani *2, Professor Dr. Ramlan Mahmod #3
Dr. Mohd. Taufik Abdullah #4
Faculty Computer Science & IT, University Putra Malaysia (UPM)
Kuala Lumpur, Malaysia
Abstract: A secure network depends in part on user
authentication, and regrettably the authentication systems
currently in use are not completely safe. However, the
user is not the only party that needs to be authenticated to
ensure the security of transactions on the Internet.
Existing OTP mechanisms cannot prevent an adversary from
reusing a user’s account or a stolen user device that is
used in the authentication process, and cannot guarantee
non-repudiation.
This paper proposes a multi factor mechanism for
secure electronic authentication. It is intended to
authenticate both the user and the mobile device, and to
guarantee non-repudiation and the integrity of the OTP by
keeping an adversary from obtaining it. The proposal can
guarantee the user’s credentials by ensuring the
authenticity of the user’s identity and checking that the
mobile device is in the right hands before sending the OTP
to the user. This would require each user to have a unique
phone number and a unique mobile device (unique
International Mobile Equipment Identity (IMEI)), in
addition to an ID card number. By leveraging existing
communication infrastructures, the mechanism would be able
to guarantee the safety of electronic authentication.
Comparison and analysis through experiments with existing
OTP mechanisms confirm that it excels in non-repudiation,
in authenticating the user and the mobile device used in
the authentication process, and in certification strength.
Keywords: Security, authentication, IMEI, non-repudiation, multi factor
I. INTRODUCTION
A credential is a piece of knowledge that enables
individual access to computer based information
systems [1]. User names and passwords are commonly
used by people during a log in process to prove
identity [2]. Passwords remain the most common
mechanism for user authentication in computer security
systems. This has various drawbacks, such as bad
choices by users and vulnerability to capture
[3],[4],[5]. An additional major problem is the fact that
users tend to reuse passwords for different sites [6].
Some studies indicate that more than 70% of phishing
activities are designed to steal user names and
passwords. According to the anti-phishing working
group (APWG)’s report [7], the number of malicious
web pages designed to steal users’ credentials at the
end of Q2 in 2008 had increased by 258% over the
same period in 2007. Therefore, protecting users’
credentials from fraud attacks is extremely important.
Many studies have proposed schemes to protect users’
credentials against theft [8],[9],[10].
When a website only uses a user name and password
as an authentication method, this method is known as
one factor authentication (OFA). Another method is
multi factor authentication (MFA). MFA means the use
of more than one authentication factor in the
authentication process [11],[12],[13].
Mobile authentication is one of the main methods of
multi factor authentication. It uses mobile devices
http://sites.google.com/site/ijcsis/
ISSN 1947-5500
(after a software token is installed on the mobile) for
multi-factor authentication in place of other
authentication methods such as hard tokens, smart tokens or
smart chip cards. This requires the installation of
software on a mobile device to generate a One Time Password
(OTP) [14],[15],[16]. An OTP is a password that is
valid for only one login session or transaction. OTPs
avoid a number of shortcomings that are associated
with traditional authentication (such as usernames and
passwords) [17].
Using a mobile device for authentication can be a
challenge for the user. Many solutions currently being
used by mobile applications compromise either
security or usability [18]. There are some common
drawbacks of using mobile devices to authenticate
users:
- The user needs to enter a password periodically
  to start mobile applications [19]. Complex
  passwords are difficult to enter on mobile
  devices, and frequent password entry is required. As
  a result, the user will be compelled either
  to save the passwords on their devices or to choose
  a weak password that they can easily enter on
  their devices.
- When the user’s device is lost or stolen, a
  criminal can potentially get access to everything
  stored on the device. This is generally true
  nowadays for mobile phones and especially
  smart phones, which now outsell personal
  computers (PCs). Criminals have exploited this
  feature by stealing mobile devices and trying to
  sell them or access the user’s personal
  information [20]. If a user’s device is stolen, the
  attacker can access the user’s mobile and use it
  to generate OTPs. Meanwhile the attacker can
  perform both software attacks and physical
  attacks against the device.
An International Mobile Equipment Identity (IMEI)
is a unique number that identifies 3rd Generation
Partnership Project (3GPP) mobile devices. The IMEI number
is used by a Global System for Mobile Communications
(GSM) network to identify valid devices and therefore
can be used for preventing access to a network from a
stolen phone [21],[22].
In general, methods of certification, which are considered
an essential requirement for authenticating a user when
he/she requests a service from the service provider, are
divided into four types, as in Table 1, depending on the
element that becomes the basis of certification
[23],[24],[25].
Classification   Description          Example
Type I           Something you know   Password, PIN
Type II          Something you have   Mobile Phone, Token, ID card number
Type III         Something you are    Iris, Fingerprint
Type IV          Something you do     Voice
TABLE 1. CLASSIFICATION OF AUTHENTICATION TYPE
An OTP mechanism creates a password that is used only once,
along with additional features such as user certification
and electronic transaction security, to protect the user’s
information against leakage and at the same time solve
the problem of having a static password mechanism.
However, for electronic authentication it is not possible
to establish face to face communication. When confirming
the identity of a person accessing the system,
the existing OTP mechanism faces problems such as
not being able to guarantee certification (the
authenticity of identity) and non-repudiation [26],[27],[28].
This paper proposes a mechanism to address the
problems of existing OTP authentication and to
guarantee certification and non-repudiation of users.
The proposed system requires that each user register
his or her personal information, such as ID card
number, mobile number, IMEI, and PIN, in the
system. The server should offer this practical service.
The server generates a one-time password by combining
the user’s various forms of personal information (as
above) and transmits the created OTP to the user after
encrypting it with the Advanced Encryption
Standard (AES). The user registers his or her
personal information at the registration phase. During
the registration phase the server will verify IMEI
validity, that is, whether the IMEI number is a valid
one. The user will then transfer to the login
phase for authentication by username and password.
When the user inserts a correct username and
password, the server will transfer the user to a second
authentication phase (a new layer), which is known as
the confirmation phase. During this phase, the user will
be compelled to insert the original personal information
that had previously been provided to the system. This
layer combines two factors: something the user knows
and something the user has. After the user confirms these
two factors and submits them to the server, the server
will generate an OTP and send it to the user by
encrypted SMS. At this phase the server will
verify the IMEI’s validity while simultaneously
providing a certification guarantee and non-repudiation,
because the OTP will not be sent directly to the user;
instead the server will check whether the mobile device is
in the same user’s hand or not.
This paper is organized in the following order.
Chapter II, which follows the Introduction in Chapter I,
describes the existing research into OTPs. Chapter
III discusses the secure authentication method proposed in
this research. Chapter IV describes the experimental
environment and the results of comparisons with
existing mechanisms. Last but not least, Chapter V
presents the conclusion of this research and some
possible future research directions.
II. RELEVANT STUDIES
OTP authentication mechanisms are applied by
utilizing various tools such as a hardware device (token
device), or a software token (mobile phone) [29].
A. Hardware device (token device)
A token device is used to prove the user's identity in
electronic authentication. This is done in some
commercial transactions or in e-government services
like that of New Zealand [30]. It is used in addition to
or instead of a static login-ID to prove that the user is
who they claim to be. The token acts like an electronic
key in order to confirm the identity of a user when
he/she is accessing the system [31].
Tokens contain some secret information that can be
used to prove identity, such as a static password token,
a synchronous dynamic password token (the token and
the authentication server must have synchronized
clocks), and an asynchronous password token (by
generating an OTP) [32],[33],[1].
A hardware token is considered more secure to use
than a user ID or passwords. It enhances the image of the
organization by securing user credentials more
effectively. However, the hardware may cause certain
problems, such as users always needing to carry the
token with them and requiring multiple tokens for
multiple websites. It does not provide full protection
from man-in-the-middle attacks, and the hardware
involves additional costs, such as the cost of the token
and any replacement fees [14],[33],[34].
B. Software token (mobile phone)
A software token is a form of multi-factor
authentication. Software tokens are stored on hardware
devices such as mobile phones. Therefore, they are
vulnerable to threats such as viruses and software
attacks [33]. In addition, mobile phones are easily lost or
stolen. If the mobile phone is in the wrong hands, a
criminal can easily use personal data, and most of the
information is available without great effort through
services such as SMS [35].
Researchers try to solve the problems of security of
authentication either by utilizing mobile phones as
software tokens to generate an OTP which is then sent
to the server [15],[36], or by using mobile phones as
tools to receive an OTP from servers through SMS. In
the latter case the system requires that the users log in
to the system with a username and password; after the
credentials are inserted correctly, the OTP code will be
sent to the mobile phone via SMS [37]. In both cases (the
mobile phone as soft token and using a mobile phone
just for receiving SMS) the authentication systems
suffer from not guaranteeing the user’s certification
and non-repudiation [26],[27].
III. PROPOSED SYSTEM
By leveraging existing communication
infrastructures, no additional costs are required for the
proposed system. In any system that processes
electronic authentication, the identity, authenticity and
non-repudiation of transactions are particularly
important [38]. This paper resolves the problem of
non-repudiation during the authentication process and
contributes to the increased security of the multi factor
authentication process by sending the OTP only to
trusted users.
A. Registration Phase
In the registration phase users are compelled to provide
their personal information (username, password, a 4-6
digit PIN, email, ID card number, and mobile number)
in addition to the International Mobile Equipment Identity
(IMEI). Some algorithms will check the IMEI of the
user’s mobile phone. If the IMEI is not real, the user will
be prevented from registering in the system
(so that the system does not save wrong data). Thus the
user is compelled to insert a real IMEI in the registration
phase. Also, if the IMEI and the mobile number are
repeated (already registered by another user), the user will
not be able to complete his or her registration. The use of
this method will ensure that every user has one mobile
number and one IMEI number in addition to their ID
card number. Most authentication systems that use
OTP authentication allow users to possess
many accounts with the same mobile number. This will
not happen in the proposed system, which will work to
control the management of users’ accounts and to
reduce the errors in the users’ information in the
database. After the user is successfully registered, they
will transfer to the login phase.
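The paper does not name the algorithm that checks the IMEI. The added example below (not code from the paper) assumes the Luhn check digit that 15-digit IMEIs carry and combines it with the uniqueness rules of this phase; the class and function names and all sample values are constructed for illustration.

```python
import re


class RegistrationError(ValueError):
    """Raised when a registration request must be rejected."""


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn check."""
    total = 0
    # Walk from the rightmost digit and double every second one.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_imei(raw: str) -> str:
    """Strip separators, then require 15 digits with a valid check digit."""
    imei = re.sub(r"[\s\-/]", "", raw)
    if not re.fullmatch(r"[0-9]{15}", imei):
        raise RegistrationError("IMEI must be exactly 15 digits")
    # A run of one repeated digit (all zeros passes Luhn) is not a real IMEI.
    if len(set(imei)) == 1 or not luhn_valid(imei):
        raise RegistrationError("IMEI fails the check-digit test")
    return imei


def normalize_mobile(raw: str) -> str:
    """Reduce a phone number to digits so formatting variants collide."""
    digits = re.sub(r"[^0-9]", "", raw)
    if not 7 <= len(digits) <= 15:
        raise RegistrationError("mobile number has an implausible length")
    return digits


class Registry:
    """In-memory stand-in for a user table with unique indexes."""

    def __init__(self):
        self.users = {}
        self._taken = {"imei": set(), "mobile": set(), "id_card": set()}

    def register(self, username, pin, mobile, imei, id_card):
        if username in self.users:
            raise RegistrationError("username already registered")
        if not re.fullmatch(r"[0-9]{4,6}", pin):
            raise RegistrationError("PIN must be 4-6 digits")
        # Normalize first so "49-0154..." and "490154..." are one value.
        record = {
            "imei": normalize_imei(imei),
            "mobile": normalize_mobile(mobile),
            "id_card": id_card.strip(),
        }
        for field, value in record.items():
            if value in self._taken[field]:
                raise RegistrationError(f"{field} already registered")
        # Reserve the values only after every check has passed.
        for field, value in record.items():
            self._taken[field].add(value)
        self.users[username] = record  # PIN storage is out of scope here
        return record


def try_register(registry, *args) -> str:
    """Return 'ok' or the rejection reason for one request."""
    try:
        registry.register(*args)
        return "ok"
    except RegistrationError as exc:
        return str(exc)


def run_constructed_cases():
    """Five constructed requests, in order, against one registry."""
    reg = Registry()
    requests = [
        ("alice", "4821", "+60 12-555 0101", "490154203237518", "ID-0001"),
        ("bob", "7730", "+60 12-555 0102", "49-015420-323751-8", "ID-0002"),
        ("carol", "1599", "60125550101", "352099001761481", "ID-0003"),
        ("dave", "2046", "+60 12-555 0104", "490154203237519", "ID-0004"),
        ("erin", "903144", "+60 12-555 0105", "352099001761481", "ID-0005"),
    ]
    return [try_register(reg, *req) for req in requests]


if __name__ == "__main__":
    for outcome in run_constructed_cases():
        print(outcome)
```

The check digit only shows that the submitted number is well formed; the value is still typed in by the user, so it says nothing about whether the device is actually in that user's possession.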
B. Traditional Login Phase
In this stage the user will log in to the system by using
his username and password. If the user inserts wrong
credentials (username and password) he will not be able to
gain access, as in a traditional login phase, and he will
remain in this phase until he inserts the correct ones.
After the user inserts the correct username and password
that he or she entered in the registration phase, the
system will transfer the user to the second authentication
phase (the new layer of authentication).
C. New Layer (Confirmation Phase)
The creation of this layer will prevent the server from
generating the OTP and sending it to the
user until the user confirms his or her personal
information (PIN, mobile number, IMEI), which was
registered in the previous phase (registration phase).
Also, this layer will ensure the authenticity of identity
and realize non-repudiation. In other authentication
systems, after users submit their credentials
(username and password) to the system they can
receive OTPs directly from the server by SMS. The
proposed system will not generate OTPs and will not
send anything to the user until the system ensures that
the mobile device is in the right hands (in the hands of
the same user who requests authentication). In this way the
system will ensure the liability of the person that
misuses the system. This layer combines two factors:
something the user knows (PIN) and something the user
has (mobile number and IMEI). Applying this in one
layer to confirm the identity of the user is considered a
new idea.
Also, at this point the user can choose a method of
receiving the OTP. If the user prefers not to receive the
OTP by SMS he or she can receive it by email. Thus,
in this layer the user will choose the method of
receiving the OTP depending on what he prefers. If the
user prefers to receive the OTP by email, he is required to
enter his email, PIN, and ID card number. In both cases
(when the user prefers to receive the OTP by SMS or by
email) the user will receive an OTP encrypted with
Rijndael AES 256, and the decryption of the OTP will
be conducted with the PIN, which is a symmetric key
between the user and the server. If the user inserts
the wrong information in the confirmation phase, the server
will redirect the user to the first login (traditional login)
and the process of authentication will begin again.
An adversary who tries to impersonate a legal user must
obtain all of the user’s information: the username and
password (to pass the first login), the user’s mobile phone,
which must be stolen (to pass the confirmation phase and
receive the SMS), the user’s ID card number, the user’s
email (username and password to access the email), and the
PIN, which is required in the confirmation phase and to
decrypt the SMS or email.
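One way to enforce the ordering described in this phase, as an added example that is not code from the paper: the session object below refuses to create an OTP until the PIN, mobile number and IMEI all match the registered record, and returns to the login state on any mismatch. The class and field names, the 120-second lifetime and the use of a random OTP (rather than one derived from user data) are assumptions, and the AES encryption of the delivered OTP is left out.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL = 120  # seconds; assumed value, the paper does not give a lifetime


def kdf(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest so the server stores no password or PIN."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def make_user(password, pin, mobile, imei):
    """Build the stored record for one registered user (constructed data)."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "password": kdf(password, salt),
            "pin": kdf(pin, salt), "mobile": mobile, "imei": imei}


class AuthSession:
    """One authentication attempt: LOGIN -> CONFIRM -> OTP_SENT -> DONE."""

    def __init__(self, users, clock=time.monotonic):
        self.users, self.clock = users, clock
        self.state, self.user = "LOGIN", None
        self._otp, self._expiry = None, 0.0

    def _reset(self):
        self.state, self.user, self._otp = "LOGIN", None, None

    def login(self, username, password):
        """Traditional login; success only unlocks the confirmation phase."""
        self._reset()
        user = self.users.get(username)
        # Hash even for unknown users so both paths do the same work.
        supplied = kdf(password, user["salt"] if user else b"\0" * 16)
        if user and hmac.compare_digest(supplied, user["password"]):
            self.state, self.user = "CONFIRM", user
        return self.state

    def confirm(self, pin, mobile, imei):
        """Create an OTP only if PIN, mobile number and IMEI all match."""
        if self.state != "CONFIRM":
            return None  # no OTP exists before the first login succeeds
        u = self.user
        # Evaluate all three comparisons; the list does not short-circuit.
        checks = [
            hmac.compare_digest(kdf(pin, u["salt"]), u["pin"]),
            hmac.compare_digest(mobile.encode(), u["mobile"].encode()),
            hmac.compare_digest(imei.encode(), u["imei"].encode()),
        ]
        if not all(checks):
            self._reset()  # wrong data sends the user back to the login
            return None
        self._otp = f"{secrets.randbelow(10**6):06d}"
        self._expiry = self.clock() + OTP_TTL
        self.state = "OTP_SENT"
        return self._otp  # would be handed to the SMS or email channel

    def verify_otp(self, otp):
        """Accept the OTP once, and only before it expires."""
        if self.state != "OTP_SENT":
            return False
        expected, self._otp = self._otp, None  # burn it on first use
        fresh = self.clock() <= self._expiry
        ok = fresh and hmac.compare_digest(otp.encode(), expected.encode())
        if ok:
            self.state = "DONE"
        else:
            self._reset()
        return ok


if __name__ == "__main__":
    # Constructed account; the IMEI is a commonly used sample value.
    users = {"alice": make_user("correct horse", "4821",
                                "60125550101", "490154203237518")}
    s = AuthSession(users)
    print(s.login("alice", "correct horse"))
    print(s.confirm("4821", "60125550101", "000000000000000"), s.state)
```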
D. Generating & Sending OTP
After the user passes through the confirmation
phase, which will deal with the user reliably, the server
will generate an OTP from the user’s information. This
may happen in two ways: the user may prefer to
receive the OTP by mobile phone or may prefer to
receive the OTP by e-mail. If users prefer
to use mobile phones to receive OTPs, the elements
which are demanded from the user at the confirmation
phase will contribute to the generation of the OTP;
likewise, the elements which are required from the user in
the confirmation phase when he or she intends to receive
the OTP by email will contribute to the generation of the
OTP. In this way a future OTP cannot be predicted,
because the OTP will be totally different from one user
to another. Also, the OTP will be taken randomly from
the user’s info, so that the user will not get the same
OTP each time he or she uses the proposed system. In this
paper the processes of the Multi Factor Mechanism for
Secure Authentication System are shown in
Figure 1.
Fig. 1. Procedure of Proposed System
The server will send the encrypted OTP in the manner
favoured by the user (SMS or email). After the user
receives the encrypted message containing the OTP, he or
she will be transferred to another screen to prove the
validity of his PIN and at the same time to decrypt the
OTP (a symmetric key for encryption and decryption). If the
PIN is wrong the session will end.
IV. COMPARISON ANALYSIS
A. Comparison and Analysis
In order to conduct a performance analysis of the
proposed mechanism and the existing mechanism,
comparison and analysis were executed on a total of 8
performance evaluation elements: non-repudiation,
long term password, tracking user, blocking the
user’s mobile phone, authenticating user and
mobile phone, user’s information reuse prevention, cell
phone reuse prevention, and certification type.
Non-repudiation: Because the proposed mechanism
works to authenticate the user and his or her mobile
phone (IMEI plus mobile number), the proposed
system has all important information about the user,
such as ID card number, mobile number, and IMEI, all
of which are unique. Thus the proposed system can
ensure the liability of the person that misuses the
system.
Long term password: A long password for
authentication is generally considered to be safer
than a short one. However, humans have difficulty
remembering complex or meaningless passwords [39].
At the confirmation phase, the user needs only to
rewrite long term passwords (the IMEI, the mobile
number, or the ID card number) which they already
possess, or which he/she can take from his/her ID card or
mobile phone, while other systems need the user to
remember these details.
Tracking user: Most authentication systems which
generate the OTP on the server and send it to the
user by SMS cannot track whether the user is
tampering with the system, because the authentication
system only has the user’s mobile number, in addition
to their username and password. Thus a criminal could
tamper with the system by receiving the OTP through
SMS and could then change or throw away the SIM
card. The proposed system, in contrast, can determine the
liability of the person that misuses or tampers
with the system by using the user’s ID card number
(a unique number), in addition to the mobile number
(every user has a unique mobile number and a unique
IMEI).
Block user’s mobile: An International Mobile
Equipment Identity (IMEI) is a unique number used by
a Global System for Mobile Communications (GSM)
network to identify valid devices. An IMEI can
determine the position of a mobile device and can also
be used to blacklist the device so that it becomes unusable
on any network. The proposed system requires the IMEI to
be inserted in order to authenticate the user’s device and
to take the necessary precautions in the event of tampering
with the system. If the administrator of the proposed
system discovers any attempts to tamper with the
system, he will be able to cancel the user’s account and
block the user and his or her mobile device from
registering in the system. An existing OTP
system, in contrast, cannot prevent the use of the same
device: the illegal user can return to register himself (if
the administrator discovers illegal attempts being carried
out by the user) as a legal user to access the system.
Authenticating users & mobile phones: Other
authentication systems, which utilize the mobile
phone to generate OTPs or to receive SMS,
attempt to authenticate the user and neglect the
other parties which are used in the process of electronic
authentication, such as the user’s mobile phone.
However, the user is not the only party that needs to be
authenticated to ensure the security of transactions on
the Internet [40]. The proposed system works to
authenticate both the user and the mobile device, in
addition to mutual authentication between the user and
the server through a Secure Socket Layer (SSL).
User’s information Reuse Prevention: The proposed
system achieves a one-time password approach. Every
user has totally unique information, which means there
should be no need to separate the data as in other
systems. This enhances privacy protection and
minimises the probability of data matching.
Cellphone Reuse Prevention: The proposed system
can prevent the cell phone from being reused by a criminal,
because the proposed system requires that every user
has a unique phone number and a unique mobile device
(IMEI). If the user’s cell phone is lost or stolen, the
attacker cannot use it to access the system until he gets
other elements, such as the user’s PIN or the
user’s ID card number, to pass the confirmation phase.
Certification type: Existing methods which utilize the
user’s mobile phone to receive SMS or to generate
OTPs rely on what the user knows, while the proposed
system depends on a combination of two factors: what
the user knows and what the user owns (IMEI). In
addition, this method uses a new way to authenticate
the use of a cell phone. It also enhances security
and operates as multi factor authentication inside multi
factor authentication (nested multi factor
authentication).
V. CONCLUSION
This paper proposed a mechanism for OTP
authentication which can reinforce the security of
authentication and guarantee non-repudiation by
authenticating the user and the device
which is used to receive encrypted OTPs. This cannot
completely ensure the proper use of the system, but it
can ensure the liability of the user that misuses the
system. This mechanism requires users to present
more information to prove their identity (in order
to prove to the system that this user is the same user
with the same device which is already registered in the
system), unlike existing methods (such as utilizing the
user’s mobile phone to receive OTPs). Therefore the
proposed method is suitable for areas in which security
is crucial, such as authentication for internet
banking, authentication for electronic payment,
electronic government authentication, and cloud
computing authentication.
REFERENCES
[1] Shon Harris, Access Control, in Mike Meyers' CISSP(R)
Certification Passport, Information Security Magazine,
Editor 2002, McGraw-Hill Osborne Media. p. 422.
[2] Bander AlFayyadh, et al., Improving Usability of
Password Management with Standardized Password
Policies, 2011, Queensland University of Technology:
Australia. p. 8.
[3] John Brainard, et al., Fourth-factor authentication:
somebody you know. ACM, 2006: p. 1-11.
[4] Abdulaziz S. Almazyad and Y. Ahmad, A New Approach
in T-FA Authentication with OTP Using Mobile Phone.
Springer 2009. 58: p. 9-17.
[5] Jiří Sobotka and Radek Doležel, Multifactor
authentication systems. elektro revue, December 2010.
1(1213-1539): p. 1-7.
[6] R.R. Karthiga and K. Aravindhan, Enhancing Performance
of User Authentication Protocol with Resist to Password
Reuse Attacks. International Journal Of Computational
Engineering Research (IJCER), 2012. 2(8): p. 106-115.
[7] Chun-Ying Huang, Shang-Pin Ma, and Kuan-Ta Chen,
Using one-time passwords to prevent password phishing
attacks. Science Direct, 2011.
[8] Chuan Yue and Haining Wang, BogusBiter: A
Transparent Protection Against Phishing Attacks. ACM,
2010. 10(2): p. 31.
[9] Scott Garriss, et al., Trustworthy and Personalized
Computing on Public Kiosks, in 6th international
conference on Mobile systems, applications, and services,
2008, ACM: USA. p. 199-210.
[10] Heng Yin, et al., Panorama: capturing system-wide
information flow for malware detection and analysis, in
ACM conference on Computer and communications
security, 2007, ACM: USA. p. 116-127.
[11] Jing-Chiou Liou and Sujith Bhashyam, A feasible and
cost effective two-factor authentication for online
transactions, 2010, IEEEXplore: Chengdu, China. p. 47-51.
[12] Jae-Jung Kim and Seng-Phil Hong, A Method of Risk
Assessment for Multi-Factor Authentication. Journal of
Information Processing Systems, 2011. 7: p. 187-198.
[13] Do van Thanh, et al., Strong authentication with mobile
phone as security token. IEEEXplore, 2009: p. 777-782.
[14] Trupti Hemant Gurav and Manisha Dhage, Remote Client
Authentication using Mobile phone generated OTP.
International Journal of Scientific and Research
Publications, 2012. 2(5): p. 4.
[15] Havard Raddum, Lars Hopland Nestas, and K.J. Hole,
Security Analysis of Mobile Phones Used as OTP
Generators, in international conference on Information
Security and Privacy of Pervasive Systems and Smart
Devices, International Federation for Information
Processing (IFIP), Editor 2010, ACM: Berlin. p. 324-331.
[16] Gianluigi Me, Daniele Pirro, and R. Sarrecchia, A mobile
based approach to strong authentication on Web, in
International Multi-Conference on Computing in the
Global Information Technology, 2006, IEEE Xplore. p. 67
[17] K. Aravindhan and R.R. Karthiga, One Time Password: A
Survey. International Journal of Emerging Trends in
Engineering and Development, 2013. 1(3): p. 613-623.
[18] Hung-Min Sun, Yao-Hsin Chen, and Y.-H. Lin, oPass: A
User Authentication Protocol Resistant to Password
Stealing and Password Reuse Attacks. IEEEXplore, 2012.
7(2): p. 651-663.
[19] Xing Fang and Justin Zhan, Online Banking
Authentication Using Mobile Phones, in 5th International
Conference on Future Information Technology
(FutureTech), 2010, IEEEXplore: Busan. p. 1-5.
[20] Mahendra Singh Bora and Amarjeet Singh, Cyber Threats
and Security for Wireless Devices. Journal of
Environmental Science, Computer Science and
Engineering & Technology (JECET), 2013. 2: p. 277-284.
[21] Jörg Eberspächer, et al., GSM Architecture, Protocols
and Services 2009, John Wiley & Sons: UK. p. 327.
[22] GSM Association, IMEI Allocation and Approval
Guidelines, Official Document TS.06 (DG06), Editor
2011. p. 33.
[23] Jae-Jung Kim and Seng-Phil Hong, A Method of Risk
Assessment for Multi-Factor Authentication. Journal of
Information Processing Systems, 2011. 7: p. 187-198.
[24] Kumar Abhishek, et al., A Comprehensive Study on
Multifactor Authentication Schemes. 2013. 177: p. 561-568.
[25] Jing-Chiou Liou and S. Bhashyam, On Improving
Feasibility and Security Measures of Online
Authentication. International Journal of Advancements in
Computing Technology, October 2010. 2(4.1): p. 11.
[26] Hyun-chul Kim, et al., Design and Implementation of
Multi Authentication Mechanism for Secure Electronic
Commerce, 2009, IEEEXplore: Seoul, South Korea. p.
215-219.
[27] Milovanovic, M., et al., Choosing Authentication
Techniques in e-Procurement System in Serbia, in
International Conference on Availability, Reliability and
Security, 2010, IEEE Xplore. p. 374-379.
[28] Chii-Ren Tsai, Non-Repudiation In Practice, 2002,
Second International Workshop for Asian Public Key
Infrastructure (IWAP’02): Taipei, Taiwan. p. 5.
[29] Jing-Chiou Liou and Sujith Bhashyam, A feasible and
cost effective two-factor authentication for online
transactions, in 2nd International Conference of Software
Engineering and Data Mining (SEDM), 2010,
IEEEXplore: Chengdu, China. p. 47-51.
[30] Yu-Cheng Tu and C. Thomborson, Preliminary Security
Specification for New Zealand's igovt System. Australian
Computer Society, Inc, 2009. 98: p. 10.
[31] Nermin Hamza and Dr. Bahaa El-Din M. Hassan, A
Dynamic ID-based authentication scheme with smart
token, in Computer Engineering & Systems, 2009. ICCES
2009. 2009, IEEEXplore: Cairo. p. 294-299.
[32] H. Karen Lu and Asad Ali, Communication Security
between a Computer and a Hardware Token, in Third
International Conference on Systems, ICONS 2008,
IEEEXplore: Cancun. p. 220-225.
[33] Manav Singhal and Shashikala Tapaswi, Software Tokens
Based Two Factor Authentication Scheme. International
Journal of Information and Electronics Engineering,
2012. 2: p. 383-386.
[34] Gauri Rao and Dr. S.H. Patil, THREE DIMENSIONAL
VIRTUAL ENVIRONMENT FOR SECURED AND
RELIABLE AUTHENTICATION. Journal of Engineering
Research and Studies (JERS), 2011. 2(2): p. 68-73.
[35] David Lisoněk and Martin Drahanský, SMS Encryption
for Mobile Communication. IEEEXplore, 2008: p. 198-201.
[36] Fadi Aloul, Syed Zahidi, and Wassim El-Hajj, Two
Factor Authentication Using Mobile Phones.
IEEEXplore, 2009: p. 641-644.
[37] D. Parameswari and L. Jose, SET with SMS OTP using
Two Factor Authentication. Journal of Computer
Applications (JCA), 2011. 4(4): p. 4.
[38] Xian-ge Huang, Lei Shen, and Yan-hong Feng, A User
Authentication Scheme Based on Fingerprint and USIM
Card, in International Conference on Intelligent
Information Hiding and Multimedia Signal Processing
(IIHMSP), 2008, IEEEXplore: Harbin. p. 1261-1264.
[39] Sonia Chiasson, et al. Multiple Password Interference in
Text Passwords and Click-Based Graphical Passwords.
in 16th ACM conference on Computer and
communications security (CCS). 2009. New York: ACM.
[40] Audun Jøsang, et al., Service Provider Authentication
Assurance, in Tenth Annual International Conference on
Privacy, Security and Trust, 2012, IEEE Xplore. p. 203-210.