A Report on:

“Two Factor Authentication”

Submitted by:

Under guidance of:

Department of Computer Engineering

CERTIFICATE

This is to certify that the pre report on the project entitled

“Two Factor Authentication”

Submitted by:

In partial fulfillment of the BACHELOR OF COMPUTER ENGINEERING degree course of Mumbai University for the year 2009-2010.

INTERNAL GUIDE ( Prof.) (Prof.)

HOD

INTERNAL EXAMINER

PRINCIPAL

EXTERNAL EXAMINER

ACKNOWLEDGEMENT
No project is ever complete without the guidance of those experts who have already trodden this path before and hence become masters of it and, as a result, our leaders. So we would like to take this opportunity to thank all those individuals who have helped us in visualizing this project. We express our deep gratitude to our project guide Mrs. Amarja Adgaonkar for providing timely assistance to our queries and for the guidance that she gave owing to her experience in this field over many past years. She has indeed been a lighthouse for us in this journey. We would also take this opportunity to thank our project co-ordinator Mr. Nitin Patkar for his guidance in selecting this project and also for providing us all the details on the proper presentation of this project. We extend our sincere appreciation to all our Professors from K.C. COLLEGE OF ENGINEERING for their valuable insights and tips during the designing of the project. Their contributions have been valuable in so many ways that we find it difficult to acknowledge them individually. We are also grateful to our HOD Mrs. Amarja Adgaonkar for extending her help directly and indirectly through various channels in our project work.

Thanking You, ________________

ABSTRACT
This project describes a method of implementing two factor authentication using mobile phones. The proposed method guarantees that authenticating to services, such as online banking or ATM machines, is done in a very secure manner. The proposed system involves using a mobile phone as a software token for One Time Password generation. The generated One Time Password is valid for only a short user-defined period of time and is generated from factors that are unique to both the user and the mobile device itself. Additionally, an SMS-based mechanism is implemented both as a backup mechanism for retrieving the password and as a possible means of synchronization. The proposed method has been implemented and tested. Initial results show the success of the proposed method.

INDEX

SR.NO  TITLE
1)  INTRODUCTION
2)  LITERATURE SURVEY
3)  PROBLEM DEFINITION
4)  REQUIREMENT ANALYSIS
5)  PLANNING AND ESTIMATION
6)  ALGORITHM
7)  IMPLEMENTATION
8)  ADVANTAGES & DISADVANTAGES
9)  FUTURE MODIFICATIONS
10) APPLICATION
11) BIBLIOGRAPHY
12) SCREENSHOTS
13) SOURCE CODE


Chapter 1 INTRODUCTION

Today security concerns are on the rise in all areas such as banks, governmental applications, healthcare industry, military organization, educational institutions, etc. Government organizations are setting standards, passing laws and forcing organizations and agencies to comply with these standards, with non-compliance being met with wide-ranging consequences. There are several issues when it comes to security concerns in these numerous and varying industries, with one common weak link being passwords.

Most systems today rely on static passwords to verify the user’s identity. However, such passwords come with major management security concerns. Users tend to use easy-to-guess passwords, use the same password in multiple accounts, write the passwords down or store them on their machines, etc. Furthermore, hackers have the option of using many techniques to steal passwords such as shoulder surfing, snooping, sniffing, guessing, etc. Several ‘proper’ strategies for using passwords have been proposed. Some of which are very difficult to use and others might not meet the company’s security concerns.

Two factor authentication using devices such as tokens and ATM cards has been proposed to solve the password problem and has been shown to be difficult to hack. Two factor authentication also has disadvantages, which include the cost of purchasing, issuing, and managing the tokens or cards. From the customer’s point of view, using more than one two-factor authentication system requires carrying multiple tokens/cards which are likely to get lost or stolen.

Mobile phones have traditionally been regarded as a tool for making phone calls. But today, given the advances in hardware and software, mobile phone use has been expanded to sending messages, checking emails, storing contacts, etc. Mobile connectivity options have also increased. After standard GSM connections, mobile phones now have infra-red, Bluetooth, 3G, and WLAN connectivity. Most of us, if not all of us, carry mobile phones for communication purposes. Several mobile banking services available take advantage of the improving capabilities of mobile devices, from being able to receive information on account balances in the form of SMS messages to using WAP and Java together with GPRS to allow fund transfers between accounts, stock trading, and confirmation of direct payments via the phone’s micro browser. Installing both vendor-specific and third party applications allows mobile phones to provide expanded new services other than communication. Consequently, using the mobile phone as a token will make it easier for the customer to deal with multiple two factor authentication systems; in addition it will reduce the cost of manufacturing, distributing, and maintaining millions of tokens.

In this paper, we propose and develop a complete two factor authentication system using mobile phones instead of tokens or cards. The system consists of a server connected to a GSM modem and a mobile phone client running a J2ME application. Two modes of operation are available for the users based on their preference and constraints. The first is a stand-alone approach that is easy to use, secure, and cheap. The second approach is an SMS-based approach that is also easy to use and secure, but more expensive. The system has been implemented and tested.

Chapter 2 LITERATURE SURVEY

Literature Survey

By definition, authentication is the use of one or more mechanisms to prove that you are who you claim to be. Once the identity of the human or machine is validated, access is granted. Three universally recognized authentication factors exist today: what you know (e.g. passwords), what you have (e.g. ATM card or tokens), and what you are (e.g. biometrics). Recent work has been done in trying alternative factors such as a fourth factor, e.g. somebody you know, which is based on the notion of vouching.

Two-factor authentication means using any independent two of these authentication methods (e.g. password + value from physical token) to increase the assurance that the bearer has been authorized to access secure systems. Multi-factor authentication hence means two or more of the authentication factors are required for being authenticated. The requestor for access or entry shall authenticate himself by proving his identity by means of
• What the requestor individually knows as a secret, such as a password or a Personal Identification Number (PIN),
• What the requesting owner uniquely has, such as a passport, physical token, or an ID-card, or
• What the requesting bearer individually is, such as biometric data, like a fingerprint or the face geometry.

Authentication is generally required to access secure data or enter a secure area. The owner of secure data or the operator of such secure systems is implementing two-factor authentication for laptops first because of the inherent security risks in mobile computers, to make it more difficult for unauthorized persons to use a “found” laptop to access secure data or systems. With mobile phones or smart phones, the quality of the problem does not change: a lost or left phone shall not be activated to enable the finder to gain unauthorized access to secure data or systems.

Two factor authentication is a mechanism which implements two of the above mentioned factors and is therefore considered stronger and more secure than the traditionally implemented one factor authentication system. Withdrawing money from an ATM machine utilizes two factor authentication: the user must possess the ATM card, i.e. what you have, and must know a unique personal identification number (PIN), i.e. what you know.

Passwords are known to be one of the easiest targets of hackers. Therefore, most organizations are looking for more secure methods to protect their customers and employees. Biometrics are known to be very secure and are used in special organizations, but they are not used much in secure online transactions or ATM machines given the expensive hardware that is needed to identify the subject and the maintenance costs. Instead, banks and companies are using tokens as a means of two factor authentication.

A security token is a physical device that an authorized user of computer services is given to aid in authentication. It is also referred to as an authentication token or a cryptographic token. Tokens come in two formats: hardware and software. Hardware tokens are small devices which can be conveniently carried. Some of these tokens store cryptographic keys or biometric data, while others display a PIN that changes with time. At any particular time when a user wishes to login, he uses the PIN displayed on the token in addition to his normal account password. Software tokens are programs that run on computers and provide a PIN that changes with time. Such programs implement a One Time Password (OTP) algorithm. OTP algorithms are critical to the security of systems employing them since unauthorized users should not be able to guess the next password in the sequence. The sequence should be random to the maximum possible extent, unpredictable, and irreversible. Factors that can be used in OTP generation include names, time, seed, etc.

Several commercial two factor authentication systems exist today such as BestBuy’s BesToken, RSA’s SecurID, and Secure Computing’s Safeword. BesToken applies two-factor authentication through a smart card chip integrated USB token. It has a great deal of functionality by being able to both generate and store users’ information such as passwords, certificates and keys. One application is to use it to log into laptops. In this case, the user has to enter a password while the USB token is plugged into the laptop at the time of the login. A hacker must compromise both the USB token and the user account password to log into the laptop. SecurID from RSA uses a token (which could be hardware or software) whose internal clock is synchronized with the main server. Each token has a unique seed which is used to generate a pseudorandom number. This seed is loaded into the server upon purchase of the token and used to identify the user. An OTP is generated using the token every 60 seconds. The same process occurs at the server side. A user uses the OTP along with a PIN which only he knows to authenticate and is validated at the server side. If the OTP and PIN match, the user is authenticated. In services such as ecommerce, a great deal of time and money is put into countering possible threats and it has been pointed out that both the client and the server as well as the channel of communication between them are imperative.

Chapter 3 PROBLEM DEFINITION

In 2005 the National Bank of Abu Dhabi (NBAD) became the first bank in the Middle East to implement two factor authentication using tokens. It employed the RSA SecurID solution and issued its 19000 customers small hardware tokens. The National Bank of Dubai (NBD) made it compulsory for commercial customers to obtain tokens, while personal customers were offered the option to obtain the tokens. In 2005, Bank of America also began providing two factor authentication for its 14 million customers by offering hardware tokens. Many international banks also opted to provide their users with tokens for additional security, such as Bank of Queensland, the Commonwealth Bank of Australia and the Bank of Ireland. In many cases, the customers are charged for each token.

While tokens provide a much safer environment for users, they can be very costly for organizations. For example, a bank with a million customers will have to purchase, install, and maintain a million tokens. Furthermore, the bank has to provide continuous support for training customers on how to use the tokens. The banks also have to be ready to provide replacements if a token breaks or gets stolen. Replacing a token is a lot more expensive than replacing an ATM card or resetting a password. From the customer’s perspective, having an account with more than one bank means the need to carry and maintain several tokens, which constitutes a big inconvenience and can lead to tokens being lost, stolen, or broken. Using tokens involves several steps including registration of users, token production and distribution, user and token authentication, and user and token revocation among others.

We propose a mobile-based software token that will save the organizations the cost of purchasing and maintaining the hardware tokens. Furthermore, it will allow customers to install multiple software tokens on their mobile phones. Hence, they will only worry about their mobile phones instead of worrying about several hardware tokens.

Chapter 4 HARDWARE & SOFTWARE REQUIREMENT

Hardware and Software requirements

Hardware:
1. Processor: Pentium 4.
2. RAM: 512 MB or more.
3. Hard disk: 16 GB or more.
4. GSM modem.

Software:
1. JDK 6 and above.
2. NetBeans 6 and above.
3. Sun Wireless toolkit for J2ME.

Chapter 5 PLANNING AND ESTIMATION

Software Development Life Cycle

The entire project spanned a duration of 6 months. In order to effectively design and develop a cost-effective model, the Waterfall model was practiced.

Requirement gathering and Analysis phase: This phase started at the beginning of our project. We formed groups and modularized the project. Important points of consideration were:
1 Define and visualize all the objectives clearly.
2 Gather requirements and evaluate them.
3 Consider the technical requirements needed and then collect technical specifications of the various peripheral components (Hardware) required.
4 Analyze the coding languages needed for the project.
5 Define coding strategies.
6 Analyze future risks / problems.
7 Define strategies to avoid these risks, else define alternate solutions to these risks.
8 Check financial feasibility.
9 Define Gantt charts and assign a time span to each phase.

TimeLine

By studying the project extensively we developed a Gantt chart to track and schedule the project. Below is the Gantt chart of our project.

ID  Task Name                   Start     Finish    Duration
1   Requirement gathering       7/29/09   8/19/09   3 Weeks
2   Problem definition          8/12/09   8/19/09   1 Week
3   Literature survey           8/19/09   9/16/09   4 Weeks
4   Analysis                    9/2/09    9/16/09   2 Weeks
5   Flowchart, Block diagram    9/16/09   9/23/09   1 Week
6   Cost Estimation             9/30/09   10/14/09  2 Weeks
7   H/W specification           10/7/09   10/14/09  1 Week
8   S/W specification           10/7/09   10/14/09  1 Week

Each week begins on Wednesday.

Cost estimation is done using the COCOMO model.

Cost Drivers                                    Ratings
                                                Very Low  Low   Nominal  High  Very High  Extra High
Product attributes
  Required software reliability                  0.75    0.88   1.00    1.15    1.40        -
  Size of application database                    -      0.94   1.00    1.08    1.16        -
  Complexity of the product                      0.70    0.85   1.00    1.15    1.30       1.65
Hardware attributes
  Run-time performance constraints                -       -     1.00    1.11    1.30       1.66
  Memory constraints                              -       -     1.00    1.06    1.21       1.56
  Volatility of the virtual machine environment   -      0.87   1.00    1.15    1.30        -
  Required turnabout time                         -      0.87   1.00    1.07    1.15        -
Personnel attributes
  Analyst capability                             1.46    1.19   1.00    0.86    0.71        -
  Applications experience                        1.29    1.13   1.00    0.91    0.82        -
  Software engineer capability                   1.42    1.17   1.00    0.86    0.70        -
  Virtual machine experience                     1.21    1.10   1.00    0.90     -          -
  Programming language experience                1.14    1.07   1.00    0.95     -          -
Project attributes
  Use of software tools                          1.24    1.10   1.00    0.91    0.83        -
  Application of software engineering methods    1.24    1.10   1.00    0.91    0.82        -
  Required development schedule                  1.23    1.08   1.00    1.04    1.10        -

The Intermediate COCOMO formula now takes the form: E = a_i (KLoC)^(b_i) × EAF.

Using the above calculation we found that the total time period of the project is around 6 months. The per month cost comes out to be Rs. 12,000, so the total comes to Rs. 72,000.

Chapter 6 ALGORITHM

In this project, we propose a mobile-based software token system that is supposed to replace existing hardware and computer-based software tokens. The proposed system is secure and consists of three parts: (1) software installed on the client’s mobile phone, (2) server software, and (3) a GSM modem connected to the server. The system will have two modes of operation:

• Connection-Less Authentication System: A one-time password (OTP) is generated without connecting the client to the server. The mobile phone will act as a token and use certain factors unique to it, among other factors, to generate a one-time password locally. The server will have all the required factors, including the ones unique to each mobile phone, in order to generate the same password at the server side and compare it to the password submitted by the client. The client may submit the password online or through a device such as an ATM machine. Note that these factors must exist on both the mobile phone and server in order for both sides to generate the same password.

• SMS-Based Authentication System: In case the first method fails to work, or the client and server are out of sync, the mobile phone can request the one time password directly from the server without the need to generate the OTP locally on the mobile phone. In order for the server to verify the identity of the user, the mobile phone sends to the server, via an SMS message, information unique to the user. The server checks the SMS content and, if correct, returns a randomly generated OTP to the mobile phone. The user will then have a given amount of time to use the OTP before it expires. Note that this method will require both the client and server to pay the telecommunication charges for sending the SMS message.

OTP Algorithm

In order to secure the system, the generated OTP must be hard to guess, retrieve, or trace by hackers. Therefore, it is very important to develop a secure OTP generating algorithm. Several factors can be used by the OTP algorithm to generate a difficult-to-guess password. Users seem to be willing to use simple factors such as their mobile number and a PIN for services such as authorizing mobile micropayments. A program will be installed on the client’s mobile phone to generate the OTP. In the proposed design, the following factors were chosen:

• IMEI number: The term stands for International Mobile Equipment Identity, which is unique to each mobile phone, allowing each user to be identified by his device. This is accessible on the mobile phone and will be stored in the server’s database for each client.

• Username: Although no longer required because the IMEI will uniquely identify the user anyway, this is used together with the PIN to protect the user in case the mobile phone is stolen.

• PIN: This is required to verify that no one other than the user is using the phone to generate the user’s OTP. The PIN together with the username is data that only the user knows, so even if the mobile phone is stolen the OTP cannot be generated correctly without knowing the user’s PIN. In order for the PIN to be hard to guess or brute-forced by the hacker, a PIN of at least 8 characters is requested, with a mixture of upper- and lower-case characters, digits, and symbols. Note that the username and the PIN are never stored in the mobile’s memory. They are just used to generate the OTP and discarded immediately after that.

• Year/Month/Date: Using the last two digits of the year and the date and month makes the OTP unique for that particular date.

• Day: Makes the OTP set unique to each day of the week.

• Hour: This allows the OTP generated each hour to be unique.

• Minute: This would make the OTP generated each minute unique; hence the OTP would be valid for one minute only and might be inconvenient to the user, since some users need more than a minute to read and enter the OTP. An alternative solution is to only use the first digit of the minute, which will make the password valid for ten minutes and will be more convenient for the users. Note that the software can be modified to allow the administrators to select their preferred OTP validity interval. The time is retrieved by the client and server from the telecommunication company. This will ensure the correct time synchronization between both sides.

Chapter 7 IMPLEMENTATION

Client Design

A J2ME program is developed and installed on the mobile phone to generate the OTP. The program can run on any J2ME-enabled mobile phone. The program has an easy-to-use GUI that is developed using the NetBeans drag and drop interface. The OTP program has the option of (1) generating the OTP locally using the mobile credentials, e.g. IMEI, or (2) requesting the OTP from the server via an SMS message. The default option is the first method, which is cheaper since no SMS messages are exchanged between the client and the server. However, the user has the option to select the SMS-based method. In order for the user to run the OTP program, the user must enter his username and PIN and select the OTP generation method. The software is configured to connect to the server’s GSM modem in case the SMS option is used. The username, PIN, and generated OTP are never stored on the mobile phone. Hence, the OTP algorithm will not be traced.

Database Design

A database is needed on the server side to store the client’s identification information such as the first name, last name, username, pin, password, mobile IMEI number, unique symmetric key, and the mobile telephone number for each user. The password field will store the hash of the 10 minute password. It will not store the password itself. Should the database be compromised, the hashes cannot be reversed in order to get the passwords used to generate those hashes. In order to set up the database, the client must register in person at the organization. The client’s mobile phone/SIM card identification factors, e.g. IMEI, in addition to the username and PIN, are retrieved and stored in the database. A unique symmetric key is also generated and installed on both the mobile phone and server. The J2ME OTP generating software is installed on the mobile phone. Both parties are ready to generate the OTP at that point.

Server Design

A server is implemented to generate the OTP on the organization’s side. The server consists of a database as described in Section 3.C and is connected to a GSM modem for SMS message exchange. The server application is multithreaded. The first thread is responsible for initializing the database and SMS modem, and listening on the modem for client requests. The second thread is responsible for verifying the SMS information, and generating and sending the OTP. A third thread is used to compare the OTP to the one retrieved using the connection-less method.
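As an added example, not code from this report (whose client is a J2ME application), the Python below sketches both modes of Chapter 6 together with the database rule above that only a hash of the 10-minute password is kept: connection-less OTP derivation from the report's factors (IMEI, username, PIN, date, day, hour and the first digit of the minute), the matching server-side check, and the SMS fallback with a single-use, expiring OTP. HMAC-SHA256 under the shared symmetric key, the 8-digit OTP length, the PIN policy check and the in-memory server record are assumptions, since the report fixes neither a hash function nor an OTP format.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

OTP_DIGITS = 8                             # OTP length (assumption; the report fixes none)
SMS_OTP_LIFETIME = timedelta(minutes=10)   # the "10 minute password" of the database design

def pin_meets_policy(pin):
    """At least 8 characters mixing upper, lower, digits and symbols, as the report requires."""
    return (len(pin) >= 8 and any(c.islower() for c in pin) and any(c.isupper() for c in pin)
            and any(c.isdigit() for c in pin) and any(not c.isalnum() for c in pin))

def otp_factors(imei, username, pin, when):
    """Concatenate the report's factors. Only the first digit of the minute is used,
    so every OTP stays valid for a ten-minute window."""
    return "|".join([imei, username, pin,
                     when.strftime("%y%m%d"),           # last two digits of year, month, date
                     when.strftime("%a"),               # day of the week
                     when.strftime("%H"),               # hour
                     when.strftime("%M")[0]]).encode()  # first digit of the minute

def generate_otp(key, imei, username, pin, when):
    """Connection-less mode, run identically on phone and server. HMAC-SHA256 under the
    shared symmetric key is an assumption; the report only says the factors are hashed."""
    digest = hmac.new(key, otp_factors(imei, username, pin, when), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"

class OtpServer:
    """In-memory stand-in for the server database (constructed for this example)."""

    def __init__(self):
        self.clients = {}

    def register(self, username, imei, pin, key):
        # Registration is in person; the server keeps the same factors the phone uses,
        # since both sides must derive the identical OTP in connection-less mode.
        if not pin_meets_policy(pin):
            raise ValueError("PIN does not meet the 8-character mixed policy")
        self.clients[username] = {"imei": imei, "pin": pin, "key": key,
                                  "sms_hash": None, "sms_expiry": None}

    def verify_connectionless(self, username, submitted, now):
        rec = self.clients.get(username)
        if rec is None:
            return False
        expected = generate_otp(rec["key"], rec["imei"], username, rec["pin"], now)
        return hmac.compare_digest(expected, submitted)   # constant-time comparison

    def issue_sms_otp(self, username, imei, now):
        """SMS mode: if the details sent by the phone match, return a random OTP and
        store only its hash and expiry, never the OTP itself."""
        rec = self.clients.get(username)
        if rec is None or rec["imei"] != imei:
            return None
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        rec["sms_hash"] = hashlib.sha256(otp.encode()).hexdigest()
        rec["sms_expiry"] = now + SMS_OTP_LIFETIME
        return otp

    def verify_sms_otp(self, username, submitted, now):
        rec = self.clients.get(username)
        if rec is None or rec["sms_hash"] is None or now > rec["sms_expiry"]:
            return False
        ok = hmac.compare_digest(hashlib.sha256(submitted.encode()).hexdigest(), rec["sms_hash"])
        if ok:
            rec["sms_hash"] = None   # an SMS OTP is single use
        return ok

def at(hour, minute):
    """Clock helper for the demonstration: a constructed date, 7 Oct 2009."""
    return datetime(2009, 10, 7, hour, minute)

if __name__ == "__main__":   # quick run with constructed data
    server = OtpServer()
    server.register("alice", "490154203237518", "Str0ng!Pin", b"constructed-demo-key")
    otp = generate_otp(b"constructed-demo-key", "490154203237518", "alice", "Str0ng!Pin", at(10, 3))
    print(otp, server.verify_connectionless("alice", otp, at(10, 9)),
          server.verify_connectionless("alice", otp, at(10, 10)))
```

The same OTP is accepted at 10:03 and 10:09 but rejected at 10:10, which is the ten-minute window the report gets from using only the first digit of the minute.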

DFD

[Data flow diagram: the J2ME application sends a password request SMS to the server; the server verifies the details. If incorrect, it sends an “Incorrect details” SMS; if correct, it generates the OTP and sends the OTP password via SMS.]

SYSTEM ARCHITECTURE

[Block diagram: mobile side, a J2ME application for sending the details SMS; server side, the OTP password generator and a GSM modem, exchanging SMS messages with the mobile.]

FLOWCHART

[Flowchart: the client sends an SMS with the necessary details to the server (ATM); the server verifies all details and checks them in the DB. Correct: send the OTP password, the user logs in using the new OTP password, stop. Wrong: send an “Incorrect details” message.]

Chapter 8 ADVANTAGES

ADVANTAGES:
1. Safe Authentication.
2. More secure online transactions are possible.
3. Inexpensive.


Chapter 9 APPLICATION

APPLICATION:
1. Banking.
2. Online Shopping.
3. Online Secure Authentication.

Chapter 10 FUTURE MODIFICATIONS

With a 3G connection, the OTP password can be generated through face recognition.

Conclusion

Today, single factor authentication, e.g. passwords, is no longer considered secure in the internet and banking world. Easy-to-guess passwords, such as names and age, are easily discovered by automated password-collecting programs. Two factor authentication has recently been introduced to meet the demand of organizations for providing stronger authentication options to their users. In most cases, a hardware token is given to each user for each account. The increasing number of carried tokens and the cost of manufacturing and maintaining them is becoming a burden on both the client and the organization. Since many clients carry a mobile phone today at all times, an alternative is to install all the software tokens on the mobile phone. This will help reduce the manufacturing costs and the number of devices carried by the client.

This paper focuses on the implementation of two-factor authentication methods using mobile phones. It provides the reader with an overview of the various parts of the system and the capabilities of the system. The proposed system has two options of running, either using a free and fast connection-less method or a slightly more expensive SMS based method. Both methods have been successfully implemented and tested, and shown to be robust and secure. The system has several factors that make it difficult to hack. Future developments include a more user friendly GUI and extending the algorithm to work on Blackberry, Palm, and Windows-based mobile phones, in addition to the use of Bluetooth and WLAN features on mobile phones for better security and cheaper OTP generation.

Chapter 11

BIBLIOGRAPHY

1. D. de Borde, “Two-Factor Authentication,” Siemens Enterprise Communications UK, Security Solutions, 2008. Available at http://www.insight.co.uk/files/whitepapers/Twofactor%20authentication%20(White%20paper).pdf

2. J2ME Complete Reference.
3. Java Complete Reference.
4. Wikipedia engine search.

Chapter 12 SCREENSHOTS

1. GUI

2. GUI WITH WRONG INPUTS

Next screen on authentication.


Chapter 13 SOURCE CODE
