Abstract
Phishing attacks are one of the most serious threats faced by users on the internet: attackers try to steal sensitive information such as login details and credit card details by deceiving users into entering it on phishing websites, leading to huge financial losses. Many schemes have been proposed to detect phishing attacks, but the number of such attacks has not decreased. New attacks, the Active Man-In-The-Middle (MITM) phishing attacks, have emerged; these include Real-Time Man-In-The-Middle (RT MITM) and Controlled Relay Man-In-The-Middle (CR MITM) phishing attacks, which allow attackers to obtain users’ account details and relay them in real time. Similarly, an attacker can lure a user into entering details in a spoofed app and thus gain access to the user’s account. The existing popular authentication schemes fail to address these attacks. In this paper, we propose a novel user authentication scheme that enables a user to log into his/her account without memorizing any password or any other authentication token. In the proposed scheme, the user scans a dynamically generated QR code with the smartphone app and then verifies an image, captured by the webcam and sent to the smartphone via push notification. The complete authentication procedure therefore requires minimal user involvement and proceeds automatically. We have implemented the proposed scheme and evaluated it in terms of usability, deployability, and security parameters; the results show that it performs well and can be used as a secure user authentication scheme.
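The following is an added toy model of the login flow sketched in the abstract (it is not the authors' implementation): the server binds a single-use, short-lived QR challenge to the browser session that requested it, pulls the webcam frame from that bound session once the phone reports the scan, and completes login only if the user approves the pushed picture. The session names, frame bytes, QR lifetime and `AuthServer` API are all constructed assumptions; the relay case shows why a QR forwarded by an RT MITM yields a picture the victim does not recognise.

```python
import secrets

QR_TTL_SECONDS = 60  # assumed lifetime of a dynamically generated QR challenge


class AuthServer:
    """Toy server modelling the abstract's flow (constructed, not the paper's code)."""

    def __init__(self):
        self.pending = {}      # challenge -> {session, issued, scanned}
        self.approved = set()  # browser sessions that completed login

    def issue_qr(self, browser_session, now):
        # Step 1: single-use challenge, bound to the browser session that loaded the login page.
        challenge = secrets.token_urlsafe(32)
        self.pending[challenge] = {"session": browser_session, "issued": now, "scanned": False}
        return challenge

    def scan(self, challenge, now, capture_from):
        # Step 2: the phone app reports the scanned challenge; the server captures a webcam
        # frame from the BOUND browser session (not from whoever holds the phone) and pushes it.
        rec = self.pending.get(challenge)
        if rec is None or rec["scanned"] or now - rec["issued"] > QR_TTL_SECONDS:
            return None  # unknown, replayed or expired QR
        rec["scanned"] = True
        return capture_from(rec["session"])

    def confirm(self, challenge, user_accepts_image):
        # Step 3: login completes only if the user approved the pushed picture on the phone.
        rec = self.pending.pop(challenge, None)
        if rec is None or not rec["scanned"] or not user_accepts_image:
            return False
        self.approved.add(rec["session"])
        return True


# Constructed webcam frames: whatever is in front of each browser's camera.
WEBCAMS = {"victim-browser": b"frame:victim-desk", "attacker-browser": b"frame:attacker-desk"}


def run_login(relayed, scan_delay=5):
    """Return (login_succeeded, session_logged_in). relayed=True models an RT MITM whose
    browser requests the QR and forwards it to the victim, who scans it on their own phone."""
    server = AuthServer()
    requester = "attacker-browser" if relayed else "victim-browser"
    challenge = server.issue_qr(requester, now=1000)
    frame = server.scan(challenge, now=1000 + scan_delay, capture_from=lambda s: WEBCAMS[s])
    user_accepts = frame == WEBCAMS["victim-browser"]  # user approves only their own surroundings
    ok = server.confirm(challenge, user_accepts)
    return ok, (requester if ok else None)
```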
© 2021 Springer Nature Singapore Pte Ltd.
Jindal, S., Misra, M. (2021). Multi-factor Authentication Scheme Using Mobile App and Camera. In: Hura, G.S., Singh, A.K., Siong Hoe, L. (eds) Advances in Communication and Computational Technology. ICACCT 2019. Lecture Notes in Electrical Engineering, vol 668. Springer, Singapore. https://doi.org/10.1007/978-981-15-5341-7_60
DOI: https://doi.org/10.1007/978-981-15-5341-7_60
Publisher Name: Springer, Singapore
Print ISBN: 978-981-15-5340-0
Online ISBN: 978-981-15-5341-7
eBook Packages: Engineering (R0)