Enhancing Passwords Security Using Deceptive Covert Communication

  • Mohammed H. Almeshekah
  • Mikhail J. Atallah
  • Eugene H. Spafford
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 455)


The use of deception to enhance security has shown promising results as a defensive technique. In this paper we present an authentication scheme that better protects users’ passwords than currently deployed password-based schemes, without taxing the users’ memory or damaging the user-friendliness of the login process. Our scheme maintains compatibility with traditional password-based authentication, without any additional storage requirements, giving service providers the ability to selectively enroll users and fall back to traditional methods if needed. The scheme utilizes the ubiquity of smartphones; however, unlike previous proposals it does not require registration or connectivity of the phones used. In addition, no long-term secrets are stored on any user’s phone, mitigating the consequences of losing it. Our design significantly increases the difficulty of launching a phishing attack by automating the decision of whether a website should be trusted and by introducing, on the adversary’s side, the additional risk of being detected and deceived. In addition, the scheme is resilient against Man-in-the-Browser (MitB) attacks and compromised client machines. We also introduce a covert communication mechanism between the user’s client and the service provider. This can be used to covertly and securely communicate the user’s context. The scheme also incorporates the use of deception that makes it possible to dismantle a large-scale attack infrastructure before it succeeds. As an added feature, the scheme gives service providers the ability to perform full-transaction authentication.

With the use of our scheme, passwords are no longer communicated in plaintext format to the server, adding another layer of protection when secure channels of communication are compromised. Moreover, it gives service providers the ability to deploy risk-based authentication. It introduces the ability to make dynamic multi-level access decisions requiring extra authentication steps when needed. Finally, the scheme’s covert channel mechanisms give servers the ability to utilize a user’s context information — detecting the use of untrusted networks or whether the login was based on a solicitation email.


Keywords: Authentication, Smartphone, Deception, Covert channel





Copyright information

© IFIP International Federation for Information Processing 2015

Authors and Affiliations

  • Mohammed H. Almeshekah (1)
  • Mikhail J. Atallah (1)
  • Eugene H. Spafford (1)
  1. Computer Science Department and CERIAS, Purdue University, West Lafayette, USA
