User perspective and security of a new mobile authentication method

This paper describes a new mobile authentication method which is based on an Open ID Connect standard and subscriber identity module card. The proposed solution enables users to access websites, services and applications without the need to remember passwords, responses or support of any equipment. The proposed method is evaluated from the users’ perspective as well as from the security viewpoint. Moreover, we compare it with the two most popular existing authentication schemes i.e. static passwords and SMS OTP (one time password). In order to evaluate user’s view on various authentication methods a questionnaire was prepared and distributed among 40 participants. Obtained results revealed that the new authentication scheme yielded better results than the existing methods. Finally, we also performed a security analysis with respect to all abovementioned authentication solutions to assess whether there are any major risks related to the proposed method.


Introduction
Along with the dynamic development and utilization of the self-care services, such as banking, e-commerce, healthcare, or e-government, there has been an increasing demand to properly authenticate users in a secure manner. It is vital to authenticate users as currently almost 46% of the global population has access to the Internet [1] and cybercriminals impersonate legitimate users, conduct frauds and steal data on a daily basis.
Despite many attempts to improve security in the communication networks, it is still humans that are the weakest link in the security chain. Fortunately, the awareness of online privacy and security protection among the network users is slowly awakening. One of the most common fears of Internet users is an identity theft attack. However, in most cases users are not fully aware of its risks and causes since they simply lack experience in the field of network security, which prevents them from protecting themselves effectively. Typically, users do not know basic means that can be used in order to protect one's identity. On the other hand, most well-known and common authentication methods are quite troublesome especially for the end users who represent low level of technical skills.
In general, current authentication processes rely on: • something the user knows (e.g. static passwords, PIN, challenge questions etc.); • something the user has (e.g. smart cards, hardware tokens, immobilizers etc.); • something the user is (e.g. biometrics such as fingerprints, face or voice recognition, keystroke dynamics etc.).
The password-based authentication relying on something the user knows is probably the oldest and still most commonly used user authentication method. On one hand it is utilized very often, but on the other hand rarely used properly. For example, nowadays, it is common knowledge that static passwords should be long, complex and should not be reused between various services and providers that the user utilizes. But from the users' perspective such an approach is typically overcomplicated and annoying to apply in practice. This, in turn, leads to the point where people typically use simple and easily guessable passwords that can be broken with a (very basic) dictionary attack.
The main negative aspect of the methods that rely on something the user has is that the authentication process requires the user to carry appropriate equipment with them. Moreover, for example in the smart vehicle scenario it may happen that, for instance, when the user is near his car with an immobilizer the car opens without the owner being aware of it.
Finally, the weakness of popular biometric systems (something that user is) consists in poor coping with changes. In case of stealing a fingerprint, a face shape or a scan of retina, the user cannot replace it with another one that was not previously stolen. Another thing is that people tend to leave this kind of data everywhere.
From another perspective, multi-factor authentication that combines all above mentioned methods is desirable in order to obtain desired Level of Assurance (LoA) defined by ISO/IEC 29115. The aim of multi-factor authentication is to enhance the strength of the authentication process. It usually increases the security level, especially if the authentication method forms a hybrid of what the user has, knows and is. Still, it should be noticed that a high LoA is not required in all cases. There is no point in using all authentication possibilities everywhere, especially if raising a number of authentication factors affects the user's perception. Unfortunately, it seems to be a rule that the more effective the confirmation of one's identity is (thus successful attacks are less probable), the less comfortable it is for the user.
On the other hand, designed authentication methods should not be susceptible to user errors. Therefore, the interaction between the user and the log in process should be prepared in a way so that it has both secure and user-friendly (ergonomic) authentication process.
Considering above, the aim of this paper is to evaluate the proposed mobile authentication method from the user perspective as well as from the point of view of security. Therefore, we focus both on user's comfort and security. The novel solution described in this paper is based on what the user has. Mobile phones with the Secure Element (SE), such as a smart card based on UICC (Universal Integrated Circuit Card), usually called just a 'SIM (Subscriber Identity Module) card', are almost omnipresent. SIM card seems to be a perfect carrier to provide authentications and digital signatures in a user's everyday life. Nowadays, carrying a mobile phone is not problematic for its user. To increase security the authentication process is based on a SIM card, and not only on security relying on the applications and the operating system. The proposed solution enables users to access websites, services and applications without the need to remember passwords, responses or a support of any equipment. The described method is based on a low LoA, which is still easy to be increased by adding more authentication factors, while utilizing the same idea. Considering the above, the main contribution of this paper is to demonstrate an innovative authentication solution that focuses on the usage that is at the same time comfortable and secure. This new authen-tication method was designed, developed and evaluated in comparison with other most common methods.
The rest of the paper is structured as follows. First, the related work in the field authentication of mobile users (chapter 2) is reviewed. Chapter 3 describes in detail the new authentication model and the corresponding remote architecture. In the next section (Sect. 4) an experimental methodology to capture user perspective is outlined. Obtained results of the aforementioned studies are shown in Sect. 5. Section 6 is devoted to security analysis of the proposed solution including potential risks and attacks identification and how to protect against them. Finally, Sect. 7 concludes the work.

Related work
A growing body of evidence clearly demonstrates that there is a problem to identify mobile users on the Internet. There are many works that deal with this topic, such as [2], which proposes an ID-based communication framework, where IP addresses play a significant role, not only in locating hosts and in routing the traffic, but also in the identification of hosts and services. In this paper, we adopt a MSISDN-based (Mobile Station International Subscriber Directory Number) user's identity. This allows finding the mobile device (SIM card) quickly while maintaining the integrity and the uniqueness. But in the future any other identifier can be chosen for this purpose.
Many studies have proposed an innovative authentication schemes based on different assumptions. One of the several possibilities are MAI (Message Authentication Image) [3] or other intelligent image-based authentication framework that falls under the "What you know" type of authentication [4]. Moreover, the article [5] proposes an authentication system using OTP (One Time Password) or QR codes (Quick Response Code). Papers [6] and [7] rely on a certificate-based authentication. The exchange of certificates is done on the basis of asymmetric encryption while the digital certificates are issued by a certification authority (CA). However, these works add the additional aspect which requires user attention. Thereby the convenience of the authentication process is lowered.
In order to secure mobile devices against different threats, biometrics has been applied. It seems to be a very effective way of authentication. In the last years, research has provided ample support for the assertion that biometrics is the future of authentication. There are plenty of works based on fingerprint [8], gait, face, voice, gesture, iris, typing pattern, signature [9] or even electrocardiograms acquired by mobile sensors [10]. All these solutions use an authentication method based on the data about "what user is". There are also works in the field of Wireless Sensor Network, where sensors are either attached to or embedded in the human body and communicate wirelessly with each other and with other components such as network towers, processors, servers, etc. [11]. It must be admitted that biometrics uses a very convenient way of authentication. However, in this paper, we focus on a single factor authentication, but any biometrics method could be developed in order to add another factor utilizing the described idea. Although, for now, due to many frauds and data leaks, biometrics was left for future work. The weakness of biometrics is that in case of data leakage we cannot change it, and this type of personal data can be left everywhere. Furthermore, biometric mobile applications are vulnerable to some types of attacks that can decrease their security [12]. Evidence presented in [12], which is based on the research into facial and fingerprint mobile authentication applications, shows that such mobile applications are vulnerable to several attacks, which poses a serious threat to the overall system security and user privacy.
In this paper, we focus on authentication method that relies on something the user has, meaning the SIM card. A lot of works have focused on such authentication [13][14][15][16][17][18][19][20][21]. They propose a SIM based protocol as an authentication tool over existing GSM technology through GPRS [14], for SIP [15,16]. Other papers describe an anonymous remote user authentication with a key agreement scheme based on smart card using chaotic maps [17] or other cryptographic operations [18][19][20][21]. There are several methods that provide user anonymity and traceability with solutions based on mobile cloud networks [22,23]. Unfortunately, all the papers mentioned above consider the secure exchange of information between the mobile device and the servers, and do not analyze human users' perspective. That is why, this paper focuses on introducing the authentication method which is both comfortable and safe. Security is an important matter; however, user convenience should be taken into consideration as well.
According to paper [24], which focuses on how to create an end-to-end secure channel between the digital services, the biggest open issue is how to design the user interaction in terms of data input and output in a way that users can reliably and unobtrusively be aware of which application part they are communicating with. Paper [25] pays greater attention to this issue. In this work, however, the solution is mainly described in terms of Man-in-the-middle (MitM) attack and is not based on standards.
There has also been research into the perception of users. Such studies are mostly done with the use of a survey questionnaire [26]. Evaluation of different authentication methods has been performed in the paper [27]. Three devices in the generation of one-time passcodes (OTPs) were compared. But only hardware tokens which are an additional device for the user to carry were included. Very precise research in this area is conducted in locking the smartphone screens [28]. Also, a questionnaire was used which was distributed among the users via online and offline means. Unfortunately, only widely used methods were evaluated, which allowed investigating a greater number of respondents. However, in this paper we present a method which is not yet available for the users widely.
To summarize, in contrast to the existing works mentioned above in this paper we propose a novel authentication method and we evaluate it in terms of user comfort and security. Moreover, we conduct its comparative analysis with two well-known existing solutions i.e. static passwords and SMS OTP (One Time Password).

System architecture
The purpose of the solution proposed in this paper is to provide a secure and user-friendly authentication method designed for mobile web applications of any service provider. In fact, the solution used here enables both: authorization and authentication of the end users. The main idea is to push a selection form to the user's mobile device to establish whether the user would like to be authenticated or not. In order to achieve this, an applet on the SIM card has been used. In this work, a standard applet was utilized, installed on the SIM card of one of the Polish mobile operators. The user, having provided only a login name to any website authentication form, is prompted to confirm the authentication process on their mobile device with a SIM card. After successful confirmation he is automatically redirected to the website he wanted to log in.
The log in process is based on an OpenID Connect standard [29] which is a simple identity layer on top of the OAuth 2.0 protocol [30]. OpenID Connect standard has been chosen as the base protocol and framework because of its openness and robustness. It can work on almost any device that has a web browser with access to the Internet. It works regardless of the operating system of the device. The OpenID Connect Specification is set by the OpenID Foundation, and is constantly evolving.
The proposed solution consists of four types of components, each performing different well-defined functions ( Fig. 1): • Authorization system This back-end system is used to provide a sign-on mechanism. The authorization system is responsible for handling users' data. In this work the LDAP was used as a database which contains users' credential information. In order to ensure security of the transferred data, communication channels are secured with HTTPS. • Over the air (OTA) system OTA is a standard for the transmission and reception of the application-related information in a wireless communications system. OTA Fig. 1 The logging process is commonly used in conjunction with the Short Messaging Service (SMS), which allows the transfer of small text files. For the purpose of this work the mobile operator OTA server was used. OTA messages are encrypted to ensure user privacy and data security. In this solution the class 0 SMS has been used. In the mobile signature solutions, the mobile operator establishes communication with the secure element (SIM card) remotely (using encrypted SMS messages) bypassing the mobile terminal. • Applet deployed on a SIM card Its purpose is to receive the requests from OTA. The interface with a SIM card is based on the SIM Application Toolkit (commonly referred to as STK). It is a standard in the GSM system which enables the SIM to initiate actions that can be used for various value-added services. STK requests are implemented differently on different operating systems, which will be described further in detail in the Sect. 6.3. • Service provider Any external application developed in a technology that allows the usage of Authorization System. It may be a web application (from a bank, ecommerce etc.) where it is necessary to authenticate the user. Such applications should redirect the user to the Authorization System.
Protocols between the components are characterized as follows: HTTPS-in communication between Browser-Service Provider, Service Provider-Authorization Server, Browser-Authorization Server; WML and HTTPS-in communication between OTA and Authorization Server; Encrypted messages-between OTA and SIM card; STK push-between a SIM card and Mobile device screen which will be described thoroughly in Sect. 6.3. The process of logging into the web application from the user perspective has been presented in Fig. 1.
The detailed flow of the logging into the external application integrated with the Authorization System using described method is as follows (Figs. 1, 2): 1. First, the user tries to enter the Service Provider site via a web browser. The user clicks "Log in" in the web application in order to access the service (phase 1). 2. Then, the Application makes an authentication request to the Authorization Server using OpenID based on OAuth 2.0 and redirects user to the Authorization Server to perform authentication and authorization. The user is displayed with the HTML page from the Authorization Server (phase 2). 3. The user has to input proper User Name. The Authorization Server gets the User Name and maps it into MSISDN, which is a format expected by OTA system in order to send push to the proper user's device (phase 3). 4. The Authorization Server sends request to OTA to authenticate the user. The OTA System sends reques to the applet on the SIM card, recognized by the MSISDN (phase 4). 5. Next, the applet on a SIM card responds to the command and displays the proper screen for the user's acceptance. The user is presented with a simple screen to decide whether to confirm his identity or to reject the request. Then the user confirms a willingness to log in to the service provider (phase 5).
6. After user's confirmation on the device, the SIM Applet responses to the OTA System. The OTA receives this information from the SIM Applet and sends a response to the Authorization Server with user's confirmation (phase 6). 7. The Authorization Server redirects the user back to the Service Provider by HTTP 302 Redirection. From the user perspective after clicking on the device there is an automatic redirection to the Service Provider web application via a web browser (phase 7).
8. Finally, Service Provider checks the user with the Token request according to the OpenID Connect standard. In order to do this the OTA sends a back-end request to the Authorization Server for the Token and user's information (phase 8).
In this paper the Authorization Server is deployed on a WebLogic server belonging to one of the Polish mobile operators, which is designed to be user-friendly, reliable and secure. We assume that the operating environment is secure. In this sense there is no malware. However, it is worth noting that there are no extra assumptions for the user authentication using this method, such as: • There is no need for the user to install any mobile application on the mobile device, • There is no application running in the background and waiting for notifications or requests.
In order to improve LoA, additional actions based on push STK may be implemented. The best solution that fits into this architecture is to implement a PIN (Personal Identification Number) entering instead of a single confirmation on the device. The PIN should be held only on the SE, not in any database. This way it is very secure, because the OTA system only requests the SIM card to verify the PIN, and then returns the information about the successful operation. No passwords are sent over the network. This way, if necessary, two or more factors authentication process can be created thereby increasing LoA. The objective of this paper, however, is to show the concept of creation of the authentication process based on the SIM card.

Details of the experimental methodology
For the proposed authentication method two types of useroriented experimental evaluations were performed. The first is focused on establishing users' subjective perception of the proposed solution. In order to investigate overall users' awareness and attitude of usability, convenience and security towards different authentication processes the following experiment was designed. A questionnaire was prepared which allowed to determine the difference in users' perception for three different authentication approaches based on: static passwords, OTP (One-Time Password) SMS, and SIM card. The implementation of all three was based on OAuth 2.0 standard. All the evaluated methods are summarized briefly in Table 1.
The experimental methodology was as follows: a user was asked to use all three methods mentioned in Table 1 and successfully log in. The user has to log in to three web applications using Chrome browser on the laptop. Each web In case of failure in any method, the experiment for adequate authentication approach was repeated. After completing successfully these tasks, the user was asked to fill in a questionnaire. The questionnaire was composed of 23 questions and its form is presented in the appendix. Each question was formulated in order to capture users' perception of the abovementioned authentication methods from different angles. Furthermore, the same set of questions was asked for each method, which means that the user had to go through the same 23 questions three times. The respondents have been asked to answer each question by choosing one of the five proposed answers (so called 5-Likert scale [31]), which is usually used to determine participants' attitudes or feelings about something. This time it was used to measure the level of respondents' satisfaction or consent rate. Each participant had to choose one from the following answers: 1-Strongly disagree 2-Tend to disagree 3-No opinion 4-Tend to agree 5-Strongly agree All 23 questions were divided into four groups representing different aspects of the evaluated authentication methods: convenience, usefulness, security and difficulties. The appendix shows how the questionnaire looks like-there all the questions related to the similar topic have been rearranged in order to increase the reliability. These questions with the respective groups they represent, and the number in the correct order form the questionnaire are presented in Table 2.
The participants of the survey were balanced by age and gender. Forty respondents-thirty men and ten womentook part in the experiment with filling the questionnaire. The participants' age was between 20 and 50. Technical knowledge was highly diversified: from experts in the field of security to ordinary computer users. The participants represented various professional groups consisted of both students and IT employees as well as people completely unrelated to the IT industry, such as lawyers, pharmacists, builders, financiers or mechanics. Responders were explained the consecutive steps of the log in process without details related to the technical aspects of the methods.
Another aspect that was investigated is related to the time needed to conduct the whole log in process. The aim was to measure the time that a user needs to authenticate successfully. There was no point in measuring the log in time of the static password-based authentication. This is because this time would vary considerably depending on the complexity and length of the password (no security policy when setting the static password has been forced). This means that sometimes the duration of the whole process was really short, and if the participant chose a complex, more secure password then this time was obviously longer. That is why the time needed for each participant to log in has been measured only for OTP SMS and SIM methods.
For the purpose of these experiments the respondent has to put their login name (MSISDN) in the HTML form and confirm it by clicking the "Next" button, which is the moment the time measurement is initiated for both methods. Then, depending on the method, the participant sees another HTML form to put the OTP SMS or an HTML form with instructions to confirm the log in on the device. Copying the SMS OTP had to be approved by clicking on the HTML form. While confirming with SIM, the second HTML vanishes automatically. Typing in the correct OTP or confirming authentication with SIM resulted in redirecting the user to the Service Provider site, where the user tried to log in. The login time was calculated up to this point.
For experiments with SIM card-based authentication, 80 participants were asked to log in while the corresponding time was measured. It is also worth noting that for the OTP SMS-based authentication, the calculated log in duration has been performed on actual customers of one of the major mobile operators in Poland.

Results of the experimental evaluation concerning convenience
This chapter presents the results of research. We presented the results of the questionnaire survey and then the times of logins respectively.

Utility (questionnaire)
The sample of 40 respondents consisted of two groups of 20 participants. The groups were formed based on the respondents age, i.e. first group gathered participants of 25 years old  19 or less, and the other group of more than 25 years. They were also balanced for gender, with 10 (25%) females. The experiment has been performed between July and December 2016. The average time taken to complete the questionnaire was about 20 minutes. All users have used the SIM card-based authentication for the first time, while the other methods were previously known. The results have been divided into four following aspects of the investigated methods seen from the participants' perspective: difficulties, security, functionality and inconvenience. The mean individual attribute scores for the three investigated methods are shown in Table 3.
Starting from the "difficulties" group of questions, as expected, it turned out that the method with confirmation of identity by using the SIM card-based method was found the easiest one for participants. Respondents, while questioned directly about easiness of the method's usage, voted quite definitely in favor of the SIM card-based authentication as shown in Fig. 3. Surprisingly, despite the fact that this In addition to the direct question about the ease of use of SIM card-based method, in the questionnaire there were also similar questions to determine the authentication simplicity. These questions were focused on the potential negative feelings that the participants could have toward this solution. The results are presented in Fig. 4. It has been found that the proposed method has been widely accepted by users. Interviewees indicated that they did not have to focus much on it and that the process was clearly the least complicated, even though it was new for them. It is widely believed that in gen- Fig. 4 Difficulties in use eral people fear novelty or newness as it typically involves some kind of change for them. However, by analysing the presented results we can conclude that the SIM-based method was very convenient and easy to use. Only one question related to instructions got negative response. The most likely explanation of this result is that respondents very often use the other methods and do not need any tips on how to use it. Because they had never used such type of authentication which relies on a single click only, they needed some guidance on what to do.
Another set of nine questions concerned the usefulness of the authentication methods (Fig. 5). It can be easily seen that the method based on SIM card authentication yielded very good results. Respondents were keen to utilize this method in the future and consider it useful in their everyday life. This, in turn, means that they are more and more conscious about the issues associated with authentication in their everyday interaction with protocols/services and they would want to change it. Although the method was used by them for the first time, the participants described it as solid. Nevertheless, they could also see areas that could be improved. However, when it comes to questions about users' friendliness and convenience, it is the SIM-based method that gained the greatest appreciation among respondents. The results in this case showed a very significant difference in opinions. The issues related to the time of logging methods are pre- Fig. 6 Inconvenience sented in the next section, but here, the results show that the static password-based method seems to be as fast as the SIMbased one. But it may also indicate the lack of security while using this method. It is our belief that the responders most probably had written down passwords which they use very frequently and know how to quickly type them into the login form. As mentioned earlier, due to the lack of any password policy during experiments, the password could have been of any length and complexity. Therefore, they were mostly short. For instance, it turned out that one of the participants used only one-character password.

Fig. 5 Usability
The final study related to the questions that were supposed to measure the users' inconvenience is presented in Fig. 6. Based on the presented results it can be concluded that the participants find the SIM-based authentication in contrast to other methods, and think that it is harder to generate an error and repeating the steps in the log in process occurs less frequently. Errors in prescribing or entering passwords in the SIM-based method are totally eliminated. This confirms that this solution is convenient and simple to use. At the same time, the SIM-based authentication was selected by the participants as least stressful or frustrating. This confirms the positive impact the method has on its users.
The analysis and results of the questionnaire indicates that the authentication method based on SIM card could replace existing solutions, previously favored by users. One of the big advantages of this method is that it is easy and enjoyable to use. The next subsection proves that it is also fast.

Duration of the login process
A study was conducted to compare the login time for SIMbased and OTP-based methods. First, eighty participants, aged 25-50, have been asked to go through the whole log in process using the SIM-based method. For the SIM-based approach we captured the log in duration for 185 authentication instances. For the OTP-based method participants of the experiment were recruited among customers of a mobile operator. In this case we were able to gather 2198 instances of successful log in operations. Table 4 shows the results of the average duration of the log in operation for both authentication solutions. The experimental results match the expectation that the SIM-based method is really fast. The big difference when it comes to results for the OTP and SIM-based approaches comes from the fact that the user logs in with just one click. The complexity and length of the OTP would only decrease or increase the given difference.

Security analysis
This section presents the proposed method from the perspective of security. The previous sections have shown that the participants of the experiment, in general, like the SIMbased method. In this section, users' perception is described in terms of security (Sect. 6.1), and then a full security analysis of the new method has been made, in relation to network (Sect. 6.2) and mobile environment (Sect. 6.3). At the end of this section the well-known threats are presented along with a comparison of the authentication methods.

Users' perception
As it was mentioned above, it is commonly believed that people are typically afraid of novelties and innovations. Still, the results related to assessing the security of the method prove that it is not so obvious. Figure 7 shows that the SIM-based authentication does not deviate significantly from the other approaches. Quite on the contrary-it has never been pointed as the weakest solution. The security analysis has not been explained to responders before the experiments. The aim of this study was just to examine their general feelings and opinions. The results revealed that people do not have knowledge about authentication security solutions (which is not surprising). It is worth noting that there were contradictory answers about the OTP-based authentication: some respondents find it the most secure and later state that it is the easiest to break. Therefore, a more detailed analysis related to the security is presented in the next subsections.

Network
First of all, it should be noticed that this solution uses a SSL/TLS. All traffic from the servers is encrypted.
In order to prevent cookies from being observed by unauthorized parties due to the transmission, the Authorization Server adds the secure flag while sending a new cookie to the user within an HTTP Response. As an additional flag, the HttpOnly flag is also included in a Set-Cookie HTTP response header, which helps mitigate the risk of client-side script accessing the protected cookie [32].
In addition to the application layer, at the Authorization Server the IP white lists are utilized. Only predefined IP addresses for both OTA server and Service providers servers are allowed. Moreover, the addresses of service providers are correlated with its IDs.
Furthermore, there is a time-counter started at the Authorization Server for the response from OTA. There is also a user lock after three failed attempts.

Mobile environments
When it comes to the mobile device, the SIM card communicates with the display differently depending on the operating system.
The STK requests are executed sequentially by layers: rild is responsible for direct contact with the SIM card TelephonyManager (CatService) and the application supports STK (usually com.android.stk). Newer versions of Android introduced a security feature that prevents operation of STK by any application while adding privilege RECEIVE_STK_COMMANDS.
In the iOS system applications cannot have a direct interaction with STK, which is operated by SimToolki-tUI an extension of SpringBoard. The sandbox prevents applications from taking any actions in the system (usually applications are limited only to run in a specific, dedicated area), in particular to intercept STK messages.
When it comes to Windows Phone, the STK is supported by the SIM Toolkit service. Applications cannot make an interaction with other processes, particularly with SIM Toolkit service.
Performing jailbreak (iOS, Windows Phone) or root (Android) that allows STK messages interception is an expensive and technically complicated operation.

Threats
In addition, in the following part, we will investigate each method's resistance to many possible known attacks (Table  5).
A significant threat to the proposed authentication method seems to be the screen or keyboard sniffing. If the application is able to take administrator rights or gain enough permissions to capture messages intended for STK, it will be able to automatically authorize requests with the proposed method. That is why it is suggested to use multifactor authentication.
The additional threat to consider is an overlay attack. This attack permits an attacker to draw anything on top of any window and application running on the infected device. Once the attacker detects a STK push, the malware will redraw an exact login screen on top of the legitimate one or something completely new, into which the user clicks. Quite an effective method to defend against an overlay attack is to use personalized images or texts which the user can choose once and see every time when logging in. In case of screen overlay the user does not see their chosen image and, as a consequence, would not want to continue logging in.
Although the solution seems technically secure, it should be noticed that again the weakest link is a human user. Using the lowest LoA, it may happen that the user accidentally clicks and confirms their identity and thereby successfully finishes the authentication process. Therefore, for sensitive services it is recommended to use an additional authentication factor, such as PIN on SE.

Conclusion and future work
Authentication while using mobile device is an essential part of everyday life. In this paper the possibilities of using mobile devices such as mobile phones as a secure and very userfriendly way of confirming its user's identity were analyzed. Confirming the identity using a smartphone when trying to log in seems to be a very promising way for the future. That is why in this paper we proposed an innovative authentication scheme which relies on the Secure Element which is a SIM card. Performed experiments proved that the proposed authentication method can be very comfortable and user-friendly. In addition, it has been verified that this solution is extremely fast. Finally, potential security issues were analyzed with conclusion that it is a secure authentication approach. Future work includes completing the process with next authentication factors, which will rely on something the user knows, something the user has, and something the user is. In the future SIM cards will probably be replaced by eSIM, which would allow remote management of the applet.
Pawel Laka is a Ph.D. student and holds M.Sc degree (2015) in telecommunications from the Warsaw University of Technology (WUT), Warsaw, Poland. His rese arch interests include: multi-factor authentication and network security.
Wojciech Mazurczyk is an associate professor at the Institute of Telecommunications in the Faculty of Electronics and Information Technology at the Warsaw University of Technology, Poland and a researcher at the FernUniversitaet in Germany. His research interests include network security, information hiding, and network forensics. Mazurczyk received a Ph.D. and a D.Sc in telecommunications from the Warsaw University of Technology.