Please use this identifier to cite or link to this item: http://studentrepo.iium.edu.my/handle/123456789/11058
Title: Handheld hybrid offline OTP authentication framework
Authors: Khan, Burhan Ul Islam
Supervisor: Rashidah Funke Olanrewaju, Ph.D
Farhat Anwar, Ph.D
Subject: Internet banking -- Malaysia
Electronic funds transfers -- Security measures -- Malaysia
Mobile commerce -- Malaysia
Year: 2021
Publisher: Kuala Lumpur : Kulliyyah of Engineering, International Islamic University Malaysia, 2021
Abstract in English: Numerous Internet and mobile applications transfer personal information and money, and robust user authentication is imperative in such applications for confirming customer legitimacy. One pragmatic solution is the One Time Password (OTP), valid for a single transaction or session. Two user authentication models currently in use for Internet banking in Malaysia are i.) receiving the OTP on the phone via SMS, and ii.) generating the OTP on a dedicated hardware token issued by the bank. SMS OTPs are the most common means of access control for online applications, especially Internet banking. However, in this setup the password traverses an unsecured cellular network, increasing the probability of a security breach. Additionally, users must maintain two active communication channels (cellular and Internet) to the authentication server to prove legitimacy. Other inherent problems include delivery delay, coverage gaps or unavailability of service, roaming restrictions, dependence on government regulation, and so on. Dedicated hardware for OTP generation is also quite popular, and some of these tokens can generate OTPs asynchronously (challenge-response). However, this setup imposes additional logistical and administrative burdens on customers, and users of multiple service providers must carry a distinct token for each service. The research focused on developing a standalone authentication framework that generates unique OTPs on trusted handheld devices using a hybrid approach (time-based as well as challenge-response), complying with the degree of authentication assurance required for Internet banking applications.
The prime intent is to remove dependence on an additional cellular communication channel and eliminate the extra hardware tokens that Internet banking clients use to generate or receive OTPs, without compromising the security properties of the system. The proposed authentication framework generates time-based dynamic authentication components (OTPs) offline (without cellular or Internet connectivity) on users' smartphones, invoking the possession, knowledge, and inherence factors of legitimate users. This is achieved by asynchronously applying secure random challenges as hash counters over dynamic seeds composed of the current timestamp and distinct device and identity profiles. The approach drastically reduces operational costs and improves security, scalability, and convenience. Additionally, the system generates OTPs as three Bahasa Malaysia dictionary words, since entering native-language words during verification may make clients feel more confident and secure than entering foreign-language strings. The system has been implemented and examined on leading mobile and desktop platforms to ascertain its technical adoptability. Performance metrics obtained from the confusion matrix (Accuracy = 98.55%, Error rate = 1.45%, Specificity = 100%, Alarm rate (false alarm rate) = 0%, Recall = 98.40% and Precision = 100%) validate the authentication robustness. The generation and extraction aspects of the hybrid OTP design are comparatively analysed against prior asynchronous and synchronous OTP generation schemes. Furthermore, the authentication framework is comprehensively analysed for its ability to thwart common authentication attacks over the Internet.
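The abstract describes the generator only at the level of "challenge as hash counter over a dynamic seed of timestamp, device profile and identity profile", and reports its results as confusion-matrix figures. The following is an added illustration written for this page, not the thesis's construction or code: it assumes HMAC-SHA256 over (time window, challenge counter), a 30-second step, a server that tolerates one window of clock skew, single-use enforcement, and a constructed 32-word list standing in for the Bahasa Malaysia dictionary. Names such as derive_seed, hybrid_otp, Verifier and the sample profiles are hypothetical.

```python
import hashlib
import hmac
import struct

# Constructed illustrative word list (32 common Bahasa Malaysia nouns). Three
# words from 32 give only 15 bits, far too little for a real OTP; a deployment
# needs a much larger dictionary. This is not the thesis's word list.
WORDLIST = [
    "air", "api", "batu", "bumi", "bunga", "daun", "gunung", "hutan",
    "langit", "laut", "pasir", "pokok", "sungai", "tanah", "awan", "bintang",
    "bulan", "matahari", "hujan", "angin", "ikan", "burung", "kucing", "harimau",
    "gajah", "rumah", "pintu", "jalan", "kota", "kampung", "buku", "meja",
]
TIME_STEP = 30     # seconds per OTP window (assumed parameter)
SKEW_WINDOWS = 1   # windows accepted either side of the server clock (assumed)


def derive_seed(secret: bytes, device_profile: bytes, identity_profile: bytes) -> bytes:
    """Dynamic seed: enrolled secret bound to device and identity profiles, so an
    OTP computed on another device is rejected even if the secret is known."""
    return hmac.new(secret, device_profile + b"\x00" + identity_profile,
                    hashlib.sha256).digest()


def hybrid_otp(seed: bytes, challenge: int, timestamp: int, step: int = TIME_STEP) -> str:
    """Time window + challenge counter -> HMAC-SHA256 -> three dictionary words.
    Each index uses 4 digest bytes mod 32; 2**32 % 32 == 0 keeps it uniform."""
    window = timestamp // step
    digest = hmac.new(seed, struct.pack(">QQ", window, challenge), hashlib.sha256).digest()
    idx = [int.from_bytes(digest[4 * i:4 * i + 4], "big") % len(WORDLIST) for i in range(3)]
    return " ".join(WORDLIST[i] for i in idx)


class Verifier:
    """Server side: recomputes the OTP, tolerates bounded clock skew and
    enforces single use by remembering accepted (window, challenge) pairs."""

    def __init__(self, seed: bytes, step: int = TIME_STEP, skew: int = SKEW_WINDOWS):
        self.seed, self.step, self.skew = seed, step, skew
        self.accepted = set()

    def verify(self, otp: str, challenge: int, now: int) -> bool:
        centre = now // self.step
        for w in range(centre - self.skew, centre + self.skew + 1):
            expected = hybrid_otp(self.seed, challenge, w * self.step, self.step)
            if hmac.compare_digest(expected.encode(), otp.encode()):
                if (w, challenge) in self.accepted:
                    return False      # replay of an already-consumed OTP
                self.accepted.add((w, challenge))
                return True
        return False                  # wrong seed, wrong challenge, or clock too far off


def confusion_metrics(tp: int, tn: int, fp: int, fn: int) -> dict:
    """The six figures the abstract reports, from confusion-matrix counts."""
    total = tp + tn + fp + fn
    return {
        "accuracy": (tp + tn) / total,
        "error_rate": (fp + fn) / total,
        "specificity": tn / (tn + fp),
        "false_alarm_rate": fp / (tn + fp),
        "recall": tp / (tp + fn),
        "precision": tp / (tp + fp),
    }


def simulate() -> dict:
    """Constructed trial: legitimate logins with assorted clock offsets, rogue
    logins from another device, and one replay. Returns the metrics."""
    secret = b"enrolled-secret-example"
    seed = derive_seed(secret, b"device:IMEI-EXAMPLE", b"id:alice")
    verifier = Verifier(seed)
    now = 1_700_000_000  # fixed server clock so the run is reproducible
    tp = tn = fp = fn = 0
    # Phone clock offsets in seconds; -59 s and +90 s fall outside one window of
    # skew and become false rejects, the error mode a deployment actually sees.
    for i, offset in enumerate([0, 10, -20, 35, -59, 90, 5, -15]):
        if verifier.verify(hybrid_otp(seed, i, now + offset), i, now):
            tp += 1
        else:
            fn += 1
    # Attacker knows identity and secret but generates on a different device.
    rogue = derive_seed(secret, b"device:OTHER", b"id:alice")
    for i in range(8):
        if verifier.verify(hybrid_otp(rogue, 100 + i, now), 100 + i, now):
            fp += 1
        else:
            tn += 1
    # Replay of the first accepted OTP must fail.
    if verifier.verify(hybrid_otp(seed, 0, now), 0, now):
        fp += 1
    else:
        tn += 1
    return confusion_metrics(tp, tn, fp, fn)


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:>16}: {value:.2%}")
```

Reading the abstract's figures through the same formulas: precision = 100% and specificity = 100% both mean zero false accepts, so the entire 1.45% error rate (recall = 98.40%) consists of legitimate attempts being rejected, which in a time-based scheme is typically clock skew outside the accepted window; the constructed trial above reproduces that profile with false rejects only.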
Call Number: t HG 1708.7 K45H 2021
Kulliyyah: Kulliyyah of Engineering
Programme: Doctor of Philosophy (Engineering)
URI: http://studentrepo.iium.edu.my/handle/123456789/11058
Appears in Collections:KOE Thesis

Files in This Item:
File                                    Description                              Size       Format
t11100429181BurhanUlIslamKhan_24.pdf    24 pages file                            489.86 kB  Adobe PDF
t11100429181BurhanUlIslamKhan_SEC.pdf   Full text secured file (Restricted Access)  6.4 MB   Adobe PDF
Items in this repository are protected by copyright, with all rights reserved, unless otherwise indicated. Please give due acknowledgement and credits to the original authors and IIUM where applicable. No items shall be used for commercialization purposes except with written consent from the author.