Abstract
The Time-based One-Time Password (TOTP) algorithm is commonly used for two-factor authentication. In this algorithm, a shared secret is used to derive a One-Time Password (OTP). However, in TOTP, the client and the server need to agree on a shared secret (i.e., a key). As a consequence, an adversary can construct an OTP through the compromised key if the server is hacked. To solve this problem, Kogan et al. proposed T/Key, an OTP algorithm based on a hash chain. However, the efficiency of OTP generation and verification is low in T/Key. In this article, we propose a novel and efficient Merkle tree-based One-Time Password (MOTP) algorithm to overcome such limitations. Compared to T/Key, this proposal reduces the number of hash operations to generate and verify the OTP, at the cost of small server storage and tolerable client storage. Experimental analysis and security evaluation show that MOTP can resist leakage attacks against the server and bring a tiny delay to two-factor authentication and verification time.
Highlights
Traditional authentication schemes based on usernames and passwords are affected by security vulnerabilities since they require users to provide usernames and passwords to prove their identity.Again, since a person chooses a password, such a password could be related to personal privacy and affected by some regularity [1]
We implemented Merkle tree-based One-Time Password (MOTP) initialization and the One-Time Password (OTP) generation function using Android to evaluate the performance of MOTP on mobile devices
The parameter configuration of the implemented MOTP is shown in Table 3. hm and p were set to 10 and 1024, respectively, which ensures enough OTPs generated by MOTP; hs was set to seven as a balance between server storage and transmission traffic, and t gap was set to 30 s to balance security and availability [7]
Summary
Traditional authentication schemes based on usernames and passwords are affected by security vulnerabilities since they require users to provide usernames and passwords to prove their identity.Again, since a person chooses a password, such a password could be related to personal privacy and affected by some regularity [1]. Traditional authentication schemes based on usernames and passwords are affected by security vulnerabilities since they require users to provide usernames and passwords to prove their identity. An adversary can crack the password more efficiently, through consultations of and queries to a predefined password dictionary [2]. To remember a password quickly, most users use a fixed password for an extended period. With advances in the performance of processors, the possibility of the fixed password being cracked by brute force attacks increases. To verify a user’s identity, the server needs to store the password, but can all servers guarantee the security of the password stored? Six million plaintext passwords were exposed in the CSDN (China Software Developer Network) data breach, prompting users to Sensors 2020, 20, 5735; doi:10.3390/s20205735 www.mdpi.com/journal/sensors
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
