Abstract
Recently, the use of two-factor authentication (2FA) has increased to mitigate the risk of stolen user credentials. Most 2FA schemes use a mobile device to complete the authentication process, but many of them require an Internet connection or a subscriber identity module (SIM) chip to synchronize the One-Time Password (OTP); the connection may not be available all the time, and the user's phone may not be equipped with a SIM in the first place. Thus, this paper attempts to overcome this problem by using the camera of the mobile device and a QR code to verify the OTP instead of relying on an Internet connection or the cellular network. The proposed approach encrypts keys and secret codes with symmetric and asymmetric keys for added security, uses QR codes to exchange those codes quickly and easily, and includes a code suffix to prevent phishing attacks. Security analysis proves that the scheme is immune to many well-known attacks such as MITM, shoulder surfing, keylogger, and phishing attacks. This scheme could contribute a secure, practical, and easy-to-use option to diversify 2FA if it is adopted by service providers such as Google, Meta, and Microsoft.
Keywords: Authentication; Two-Factor Authentication (2FA); Mobile device; One-Time Password (OTP); Challenge Response Protocol; Quick Response (QR) Code
More From: Mustansiriyah Journal of Pure and Applied Sciences