A Two-factor Authentication Mechanism Using Mobile Phones

Mobile devices are becoming more pervasive and more advanced with respect to their processing power and memory size. Relying on the personalized and trusted nature of such devices, security features can be deployed on them in order to uniquely identify a user to a service provider. In this paper, we present a strong authentication mechanism that exploits the use of mobile devices to provide a two-factor authentication method. Our approach uses a combination of one-time passwords, as the first authentication factor, and credentials stored on a mobile device, as the second factor, to offer a strong and secure authentication approach. We also present an analysis of the security and usability of this mechanism. The security protocol is analyzed against an adversary model; this evaluation proves that our method is safe against various attacks, most importantly key logging, shoulder surfing, and phishing attacks. Our usability evaluation shows that, although our technique does add a layer of indirectness that lessens usability, participants were willing to tradeoff that usability for enhanced security once they became aware of the potential threats when using an untrusted computer. ∗This and other LERSSE publications can be found at lersse-dl.ece.ubc.ca