Multi-Factor Authentication

Abstract

Traditional authentication is synonym with verifying username and password. Conventional and successful attacks on passwords highlighted the importance of new authentication systems to suit mobile devices, increase security and maintain convenience. This paper proposes and implements a multi-factor authentication system. It evaluates the system in terms of simplicity and performance against different types of attacks. The system randomly selects two of the four stages that are required to successfully log into the system. In the first stage the user selects a pattern of boxes from a grid of boxes. In the second stage the user selects five characters out of ten according to a numeric code created at registration. In the third stage the user enters a passcode based on a seed value by using a secret formula installed on the user’s smartphone. The fourth stage presents the user with two security questions, that he must answer. We evaluate the system mathematically to gauge its immunity against brute-force attacks. The results show high user learnability, and the probability of a successful brute-force attack is less than 6.72E-25 for the first and second stages combined if you only select 8 items out of 36.