Secure User Authentication System Using Image-Based OTP and Randomize Numeric OTP Based on User Unique Biometric Image and Digit Repositioning Scheme

Das, Ramkrishna; Manna, Sarbajit; Dutta, Saurabh

doi:10.1007/978-981-10-8585-7_8

Cited by 5 publications

(1 citation statement)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Several approaches have been proposed to provide secure OTP authentication methods. Das et al [43] combined the image with numeric values to ensure the unpredictable feature for each OTP. They selected a pseudo-random value as the first part and then randomly selected pixels of user biometric image as the second part.…”

Section: Re L a T E D W O R Kmentioning

confidence: 99%

Fine with “1234”? An Analysis of SMS One-Time Password Randomness in Android Apps

Kim

et al. 2021

2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

A fundamental premise of SMS One-Time Password (OTP) is that the used pseudo-random numbers (PRNs) are uniquely unpredictable for each login session. Hence, the process of generating PRNs is the most critical step in the OTP authentication. An improper implementation of the pseudorandom number generator (PRNG) will result in predictable or even static OTP values, making them vulnerable to potential attacks. In this paper, we present a vulnerability study against PRNGs implemented for Android apps. A key challenge is that PRNGs are typically implemented on the server-side, and thus the source code is not accessible. To resolve this issue, we build an analysis tool, OTP-Lint, to assess implementations of the PRNGs in an automated manner without the source code requirement. Through reverse engineering, OTP-Lint identifies the apps using SMS OTP and triggers each app's login functionality to retrieve OTP values. It further assesses the randomness of the OTP values to identify vulnerable PRNGs. By analyzing 6,431 commercially used Android apps downloaded from Google Play and Tencent Myapp, OTP-Lint identified 399 vulnerable apps that generate predictable OTP values. Even worse, 194 vulnerable apps use the OTP authentication alone without any additional security mechanisms, leading to insecure authentication against guessing attacks and replay attacks.

show abstract

Section: Re L a T E D W O R Kmentioning

confidence: 99%