Architectural Design of a Strong Bi-Factor Re-Authentication Paradigm in Cloud Environment

1 Jyotika Chhetiza, 2 Nagendra Kumar
1 Research Scholar, Shri Ram Institute of Science and Technology, CS Department, Jabalpur, India
2 Assistant Professor, Shri Ram Institute of Science and Technology, CS Department, Jabalpur, India

Jyotika.kshetija@gmail.com, ns0761@gmail.com

ABSTRACT

Cloud computing provides shared processing resources and data to computers and other devices over the
internet on demand. Although it is highly useful and affordable, protection and privacy concerns always
attach to the cloud, because data can be accessed by cloud service providers at any time. Information
could be altered, deleted or shared with third parties, if required for law-enforcement purposes, without
any prior notice. Authentication, the mechanism by which one proves one's identity to gain system
access, plays a major role in data security. In this paper, we discuss a new multi-factor authentication
model based on a combination of knowledge and possession factors together with a CAPTCHA technique,
which will ensure highly secure and strong user authentication during cloud access.

Index terms – One time passwords, SMS API, CAPTCHA, Login key, knowledge factor, possession factor, MFA,
bi-factor

I. INTRODUCTION

Cloud security is a sub-area of computer security, network security and, more specifically, information
security. It encompasses a wide range of policies, technologies and controls applied to protect the data,
applications and associated infrastructure of cloud computing. When a corporation chooses to store
data or host applications on a public cloud, it cannot physically access the servers that host its data. To
limit resource usage, reduce costs and maintain efficiency, cloud service providers store the data of
multiple customers on the same server. Consequently, it is possible that one user's private data could be
viewed by other users. To avoid such sensitive situations, data leakages and hacks, cloud service
providers should enforce proper data isolation and logical storage segregation [1]. It is essential that
information security controls be selected and applied according to the risks, typically by evaluating the
threats, vulnerabilities and impacts.

The process of authentication compares the credentials provided with those stored in the database of
authorized users, either on a local operating system or within an authentication server. If the
credentials match, the process completes and the user is granted authorization for access. Strong
authentication is a familiar term that can be defined as any method of verifying the identity of a user
or device that is inherently strong enough to ensure the security of the system it protects [2].

Multifactor authentication ("MFA") is an extension of two-factor authentication and a way of strengthening
IT security that requires end users to provide multiple forms of identification to confirm their identity
before gaining access to corporate resources and applications, as well as before performing online
transactions [3]. By requiring an additional authentication factor, or a combination of different factors,
beyond a simple password, for example a fingerprint, a voiceprint, login codes or tokens, MFA technology
makes it more difficult for attackers to exploit the login process and cause damage by leaking corporate,
customer or partner data, even when a password has been disclosed or reused across different services
by an end user.

II. RELATED WORK

Using static passwords for user authentication is now dangerous, as the recent security breaches suffered
by large organizations demonstrate. Around 6.5 million SHA1-hashed LinkedIn passwords were exposed in
June 2012 [4]. Dropbox confirmed that it was hacked in July 2012 and for that reason adopted two-factor
authentication from October 2012 [5]. Twitter, Skype, the New York Times and the Wall Street Journal
suffered security breaches in 2014 [6].

Much research has been carried out on authentication and its different techniques in order to make the
cloud safer to access. But with ever-growing internet data, security breaches have become more
sophisticated than before. S. H. Khan et al. developed a verification system combining a human inherence
factor with the standard knowledge factor [7]; the algorithms used were a signature-matching system,
feature extraction and distance measurement. Wenyi Liu et al. implemented a privacy-preserving
multi-factor authentication system based on a Multiple Access with Collision Avoidance algorithm [8].
Jiangshan Yu et al. upgraded a 2-factor mechanism to a formal 3-factor scheme in which a fingerprint-based
fuzzy vault system was developed [9]. Many other techniques, such as single sign-on, keystroke analysis,
graphical authentication, smart cards and biometric features, have previously been implemented to
provide secure access.

III. AUTHENTICATION FACTORS USED IN PROPOSED SYSTEM

We have all witnessed and frequently used password-based methods, which fall under the category of
single-factor authentication. These mechanisms no longer provide overall security for efficient access to
the cloud. To authenticate a user for legitimate access, an MFA mechanism supports five well-known
factors:
i. Knowledge factors - Information that a user must be able to provide in order to log in, such as
passwords.
ii. Possession factors - Something that a user must have in their possession to log in, such as an OTP or
a SIM number.
iii. Inherence factors - Biological traits of the user that are verified for login, such as fingerprint,
palm and retina scans.
iv. Location factors - Tracking the user's usual login location and current location with the use of GPS
technology.
v. Time factor - The user's current time and location; for example, a customer cannot physically use
their ATM card in America and then in Europe 15 minutes later. Such logical locks can prevent cases of
online bank fraud.
Fig 1. Authentication Factors of proposed Algorithm

In the proposed system, we use a combination of two of the factors mentioned above: the knowledge
factor and the possession factor. First, there is conventional username/password authentication along
with the answer to a user-specific secret question, both of which are knowledge factors. Then, using the
user's phone number as a parameter, an OTP is sent to the user's mobile. In addition, using the phone's
IMEI number as a parameter, a login key is sent to the user's mobile. The combination of OTP and login
key serves as the possession factor. Alongside both factors, we use a mathematical calculation to check
whether the user is a bot and prevent it from logging in, adding further security for cloud access.

IV. PROPOSED SYSTEM DESIGN

When logging in to the cloud, we consider three phases as the core of the system: the registration phase,
the authentication phase and the key generation phase, as described in figure 2 below.

The three phases are explained below:

1) Registration phase: This is a mandatory step for all further logins to the cloud and for saving
required files. It requires filling in a sign-up form through which the details and credentials needed
for later logins are collected. The information collected is the desired username, the password and a
user-specific secret question along with its answer. In addition, we apply a CAPTCHA technique to
ensure that the user is human. This step also requires the user to register his/her SIM number as well
as the phone's IMEI number, so that the factors can be combined for high-level authentication.

2) Authentication phase: In this step, we ensure re-authentication each time a user logs in. This
includes entering the OTP (OTP generation is explained in the key generation phase), which takes the SIM
as a parameter and is delivered to the user's phone as a message. Along with the OTP we have a login
key, which is sent by the cloud to the phone using the IMEI number as a parameter. The combination of
OTP and login key, username and password, together with the CAPTCHA mechanism, serves as the main
authentication protocol.

3) Key generation phase: The OTP and login keys are the most essential aspect of our bi-factor
scheme. For the OTP to be received on the registered phone number, we need to develop an SMS-API
that interacts with the cloud to send it as a message. Also, when the user registers his/her phone's
IMEI number, the secret login key is delivered to the device identified by that IMEI number. The key
generation phase is a sub-realm of authentication in the mobile cloud computing framework [10].
Fig 2. Flow chart for the proposed system
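The three phases above, as an added example that is not part of the paper (whose implementation is PHP-based): a server-side sketch of the scheme in Python. The in-memory dictionary stands in for the MySQL user table, the OTP is returned instead of being sent through the SMS-API, and the OTP lifetime, lockout threshold, class and method names are all assumptions. The login key is derived as an HMAC over the registered IMEI under a server secret, so it is bound to the device but cannot be computed from the IMEI alone.

```python
import hashlib, hmac, os, secrets, time

OTP_TTL_SECONDS = 120   # constructed policy value; the paper gives no OTP lifetime
MAX_FAILURES = 5        # constructed lockout threshold

class BiFactorAuth:
    def __init__(self, server_secret: bytes):
        self.server_secret = server_secret   # HMAC key that derives login keys
        self.users = {}                      # username -> record (stands in for MySQL)
        self.pending = {}                    # username -> (otp, expiry time)

    @staticmethod
    def _kdf(secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    # Registration phase: keep only salted hashes of the knowledge factors,
    # plus the SIM and IMEI that the possession factors are bound to.
    def register(self, username, password, answer, sim, imei):
        salt = os.urandom(16)
        self.users[username] = dict(
            salt=salt, pw=self._kdf(password, salt), ans=self._kdf(answer.lower(), salt),
            sim=sim, imei=imei, failures=0)

    # Key generation phase (login key): HMAC over the registered IMEI, so the key
    # is device-bound but not derivable from the IMEI without the server secret.
    def login_key(self, imei: str) -> str:
        return hmac.new(self.server_secret, imei.encode(), "sha256").hexdigest()[:16]

    # Authentication phase, step 1: CAPTCHA and knowledge factors. Only when they
    # match is an OTP generated (returned here; the paper sends it via the SMS-API).
    def begin_login(self, username, password, answer, captcha_ok):
        u = self.users.get(username)
        if u is None or not captcha_ok or u["failures"] >= MAX_FAILURES:
            return None
        if not (hmac.compare_digest(u["pw"], self._kdf(password, u["salt"])) and
                hmac.compare_digest(u["ans"], self._kdf(answer.lower(), u["salt"]))):
            u["failures"] += 1
            return None
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = (otp, time.time() + OTP_TTL_SECONDS)
        return otp

    # Step 2: possession factors. The pending OTP is consumed on the first attempt,
    # right or wrong, so it can be neither retried nor replayed.
    def complete_login(self, username, otp, key) -> bool:
        u = self.users.get(username)
        expected, expiry = self.pending.pop(username, (None, 0.0))
        if u is None or expected is None or time.time() > expiry:
            return False
        ok = (hmac.compare_digest(expected, otp) and
              hmac.compare_digest(self.login_key(u["imei"]), key))
        u["failures"] = 0 if ok else u["failures"] + 1
        return ok
```

A wrong password never causes an OTP to be issued, which is the behaviour section V describes (the login key and OTP steps are disabled when the password check fails).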
V. INITIAL RESULTS

To develop a personal cloud space we used PHP-based mechanisms, and the SMS-API is an Android-based
application that interacts with the cloud. WAMP server is an appropriate package for PHP-MySQL
database connectivity. The proposed system design will ensure a high level of authentication with a
user-friendly approach: the user will not need to deal with any of the technical details deployed,
ensuring optimum usability. In case the password is compromised, the further steps for the login key
and OTP will be disabled, so access will not be granted to an unauthorized user. Further, the use of a
CAPTCHA technique in this protocol will prevent any bot or malicious device from gaining control of
the user account.

VI. CONCLUSION

In this paper we proposed a bi-factor authentication system that can preserve the authentication score
using a combination of two distinct technologies from two different factors. We emphasized that using
multiple user-friendly factors has attractive applications. The low computational and communication
complexity of our proposed system makes it executable almost in real time for users. We also modified
the basic protocol to enhance security in the presence of a malicious device. In this case, our proposed
protocol has a complexity growing fractionally with the size of the user profile. We argue that it
provides reasonable authentication using implicit and explicit factors with protection against bots. A
complete implementation of the system will be our future work.

VII. REFERENCES

[1] M. Haghighat, S. Zonouz and M. Abdel-Mottaleb, "CloudID: Trustworthy cloud-based and
cross-enterprise biometric identification," Expert Systems with Applications, vol. 42, no. 21,
pp. 7905-7916, 30 November 2015.

[2] A. Ruiz-Martinez, R. Marin-Lopez and F. Pereniguez-Garcia, Architectures and Protocols for
Secure Information Technology Infrastructures, Hershey, Pennsylvania: IGI Global, 2013, pp. 1-45.

[3] Y. Shah, V. Choyi and L. Subramanian, "Multi-factor Authentication as a Service," Mobile Cloud
Computing, Services, and Engineering (MobileCloud), pp. 144-150, 2015.

[4] P. Kamp, P. Godefroid, M. Levin, D. Molnar, P. McKenzie, R. Stapleton-Gray, B. Woodcock and
G. Neville-Neil, "LinkedIn password leak: Salt their hide," Queue, vol. 10, no. 6, p. 20, 2012.

[5] J. Brodkin, "Dropbox confirms it got hacked, will offer two-factor authentication,"
http://arstechnica.com/security/2012/07/, 2012, [Online; accessed 07-June-2016].

[6] B. Lord, "Keeping our users secure," https://blog.twitter.com/2013/keeping-our-users-secure,
2013, [Online; accessed 06-June-2016].

[7] S. H. Khan and M. A. Akbar, "Multi-Factor Authentication on Cloud," Digital Image Computing:
Techniques and Applications (DICTA), 2015 International Conference, pp. 1-7, 2015.

[8] W. Liu, A. S. Uluagac and R. Beyah, "MACA: A privacy-preserving multi-factor cloud authentication
system utilizing big data," Computer Communications Workshops (INFOCOM WKSHPS), pp. 518-523, 2014.

[9] J. Yu, G. Wang, Y. Mu and W. Gao, "An Efficient Generic Framework for Three-Factor
Authentication With Provably Secure Instantiation," IEEE Transactions on Information Forensics
and Security, vol. 9, no. 12, pp. 2302-2313, December 2014.

[10] M. Alizadeh, W. H. Hassan and T. Khodadadi, "Feasibility of Implementing Multi-factor
Authentication Schemes in Mobile Cloud Computing," 2014 5th International Conference on
Intelligent Systems, Modelling and Simulation, Langkawi, 2014, pp. 615-618.

AUTHORS PROFILE

Jyotika Chhetiza is an M.Tech student in the CSE department of Shri Ram Institute of
Science and Technology, Jabalpur, India, affiliated to Rajiv Gandhi Proudyogiki
Vishwavidyalaya (State Technical University of Madhya Pradesh, India). This paper
is being published in partial fulfilment of her Master's thesis.