Abdelmunem Abuhasan and Adwan Yasin
Department of Computer Science, Arab American University, Jenin, Palestine
ABSTRACT
Despite their well-known security breaches, text passwords have dominated all other methods of human
authentication on the web for decades; however, the frequent successful attacks that exploit the
vulnerable password model raise the need to enhance web authentication security. This paper proposes
BMBAT, a new authentication technique to replace passwords that leverages the pervasive user mobile
devices, QR codes and the strength of symmetric and asymmetric cryptography. In BMBAT, the user's
mobile device acts as a prover of the user's identity and as a verifier of the server; it employs a
challenge-response model with a dual mode of encryption using AES and RSA keys to mutually authenticate
the client to the server and vice versa. BMBAT combats a set of attack vectors including phishing
attacks, man-in-the-middle attacks, eavesdropping and session hijacking. A prototype of BMBAT has been
developed and evaluated; the evaluation results show that BMBAT is a feasible and competitive
alternative to passwords.
KEYWORDS
Web Authentication, Mobile Authentication, Phishing, User Identity, Password