Abdelmunem Abuhasan and Adwan Yasin
Department of Computer Science, Arab American University, Jenin, Palestine
ABSTRACT
Despite their well-documented history of breaches, text passwords have dominated all other methods of human authentication on the web for decades. The frequent successful attacks that exploit the weaknesses of the password model, however, make it necessary to strengthen web authentication. This paper proposes BMBAT, a new authentication technique intended to replace passwords, which leverages the user's ubiquitous mobile device, QR codes, and the strength of symmetric and asymmetric cryptography. In BMBAT, the user's mobile device acts both as a prover of the user's identity and as a verifier of the server; it employs a challenge-response model with a dual mode of encryption using AES and RSA keys to authenticate the client to the server and the server to the client. BMBAT counters a set of attack vectors including phishing, man-in-the-middle attacks, eavesdropping and session hijacking. A prototype of BMBAT has been developed and evaluated; the evaluation results show that BMBAT is a feasible and competitive alternative to passwords.
KEYWORDS
Web Authentication, Mobile Authentication, Phishing, User Identity, Password.