
Computer Science Project 2020 E-Authentication System Using A Combination of QR Code and Otp For Enhanced Security

The document proposes an e-authentication system using a combination of QR codes and one-time passwords (OTPs) for enhanced security. The system aims to secure login credentials against hacking, shoulder surfing, and accidental login. Users first register with basic details. During login, they authenticate with their email and password. They then select QR code or OTP authentication. If selecting QR code, a QR code is generated and emailed. If selecting OTP, an SMS is sent. If authentication is successful, the user is redirected to the main page. The QR code and OTP are randomly generated for each login attempt to improve security.

Uploaded by MICHAEL ADEYEMO
© All Rights Reserved

E-AUTHENTICATION SYSTEM USING A COMBINATION OF QR CODE AND OTP FOR ENHANCED SECURITY

Abstract

In the proposed scheme, the user can easily and efficiently log in to the system. We analyze the security and usability of the proposed scheme and show its resistance to hacking of login credentials, shoulder surfing and accidental login. In a shoulder surfing attack, the adversary obtains the user's password by watching over the user's shoulder as he enters it. Schemes with different degrees of resistance to shoulder surfing have been proposed, and we have come up with a secure system. To use this authentication system, the user first needs to register by filling in the basic registration details. After a successful registration, the user can access the login module, where he/she first authenticates the account by entering the email id and password that were entered during registration. Once the email id and password are authenticated, the user proceeds to the next authentication section, where he/she selects the type of authentication: QR (Quick Response) Code or OTP (One Time Password). If the user selects QR Code, the system generates a QR Code and sends it to the user's mail id over the internet. If the user selects OTP, an SMS is sent to his/her registered mobile number. If the user passes the authentication, the system redirects to the main page. The QR Code and OTP are randomly generated by the system at the time of login.

CHAPTER ONE

INTRODUCTION

1.1 BACKGROUND OF THE STUDY

When using services in a web environment, security is of great importance for both the user and the provider. The information in use must be handled in a way that does not compromise its security. Passwords are only secure as long as the user keeps them secret. Not everyone is aware of the risk that comes with compromised passwords and other security leaks (Nilsson, 2012).

Lately, client-side attacks on online banking and electronic commerce have been on the rise due to inadequate security awareness amongst end users. As a result, end users may not be aware of a vulnerability on their machine or platform that might lead to a client-side attack. The password remains the most popular authentication mechanism in use today. In order to complete any web-based transaction exchange, the online user is required to enter his/her password into an online system.

As technological advances continue to influence the way society makes payment for goods and services, the requirement for more advanced security approaches for transaction verification in the online environment increases.

In order to mitigate these security issues, this dissertation proffers a solution by integrating different authentication methods to provide an improved and secure online transaction between the client and the server. The thesis introduces an anti-form-grabbing technique which prevents the attacker from “grabbing” sensitive information and modifying it while it is being sent to the server by the client, and which also protects the web contents. The system also minimizes the risk of online attacks by using a One Time Password (OTP), a password that is valid for only one login session or transaction within a limited time, along with the use of Email as a different verification channel.

This thesis therefore intends to develop an E AUTHENTICATION SYSTEM USING QR CODE & OTP.

1.2 RESEARCH MOTIVATION

Cyber criminals are using newer and more advanced methods to target online users. What makes some online attacks difficult to detect from the client side is that any activity performed appears to originate from the legitimate user's web browser; most worrying, the attack silently changes the user's account details to the attacker's account details.

The losses attributed to financial fraud are alarming. The financial services industry has become a primary target of cyber-attacks on a global scale and, in 2009 alone, suffered losses totalling $54 billion – an increase from $48 billion in 2008 (SafeNet, 2010).

In 2010, there was an exponential increase in the number of online attacks against financial institutions, including the European consumer banking and U.S. corporate banking markets (RSA, 2011). The hackers target the most sensitive information, such as the account number and the amount, and alter it for their own benefit. One must be able to trust the data that is transmitted to the bank server, which is why an enhanced web security application will be developed to tackle the online security threat.

According to the Data Breach Investigation Report by Verizon Communications Inc., New York, 63,000 security incidents were reported in the year 2014 from 95 countries all over the world, and authentication attacks are the highest threat to organizations (http://www.verizonenterprise.com/DBIR/). The use of a single-factor, knowledge-based authentication system such as username and password is inadequate for protecting against authentication attacks. The various methods documented in the literature do not indicate unique or generic solutions for providing an accurate and secure authentication system. Nevertheless, these techniques have certain limitations such as less accuracy and higher time consumption. There are multiple factors for authentication using biometric traits and two dimensional barcodes.

Authentication based on possession is generally based on smart cards. The wide deployment of mobile phones and smart devices has motivated the need for an authentication system based on the mobile phone and the Quick Response code. The biometric template can be embedded in the Quick Response code for authentication. Authentication systems have to be equipped with smart devices to enable faster and more efficient authentication. One of the main disadvantages of a biometric system is the associated time taken for registration and identification. Extracting the biometric features from a group of users is time consuming and inconvenient. Automatic authentication systems perform the task without the knowledge of the user and are hence more effective.

The increasing number of cyber attacks during online financial transactions has created a need for secure and efficient means of authentication. Encrypted QR codes can be used for that purpose. Several multimodal biometric systems have been reported in the literature. The modalities chosen in them are vulnerable to spoofing attacks and hence, irrespective of the type of fusion, spoofing is possible. There is a need for efficient fusion of vein based modalities as they are less vulnerable.

Current research in the area of authentication focuses largely on the various methods of extracting biometric traits from the user. The increase in the number of internet users has also led to a subsequent increase in various methods of authentication attacks. Thus, enhancing the security of authentication systems emerges as an important issue to be addressed, and this motivated the author to explore different types of authentication systems. Emerging trends in computationally demanding applications necessitate more effective algorithms for securing authentication.

1.3 RESEARCH AIM AND OBJECTIVES

The aim of this dissertation is to develop an E authentication system using QR code & OTP. The research objectives of this proposed dissertation are to:

1. Develop an anti-form grabbing technique to encode the user inputs as they are being entered.

2. Implement an authentication mechanism using One Time Password (OTP).

3. Develop a medium that makes use of Email from the server for identity verification.

1.4 RESEARCH METHODOLOGY

The following are methods that were adopted for this research:

1. Develop the anti-form grabbing algorithm to encode user inputs.

2. Develop the OTP algorithm to authenticate the user.

3. Develop a medium that makes use of Email from the server for identity verification.

4. Design the proposed system architecture to mitigate MitB attack.

5. Implement the proposed system.

6. Assess performance of the proposed system.

1.5 Significance of The Study

It is believed that at the completion of the study, the findings will be of great importance to researchers who intend to carry out studies on similar topics, as the study will serve as a reference point. Finally, the study will be of significance to academia, students, lecturers and the general public, as the findings will also contribute to the pool of knowledge.

1.6   Scope and Limitation of the Study

The scope of the study covers the impact of ICT and print media business in Nigeria, but in the course of the study there were some factors which militated against the scope of the study:

a) Availability of Research Material: The research material available to the researcher is insufficient, thereby limiting the study.

b) Time: The time frame allocated to the study does not allow wider coverage, as the researcher has to combine other academic activities and examinations with the study.

c) Finance: The finance available for the research work does not allow for wider coverage, as resources are very limited and the researcher has other academic bills to cover.

CHAPTER TWO
THEORETICAL BACKGROUND
2.1 Introduction to E-Authentication
Despite the wide use of current e-authentication systems, they have many security holes: they are based on the traditional password model, with no mutual authentication between user and bank server, which leads to threats like phishing (stealing passwords and using them for transactions), interception of communication lines, database hacking, etc. To make transactions more secure while keeping them easy for the user, the following authentication system can be useful.
In our proposed scheme, we assume secure communication between the user (PC), the service provider and the service provider's certification authority.
The proposed authentication system ensures user authentication and digital signatures using authorized certificates, by using https communication between user and server.

Using the user's transfer information (TI), the requested transfer time (T) and the serial number (SN) of the user's mobile device instead of a security card, we generate a QR-code, display it on the user's screen and decode it with the user's mobile device to generate an OTP.
The OTP is also generated on the server side, and the OTP generated by the user device and the one generated by the server are compared in order to proceed. The user database should also be encrypted to prevent data leakage.
The authentication process of the proposed system is shown below:

Fig. Working scenario for e-authentication system

1] The user uses his/her own public certificate to log in and then enters the transfer information to start the transfer transaction.

Transfer Information (TI) = TB||TA||TM

TB: Transfer Bank (Bank code)
TA: Transfer Account
TM: Transfer Money

2] The server converts the transfer information (TI) entered by the user, the requested time of transfer (T) and a random value (RN) into a QR-code and displays it on the screen together with the random value (RN`). At the same time, the server sends it to the certification authority (CA), to be matched against the code input on the mobile device. If the information does not match, the transfer will be canceled.

3] The certification authority (CA) generates the OTP from the received transfer information (TI), the requested time of transfer (T) and the user's hashed serial number (SN).

4] The user converts the QR-code on the screen using their mobile device, in two phases. First, the user uses the mobile device (phone) to read the random value (RN) and verify it against the random value (RN`) shown on the screen.
If the random value is accurate, the user proceeds to the next step and confirms the converted transfer information. If the information is accurate, the user generates the OTP; the hashed serial number (SN) of the user's mobile device is shared with the certification authority (CA). The generated OTP is output on the screen of the mobile device.

5] When the user executes OTP generation, the mobile device generates the OTP by reading the transfer information (TI), the perceived value of time (T), the information of transfer (TI) and the requested time of transfer (T).

6] The user inputs the generated OTP code from the mobile device on the screen.

7] The server (Bank) sends the OTP received from the user to the certification authority (CA).

8] The certification authority (CA) compares the received OTP code (OTP1) with the generated OTP code (OTP2) and sends the result to the server (Bank) for OTP code approval.

9] When the server (Bank) receives approval of the OTP from the certification authority (CA), it verifies the entered OTP code with the user consistent value and the user's digital signature. If approval of the OTP value is not received, the transfer will be canceled. The OTP is displayed on the mobile screen and the user types it into the desktop application. The desktop client then sends this OTP to the server.

10] The authorized user signs his certificates to complete the transfer.

11] The server (Bank) verifies the digital signature and gives final approval of the transfer.

2.2 Methodology

As we know, the number of Internet users is increasing drastically. People now use different online services provided by banks, colleges/schools, hospitals, online utility and bill payment services and online shopping sites. To access online services, a text-based authentication system is in use. The text-based authentication scheme has usability and security drawbacks that bring trouble to users. The core element of computational trust is identity. The aim of the paper is to make the system more complicated for impostors and more reliable for users by using the graphical authentication approach. In this paper, we use the more powerful tool of encoding the options in graphical QR format, and an acknowledgment is also sent to the user's mobile for final verification. The main methodology depends upon the encryption option and a final verification that confirms a set of pass phrases with the legitimate user; the outcome is very powerful, as it only gives the result once the process has completed successfully. All processes are linked serially: the output of the 1st process is the input of the 2nd, and so on. The system is a combination of recognition and pure recall based techniques. The presented scheme is useful for devices like PDAs, iPods, phones etc., which are handier and more convenient to use than traditional desktop computer systems.

2.3 Relevance and implications

The findings and conclusions presented by this dissertation have both academic and practical relevance. On one hand, they support the establishment of future research studies related to E-Authentication systems, uncovering new insights about users' online behavior within this security category, namely the different strategies users use while logging in to different websites and their respective responses to the presented stimuli. On the other hand, these new insights and information about E-Authentication users are also important for the success of authenticators' strategies and respective online platforms. By better understanding the security procedure of the e-authentication system (from the strategies users use before logging in to any website, to the actual login security process and finally to the post-login evaluation), as well as some of the implications on security of this e-authentication system versus a more traditional one, this study is expected to contribute to the practical knowledge of authenticators, allowing them to better adapt their authentication systems to the expectations and behavior of users.

2.4 System Analysis And Planning

System analysis and design refers to the process of examining a business situation with the intent of improving it through better procedures and methods. System development can generally be thought of as having two major components: system analysis and system design.
System design is the process of planning a new system or replacing or complementing an existing system. But before this planning can be done, we must thoroughly understand the existing system and determine how computers can best be used to make its operation more effective. System analysis, then, is the process of gathering and interpreting facts, diagnosing problems and using the information to recommend improvements to the system.

2.3.1 Requirement Analysis

Requirement analysis in system engineering and software engineering encompasses those tasks that go into determining the needs or conditions to meet for a new or altered product, taking account of the possibly conflicting requirements of the various stakeholders, such as beneficiaries or users.
Requirement analysis is critical to the success of a development project. Requirements must be documented, actionable, measurable, testable, related to identified business needs or opportunities, and defined to a level of detail sufficient for system design.
Requirements are a description of how a system should behave or a description of system properties or attributes. A requirement can alternatively be a statement of what an application is expected to do. The software requirement analysis process covers the complex task of eliciting and documenting the requirements of all these users, modeling and analyzing these requirements and documenting them as a basis for system design.

2.3.2 Steps in Requirement Analysis Process

➢ Fix system boundaries
➢ Identify the customer
➢ Requirement elicitation
➢ Requirement analysis process
➢ Requirements specification
➢ Requirement management

2.1.2 Requirement Analysis Technique

Brainstorming Session

Brainstorming is a group creativity technique designed to generate a large number of ideas for the solution of a problem. Although brainstorming has become a popular group technique, researchers have not found evidence of its effectiveness for enhancing either the quantity or quality of ideas generated when it is applied in a traditional group setting. Because of such problems as distraction, social loafing, evaluation apprehension, and production blocking, conventional brainstorming groups are little more effective than other types of groups, and they are actually less effective than individuals working independently.

2.2 SRS Document

A Software Requirement Specification (SRS) is a complete description of the behavior of the system to be developed. It includes a set of use cases that describe all the interactions the user will have with the software. Use cases are also known as functional requirements. In addition to use cases, the SRS also contains non-functional requirements. Non-functional requirements are requirements which impose constraints on the design or implementation (such as performance requirements, quality standards or design constraints).
Goals of the SRS are:

➢ It provides feedback to the customer. An SRS is the customer's assurance that the development organization understands the issues or problems to be solved and the software behavior necessary to address those problems.

➢ It decomposes the problem into component parts. The simple act of writing down software requirements in a well-designed format organizes information, places borders around the problem, solidifies ideas, and helps break down the problem into its component parts in an orderly fashion.

➢ It serves as an input to the design specification. Therefore, the SRS must contain sufficient detail in the functional system requirements so that the design solution can be devised.

2.2.1 Non Functional Requirements:

It consists of following parameters: -

Reliability: The system will consistently perform its intended function. For example, the important information must be validated.

Efficiency: Unnecessary data will not be transmitted on the network, and the database server will be properly connected.

Reusability: The system can be reused in any organization or site of the same group, by defining the organization master definition under the software license agreement.

Integrity: Only the System Administrator has rights to access the database; not every user can access all the information. Each user will have rights to access the modules.

2.2.2 Used Tools and Platform

Software Specification:

Front-end Tool: HTML, CSS, C#, ASP.NET, Bootstrap, JavaScript

➢ User friendly
➢ Low Cost Solution
➢ GUI feature
➢ Better designing aspects

Back-end Tool: Microsoft SQL Server 2008

➢ Security
➢ Portability
➢ Quality

Platform:

Windows platform such as 2000 Professional, XP, Vista, 7, 8, 8.1, 10, etc.

Hardware Specification:

➢ Intel Pentium and Celeron class processor
➢ Processor Speed - 1.2 GHz or above
➢ RAM - 512 MB
➢ HDD - 40 GB
➢ Monitor - 14" SVGA
➢ Printer - Laser Printer
➢ Mouse - Normal
➢ Keyboard - Normal

2.3 Feasibility Study

An outlier is an observation that lies an abnormal distance from other values in a random sample
from a population. In a sense, this definition leaves it up to the analyst to decide what will be
considered abnormal.
Outlier detection is a task that finds objects that are dissimilar or inconsistent with respect to the
remaining data. It has many uses in applications like fraud detection, network intrusion detection and
clinical diagnosis of diseases. Clustering algorithms are frequently used for outlier detection. The
clustering algorithms consider outlier detection only to the point they do not interfere with the
clustering process. In this proposed approach, outliers are detected using 5-95% method in which 5%
of data from minimum side and 5% data from maximum side are detected and removed from the
dataset.
k-means is sensitive to outlier data but can still be used with OFT for the detection of outlier data. Outlier Finding Technique (OFT) is a hybridized form of both distance based and density based outlier finding techniques. Here, after cluster formation has taken place with the help of k-means clustering, we are left with the clusters of data points and the cluster centers. The experimental results prove that the Modified k-Means clustering algorithm with outlier detection and removal improves the accuracy of the k-means algorithm.
Outlier detection is used in various domains in data mining. This has resulted in a huge and highly
diverse literature of outlier detection techniques. A lot of these techniques have been developed in
order to solve problems based on some of the particular features, while others have been developed
in a more generic fashion.

2.4 System Planning

The purpose of project planning is to identify the scope of the project, estimate the work involved, and create a project schedule. Project planning begins with the requirements that define the software to be developed. The project plan reflects the current status of all project activities and is used to monitor and control the project.
The project planning task ensures that the various elements of the project are coordinated and therefore guides the project execution; project planning is crucial to the success of the project.
Careful planning right from the beginning of the project can help to avoid costly mistakes. It provides an assurance that the project execution will accomplish its goal on schedule and within the budget.

2.3.1 Preliminary Evolution



The preliminary investigation starts as soon as someone, either a user or a member of a particular department, recognizes a problem or initiates a request to modify the current computerized system or to computerize the current manual system.

An important outcome of the preliminary investigation is determining whether the system is feasible or not.

2.3.2 Project Scheduling

GANTT CHART

➢ A Gantt chart is also known as a Time Line Chart. A Gantt chart can be developed for the entire project, or a separate chart can be developed for each function.

➢ A tabular form is maintained where rows indicate the tasks with milestones and columns indicate duration (weeks/months).

➢ The horizontal bars that span across columns indicate the duration of each task.

CHAPTER THREE
SYSTEM DESIGN
Software design is a process of problem solving and planning for a software solution. After the purpose and specifications of the software are determined, software developers build a design or employ designers to develop a plan for a solution. It includes low-level component and algorithm implementation issues as well as the architectural view. Software design can be considered as putting a solution to the problem(s) in hand using the available capabilities.
Hence the main difference between software analysis and design is that the output of the analysis of a software problem will be smaller problems to solve, and it should not deviate so much even if it is conducted by different team members or even by entirely different groups. But since design depends on the capabilities, we can have different designs for the same problem depending on the capabilities of the environment that will host the solution. The solution will also depend on the development environment used.

3.1 Flow Chart

A flowchart is a type of diagram that represents an algorithm or process, showing the steps as boxes
of various kinds, and their order by connecting them with arrows. Process operations are represented
in these boxes, and arrows; rather, they are implied by the sequencing of operations. Flowcharts are
used in analyzing, designing, documenting or managing a process or program in various fields.
The two most common types of boxes in a flowchart are:

➢ A processing step, usually called activity, and denoted as a rectangular box
➢ A decision, usually denoted as a diamond.

Fig: Flow Chart of E-Authentication Login Process

Fig: Flow Chart of E-Authentication Login and Code Generation Process

3.2 Data Flow Diagram

DFD is used to show how data flows through the system and the processes that transform the input
data into output. Data flow diagrams are a way of expressing system requirements in a graphical
manner. DFD represents one of the most ingenious tools used for structured analysis. It is also
known as a bubble chart.
The DFD at its simplest level is referred to as a CONTEXT ANALYSIS DIAGRAM. These are expanded level by level, each explaining its process in detail. Processes are numbered for easy identification and are normally labeled in block letters.

Fig: Data Flow Diagram of E-Authentication

3.3 Activity Diagram

Activity diagrams are a loosely defined diagram technique for showing workflows of stepwise
activities and actions, with support for choice, iteration and concurrency. In the Unified Modeling
Language, activity diagrams can be used to describe the business and operational step-by-step
workflows of components in a system. An activity diagram shows the overall flow of control. They
consist of:
➢ Initial node.

➢ Activity final node.

➢ Activities

The starting point of the diagram is the initial node, and the activity final node is the ending.

Fig: Activity Diagram

3.4 SYSTEM IMPLEMENTATION DETAILS

3.1 MODULES:

This project contains following modules:


1. Registration
2. Login
3. OTP Verification
4. Scan QR codes
5. Main page access

MODULE DESCRIPTION:

3.1.1 Registration:

- To access the system, the user first needs to register by entering the basic registration details like name, email id, mobile number, gender, etc.

3.1.2 Login:

- Here, the user needs to enter the login credentials to access the system.

- If the login credentials are validated by the system, the page is redirected to the user authentication page, where the user needs to select one authentication type: OTP or QR Code.

3.1.3 OTP Verification:

- If the user selects OTP authentication, the system sends an OTP in the form of an SMS to the registered mobile number which was provided by the user at the time of registration.

3.1.4 Scan QR Code:

- If the user selects QR code, the code is generated in the backend and sent to the user's email id.

- The user needs to scan the QR Code using the system webcam to validate the QR Code sent over the mail.

3.1.5 Main Page Access:

- If the user passes the authentication process, the page is redirected to the Main Page; otherwise, it redirects to the login page.

3.2 RELATED WORK

3.2.1 Calculation of OTP:

A One Time Password (OTP) can be used. A one time password system can be a solution for this weakness: it generates a new password for every transaction and is based on two important factors:

(a) A PIN to unlock the OTP generator (something you know)
(b) The OTP smart card itself (something you have).

In this system, the QR code generated by the bank server is displayed on the client screen and is decoded by the user's mobile device. The QR code is embedded with the information regarding the current transaction, a timestamp and data unique to every user device, like the IMEI number.
We can get the data string from the QR code and append to it the IMEI number, which can be obtained from the mobile device. Then a hashing function like SHA-256 is used to create a hashed string of that data. Other hashing algorithms can also be used, but the longer the hash code, the more difficult it is for an attacker to guess the OTP. The hashed string comprises both digits and characters. We will select any 6 or 8 digits/characters or both from the generated hash and use them as the OTP.

25
Fig. OTP creation and validation

Same hash of the data will be created on server side also and compared for equivalence, ensuring
mutual authentication. If both OTPs are same, transaction is permitted.
Advantages of using hashing algorithm like SHA is same hash is never generated for same data in
consecutive attempts, so intercepting data and calculating hash won’t be possible for an attacker.

SHA-256("The quick brown fox jumps over the lazy dog")

0xd7a8fbb307d7809469ca9abcb0082e4f8d5651e46d3cdb762d02d0bf37c9e592

SHA-256("The quick brown fox jumps over the lazy dog.")

0xef537f25c895bfa782526529a9b63d97aa631564d5d789c2b765448c8635fb6c

So, as per the system, the OTP for the above will be 53725895 (using the first 8 digits).

The timestamp ensures that OTPs for transactions generated at different times will be different.
This OTP can also be called HOTP, as a hashing technique is used. We can also use HMAC codes, but
that would need an extra input to generate the output.
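The derivation described in this section, as an added example that is not code from the original project: it reproduces the page's 53725895 value and shows that SHA-256 returns the same digest for the same input, so the per-transaction variation comes from the timestamp carried in the hashed data. The function names, the field layout of the QR data string and the IMEI are constructed for illustration.

```python
import hashlib
import hmac


def sha256_hex(data: str) -> str:
    """Hex SHA-256 digest of a UTF-8 string."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def first_digits(hex_digest: str, n: int = 8) -> str:
    """Pick the first n decimal digits of the digest, skipping the letters a-f."""
    digits = [ch for ch in hex_digest if ch.isdigit()]
    if len(digits) < n:
        # Rare, but a digest is not guaranteed to contain n decimal digits.
        raise ValueError("digest contains fewer than %d decimal digits" % n)
    return "".join(digits[:n])


def derive_otp(qr_data: str, imei: str, n: int = 8) -> str:
    """OTP = first n digits of SHA-256(QR data string followed by the IMEI)."""
    return first_digits(sha256_hex(qr_data + imei), n)


def server_accepts(qr_data: str, imei_on_record: str, submitted_otp: str) -> bool:
    """Server side: recompute the OTP from its own copy of the inputs and compare."""
    expected = derive_otp(qr_data, imei_on_record)
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected.encode(), submitted_otp.encode())


# Constructed sample values (not from the page): transfer information, timestamp, IMEI.
QR_AT_T1 = "TI=pay:ACC-0001:150.00;T=2020-01-01T10:00:00Z"
QR_AT_T2 = "TI=pay:ACC-0001:150.00;T=2020-01-01T10:00:30Z"
SAMPLE_IMEI = "490154203237518"

if __name__ == "__main__":
    page_digest = sha256_hex("The quick brown fox jumps over the lazy dog.")
    print("page example OTP:", first_digits(page_digest))
    otp_t1 = derive_otp(QR_AT_T1, SAMPLE_IMEI)
    print("same input twice:", otp_t1, derive_otp(QR_AT_T1, SAMPLE_IMEI))
    print("later timestamp :", derive_otp(QR_AT_T2, SAMPLE_IMEI))
    print("server accepts  :", server_accepts(QR_AT_T1, SAMPLE_IMEI, otp_t1))
```

Anyone who holds the QR data string and the IMEI can recompute this value, which is why the page's remark about HMAC (a keyed hash with a secret as the extra input) matters.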

3.2.2 Database encryption:

One of the major security holes in many critical systems is database security. Even if an attacker
gains unauthorized access to the database, one more level of security can be added by encrypting the
database. While displaying contents, we decrypt the data and send it to the user.

Any of the available encryption algorithms can be used, but since a banking application makes many
database requests, encrypting and decrypting every time might put a large overhead on the
application. Care should therefore be taken to choose an algorithm that provides
sufficient security with little overhead.

Base-64 is one of the choices. The algorithm converts the data into byte code. The standard data
representation is 8 bits. We take 6-bit groups, convert them into characters and replace the original
data. Padding can be added at the end of the data if necessary. It represents data with 2^6 = 64
possible characters, hence the name Base-64.
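The 6-bit grouping and padding described above, written out as an added example (not code from the original project). The decoder takes no key, so the transformation is an encoding that any reader of the stored value can reverse; the sample record is constructed.

```python
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64_encode(data: bytes) -> str:
    """Encode bytes by regrouping 8-bit bytes into 6-bit values."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # Pack up to three bytes into one 24-bit number, zero-filled on the right.
        n = int.from_bytes(chunk + b"\x00" * (3 - len(chunk)), "big")
        # Cut the 24 bits into four 6-bit groups, each indexing the 64-character alphabet.
        sextets = [(n >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        keep = len(chunk) + 1  # 1 byte -> 2 characters, 2 -> 3, 3 -> 4
        out.append("".join(ALPHABET[s] for s in sextets[:keep]) + "=" * (4 - keep))
    return "".join(out)


def b64_decode(text: str) -> bytes:
    """Reverse the encoding. Note that no key or secret is involved."""
    bits = 0
    nbits = 0
    out = bytearray()
    for ch in text.rstrip("="):
        bits = (bits << 6) | ALPHABET.index(ch)
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1  # drop the bits already emitted
    return bytes(out)


# Constructed sample of a stored database field.
SAMPLE_RECORD = b"u_password=Secret#1"

if __name__ == "__main__":
    stored = b64_encode(SAMPLE_RECORD)
    print("stored   :", stored)
    print("stdlib   :", base64.b64encode(SAMPLE_RECORD).decode())
    print("recovered:", b64_decode(stored))
```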

Along with security, another advantage of Base-64 is that many internet systems don't allow all 128
characters in 8-bit representation, so Base-64 can be used for this purpose. It
embeds HTTP data in SSL (Secure Sockets Layer) packets. SSL groups data into small chunks,
compresses them and then encrypts them using asymmetric keys.
Asymmetric keys provide a high level of security for communication, as one key is used for
encryption and another for decryption. For key management, digital certificates are used; these are
legitimate documents provided by a certification authority (CA), containing user information and keys.
For asymmetric key generation, the RSA (Rivest-Shamir-Adleman) algorithm is used. Public keys are
embedded in the digital certificates of each end. Data is sent encrypted with the public key of the
receiver and can be decrypted only with the private key of the receiver, which is kept secret,
thus providing a high level of security.

Fig. Base-64 working

3.2.3 Secure Communication Channels:

Secure communication channels are as important as application security. The most
promising way to achieve this is to use digital certificates with a PKI architecture for the application.
PKI provides an additional encryption and signature. HTTPS communication.

5.3 QR-code processing:

The features of this code symbol are large capacity, small printout size and high-speed scanning.
A QR code comprises the following patterns:
finder pattern, timing pattern, format information, alignment pattern, and data cell.

Fig Structure of QR Code

Use of a QR code ensures that the data will be decoded by the legitimate user only, as a decoding
device is required to decode it.

3.2.1 Generating QR-code: The QR code is generated using the transaction information, timestamp
and random number, in the following steps:

(I) Conversion into binary format:

First we select the mode in which the QR code is to be generated, depending on the type of data:

1. Extended Channel Interpretation (ECI) Mode
2. Numeric Mode
3. Alphanumeric Mode
4. 8-bit Byte Mode
5. Kanji Mode

Each of the modes has different conversion functions to convert data into binary format.

(II) Appending error correction code words:

Divide the code word sequence into the required number of blocks to enable the error correction
algorithms to be processed. Generate the error correction code words for each block, appending the
error correction code words to the end of the data code word sequence.
One of the 4 levels of error recovery (L, M, Q, and H) is chosen to generate code words.

(III) Code word placement in matrix:

Data blocks are arranged into the QR code according to the chosen strategy: either into rectangular
blocks or irregular blocks, which can accommodate more data.

(IV) Masking:

The data is XORed with a predefined bit string so that dark and light modules are arranged in a
well-balanced manner in the symbol.

(V) Appending format information:

The Format Information is a 15-bit sequence containing 5 data bits, with 10 error correction bits
calculated using the (15, 5) BCH code.

(VI) Appending version information:

The Version Information is an 18-bit sequence containing 6 data bits, with 12 error correction bits
calculated using the (18, 6) BCH code.

For error detection and correction, Reed-Solomon codes of the data are also embedded in the QR
code. This gives error correction of up to 30%. The generator polynomial g(x) is defined by having
α, α^2, …, α^t as its roots; its expanded form is written out below, after the
perspective-transformation equations.
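The format and version information words from steps (V) and (VI), computed as an added example (not code from the original project). The generator polynomials, the XOR mask and the level bit codes are taken from the QR Code specification rather than from this page, and the function names are illustrative.

```python
FORMAT_GEN = 0x537     # x^10 + x^8 + x^5 + x^4 + x^2 + x + 1, generator of the (15, 5) code
FORMAT_MASK = 0x5412   # fixed mask XORed onto the 15-bit format word
VERSION_GEN = 0x1F25   # x^12 + x^11 + x^10 + x^9 + x^8 + x^5 + x^2 + 1, (18, 6) code
EC_LEVEL_BITS = {"L": 0b01, "M": 0b00, "Q": 0b11, "H": 0b10}


def poly_mod(value: int, gen: int) -> int:
    """Remainder of value(x) divided by gen(x), coefficients in GF(2) packed as bits."""
    deg = gen.bit_length() - 1
    while value.bit_length() > deg:
        value ^= gen << (value.bit_length() - 1 - deg)
    return value


def bch_encode(data: int, gen: int) -> int:
    """Systematic BCH codeword: data bits followed by the check bits."""
    shifted = data << (gen.bit_length() - 1)
    return shifted | poly_mod(shifted, gen)


def format_word(data: int) -> int:
    """15-bit masked format word for the 5 data bits (2 level bits, 3 mask bits)."""
    return bch_encode(data, FORMAT_GEN) ^ FORMAT_MASK


def format_info(ec_level: str, mask_pattern: int) -> int:
    if not 0 <= mask_pattern <= 7:
        raise ValueError("mask pattern must be 0..7")
    return format_word((EC_LEVEL_BITS[ec_level] << 3) | mask_pattern)


def version_info(version: int) -> int:
    """18-bit version word; only versions 7 to 40 carry one."""
    if not 7 <= version <= 40:
        raise ValueError("version information exists for versions 7..40 only")
    return bch_encode(version, VERSION_GEN)


def decode_format_info(received: int):
    """Nearest-codeword decoding: the (15, 5) code has distance 7, so up to
    3 flipped bits are corrected. Returns (level, mask) or None if unreadable."""
    distance, data = min(
        (bin(format_word(d) ^ received).count("1"), d) for d in range(32)
    )
    if distance > 3:
        return None
    levels = {bits: name for name, bits in EC_LEVEL_BITS.items()}
    return levels[data >> 3], data & 0b111


if __name__ == "__main__":
    word = format_info("L", 0)
    print("format L/mask 0 :", format(word, "015b"))
    print("version 7       :", format(version_info(7), "018b"))
    damaged = word ^ 0b100000100000001  # three flipped modules
    print("decoded damaged :", decode_format_info(damaged))
```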
Scanning can be done using the following five steps:

(I) Pre-processing:

The gray-level histogram calculation is adopted.

(II) Corner marks detection:

Three marked corners are detected using the finder pattern.

(III) Fourth corner estimation:

The fourth corner is detected using the special algorithm.

(IV) Inverse perspective transformation:

Inverse transformation is adopted based on the obtained corner geometry positions to normalize the
size of the code.

(V) Scanning of code:

Sample the inside of the code and output the normalized bi-level code data to the host CPU. The input
image has a deformed shape because it is captured by the embedded camera device, and we use the
inverse perspective transformation to normalize the code shape. This equation is shown as follows:

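$$u = \frac{c_0 x + c_1 y + c_2}{c_6 x + c_7 y + 1}$$

$$v = \frac{c_3 x + c_4 y + c_5}{c_6 x + c_7 y + 1}$$

$$g(x) = (x - \alpha)(x - \alpha^2)\cdots(x - \alpha^t) = g_0 + g_1 x + \cdots + g_{t-1}x^{t-1} + x^t$$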

The transmitter sends the N − 1 coefficients of s(x) = p(x) g(x), and the receiver can use polynomial
division by g(x) of the received polynomial to determine whether the message is in error; a non-zero
remainder means that an error was detected. Let r(x) be the non-zero remainder polynomial; then the
receiver can evaluate r(x) at the roots of g(x) and build a system of equations that eliminates s(x) and
identifies which coefficients of r(x) are in error, and the magnitude of each coefficient's error.
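The generator polynomial and the remainder check above, carried through as an added example (not code from the original project) for t = 2, where evaluating at the two roots locates and repairs a single corrupted coefficient. It assumes GF(2^8) with the field polynomial 0x11D, which the page does not specify; the function names and the message are constructed.

```python
PRIM = 0x11D  # assumed field polynomial x^8 + x^4 + x^3 + x^2 + 1

# Power and logarithm tables for the primitive element alpha = 2.
EXP = [0] * 512
LOG = [0] * 256
_x = 1
for _i in range(255):
    EXP[_i] = _x
    LOG[_x] = _i
    _x <<= 1
    if _x & 0x100:
        _x ^= PRIM
for _i in range(255, 512):
    EXP[_i] = EXP[_i - 255]


def gf_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]


def gf_div(a, b):
    if b == 0:
        raise ZeroDivisionError("division by zero in GF(256)")
    return 0 if a == 0 else EXP[(LOG[a] - LOG[b]) % 255]


# Polynomials are lists of coefficients, lowest power first: [g0, g1, ..., 1].
def poly_mul(p, q):
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] ^= gf_mul(a, b)
    return out


def poly_eval(p, x):
    y = 0
    for c in reversed(p):  # Horner's rule, highest power first
        y = gf_mul(y, x) ^ c
    return y


def generator_poly(t):
    """g(x) = (x - alpha)(x - alpha^2)...(x - alpha^t); minus equals plus here."""
    g = [1]
    for i in range(1, t + 1):
        g = poly_mul(g, [EXP[i], 1])
    return g


def poly_rem(p, g):
    """Remainder of p(x) divided by the monic polynomial g(x)."""
    r = list(p)
    d = len(g) - 1
    for k in range(len(r) - 1, d - 1, -1):
        coef = r[k]
        if coef:
            for j, gj in enumerate(g):
                r[k - d + j] ^= gf_mul(coef, gj)
    return r[:d]


def encode(message, t):
    """Transmitter: s(x) = p(x) g(x)."""
    return poly_mul(message, generator_poly(t))


def syndromes(received, t):
    """Received polynomial evaluated at the roots of g(x); all zero when intact."""
    return [poly_eval(received, EXP[i]) for i in range(1, t + 1)]


def locate_single_error(received):
    """For t = 2: S1 = e*alpha^j and S2 = e*alpha^(2j) give position j and magnitude e."""
    s1, s2 = syndromes(received, 2)
    if s1 == 0 and s2 == 0:
        return None
    if s1 == 0 or s2 == 0:
        raise ValueError("more than one coefficient is in error")
    position = LOG[gf_div(s2, s1)]
    if position >= len(received):
        raise ValueError("more than one coefficient is in error")
    return position, gf_div(gf_mul(s1, s1), s2)


if __name__ == "__main__":
    sent = encode(list(b"OTP42"), 2)      # constructed message
    received = list(sent)
    received[3] ^= 0x5A                   # corrupt one coefficient in transit
    print("g(x)      :", generator_poly(2))
    print("remainder :", poly_rem(received, generator_poly(2)))
    pos, mag = locate_single_error(received)
    received[pos] ^= mag
    print("repaired  :", received == sent)
```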

3.2.2 Scanning of QR-code:

QR-code detection consists of five procedures, starting from the image captured by the
camera and ending with data extraction. What makes this task challenging is that the captured image
may not be of good quality or might be deformed, either by limitations of the device or by a naïve user.

Fig. 5. Steps in QR-code scanning

where (u, v) are the coordinates in the original image, which is deformed, and (x, y) are the
normalized coordinates. In the above equations, the coefficients c0 ∼ c7 can be obtained from the
following four point pairs:
A(x0, y0) ⇔ A′(u0, v0),
B(x1, y1) ⇔ B′(u1, v1),
C(x2, y2) ⇔ C′(u2, v2),
D(x3, y3) ⇔ D′(u3, v3)

3.2.3 QR-code decoding:

The QR code is encoded with an encryption key and is then decoded with the private key at the
user's end to obtain the data. Decoding is the exact opposite of encoding: scanning the different
sections according to the format of the QR code, checking the data against the error correction codes
and recovering lost data from redundant locations are all done while decoding.
The random number is matched with the number sent along with the message, and if they match, the
message is valid. The timestamp is read from the message to synchronize with the server. From the
information in the QR code, such as TI and T, and the IMEI number of the mobile device, the OTP is
generated on the device and displayed to the user. The user then enters it into the desktop application,
and it is sent to the CA, where the OTP for the current transaction is also generated and matched with
the one sent by the user application. If they are the same, the transaction is completed.
Other functionalities required by any banking application, such as user registration, managing user
accounts and viewing a transaction summary, should be added to the application, and an application
ensuring authentic, secure transactions, storage and communication can be developed.

3.3 Authentication Scheme

There are four types of authentication schemes: local authentication, centralized authentication,
global centralized authentication, global authentication and web application (portal).

When using a local authentication scheme, the application retains the data that pertains to the user's
credentials. This information is not usually shared with other applications. The onus is on the user to
maintain and remember the types and number of credentials that are associated with the service
that they need to access. This is a high-risk scheme because of the possibility that the storage area
for passwords might become compromised.

Using the central authentication scheme allows each user to use the same credentials to access
various services. Each application is different and must be designed with interfaces and the ability to
interact with a central system to successfully provide authentication for the user. This allows the user
to access important information and to access private keys that will allow him or her to
electronically sign documents.

Using a third party through a global centralized authentication scheme allows the user direct access
to authentication services. This then allows the user to access the particular services they need.

The most secure scheme is the global centralized authentication and web application (portal). It is
ideal for E-Government use because it allows a wide range of services. It uses a single authentication
mechanism involving a minimum of two factors to allow access to required services and the ability
to sign documents.

The system consists of a web service that generates alphanumeric OTPs using pseudorandom
numbers and the current timestamp. Use of the timestamp further assures the security and uniqueness
of the OTP. The alphanumeric password string is then encrypted using the Advanced Encryption
Standard (AES). The key for the algorithm is the ATM PIN of the user, since it is unique for every user
and can be obtained by the Bank Server in every login session through the account number. The AES
algorithm is used here since it not only provides higher security but also improves performance in
such critical systems. The encrypted string is then converted to a QR image by the Bank Server. It is
then sent to the concerned user by email via SMTP. The user downloads the
QR code image and uploads it in the standard application made available to him by the net-banking
provider. The application provides space for the QR image to be uploaded, and the user then enters
his ATM PIN, which is used to decrypt the string read from the QR code. The validation of the PIN is
carried out by sending a request to the bank server. If the ATM PIN is entered correctly, the application
displays the OTP that was generated for the session. The user then enters the OTP for net-banking and
completes authentication. Then any type of transaction can be carried out online on the service
provider's website.

Fig. : Sequence diagram for proposed authentication scheme

Fig. : Workflow of proposed authentication scheme

Fig. : OTP in the form of an AES encrypted QR code.

Fig. : Decrypting encrypted QR code using QR code reader

3.4 Authentication Factors

There are three generally accepted factors that are used to establish a digital identity for electronic
authentication, including:

• Knowledge factor, which is something that the user knows, such as a password, answers to
challenge questions, ID numbers or a PIN.
• Possession factor, which is something that the user has, such as a mobile phone, PC or token.
• Biometric factor, which is something that the user is, such as his or her fingerprints, eye scan
or voice pattern.

• Out of the three factors, the biometric factor is the most convenient and convincing to prove
an individual's identity.

• However, having to rely on this sole factor can be expensive to sustain. Although each factor has
its own unique weaknesses, combining two or more factors allows for reliable authentication.

• It is always recommended to use multifactor authentication for that reason.

CHAPTER FOUR

CODING & TESTING

4.1 Coding

The design must be translated into a machine-readable form. The code generation step performs this
task. If the design is performed in a detailed manner, code generation can be accomplished without
much complication.

4.1.1 Code Inspection

An inspection is one of the most common sorts of review practices found in software projects. The
goal of the inspection is for all of the inspectors to reach consensus on a work product and approve it
for use in the project. Commonly inspected work products include software requirements
specifications and test plans. In an inspection, a work product is selected for review and a team is
gathered for an inspection meeting to review the work product. A moderator is chosen to moderate
the meeting. Each inspector prepares for the meeting by reading the work product and noting each
defect. The goal of the inspection is to identify defects. In an inspection, a defect is any part of the
work product that will keep an inspector from approving it. For example, if the team is inspecting a
software requirements specification, each defect will be text in the document which an inspector
disagrees with. The stages in the inspection process are: Planning, Overview meeting, Preparation,
Inspection meeting, Rework and Follow-up. The Preparation, Inspection meeting and Rework stages
might be iterated.

➢ Planning: The inspection is planned by the moderator.


➢ Preparation: Each inspector examines the work product to identify possible defects.
➢ Inspection meeting: During this meeting the reader reads through the work product, part by part
and the inspectors point out the defects for every part.
➢ Rework: The author makes changes to the work product according to the action plans from
the inspection meeting.
➢ Follow-up: The changes by the author are checked to make sure everything is correct.

4.1.2 Source code: please refer to Appendix [A]

4.2 Testing
Software testing is any activity aimed at evaluating an attribute or capability of a program or system
and determining that it meets its required results. Although crucial to software quality and widely
deployed by programmers and testers, software testing still remains an art, due to limited
understanding of the principles of software. The difficulty in software testing stems from the
complexity of software: we cannot completely test a program with moderate complexity. Testing is
more than just debugging. The purpose of testing can be quality assurance, verification and
validation, or reliability estimation. Testing can be used as a generic metric as well. Software testing
is a trade-off between budget, time and quality.

4.2.1 Testing Objectives

It is a process of executing a program with the intent of finding errors.

➢ A good test case is one that has a high probability of finding an as-yet-undiscovered error.
➢ A successful test is one that uncovers an as-yet-undiscovered error.

4.2.2 Black Box Testing

When computer software is considered, black box testing alludes to tests that are conducted at the
software interface. Although they are designed to uncover errors, black box tests are used to
demonstrate that the software functions are operational, that input is properly accepted and output is
correctly produced, and that the integrity of external information (e.g. a database) is maintained.

4.2.2 White Box Testing


White box testing of software is predicated on close examination of procedural detail. Providing test
cases that exercise specific sets of conditions and/or loops tests logical paths through the software.
The main disadvantage of white box testing is that even for smaller programs the number of logical
paths can be very large.

CHAPTER FIVE

CONCLUSION & FUTURE ENHANCEMENT

After analyzing the data collected, it is imperative to theoretically conclude on the relevant findings,
as well as their respective implications for the industry and body of academic research in question.
Moreover, this chapter presents the study and guidelines for future research.

5.1 Conclusions & Suggestions

➢ In our project we have proposed a secure and reliable authentication scheme for net-banking
through QR codes and OTPs. In recent years there has been a steep increase in the number of
net-banking users.
➢ Hence the proposed system satisfies the high security requirements of online users and
protects them against various security attacks. Also, the system does not require any technical
prerequisite, which makes it very user friendly.
➢ Hence the E-Authentication system proves to be versatile and at the same time beneficial both for
customers in terms of security and for vendors in terms of increasing their efficiency. Hence it is
most widely used to advertise and market the products by most businesses.

OTPs are transmitted in the form of an image, which makes it complex for an intruder to detect the
presence of secured information. The OTP is sent to the concerned user through an email message.
Net-banking users can conveniently access their email accounts and obtain the QR code containing the
encrypted OTP. Hence, under a secure transmission of the QR code, it can only be interpreted by the
application software deployed by the bank with the QR image. Usage of the AES algorithm for
encrypting the one-time password further enhances the security of the system. The proposed scheme
has a higher degree of complexity than all existing systems, and clearly the time required to crack the
scheme will be more than the useful lifetime of OTPs.
OTPs are generated for a session and have a short lifetime. It is not possible to use an OTP after its
expiry. The popularity of QR codes makes the method user friendly. Even a novice user with a basic
understanding of using a computer system can adapt to it.

5.2. Future Enhancement

Nowadays, the use of e-authentication applications has increased. Security is an important issue in
handling such services. The current system provides a security-card-based facility to authenticate the
user, but this is not very secure and will not be available at any time or in any situation. To overcome
such issues we propose an e-authentication system using QR code and OTP. The bank generates the
QR code using the transfer information entered by the user; the user then needs to read the code
using their mobile phone, after which the OTP code is generated on the mobile phone using the transfer
information and the hashed mobile device number of the user. Finally, the user terminates the transfer
by typing the generated OTP code on the screen.
For any system, the security it provides and the system overhead are two sides of a coin and should be
considered equally while developing critical information of transfer (TI) and the requested time of
transfer (T).
Visual cryptography is the method through which an image is converted into two or more images.
The original image can be obtained by overlaying all these images over one another physically. The act
of overlaying an image over another can also be performed through software programs. Visual
cryptography can be applied to convert the QR code into two images, and both these images can then
be transmitted separately. Even if an intruder manages to get one of the images, he won't be able to
crack the scheme without knowledge of the other corresponding part of the image. Thus visual
cryptography can be applied to further enhance the security of the entire system. Further, a Java
application to decrypt the QR code image can be deployed as a cloud application and can be made
available to the intended audience easily.

APPENDIX [A] – SOURCE CODE
/////////////-------------Login Page---------/////////////

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;
using System.Data.SqlClient;
using System.Net.Mail;
using QRCoder;
using System.IO;
using System.Drawing;
using System.Drawing.Imaging;

public partial class production_e_login : System.Web.UI.Page
{
    SqlConnection con = new SqlConnection(@"data source=.;initial catalog=e_authentication;integrated security=true;");

    protected void Page_Load(object sender, EventArgs e)
    {
        // While the login button is visible no user login is in progress: clear stale per-user state.
        if (btnlogin.Visible == true)
        {
            Session.Remove("otp");
            Session.Remove("u_name");
            Session.Remove("id");
            Session.Remove("u_mobile");
            Session.Remove("u_email");
        }

        if (!IsPostBack)
        {
            if (Session["user_id"] == null)
            {
                Response.Redirect("index.aspx");
            }
            else
            {
                Label1.Visible = false;
                chkqrcode.Visible = false;
                chkotp.Visible = false;
                btnproceed.Visible = false;
            }
        }
    }

    protected void btnlogin_Click(object sender, EventArgs e)
    {
        // Parameterized query: the submitted values are bound as data, not concatenated into the SQL text.
        SqlDataAdapter adap = new SqlDataAdapter(
            "select * from u_registration where u_email=@u_email and u_password=@u_password", con);
        adap.SelectCommand.Parameters.AddWithValue("@u_email", txtid.Value);
        adap.SelectCommand.Parameters.AddWithValue("@u_password", txtpassword.Value);
        DataTable dt = new DataTable();
        adap.Fill(dt);
        if (dt.Rows.Count > 0)
        {
            Session["id"] = txtid.Value;
            Session["unique_id"] = dt.Rows[0]["id"].ToString();
            Session["u_name"] = dt.Rows[0]["u_name"].ToString();
            Session["u_mobile"] = dt.Rows[0]["u_mobile"].ToString();
            Session["u_email"] = dt.Rows[0]["u_email"].ToString();
            Session["date"] = dt.Rows[0]["date"].ToString();
            txtid.Disabled = true;
            txtpassword.Disabled = true;
            btnlogin.Visible = false;
            Label1.Visible = true;
            chkqrcode.Visible = true;
            chkotp.Visible = true;
            btnproceed.Visible = true;
        }
        else
        {
            Response.Write("<script>alert('Invalid Id Or Password')</script>");
        }
    }

    // The two checkboxes are mutually exclusive: ticking one clears the other.
    protected void chkqrcode_CheckedChanged(object sender, EventArgs e)
    {
        if (chkqrcode.Checked == true)
        {
            chkotp.Checked = false;
        }
    }

    protected void chkotp_CheckedChanged(object sender, EventArgs e)
    {
        if (chkotp.Checked == true)
        {
            chkqrcode.Checked = false;
        }
    }

    protected void btnproceed_Click(object sender, EventArgs e)
    {
        //try
        //{
        if (chkotp.Checked == true)
        {
            otp();

            using (MailMessage mailMessage = new MailMessage())
            {
                mailMessage.From = new MailAddress(Session["user_id"].ToString());
                mailMessage.Subject = "OTP For Log In";
                mailMessage.Body = lblotp.Text;
                mailMessage.IsBodyHtml = true;
                mailMessage.To.Add(new MailAddress(Session["id"].ToString()));

                SmtpClient smtp = new SmtpClient();
                smtp.Host = "smtp.gmail.com";
                smtp.EnableSsl = true;
                System.Net.NetworkCredential NetworkCred = new System.Net.NetworkCredential();
                NetworkCred.UserName = mailMessage.From.Address;
                NetworkCred.Password = Session["u_pass"].ToString();
                smtp.UseDefaultCredentials = true;
                smtp.Credentials = NetworkCred;
                smtp.Port = 587;
                smtp.Send(mailMessage);
            }
            Response.Write("<script>alert('OTP Sent')</script>");
            Response.Redirect("~/production/otp.aspx");
        }
        else if (chkqrcode.Checked == true)
        {
            // NOTE: System.Random is not a cryptographic generator; a login code should come from a CSPRNG.
            Random r = new Random();
            string charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890#@&";
            string code = new string(Enumerable.Repeat(charset, 6).Select(a => a[r.Next(a.Length)]).ToArray());
            // Keep the code in the session so that otp.aspx has a value to compare the user's input with.
            Session["otp"] = code;
            QRCodeGenerator qrGenerator = new QRCodeGenerator();
            QRCodeGenerator.QRCode qrCode = qrGenerator.CreateQrCode(code, QRCodeGenerator.ECCLevel.Q);
            System.Web.UI.WebControls.Image imgBarCode = new System.Web.UI.WebControls.Image();
            imgBarCode.Height = 150;
            imgBarCode.Width = 150;
            using (Bitmap bitMap = qrCode.GetGraphic(20))
            {
                // Guid.NewGuid() gives a fresh file name per login; new Guid() is always the all-zero GUID.
                Guid unique = Guid.NewGuid();
                string qrPath = Server.MapPath("~/Production/Images2/" + unique + ".png");
                bitMap.Save(qrPath, ImageFormat.Png);

                using (MailMessage mailMessage = new MailMessage())
                {
                    mailMessage.From = new MailAddress(Session["user_id"].ToString());
                    mailMessage.Subject = "OTP For Log In";
                    mailMessage.Body = " <html><body><p> QR code as below</p><p><img src='http://localhost:1091/gentelella-master/production/Images2/" + unique + ".png' alt='QR Code'/></p></body></html> ";
                    mailMessage.IsBodyHtml = true;
                    mailMessage.To.Add(new MailAddress(Session["id"].ToString()));
                    // Attach the PNG that was just written to disk.
                    Attachment data = new Attachment(qrPath);
                    mailMessage.Attachments.Add(data);

                    SmtpClient smtp = new SmtpClient();
                    smtp.Host = "smtp.gmail.com";
                    smtp.EnableSsl = true;
                    System.Net.NetworkCredential NetworkCred = new System.Net.NetworkCredential();
                    NetworkCred.UserName = mailMessage.From.Address;
                    NetworkCred.Password = Session["u_pass"].ToString();
                    smtp.UseDefaultCredentials = true;
                    smtp.Credentials = NetworkCred;
                    smtp.Port = 587;
                    smtp.Send(mailMessage);
                }
                Response.Write("<script>alert('QR-CODE Sent')</script>");
                Response.Redirect("~/production/otp.aspx");
            }
        }
        //catch (Exception ex)
        //{
        //}
    }

    // Generates a 6-character OTP, shows it in lblotp and stores it in the session.
    protected void otp()
    {
        // NOTE: System.Random is not a cryptographic generator; an OTP should come from a CSPRNG.
        Random r = new Random();
        string charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890#@&";
        lblotp.Text = new string(Enumerable.Repeat(charset, 6).Select(a => a[r.Next(a.Length)]).ToArray());
        Session["otp"] = lblotp.Text;
    }

    // Renders a QR code for a random 6-character code directly on the page as a data: URL.
    protected void qr_code()
    {
        Random r = new Random();
        string charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890#@&";
        string code = new string(Enumerable.Repeat(charset, 6).Select(a => a[r.Next(a.Length)]).ToArray());
        QRCodeGenerator qrGenerator = new QRCodeGenerator();
        QRCodeGenerator.QRCode qrCode = qrGenerator.CreateQrCode(code, QRCodeGenerator.ECCLevel.Q);
        System.Web.UI.WebControls.Image imgBarCode = new System.Web.UI.WebControls.Image();
        imgBarCode.Height = 150;
        imgBarCode.Width = 150;

        using (Bitmap bitMap = qrCode.GetGraphic(20))
        {
            using (MemoryStream ms = new MemoryStream())
            {
                bitMap.Save(ms, System.Drawing.Imaging.ImageFormat.Png);
                byte[] byteImage = ms.ToArray();
                imgBarCode.ImageUrl = "data:image/png;base64," + Convert.ToBase64String(byteImage);
            }
            plBarCode.Controls.Add(imgBarCode);
        }
    }
}
/////////////-------------Login Page---------/////////////

/////////////-------------Home Page---------/////////////

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;
using System.Data.SqlClient;

public partial class production_home : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // Send visitors without an admin session back to the admin login page.
            if (Session["user_id"] == null)
            {
                Response.Redirect("index.aspx");
            }
        }
    }
}
/////////////-------------Home Page---------/////////////

////////////--------------Admin Login Page----------/////////////

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;
using System.Data.SqlClient;

public partial class production_index : System.Web.UI.Page
{
    SqlConnection con = new SqlConnection(@"data source=.;initial catalog=e_authentication;integrated security=true;");

    protected void Page_Load(object sender, EventArgs e)
    {
    }

    protected void btnlogin_Click(object sender, EventArgs e)
    {
        // Parameterized query: the submitted values are bound as data, not concatenated into the SQL text.
        SqlDataAdapter adap = new SqlDataAdapter(
            "select * from log_in where user_id=@user_id and password=@password", con);
        adap.SelectCommand.Parameters.AddWithValue("@user_id", txtid.Value);
        adap.SelectCommand.Parameters.AddWithValue("@password", txtpassword.Value);
        DataTable dt = new DataTable();
        adap.Fill(dt);
        if (dt.Rows.Count > 0)
        {
            Session["user_id"] = txtid.Value;
            Session["u_pass"] = txtpassword.Value;
            Response.Redirect("home.aspx");
        }
        else
        {
            Response.Write("<script>alert('Invalid Id Or Password')</script>");
        }
    }
}

////////////--------------Admin Login Page----------/////////////

////////////--------------OTP Page----------/////////////

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.HtmlControls;

public partial class production_otp : System.Web.UI.Page
{
    int second = 0;

    protected void Page_Load(object sender, EventArgs e)
    {
        // Send the browser back to the login page after 30 seconds.
        HtmlMeta meta = new HtmlMeta();
        meta.HttpEquiv = "Refresh";
        meta.Content = "30;url=e_login.aspx";
        this.Page.Controls.Add(meta);
        if (!IsPostBack)
        {
            if (Session["user_id"] == null)
            {
                Response.Redirect("~/production/index.aspx");
            }
        }
    }

    protected void btnlogin_Click(object sender, EventArgs e)
    {
        try
        {
            if (Session["otp"] != null && Session["otp"].ToString() == txtotp.Value)
            {
                Response.Redirect("~/production/Profile.aspx");
            }
            else
            {
                // Clear the session state first: Response.Redirect ends the request, so nothing after it runs.
                Session.Remove("otp");
                Session.Remove("u_name");
                Session.Remove("id");
                Response.Write("<script>alert('Invalid OTP')</script>");
                Response.Redirect("~/production/e_login.aspx");
            }
        }
        catch (Exception ex)
        {
        }
    }
}

////////////--------------OTP Page----------/////////////
////////////--------------Profile Page----------/////////////

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;
using System.Data.SqlClient;

public partial class production_Profile : System.Web.UI.Page
{
    SqlConnection con = new SqlConnection(@"data source=.;initial catalog=e_authentication;integrated security=true;");

    protected void Page_Load(object sender, EventArgs e)
    {
        // Only the admin session is checked here; this page does not itself confirm
        // that the OTP/QR step on otp.aspx was passed.
        if (Session["user_id"] == null)
        {
            Response.Redirect("index.aspx");
        }

        lblname1.Text = Session["u_name"].ToString();
        lblmob1.Text = Session["u_mobile"].ToString();
        lblmailid1.Text = Session["u_email"].ToString();
        lbldate1.Text = Session["date"].ToString();
    }

    protected void btnproceed_Click(object sender, EventArgs e)
    {
        // Log the user out: drop the per-user session values and return to the login page.
        Session.Remove("u_name");
        Session.Remove("u_mobile");
        Session.Remove("u_email");
        Session.Remove("date");
        Response.Redirect("~/production/e_login.aspx");
    }

    protected void btnchangepass_Click(object sender, EventArgs e)
    {
        Response.Redirect("~/production/change_password.aspx");
    }
}

////////////--------------Profile Page----------/////////////

////////////--------------Registration Page----------/////////////

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;
using System.Data.SqlClient;

public partial class production_registration : System.Web.UI.Page
{
    SqlConnection con = new SqlConnection(@"data source=.;initial catalog=e_authentication;integrated security=true;");

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            if (Session["user_id"] == null)
            {
                Response.Redirect("~/production/index.aspx");
            }
        }
    }

    protected void btnsubmit_Click(object sender, EventArgs e)
    {
        try
        {
            // The "registration" stored procedure receives every field as a bound parameter.
            SqlCommand cmd = new SqlCommand("registration", con);
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.AddWithValue("@u_name", txtname.Text);
            cmd.Parameters.AddWithValue("@u_email", txtmailid.Text);
            cmd.Parameters.AddWithValue("@u_mobile", txtmob.Text);
            cmd.Parameters.AddWithValue("@date", txtdate.Text);
            cmd.Parameters.AddWithValue("@u_password", txtpass.Text);
            con.Open();
            cmd.ExecuteNonQuery();
            con.Close();
            txtname.Text = "";
            txtmailid.Text = "";
            txtmob.Text = "";
            txtpass.Text = "";
            txtdate.Text = "";
            Response.Write("<script>alert('User Registered Successfully')</script>");
        }
        catch (Exception ex)
        {
        }
    }
}
////////////--------------Registration Page----------/////////////

////////////--------------Update Page Of User----------/////////////

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;
using System.Data.SqlClient;

public partial class production_user_update : System.Web.UI.Page
{
    SqlConnection con = new SqlConnection(@"data source=.;initial catalog=e_authentication;integrated security=true;");

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            if (Session["user_id"] == null)
            {
                Response.Redirect("~/production/index.aspx");
            }
            else
            {
                bind();
            }
        }
    }

    protected void GridView1_RowDeleting(object sender, GridViewDeleteEventArgs e)
    {
        Label lblname = (Label)GridView1.Rows[e.RowIndex].FindControl("lblname");
        Label lblnumber = (Label)GridView1.Rows[e.RowIndex].FindControl("lblnumber");
        Label lblid = (Label)GridView1.Rows[e.RowIndex].FindControl("lblid");
        // Parameterized delete: the row values are bound as data, not concatenated into the SQL text.
        SqlCommand cmd = new SqlCommand(
            "delete from u_registration where u_name=@u_name and u_mobile=@u_mobile and u_email=@u_email", con);
        cmd.Parameters.AddWithValue("@u_name", lblname.Text);
        cmd.Parameters.AddWithValue("@u_mobile", lblnumber.Text);
        cmd.Parameters.AddWithValue("@u_email", lblid.Text);
        con.Open();
        cmd.ExecuteNonQuery();
        con.Close();
        bind();
    }

    // Reloads the grid with all registered users.
    protected void bind()
    {
        SqlDataAdapter adap = new SqlDataAdapter("select * from u_registration", con);
        DataSet ds = new DataSet();
        adap.Fill(ds);
        GridView1.DataSource = ds;
        GridView1.DataBind();
    }
}
////////////--------------Update Page Of User----------/////////////

////////////--------------Change PassWord Page----------/////////////

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;
using System.Data.SqlClient;

public partial class production_change_password : System.Web.UI.Page
{
    SqlConnection con = new SqlConnection(@"data source=COMPAQ-PC;initial catalog=e_authentication;integrated security=true;");

    protected void Page_Load(object sender, EventArgs e)
    {
    }

    protected void btnsubmit_Click(object sender, EventArgs e)
    {
        // The command is attached to the connection and takes its values as
        // parameters rather than as concatenated SQL text.
        SqlCommand cmd = new SqlCommand("update u_registration set u_password=@u_password where id=@id and u_name=@u_name", con);
        // The new password is written to u_password exactly as typed.
        cmd.Parameters.AddWithValue("@u_password", txtnewpass.Text.Trim());
        cmd.Parameters.AddWithValue("@id", Session["unique_id"].ToString());
        cmd.Parameters.AddWithValue("@u_name", Session["u_name"].ToString());
        con.Open();
        cmd.ExecuteNonQuery();
        // Close before redirecting: Response.Redirect ends the request.
        con.Close();
        Response.Redirect("~/production/Profile.aspx");
    }
}

////////////--------------Change PassWord Page----------/////////////


APPENDIX [A] – OUTPUT SCREENSHOTS

1. Home Page
2. Login Page
3. New Registration
4. Update User
5. Login via OTP or QR Code
6. Login via OTP
7. OTP on Mail
8. OTP Verification
9. Welcome User
10. Login via QR-Code
11. QR-Code on Mail
