The document proposes an advanced authentication solution for securing access to an e-government web portal. It suggests using a multi-step two-factor authentication system combining something the user knows (password) with something the user has (mobile phone). The system would generate one-time passwords and send them via SMS along with session details. An additional image-based step is included. Testing showed mobile SMS to have high delivery strength and usability for public users. The proposed solution aims to provide strong, usable authentication while avoiding drawbacks of traditional two-factor approaches.
Securing e-Government Web Portal Access Using Enhanced Authentication System
1. SECURING E-GOVERNMENT WEB PORTAL ACCESS USING ENHANCED AUTHENTICATION SYSTEM
Thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in Information Technology Engineering.
The Libyan Academy
School of Engineering and Applied Science
Department of Electrical and Computer Engineering
Division of Information Technology
By: Hamdi Ahmed Jaber
Under Supervision of: Dr. Elbahlul Fgee
2. Introduction
The thesis proposes an advanced authentication solution that enhances the security of authenticating the users of the e-government web portal and avoids the drawbacks of two-factor authentication systems that have not been covered in previous studies.
3. User ID and password is the most commonly used authentication mechanism.
• A password authentication mechanism has many shortcomings.
• Passwords are on the verge of breaking down, especially in web environments.
• They are not secure enough for large, sensitive systems such as e-government, banking and online payment systems.
4. Two-factor authentication is an approach to authentication that requires the presentation of two or more of the three authentication factors:
• a knowledge factor (something only the user knows)
• a possession factor (something only the user has)
• an inherence factor (something only the user is).
After the first factor is presented, the other factor is required to validate the user's identity.

Something a user knows    Something a user has    Something a user is
Password                  Smart card              Fingerprints
PIN                       Cryptographic key       Retina
Secret question           USB token               Iris
                          SIM card                Face
                          OTP generator           Hand geometry
5. Problem statement:
Armor the e-government web portal with a two-factor authentication system that avoids the following drawbacks of TFA:
• Cryptographic attacks: these attacks directly target the cryptographic algorithms.
• Untrustworthy interface (phishing): Trojans, viruses and key logging.
• Theft/loss of the authentication token.
• Man-in-the-middle attacks.
• Eavesdropping: the communication between two contactless devices can be eavesdropped from a certain distance.
6. Motivation
Provide shielding for the e-government web portal and its users from known security attacks that try to gain access to their accounts.
Provide a strong, secure e-government web portal authentication system that avoids the drawbacks of traditional two-factor authentication methods.
Obtain a higher authentication security guarantee than when using a static password only or traditional two-factor authentication technologies.
7. Proposed Solution
This thesis proposes an advanced authentication system that has high security and decreases the risk of illegal access to the e-government web portal by using a multi-step authentication system that involves two authentication factors:
a. Something only the account owner (user) knows
b. Something only the account owner (user) has or receives
It also provides a specially designed image-based authentication step as an added layer of security to resist illegal authentication threats.
8. Internet portals' general security needs
• Authentication: the process of verifying that the user is who they claim to be.
• Authorization: the process of verifying that the user has the rights to do what they are trying to do.
• Confidentiality: the capability to prevent unauthorized access to information.
• Integrity: the capability to prevent unauthorized modification of the data.
• Traceability: the capability to log the details of every transaction for auditing.
Note: This thesis is about securing the authentication process.
10. Two-factor authentication success criteria
• Customer acceptance
• Token management difficulty
• Credential replacement
• System costs
Also, tamper evidence, detection and response play an important role in the security of authentication methods. The solution will provide strong detection of, and response to, any illegal attempt to access the system.
11. Authentication technologies
• Shared secret
• Digital certificate
• One-Time Password (OTP)
• Tokens with display (disconnected tokens)
• Connected tokens
• Magnetic stripe cards
• Software tokens
• Mobile phones
• Biometrics
• Image based authentication
12. Methods using mobile phones
• One time password via SMS
• One time password via phone calls
• Mobile application/software token
• Push notification
• Mobile signature
13. Targeted Solution
An advanced multi-step two-factor authentication system that prevents unauthorized access to the system, or reduces it, even when the attacker has the correct login credentials (ID/password) and can overcome the second authentication factor.
The solution will be usable with the e-government web portal and can be distributed among the public users of such a huge system. It is affordable and easy to implement and use for ordinary people.
14. The thesis gathered data from:
• Tests of methods that are widely used in two-factor authentication systems
• Online survey
• Previous studies
• Technical comparisons and trade-offs
• Implementation of the designed solution
15. Required criteria for an e-government web portal TFA system
• Ease of distribution to the public
• Cost effectiveness
• Usability
• Strength of delivery
• Authentication process time
16. Compared second factor authentication
methods:
• Disconnected hardware token
• Connected hardware token
• Short messaging system (SMS)
• Mobile phone software token
• Smartphone push notification
• E-mail message
• Biometric (Fingerprint)
• Biometric (Iris recognition)
17. Tested authentication methods:
• Mobile phone software token
• Short messaging system (SMS)
• Smartphone push notification
• E-mail message
18. Technical aspects: Cost effectiveness for the
system owner and system users
• Implementation cost
• Token issuance cost
• Maintenance cost
• Token replacement cost
22. Technical aspects: Usability attributes per
ISO 9241-11
• Effectiveness: The users can do the tasks
without making mistakes
• Efficiency: The users can complete the tasks
in a reasonable time and effort
• Satisfaction: The user finds the product to be
effective and efficient
23. Technical aspects: Two-factor authentication usability criteria
• Need of special end user hardware token
• Need of special end user reader
• Need of special software/driver
• Need of end user training/special instructions
• Need of configuration by the end user
• End user ability to edit configuration
• Access the portal without PC (Only with smart
phone)
• Token mobility with the end user
• Loss portability
25. Online survey
An online digital survey was created and distributed to the public via the web to gather information from a random sample of people. It collected the information needed to identify the importance, acceptance and most-liked methods that an ordinary person may prefer to use as a second authentication method for the e-government web portal.
26. Online survey: participants age range
Age range Persons participated
18 – 25 year 39
26 – 33 year 54
34 – 40 year 48
41 – 48 year 21
49 – 56 year 9
57 – 64 year 3
More than 64 years 0
Total 174
27. Online survey: participants qualification
Qualification Persons participated
Below average education 2
average education 7
High school 53
High diploma 44
Bachelor degree 65
Graduate studies 3
Total 174
28. Online survey: participants daily internet usage
Internet usage Persons participated
Less than 30 minutes 27
30 Minutes – 1 Hour 31
1 Hour - 2 Hours 21
2 Hour - 4 Hour 38
More than 4 hours 57
Total 174
30. Online survey: Other results
• 33% of the participants (58 persons) use internet services that handle confidential data or run sensitive transactions.
• 54% of the participants (94 persons) were willing to carry an additional hardware token.
• 42% of the participants (73 persons) were willing to buy additional hardware to scan biometrics, while 58% (101 persons) refused.
• 37% (65 persons) were willing to install additional software or drivers on their personal computers or smart phones to gain access to the e-government web portal.
• 99% (172 persons) said they need to access the e-government web portal from their smart phones or tablet PCs.
31. Two-factor authentication methods test
The services of two cloud TFA service providers were tested at two different geographic locations in Libya (Tripoli city and Benghazi city) during the preparation of this thesis. The test output was used to verify the differences between the suggested TFA methods and to help choose the best one for the e-government web portal.
The methods tested are:
• Mobile phone software token
• Short messaging system (SMS)
• Smartphone push notification
• E-mail message
32. Test results - Software token
Strength of delivery and time of process:
• The software token is software previously installed and configured on a smart phone.
• It has a high strength of delivery and zero time of process, as it works in the background on the smart phone.
• It generates a new OTP every 60 seconds that can be used at any time immediately after opening the software token application.
• The drawback of this method is that it needs a smart phone to work. If the user has an ordinary old-fashioned mobile phone, they simply cannot use the software token.
36. Test results - Mobile phone SMS
The excellence of the mobile phone SMS method comes from the fact that almost everyone uses mobile phone services, and this method works on any mobile network and any mobile phone device from the second generation to the fourth generation without any need for an internet connection, special software or even a smart phone.
The drawback is that it fails when there is no mobile phone service in the area from which the user is trying to log in to the system.
37. Test results - Mobile push
Strength of delivery:
• Mobile push has optimum strength of delivery without any loss in the process.
• The drawback of the mobile push method is that it does not work if the user does not have a wireless internet connection or mobile broadband.
• Also, like the software token, it is a mobile application that has to be installed and configured on the smart phone beforehand.
39. Test results - E-mail message
The strength of delivery of the e-mail system is very high unless the received e-mail is classified as spam by the e-mail system the user is using.
41. Note: Biometrics and hardware tokens have a very good strength of delivery and low process time, but they have other drawbacks in usability, cost and the other requirements discussed when implementing two-factor authentication with the e-government web portal.
42. Proposed authentication system
• This thesis proposes a solution that uses strong multi-step two-factor authentication by utilizing mobile phone SMS technology.
• Turning a phone into an authentication device quickly removes the need for, and the additional cost and delays of, sending out hardware tokens.
• The mobile phone SMS is used to send a randomly generated, time-based One-Time-Password as the second authentication factor.
• The authentication server's generation algorithm generates the OTP; a mobile SMS gateway service delivers it to the user.
43. Proposed authentication system
Besides the one-time password, the system sends the following information in the SMS:
• Session ID (each login attempt has its own session ID with an OTP assigned to it)
• Login request time
• Login request location (the system determines it from the IP address)
• Browser type
• Operating system platform
These details are sent to make sure that the user is aware of the login he or she is verifying. This is vital to avoid any possibility of man-in-the-middle and real-time phishing/pharming attacks.
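The server side of slides 42 and 43 (random OTP bound to a per-attempt session ID, SMS text carrying the login context, verification that is one-time and bounded) is shown below as an added example; it is not the thesis's implementation and the message wording, the 300-second validity, the three-attempt budget and the IP-prefix location table are all constructed assumptions. Only a salted hash of the code is kept on the server, so a database read does not reveal codes in flight, and the OTP is accepted solely for the session it was issued for, which is what ties the SMS the user reads to the browser session being approved.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # constructed value: how long the code in the SMS stays valid
MAX_ATTEMPTS = 3        # constructed value: wrong guesses tolerated per session


@dataclass
class LoginSession:
    session_id: str
    national_id: str
    otp_hash: bytes      # only a salted hash of the code is stored server-side
    salt: bytes
    created_at: float
    ip: str
    browser: str
    platform: str
    attempts: int = 0
    verified: bool = False
    consumed: bool = False


def _hash_otp(otp: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + otp.encode()).digest()


def lookup_location(ip: str) -> str:
    """Stand-in for the IP-to-location lookup the page mentions (constructed prefix table)."""
    table = {"41.252.": "Tripoli, Libya", "41.254.": "Benghazi, Libya"}
    for prefix, place in table.items():
        if ip.startswith(prefix):
            return place
    return "unknown location"


def start_login(national_id: str, ip: str, browser: str, platform: str,
                now: Optional[float] = None) -> Tuple[LoginSession, str]:
    """Create a session with a fresh random OTP bound to a fresh session ID.
    Returns (session, sms_text); the plain OTP exists only in the SMS text."""
    now = time.time() if now is None else now
    otp = str(secrets.randbelow(10 ** OTP_DIGITS)).zfill(OTP_DIGITS)
    salt = secrets.token_bytes(16)
    session = LoginSession(
        session_id=secrets.token_hex(8), national_id=national_id,
        otp_hash=_hash_otp(otp, salt), salt=salt, created_at=now,
        ip=ip, browser=browser, platform=platform,
    )
    when = time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(now))
    sms = (
        f"e-Gov login code: {otp}\n"
        f"Session ID: {session.session_id}\n"
        f"Time: {when}\n"
        f"Location: {lookup_location(ip)}\n"
        f"Browser: {browser}\nOS: {platform}\n"
        "If you did not request this login, do not enter the code."
    )
    return session, sms


def verify_otp(session: LoginSession, session_id: str, candidate: str,
               now: Optional[float] = None) -> bool:
    """Accept the code only for its own session, within the TTL, within the attempt budget, and once."""
    now = time.time() if now is None else now
    if session.consumed or not hmac.compare_digest(session.session_id.encode(), session_id.encode()):
        return False
    if now - session.created_at > OTP_TTL_SECONDS:
        session.consumed = True          # expired: the user must start a new login request
        return False
    session.attempts += 1
    if hmac.compare_digest(_hash_otp(candidate, session.salt), session.otp_hash):
        session.verified = True
        session.consumed = True          # one-time: the same code cannot be replayed
        return True
    if session.attempts >= MAX_ATTEMPTS:
        session.consumed = True          # lock this session after too many wrong guesses
    return False


if __name__ == "__main__":
    s, text = start_login("123456789012", "41.252.10.7", "Firefox", "Windows")  # constructed values
    print(text)
```

The attempt budget matters more than the code length: a 6-digit code with unlimited guesses is a brute-force target, while three guesses per 300-second session keeps the success probability of guessing at 3 in a million per login request.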
44. Proposed authentication system
• The suggested solution uses the Libyan government national ID, a unique number assigned to each Libyan citizen that never changes during their life, together with a password to initiate the login process.
• To protect users from key-logging and similar attacks, the password can only be entered through the portal's built-in on-screen keyboard.
45. Proposed authentication system
In the final step of the process, the system uses an image-based authentication technology that:
• Displays 12 pictures from 12 different categories (National, ancients, desert, animals, flowers, cars, electronics, furniture, buildings, tools, people and food).
• Requires the user to select the photo that belongs to the category assigned to their account during account creation.
This step adds an additional layer of protection to the authentication process against attacks that may happen after the theft of the mobile device and the compromise of the password by the attacker.
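The image-category step can be built server-side as a challenge of one freshly picked image per category, shuffled with a cryptographic random source, followed by a check that the clicked image belongs to the account's enrolled category. The code below is an added example, not the thesis's implementation: the twelve category names come from the slide, while the image file names and the five images per category are constructed placeholders.

```python
import secrets

# The page's 12 categories; the image ids under each are constructed placeholders.
CATEGORIES = ["National", "Ancients", "Desert", "Animals", "Flowers", "Cars",
              "Electronics", "Furniture", "Buildings", "Tools", "People", "Food"]
CATALOGUE = {cat: [f"{cat.lower()}_{i:02d}.jpg" for i in range(1, 6)] for cat in CATEGORIES}


def build_challenge():
    """Pick one random image per category and shuffle the grid with a CSPRNG
    (Fisher-Yates), so neither the picture chosen nor its position hints at the category.
    Returns a list of (category, image_id); the server keeps the mapping, the client
    receives only the image ids from public_view()."""
    picks = [(cat, secrets.choice(CATALOGUE[cat])) for cat in CATEGORIES]
    for i in range(len(picks) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        picks[i], picks[j] = picks[j], picks[i]
    return picks


def public_view(challenge):
    """What the browser is sent: image ids in display order, no category labels."""
    return [image_id for _, image_id in challenge]


def verify_choice(challenge, selected_image: str, assigned_category: str) -> bool:
    """True only if the selected image is part of THIS challenge and belongs to the
    category enrolled for the account. An image id that is not in the challenge is
    rejected, so an image from an earlier challenge cannot be replayed."""
    for category, image_id in challenge:
        if image_id == selected_image:
            return category == assigned_category
    return False


if __name__ == "__main__":
    grid = build_challenge()
    print(public_view(grid))
    desert_image = next(img for cat, img in grid if cat == "Desert")
    print("desert user clicks desert image:", verify_choice(grid, desert_image, "Desert"))
```

Because a single attempt succeeds by chance once in twelve, this step only holds up if each challenge is used for exactly one answer and the account is locked or reported after a small number of wrong selections, which is consistent with the failed-login notification the page describes.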
46. Proposed authentication system
The details of every successful and failed login attempt are sent to the account owner's default mobile phone via SMS and to their default e-mail address. These details are the same as those of the first message, plus the status of the login (succeeded or failed).
This confirmatory feedback feature helps in detecting tampering and illegal login attempts. It allows the account owner to take the required action or actions and to report such an incident quickly to the e-government authority.
47. Proposed alternative authentication method to be used as a backup
Any good system should have a high level of usability, a minimum of administration effort and, of course, a good plan for emergencies.
• A procedure of a few steps should be implemented to recover a forgotten password without any interaction with the system administrators.
• The e-mail service will be used to deliver the OTP in case the user has lost their mobile phone through theft or damage, or simply cannot reach it. The user should follow another procedure to receive the OTP via the e-mail service.
55. Results summary
The proposed solution protects e-government web portal access from security threats using a strong multi-step two-factor authentication system that:
• Provides strong multi-step two-factor authentication using the National ID and a password that can only be entered through the portal's built-in on-screen keyboard
• Uses a one-time password that the system generates and sends via SMS or e-mail (including the login session ID, login request time, login request location, and the browser and OS details used)
• Uses an image-based authentication step that relies on image category recognition
• Is mutually authenticated and speaks over SHA-2 256-bit Transport Layer Security (TLS) encrypted channels between client and server
56. Results summary
• Avoids the known drawbacks of two-factor authentication systems
• Provides cost-effective, user-friendly and highly secure authentication
• Uses the mobile phone SMS as the user's second authentication token
• Uses the e-mail system as a backup second authentication token
• Is easy to use for any regular user with no additional hardware or special training
• Is easy to deploy for a large enterprise
• Does not rely on username-and-password-only authentication, which is no longer secure for such an enterprise system
57. Security limitations that are solved by the proposed solution
It overcomes the security limitations of traditional two-factor authentication systems and the vulnerabilities of mobile devices such as:
• Untrustworthy interface
• Theft/loss of the device
• Man-in-the-middle attacks
• Cryptographic attacks
• Eavesdropping
• Human vulnerability factors, such as a compromised password, are also covered by the proposed solution.
58. Mobile phone SMS two-factor authentication limitations the proposed solution overcomes
The e-mail message is implemented as a backup two-factor authentication method when:
• The GSM gateway service provider's servers are down and cannot send the OTP to the user even though they are a genuine user
• The user's mobile network service provider terminates the connection due to a delay in bill payments
• The user is in an area with poor network signal
• The user's mobile phone device has been stolen
59. Thesis conclusion
This thesis develops an authentication mechanism for the Libyan e-government web portal that combines the strengths of the three popular authentication approaches: multilevel, multi-channel, and multi-factor. These three approaches were merged to form an authentication mechanism that can strongly protect e-government user accounts from illegal authentication. It also gives protection against the use of compromised account credentials.
60. Thesis conclusion
Research objectives:
• Objective 1: Review the most commonly used
authentication classes, authentication mechanisms, and
authentication attacks.
• Objective 2: Review the usability and acceptability
aspects of authentication mechanisms and the evaluation
techniques used to decide high secure and easy to use two-
factor authentication solution for Libyan e-government
portal.
61. Thesis conclusion
Research objectives:
• Objective 3: With respect to e-government web portal
needs, discuss the currently used authentication
mechanisms and identify their weaknesses, showing how
they fail to protect customer accounts against different
attacks identified in objective 1.
• Objective 4: Propose an authentication solution that
addresses the security and usability problems identified
and listed in objective 2. Theoretically evaluate the
security of this solution and identify all features needed
for implementation.
62. Thesis conclusion
Research contribution:
The contribution is a new multi-step, multi-channel two-factor authentication system that:
• Increases security while maintaining the usability of Libyan e-government web portal authentication
• Utilizes a backup authentication mechanism
• Includes other features and guidelines to complement and facilitate the actual implementation of the proposed authentication solution
63. Thesis conclusion
Future Work
• More usable channels: other usable communication channels can also be used to support two-factor authentication. This includes, but is not limited to, chat software.
• Two-factor authentication for disabled people: disabled users might find it difficult to use two-factor authentication for their e-government transactions.
64. Final Word
The proposed authentication system protects Libyan e-government web portal user accounts from authentication attacks that other two-factor authentication mechanisms fail to address. It improves security while maintaining usability.
The guidelines and recommendations provided in this thesis support the implementation of a stronger, more secure and usable authentication system for the Libyan e-government web portal.
65. ADDITIONAL READING AVAILABLE IN
THE THESIS BOOK
• Detailed technical aspects
• Online survey
• Tests
• Solution Implementation
• User account creation and first
login steps and flowcharts
• Normal login steps and flowcharts
• Emergency user account login steps
and flowcharts
• References (35)