
Herman Engström 2015-10-28 Martin Larsson INFC40 - Information Systems Security Joel Wikberg

FACTORS IN TWO-FACTOR

AUTHENTICATION

INFC40 - Information Systems Security

2015-10-28

Herman Engström

Martin Larsson

Joel Wikberg

Supervisor: Anders Svensson

1.0 Introduction
2.0 Problem definition
3.0 Objectives
4.0 Literature review
4.1 Passwords
4.2 Two-factor authentication
4.2.1 A cost for the organization – additional tokens
4.2.2 2FA from a user perspective
4.3 Second authentication factor devices/software explained
4.3.1 Two-factor authentication
4.3.2 Common Access Card
4.3.3 Security token
4.3.4 Biometrics
4.3.5 Mobile authentication application and SMS
4.3.6 Radio frequency identification (RFID)
4.4 Sustainability
5.0 Proposed methodology
5.1 Data collection
5.1.1 Search criteria
5.1.2 Data validation
5.2 Data processing
6.0 Methodology applied
6.1 Comparative analysis between different authentication methods
6.2 Interview questions
7.0 Summary of the problem, objectives, methodology and expected outcomes
7.1 Discussion
7.1.1 Value for the customer
7.1.3 The interview
7.1.4 Study limitations
8.0 References
9.0 Confirmation statement


1.0 Introduction

The nature of security is that there is never a perfect solution. The general view among security researchers is that we need to "kill the password" and get rid of it altogether as soon as possible. However, it must not be forgotten that not everybody is a security researcher, and the password cannot simply be removed, because its usability is so much better than that of the other options out there. The problem with passwords is that they are not safe even when the user chooses a high-entropy password with uppercase characters, numbers and sufficient length (more than 12 characters): a strong password only resists guessing, and it will still be vulnerable to attacks that steal the password. (De Cristofaro, E. et al. 2014)

That is why the password needs a supplement. Several password supplements are on the market, and in this paper we set out to find which supplement we think works best for a specific activity, or whether a whole new approach to passwords is needed. The supplements we investigate are two-factor authentication (2FA) in its different forms, such as biometrics, mobile phone applications and tokens. 2FA is still a rather new technology for the private user, and its adoption is far from complete among businesses. According to twofactorauth.org, 37 of the 57 banks they investigated had not implemented any kind of 2FA, which supports our statement and shows that the orientation of this paper is relevant for both user and business stakeholders.

2.0 Problem definition

Low-entropy passwords are one of the major problems we have to live with today, and the problem will not be solved by replacing the password with one application, one token or one biometric solution (De Cristofaro, E. et al. 2014). We are certain that different activities require different password solutions depending on the information the password protects. This leads to our next question: which 2FA solution should you use to strengthen your password?

There is a plethora of 2FA solutions, and some are safer than others, but the added safety comes at a cost in usability. That is why we compare the different solutions for different activities. For instance, when you log in to read the news feeds you subscribe to for free, the site should not require a token; a password alone, though not a low-entropy one, is enough, because we do not want to lose too much usability. If you log in to your bank, however, you should use one of the types of 2FA, and which one is explained later in this paper.

The solution also needs to be sustainable, because customers will not buy a product that is only secure for a few years. That is why the right solution must be matched to the right activity, and why it must also be asked whether 2FA is worth it at all, or whether a different solution exists.


3.0 Objectives

The objectives identified for this paper are:

1. To compare different kinds of two-factor authentication implementations and how they affect usability and user acceptance.

2. To discover when it is, and when it is not, suitable to force the use of two-factor authentication.

4.0 Literature review

4.1 Passwords

An easy way to protect confidential information is the use of passwords, but this solution often involves a compromise between security and convenience. Long or complex passwords are hard to remember, which sometimes results in an organization settling for simpler rules. (Watts, S. et al. 2014)

Most computer systems today use identification and authentication through username and password as the first line of defence. The combination of username and password has become routine for users when they start a session on their computer. The mechanism is widely accepted and not too difficult to implement; managing password security, however, can be quite expensive. When looking for protection, do not underestimate the user's role in password protection: a common way of getting unauthorized access to a system is by obtaining a valid password. (Gollman, D. et al. 2011, p. 51)

The risk of an attacker guessing a valid password cannot be eliminated, but the probability of such an event can be lowered. An attacker may follow two basic strategies:

Brute force – try all possible combinations of valid symbols up to a certain length.

Intelligent search – try passwords that are somehow associated with the user, e.g. their name, names of friends, car brand or phone number, as well as passwords that are generally popular.

As a user you can protect yourself by:

Changing default passwords.

Using a sufficient password length.

Using a password format that mixes character classes.

Avoiding obvious passwords. (Gollman, D. et al. 2011, p. 52)


4.2 Two-factor authentication

Two-factor, or multi-factor, authentication is a way of improving security by requiring the user to provide more than one so-called authentication factor, i.e. more than only a password. There are three general authentication factors:

Knowledge – something the user knows, e.g. a password.

Possession – something the user has, e.g. a hardware security token.

Inherence – something the user is, e.g. a biometric characteristic such as a fingerprint. (De Cristofaro, E. et al. 2014)

4.2.1 A cost for the organization – additional tokens

In financial terms, additional tokens mean additional costs. Tokens cost money when they are purchased, they have to be replaced if they break, and they have to be exchanged if they are stolen or lost. These devices also have a set-up cost and a limited lifetime, which is a further cost for the organization. The market does, however, provide alternatives worth considering, such as the possibilities offered by smartphones. Smartphones are carried by their owners almost all of the time, both at and outside work, which makes smartphone-based 2FA solutions possible. Instead of a dedicated token, a dynamically generated passcode can be sent to the user's device via e.g. SMS, email or an application. (Watts, S. et al. 2014)

Tokenless 2FA is in place in organizations such as the London Royal Borough of Kensington and Chelsea, which illustrates the benefits of such a solution. The borough employs thousands of civil servants to take care of the needs of approximately 150 000 inhabitants. For many years the non-office staff carried a physical token that gave them access codes for network authentication. The dedicated physical token proved to be time-consuming and insecure, because tokens were frequently lost or left behind, which led to increased operating costs. Since the borough had already equipped more than 1 000 employees with mobile phones, it decided to make greater use of existing technology and implemented a tokenless two-factor authentication procedure for network access via mobile phones. (Watts, S. et al. 2014)

2FA has been looked upon as a saviour of computer security for some years now, but organizations have not adopted the technology as quickly as expected, for one powerful reason: inconvenience. 2FA requires users to change their habits, e.g. by having to carry a physical passcode token or by having to obtain a passcode in other time-consuming ways. (Kemshall, A. et al. 2011)

4.2.2 2FA from a user perspective

De Cristofaro et al. studied users of 2FA to obtain a general understanding of the 2FA technologies in use, the contexts in which they are deployed and why they are adopted. The users in the study used 2FA because they were forced to, wanted to or had an incentive, and they did so in certain contexts: work-related (e.g. logging on to a company VPN), personal (e.g. protecting a social networking account) and financial (e.g. logging on to a bank's online services). Most users had adopted the technology because an employer or bank forced them to, and some were unhappy about being forced onto 2FA. One participant said it felt inconvenient to spend 5 minutes on a small purchase. Some participants found it annoying to have to remember to bring their security tokens. There were two views on the physical security token within the group: one part did not prefer a security token since it could easily be lost, while the other part preferred tokens since they are easier to use than mobile applications, where a number of actions, such as unlocking the screen and navigating to the application, are needed first. (De Cristofaro, E. et al. 2014)

Krol et al. conducted a study in an online banking context. They found that the number of steps required for online banking authentication was crucial to the participants. An ideal authentication process would involve as few steps as possible and not require the user to carry any kind of token. Banks should offer customers a choice, since customers have different capabilities, needs and preferences; for example, customers could be allowed to replace hardware tokens with passcodes received via SMS or an application, and/or the bank could restrict token use to setting up payments above a certain amount. (Krol, K. et al. 2015)

4.3 Second authentication factor devices/software explained

4.3.1 Two-factor authentication

For a two-factor authentication solution to work, two pieces of data need to be presented, each from a different category. It is an identification process in which the user provides the system with two types of data, e.g. a physical credit card and a memorized PIN. In that example the two factors involved are "something you have" and "something you know". (Prakash, G. and Kannan, M. 2014)

4.3.2 Common Access Card

A Common Access Card (CAC) has the size of a normal credit card and works as an identifier for personnel who need access to restricted areas and other privileged activities. In most cases the card has 144 KB of memory in an integrated circuit chip (ICC), which allows quick authentication of the card holder. The card does not contain the user's password; it holds information about what the user is allowed to do, fingerprint images, social security number, public key infrastructure (PKI) certificates and organizational affiliation. This can vary depending on the organization's policy. The card needs a card reader to be verified, either by swiping the magnetic stripe or by inserting the chip into the reader. Once the card has been swiped or inserted, the user enters a Personal Identification Number (PIN); the data from the card reader is then sent over the network (usually over IP, though this can vary) and compared with the information in the organization's database. Access is then either allowed or denied, and the session continues until the card is removed.

There are drawbacks to using CACs, however: the card increases security at the cost of productivity. In one case the US Department of Defense lost an estimated 10.4 million dollars in time because people forgot their cards and could not access their email from home. (De Cristofaro, E. et al. 2014)


For this paper we have interviewed a person with 35 years in healthcare who has seen many different types of security systems; their workplace currently uses a "beefed up" version of the Common Access Card.

1. Do you have access to all the rooms?

"No, I only have access to the rooms that involve my work at this clinic, so I do not have access to rooms at other clinics. Also, some cabinets are locked because they contain sedatives that are addictive, and only personnel with the right privileges can access them. Also, every login you do with your card is logged."

2. Do you get access to the journal system?

"Yes, this is also very restricted. The system we use is called Obsterix, which is a system unique to our occupation. To access the computer that runs the journal system you need an RSID code of six digits that is unique to me. In addition to the six-digit code we need a password that we can choose ourselves, but it needs to contain at least 3 digits and 3 characters. When we are logged in on the computer and want to access the journal system we need to insert our CAC into the computer, and then we can use the journal system."

3. Do you use a password with your CAC and, if so, do you have a personal code or does everybody have the same code?

"Everybody has their own code."

4. Any major problems with the CAC?

"It is a lot of passwords to remember and it takes some time to get used to."

5. For how long has your hospital been using the CAC, and what system did you use before?

"This system was installed in 2009; we have been using it for about six years."

6. Do the staff often forget their CAC at home, and is that time-consuming?

"If you forget your CAC at home you need to call the reception and show your ID, and you will get a loan card which has basic access, for instance to toilets etc."


7. Picture

[Figure: a picture of the CAC]

8. Additional information

"Every time we enter the building we need to put our CAC in front of a card reader and then enter a four-digit code. The CAC can also be used as ID, just like a driver's licence."

4.3.3 Security token

Security tokens, sometimes called authentication tokens, are hardware devices that can be used together with a Common Access Card or on their own, depending on the context. The token can take the shape of a small device with different functions, for instance a sign, login and logoff button; pressing any of the buttons prompts the user to enter a control code.

As an example, when you want to log on to your internet bank, the website shows you a six-digit control code, which you enter on your token. The token runs an algorithm on that code and produces a nine-digit response code that you enter on the bank's website. If the response is correct, you are logged in. For security reasons you have only about 2-3 minutes to enter the response; if the user does not manage that, the page must be refreshed and the new control code entered on the token.

4.3.4 Biometrics

Biometrics is an authentication factor that recognizes humans by their physical attributes; for instance, a person can be identified by iris, fingerprint, facial structure, gait or handprint. All of these have one thing in common: they require the person to look the same all the time. If, for instance, a facial recognition system scans the user's facial structure and that person has lost some weight, more of the cheekbones become visible, which could cause a false rejection so that the person is not authenticated. There are further drawbacks. If the user has to sit in front of the camera for a couple of minutes for a face scan, the user becomes frustrated and may start using workarounds, for instance never logging out of the system. As one participant in Krol et al.'s study put it: "I still don't need to remember. I think 5 seconds or 10 maximum not beyond 10 seconds - I'd freak out ' I'd prefer to remember." (Krol, K. et al. 2015)


4.3.5 Mobile authentication application and SMS

Google, Facebook, Amazon and many other big companies that require a username and password offer some sort of two-factor authentication. The most common forms are a Time-based One-Time Password (TOTP) application and codes sent by SMS. The two differ in how the code is produced and delivered. With a TOTP application (RFC 6238), the server and the application share a secret that is enrolled once, typically shown as a QR code; after that, no code is ever transmitted to the client. Both sides compute the code independently from the shared secret and the current time, divided into fixed steps, and when the user types the code the server compares it with the one it computes itself. Because the code is derived from the time, it is only valid for about 30-60 seconds, depending on the provider's policy. With SMS, the server instead generates a random one-time code when the user has entered the correct username and password, stores it with a short expiry, and sends it to the user's phone number; the user types it in and the server compares it with the stored value. This method of authentication is rather new and has lately been applied to many services because of its simplicity and the increase in mobile phone usage. For instance, more and more banks are moving towards one-time codes where SMS is the medium that delivers the code to the user.
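The following is an added example, not code from the paper or from any of the providers it mentions, showing how the second-factor codes of sections 4.3.3 and 4.3.5 are actually computed and checked: TOTP as used by authenticator apps (app and server each derive the code from a shared secret and the time step), server-issued SMS codes (random, stored, single use, expiring), and the bank-style challenge/response token (a response derived from the token's key and the six-digit control code). The secret, the token key, the clock values and the challenge are constructed for the example; the SMS gateway call itself is left out. The TOTP part is checked against the published RFC 6238 test vectors.

```python
"""Second-factor code generation and checking (added example, not from the
paper or any vendor).  Covers the mechanisms of sections 4.3.3 and 4.3.5:
TOTP as used by authenticator apps, server-issued SMS codes, and a bank-style
challenge/response token.  Keys, clock values and the challenge below are
constructed for the example; the SMS gateway call itself is left out.
"""
import hashlib
import hmac
import secrets
import struct
import time


def same_code(a: str, b: str) -> bool:
    """Constant-time comparison (as bytes, so non-ASCII user input cannot raise)."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def dynamic_truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 section 5.3: 31 bits from an offset given by the MAC's last
    nibble, reduced modulo 10^digits and zero-padded."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = truncate(HMAC-SHA1(K, C)), C as an 8-byte big-endian integer."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return dynamic_truncate(mac, digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = number of `step`-second intervals since the
    epoch.  App and server both run this; only the typed code crosses the network."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, step: int = 30,
                digits: int = 6, drift_steps: int = 1) -> bool:
    """Server-side check tolerating +/- drift_steps of clock skew between phone and server."""
    counter = unix_time // step
    return any(same_code(hotp(secret, counter + d, digits), submitted)
               for d in range(-drift_steps, drift_steps + 1) if counter + d >= 0)


class SmsCodeStore:
    """Server side of SMS 2FA.  The code is random, not time-derived, so the server
    must remember it: single use, short expiry, limited attempts.  issue() returns
    the code only so the example is testable; in production it goes to the SMS
    gateway, never back to the browser."""

    def __init__(self, ttl_seconds: int = 300, digits: int = 6, max_attempts: int = 3):
        self.ttl, self.digits, self.max_attempts = ttl_seconds, digits, max_attempts
        self._pending = {}          # user -> [code, expiry, attempts_left]

    def issue(self, user: str, now=None) -> str:
        now = time.time() if now is None else now
        code = str(secrets.randbelow(10 ** self.digits)).zfill(self.digits)
        self._pending[user] = [code, now + self.ttl, self.max_attempts]
        return code

    def verify(self, user: str, submitted: str, now=None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, expiry, attempts = entry
        if now > expiry or attempts <= 0:
            del self._pending[user]     # expired or exhausted: force a fresh code
            return False
        if same_code(code, submitted):
            del self._pending[user]     # single use
            return True
        entry[2] -= 1                   # a wrong guess burns an attempt
        return False


def token_response(token_key: bytes, challenge: str, digits: int = 9) -> str:
    """Bank-style token (section 4.3.3): the site shows a six-digit challenge, the
    token answers with truncate(HMAC-SHA1(K, challenge)).  At 9 digits the 31-bit
    truncation makes the leading digit slightly non-uniform; acceptable for a
    response that is itself time-limited."""
    mac = hmac.new(token_key, challenge.encode("ascii"), hashlib.sha1).digest()
    return dynamic_truncate(mac, digits)


def verify_token_response(token_key: bytes, challenge: str, issued_at: float,
                          submitted: str, now: float, ttl: float = 180.0) -> bool:
    """Server side: the response is only good for `ttl` seconds (the 2-3 minute
    window the paper describes) and is compared in constant time."""
    if now - issued_at > ttl:
        return False
    return same_code(token_response(token_key, challenge), submitted)


if __name__ == "__main__":
    seed = b"12345678901234567890"                       # RFC 6238 test-vector secret
    print("TOTP at t=59:", totp(seed, 59, digits=8))    # 94287082 per RFC 6238
```

Two design points worth noting: the TOTP server never stores or sends a code, only the shared secret, so the only state that needs protecting is that secret; the SMS server must store each issued code and is therefore the one that needs expiry, single-use and attempt limits, which is exactly what the store above enforces.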

4.3.6 Radio frequency identification (RFID)

An RFID tag is a tiny microchip that, for example, can be implanted under the skin; within the chip there is an integrated circuit that can hold different sorts of information depending on the application. The technology is widely used to identify animals, in passport control and, to some extent, humans. An RFID tag works on the same principle as a contactless Common Access Card, only it is much smaller and can be implanted under the skin without being rejected by the body, or inserted into almost any object. There is a problem, however: the chip usually contains sensitive information about the user, and the chips can be read from a range of 10 cm up to 100 metres depending on whether they are passive or active, so the data can be read without the carrier noticing. (Li, H. 2014)

The picture below is from 2007, when this was cutting-edge technology; now, 8 years later, these small RFID chips can hold a lot more information.

[Figure: RFID chip]


4.4 Sustainability

Microsoft has its so-called "Patch Tuesday", on which all users of Microsoft products receive an update that can take a long time to install. These updates can take more than 10 minutes depending on the update, the hardware and the internet connection speed. Why bring this up when talking about sustainability? Because every time we update our operating systems, millions of dollars are lost. Consider a scenario where a patch costs about 0.001 dollars in electricity and lost productivity per machine; multiplied by a billion Windows machines, that is 1 million dollars (Godefroid, P. et al. 2012). Something that costs far more is malware leaking information from your servers, which is why it is so important to have a good security policy and a good technological supplement in the form of 2FA.

5.0 Proposed methodology

We decided to try to find an answer to our research problem by doing a meta-study of existing research in the field of information security, with a focus on research regarding two-factor authentication.

5.1 Data collection

All data, except the course literature and a few web resources, was collected mainly through LUBsearch and to some extent Google Scholar. LUBsearch is a search engine for all of Lund University's joint library resources and is available to all students at the university. Google Scholar is a search engine for scholarly literature across an array of publishing formats, provided by Google. Our goal was to find as many relevant and interesting articles as we could and then decide whether they were good enough to use for our paper.

5.1.1 Search criteria

To locate articles relevant to our subject that would allow us to find an answer to our research problem, we used a small set of keywords. The phrase "two factor authentication" was used in different combinations with the following: user acceptance, usability, sustainability, vulnerability. We also did some searches where the publishing date was limited to the last two years, so that we would not miss the latest and most relevant research.

5.1.2 Data validation

We approached the articles critically and set a few "rules" for validating them, since having correct and unbiased sources was of great importance to us:

Does the author reference other works correctly?

Has the article been peer-reviewed?

If it includes a study, is the sample size appropriate?

If the author can be interpreted as biased, is there still factual information that can be extracted from the article?


5.2 Data processing

After we had collected and validated the articles, the information relevant to our research problem was extracted and entered under "Literature review". That information was then used as the base for our comparative analysis and discussion.

6.0 Methodology applied

6.1 Comparative analysis between different authentication methods

We have collected data from a number of studies and made the following analysis, rating each property from 1 to 5, where 1 means very low and 5 very high. The following studies have been used: (De Cristofaro, E. et al. 2009), (Prakash, G. et al. 2013), (Weir, C. S. et al. 2009) and (Yoo, S. et al. 2013).

Passwords
  Definition: character-based, usually 6-20 characters
  Advantages: convenient for most people
  Drawbacks: can be forgotten and can be easy to guess
  Security: 2   Usability: 5   Input time: 3-10 sec   Acceptance: 5

Physical token
  Definition: physical device that computes codes
  Advantages: not bound to a location
  Drawbacks: the device is required to log in
  Security: 5   Usability: 2   Input time: 10-20 sec   Acceptance: 2

Fingerprint
  Definition: scans the human fingerprint
  Advantages: fingerprints are unique to the user
  Drawbacks: fingerprints are sometimes difficult to scan
  Security: 3   Usability: 3   Input time: 10-20 sec   Acceptance: 3

Voice
  Definition: voice recognition
  Advantages: unique to the user
  Drawbacks: background noise might disturb the process
  Security: 4   Usability: 2   Input time: 10-20 sec   Acceptance: 3

Face recognition
  Definition: scans facial structure and patterns
  Advantages: unique to the user
  Drawbacks: not very adaptable to change in appearance
  Security: 4   Usability: 2   Input time: 10-20 sec   Acceptance: 3

SMS authentication
  Definition: one-time codes delivered through SMS
  Advantages: easy to use and available everywhere
  Drawbacks: requires a mobile phone
  Security: 4   Usability: 5   Input time: 5-10 sec   Acceptance: 5

Common Access Card
  Definition: a card that grants access to restricted areas
  Advantages: safe and quick to use
  Drawbacks: causes trouble if forgotten
  Security: 5   Usability: 4   Input time: 5-10 sec   Acceptance: 5

Mobile application authentication
  Definition: software that generates login codes
  Advantages: quick and easy to use
  Drawbacks: requires a smartphone, and an internet connection for push-based apps (TOTP apps work offline)
  Security: 3   Usability: 5   Input time: 5-10 sec   Acceptance: 5

Iris/eye recognition
  Definition: scans the human iris
  Advantages: unique to the user
  Drawbacks: expensive
  Security: 5   Usability: 2   Input time: 10-20 sec   Acceptance: 3

6.2 Interview questions

The questions we asked our source are based on what we concluded from the articles we read, which makes them relevant to this paper.


7.0 Summary of the problem, objectives, methodology and expected outcomes

7.1 Discussion

Many users tend to use single-factor authentication, i.e. a password, since it is more convenient and faster for them. Users have been using passwords for many years, and it is therefore hard to make them change their behaviour and habits unless they are forced to, e.g. by their bank or employer requiring the new technology. If users are forced to use 2FA, they should have a choice of how to do so, e.g. through a token or a smartphone application such as the widely used "Mobilt bankID" here in Sweden.

A question that should be discussed before implementing 2FA is whether the information you want to protect is really worth the cost, in both time and money. A poorly executed 2FA solution, e.g. a physical token that is forced onto the user but is made of cheap materials or comes with badly written instructions, definitely affects how the end user perceives the solution.

A simple way for more users to adopt 2FA is to use the smartphone as the authenticator. Many companies already provide their employees with phones, so it is cost-efficient and makes more sense to use technology that is already available and send passcodes to it via text message or an application.

7.1.1 Value for the customer

At the end of the day security is not useful if nobody uses it, and that is why it is important to create value for the customer. By that we mean that the user needs to feel that this security measure is really important, not only for the user but also for the organization. If we go back to our comparative analysis we can see that there are many different security options and that they vary in security, usability and acceptance. Usually when security goes up, usability goes down, and this relationship seems to be inseparable, because in every study we have read where users had been interviewed they also complained about the complexity of logging in to a certain type of system because of the security measures. This we did not expect at all; our perception was that people would be happy if more security measures were used, especially when it comes down to money, business secrets and private information. However, this was not the case at all: users usually just want to get on with their work as smoothly as possible and not worry about different security measures. This perception also seems to vary depending on the country in which the study was made; people who were interviewed in the USA had a more "annoyed" view of security. However, if we were to make a study in Sweden, we think people would be more understanding and happy that their workplace had good security. The reason we believe this is that in the USA the saying "Trust thy neighbour and love thy neighbour" is deeply rooted in the culture, so why should we use security? However, we believe this will change rapidly due to the conflicts in the world and bigger cyber-attacks against governments.

The conclusion we always end up with is that different businesses need different security supplements to their normal password. For instance, a bank is in need of 2FA both for the security of the business and for the customer. A bank without 2FA is not that trustworthy in our opinion; 2FA is not 100% safe, but it is a lot safer than no 2FA. However, a news site with a code-generating token is not necessary either, because there usability is more important than security in most cases. At the end of the day it is up to the stakeholders whether they want to be secure or not. They might save money in the short run, but in the long run something will happen; just look at the Sony incident, where billions were lost in damage due to poor security. If they had just invested 1/10 of that sum in security it probably would not have happened.

7.1.3 The interview

As we can read in the interview, the security measures taken at the hospital are pretty serious compared to other occupations, but after all it is a hospital, and we think that people would want their hospital to be secure. However, this system was introduced in 2009; before that they only had one PIN code to access the different rooms, journals etc., and now they have about four different codes to remember and a very important CAC without which they cannot work. The CAC plastic case also has the social security number and card number blacked out; just that little detail shows that nothing has been left unnoticed, and we were impressed that they had this level of security, but yet again it is a hospital, and a lot of sensitive information and drugs are stored there. We do not have a figure for how much this system costs, but we expect it is pretty expensive, and here the stakeholders took the decision to have a secure system to avoid any incidents.

7.1.4 Study limitations

We would like to do more studies of our own in which we interview users of different systems, compare them to each other and see whether there is any pattern when it comes to 2FA security: do bigger companies use more security and do smaller companies use less?


8.0 References

Emiliano De Cristofaro, Honglu Du, Julien Freudiger, Greg Norcie (2013). A Comparative Usability Study of Two-Factor Authentication. arXiv:1309.5344v2 [cs.CR].

Christina Braz, Jean-Marc Robert (2006). Security and Usability: The Case of the User Authentication Methods. IHM '06 Proceedings of the 18th International Conference of the Association Francophone d'Interaction Homme-Machine, pages 199-203.

Steve Watts (2014). Intelligent combination – the benefits of tokenless two-factor authentication. Network Security, August 2014, 2014(8):17-20.

Andy Kemshall (2011). Why mobile two-factor authentication makes sense. Network Security, April 2011, 2011(4):9-12.

G. Prakash, M. Kannan (2013). A Generic Framework to Enhance Two-Factor Authentication in Cryptographic Smart-card Applications. International Journal of Engineering and Technology, Vol. 5, No. 6, Dec 2013-Jan 2014.

Kat Krol, Eleni Philippou, Emiliano De Cristofaro, M. Angela Sasse (2015). "They brought in the horrible key ring thing!" Analysing the Usability of Two-Factor Authentication in UK Online Banking. arXiv:1501.04434 [cs.CR].

Haotian Li (2015). The Obstacles Facing the Implanted Microchip.

Dieter Gollmann (2011). Computer Security. 3rd edition. John Wiley & Sons, Ltd., West Sussex. ISBN 978-0-470-74115-3.

Catherine S. Weir, Gary Douglas, Tim Richardson, Mervyn Jack (2009). Usable security: User preferences for authentication methods in eBanking and the effects of experience. Interacting with Computers, 2010, 22(3):153-164.

Soonduck Yoo, Seung-jung Shin, Dae-hyun Ryu (2013). An Innovative Two Factor Authentication Method: The QRLogin System. International Journal of Security and its Applications, 2013, 7(3):293-302.

Patrice Godefroid, Michael Y. Levin, David Molnar (2012). SAGE: Whitebox fuzzing for security testing: SAGE has had a remarkable impact at Microsoft. Queue, January 2012, 10(1):20-27.

Online references

Josh Davis (n.d.). Two Factor Auth (2FA). Available from: <https://twofactorauth.org/> [25 October 2015].

Margaret Rouse (n.d.). Security token (authentication token) definition. Available from: <http://searchsecurity.techtarget.com/definition/security-token> [26 October 2015].


9.0 Confirmation statement

All students in our group have contributed to finishing this paper. No specific portion of the paper can be accredited to one person only.

………………………………………………….
Herman Engström

………………………………………………….
Joel Wikberg

………………………………………………….
Martin Larsson