Herman Engström 2015-10-28 Martin Larsson INFC40 - Information Systems Security Joel Wikberg
FACTORS IN TWO-FACTOR
AUTHENTICATION
INFC40 - Information Systems Security
2015-10-28
Herman Engström
Martin Larsson
Joel Wikberg
Supervisor: Anders Svensson
1.0 Introduction ............................................................................................................................................................. 1
2.0 Problem definition ................................................................................................................................................... 1
3.0 Objectives ................................................................................................................................................................ 2
4.0 Literature review ..................................................................................................................................................... 2
4.1 Passwords ............................................................................................................................................................ 2
4.2 Two-factor authentication .................................................................................................................................. 3
4.2.1 A cost for the organization – additional tokens ........................................................................................... 3
4.2.2 2FA from a user perspective ........................................................................................................................ 3
4.3 Second authentication factor devices/software explained ................................................................................. 4
4.3.1 Two-factor authentication ........................................................................................................................... 4
4.3.2 Common Access Card ................................................................................................................................... 4
4.3.3 Security token .............................................................................................................................................. 6
4.3.4 Biometrics .................................................................................................................................................... 6
4.3.5 Mobile authentication application and SMS ................................................................................................ 7
4.3.6 Radio frequency identification (RFID) .......................................................................................................... 7
4.4 Sustainability ....................................................................................................................................................... 8
5.0 Proposed methodology ........................................................................................................................................... 8
5.1 Data Collection .................................................................................................................................................... 8
5.1.1 Search criteria .............................................................................................................................................. 8
5.1.2 Data validation ............................................................................................................................................. 8
5.2 Data processing ............................................................................................................................................... 9
6.0 Methodology applied .............................................................................................................................................. 9
6.1 Comparative analysis between different authentication methods .................................................................... 9
6.2 Interview questions ............................................................................................................................................. 9
7.0 Summary of the problem, objectives, methodology and expected outcomes ..................................................... 10
7.1 Discussion .......................................................................................................................................................... 10
7.1.1 Value for the customer .............................................................................................................................. 10
7.1.3 The interview ............................................................................................................................................. 11
7.1.4 Study limitations ........................................................................................................................................ 11
8.0 References ............................................................................................................................................................. 12
9.0 Confirmation statement ........................................................................................................................................ 13
1.0 Introduction
The nature of security is that there is never a perfect solution. The general view among security researchers is that we need to “kill the password” and get rid of it altogether as soon as possible. However, it cannot be forgotten that not everybody is a security researcher, and that is why we cannot simply remove the password: its usability is so great compared to the other options out there. The problem with passwords is that they are not safe even if the user does use a high-entropy password with uppercase characters, numbers and enough characters (more than 12); they will still be vulnerable to attacks that steal the password. (Emiliano De Cristofaro et al. 2014)
That is why we need a supplement to the password. There are several different password supplements on the market, and in this paper we are going to find out which supplement we think will work best with a specific activity, or whether a whole new approach to passwords is needed. The supplements we investigate in this paper are two-factor authentication (2FA) in different forms, such as biometrics, mobile phone applications and tokens. 2FA is a rather new technology for the private user, and adoption of 2FA is far from complete in all businesses. According to twofactorauth.org, 37 of the 57 banks they investigated had not implemented any kind of 2FA, which proves our statement and shows that the orientation of this paper is important for both user and business stakeholders.
2.0 Problem definition
Low-entropy passwords are one of the major problems that we have to co-exist with today, and the problem will not be solved by replacing the password with one application, one token or one biometric solution (De Cristofaro, E. et al. 2014). We are certain that different activities require different password solutions depending on the information that the password protects. This leads us to our next question: which 2FA solution should you use to enhance your password?
There is a plethora of different 2FA solutions out there, and some of them are safer than others, but that comes at a cost in usability. That is why we are going to compare the different solutions for different activities. For instance, you want to log in to your daily news feed because you want to see some of the newsfeed channels that you subscribe to for free. This site should not require a token to get you logged in and should only use a password; not a low-entropy one, but just a password is enough, because we do not want to lose too much usability. However, if you want to log in to your bank then you should use one of the different types of 2FA, and which one you should use will be explained later in this paper.
The solution also needs to be sustainable in the future, because customers will not buy a product if it will only be secure for a few years. That is why we need to use the right solution for the right activity, and also ask: is it worth using 2FA, or could there be a different solution?
3.0 Objectives
The objectives identified for this paper are:
1. To compare different kinds of two-factor authentication implementations and how they affect usability and user acceptance.
2. To discover when it is and when it isn’t suitable to force the use of two-factor authentication.
4.0 Literature review
4.1 Passwords
An easy way to protect confidential information is the use of passwords; however, this solution often involves a compromise between security and convenience. Long or complex passwords are hard to remember, which sometimes results in an organization settling for simpler rules. (Watts, S. et al. 2014)
Most computer systems today use identification and authentication through username and password as the first line of defense. The combination of username and password is a mechanism that has become routine for users when they start a session on their computer. The username and password mechanism is also widely accepted and not too difficult to implement; however, managing password security can be quite expensive. When looking for protection, do not underestimate the user’s role in password protection. A common way of getting unauthorized access to a system is by obtaining a valid password. (Gollman, D. et al 2011, p51)
The risk of an attacker guessing a valid password cannot be eliminated; however, you can try to lower the probability of such an event. An attacker may follow two basic strategies:
Brute force – try all possible combinations of valid symbols up to a certain length.
Intelligent search – try passwords that are somehow associated with a user, e.g. name, names of friends, car brand, phone number, and passwords that are generally popular, etc.
As a user you can protect yourself by:
Changing default passwords.
Choosing an adequate password length.
Choosing an appropriate password format.
Avoiding obvious passwords. (Gollman, D. et al 2011, p52)
4.2 Two-factor authentication
Two-factor, or multi-factor, authentication is an alternative for improving security by requiring the user to provide more than one so-called authentication factor, i.e. more than only a password. There are three general authentication factors:
Knowledge – something the user knows, e.g. a password.
Possession – something the user has, e.g. a hardware-based security token.
Inherence – something the user is, e.g. a biometric characteristic, like a fingerprint. (De Cristofaro, E. et al. 2014)
4.2.1 A cost for the organization – additional tokens
In financial terms, additional tokens also result in additional costs. The first cost of tokens is purchasing them; if they break they have to be replaced, and if they get stolen or lost they have to be exchanged. These devices also have a set-up cost and a limited lifetime, which is also a cost for the organization. The market does, however, provide other alternatives that are worth considering, such as the possibilities offered by smartphones. Smartphones are carried by their owners almost at all times, both at and outside work, which makes 2FA solutions possible. Instead of using an additional token for authentication purposes, a dynamically generated passcode can be sent to the end device via e.g. SMS, email or an application. (Watts, S. et al. 2014)
Tokenless 2FA solutions are in place in organizations such as the London Royal Borough of Kensington and Chelsea, which illustrates the benefits of a 2FA solution. The borough employs thousands of civil servants to take care of the needs of approximately 150 000 inhabitants. For many years the non-office staff carried a physical token with them that granted them access codes for network authentication. The use of the dedicated physical token proved to be time-consuming and insecure, because the tokens were frequently lost or left behind, which led to increased operating costs. Since the borough had already equipped more than 1 000 employees with mobile phones, they decided to make greater use of the current technology and implemented a tokenless two-factor authentication procedure to access the network via mobile phones. (Watts, S. et al. 2014)
2FA has been looked upon as a saviour of computer security for some years now, but organizations haven’t adopted the technology as quickly as expected due to one powerful reason – inconvenience. 2FA requires users to change their habits, e.g. by having to carry a physical passcode token or by having to obtain a passcode through other time-consuming ways. (Kemshall, A. et al 2011)
4.2.2 2FA from a user perspective
A study investigated users of 2FA to obtain a general understanding of the 2FA technologies in use, the contexts in which this technology is deployed and why they are adopted. The users in the study used 2FA because they were forced to, wanted to or had an incentive, and they did so in certain contexts, such as work-related (e.g. logging on to a company VPN), personal (e.g. protecting their social networking account) and financial (e.g. logging on to their bank’s online services). Most users adopted the technology because an employer or bank had forced them to do so; however, some were unhappy about being forced onto 2FA. A participant in the study said that it felt inconvenient to spend 5 minutes on small purchases. Some of the participants felt that it was annoying to have to remember security tokens. There were two different views on the physical security token within the group: one part said that they did not prefer a security token since it could easily be lost, and one part of the group preferred tokens since they are easier to use compared to mobile applications, where you have to do a number of activities, such as unlocking the screen, in order to navigate to the application. (De Cristofaro, E. et al. 2014)
Researchers conducted a study in an online banking context. The findings were that the steps required for online banking authentication were crucial for the participants. An ideal authentication process would involve as few steps as possible without having them carry some kind of token. Banks should offer customers a choice since they have different capabilities, needs and preferences. The banks could offer them the option to replace hardware tokens with passcodes received via SMS or an application, and/or restrict their use to setting up payments above a certain amount. (Kat Krol, et al. 2015)
4.3 Second authentication factor devices/software explained
4.3.1 Two-factor authentication
The requirement for a two-factor authentication solution to work is that two pieces of data need to be accessible, each being from a different category. It is a secure identification process in which the user provides the device with two types of data, e.g. one that is a physical credit card and one that is a memorized PIN. From this perspective there are two factors involved, which are considered "something you have" and "something you know". (G.Prakash, M.Kannan, 2014)
4.3.2 Common Access Card
Common access cards have the size of a normal credit card and work as an identifier for personnel who need access to restricted areas and other privileged activities. In most cases the card has a memory of 144k in an integrated circuit chip (ICC), which allows quick authentication of the owner of the card. The card does not contain any password or information about the user; it only contains information about what the user is allowed to do, fingerprint pictures, social security number, public key infrastructure and organization affiliation. However, this can vary depending on the organization’s policy.
The card needs a card reader to verify the card that has been swiped or the chip that has been inserted into the reader. When the card has been swiped with the magnetic stripe or inserted into the card reader, the user needs to enter a Personal Identification Number (PIN), which is sent through Internet Protocol (this can also vary), and then the information entered in the card reader and the information in the organization’s database are compared. The session continues until the card is removed, and then access is either denied or allowed.
However, there are some drawbacks to using CAC: it increases security at the cost of productivity, and there is a case where the US Department of Defence spent 10.4 million dollars on time lost because people forgot their cards and couldn’t access their email at home. (Emiliano De Cristofaro et al 2014)
In our case we have interviewed a person who has 35 years in healthcare and has seen many different types of security systems, but right now they are using a “beefed up” version of the Common Access Card.
1. Do you have access to all the rooms?
"No, I only have access to the rooms that involve my work at this clinic, so I do not have access to other rooms at other clinics. Also, some cabinets are locked down because they contain sedatives that are addictive and only personnel with the right privileges can access them. Also, every login you do with your card is being logged."
2. Do you get access to the journal system?
"Yes, this is also very restricted and the system that we use is called Obsterix, which is a unique system for our occupation, and to access the computer that runs the journal system you need to have an RSID code that is six digits, which is unique for me. In addition to the six-digit code we need to have a password that we can choose ourselves, but it needs to contain at least 3 digits and 3 characters. When we are logged in on the computer and want to access the journal system we need to insert our CAC into the computer and then we can use the journal system."
3. Do you use a password with your CAC, and if so, do you have a personal code or does everybody have the same code?
"Everybody has their own code."
4. Any major problems with the CAC?
"It is a lot of passwords to remember and it takes some time to get used to."
5. For how long has your hospital been using the CAC, and what system did you use before?
"This system was installed in 2009; we have been using it for about six years."
6. Do the staff often forget their CAC at home, and is that time consuming?
"If you forget your CAC at home you need to call the reception and show your ID, and you will get a loan card which has basic access, for instance to toilets etc."
7. Picture
[Picture of the CAC]
8. Additional information
"Every time we enter the building we need to put our CAC in front of a card reader and then you need to enter a four-digit code. The CAC can also be used as an ID, just like a driver’s license."
4.3.3 Security token
Security tokens, sometimes called authentication tokens, are hardware devices that can interact with Common Access Cards or work without them, depending on the context. The token could take the shape of a little device with different functions; for instance, it can have a sign, login and logoff button, and if you click any button you will be prompted with a message that you need to enter a control code.
As an example, if you want to log on to your internet bank you will be prompted with a six-digit code, which you need to enter on your token; the token will then follow an algorithm that produces a nine-digit code that you can enter on the bank’s website. If the code is correct you will be allowed to enter. For security reasons you only have about 2-3 minutes to enter the code, and if the user does not manage that you need to refresh the website and enter the new control code on the token.
4.3.4 Biometrics
Biometrics is an authentication factor that recognizes humans by identifying their different physical attributes; for instance, it is possible to identify a person’s iris, fingerprint, face structure, walking movement and handprint. All of these have one thing in common: they all need the person to look the same all the time. For instance, if we have a facial recognition system that scans the user’s face structure and that person has lost some weight, then more of the cheekbones will be visible, which could possibly cause a false alarm so that the person will not be authenticated. There are more drawbacks; for instance, if you need to sit in front of the camera for a couple of minutes to scan the user’s face, then the user will become frustrated and may start doing workarounds, for instance never logging out of the system. "I still don't need to remember. I think 5 seconds or 10 maximum not beyond 10 seconds - I'd freak out ' I’d prefer to remember." (Kat Krol, et al. 2015)
4.3.5 Mobile authentication application and SMS
Google, Facebook, Amazon and many other big companies that require a username and password have some sort of two-factor authentication. The most common one is a Time-based One-Time Password (TOTP) algorithm application or SMS; both are based on TOTP, but they have different ways of delivering the code/password. In theory it is a rather easy concept: when the user enters the correct username and password, the current time is saved at the client and sent to the server, which through an algorithm produces a code and sends this back to the user. When the code is entered, the server checks whether the code is correct, and if so the user is allowed to access whatever site they want to enter. Since this is a time-based system the code is only valid for about 30-60 seconds, depending on what policy the provider has. This method of authentication is a rather new form of two-factor authentication and has lately been applied to many services because of its simplicity and the increase in mobile phone usage. For instance, more and more banks are moving towards TOTP solutions where SMS is the medium that delivers the code to the user.
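The TOTP flow described here and the challenge-response bank token in section 4.3.3 can both be built from the same HMAC-and-truncate routine. The following Python is an added example (not code from this paper or from any of the services it mentions): it implements HOTP/TOTP as specified in RFC 4226 and RFC 6238 with a drift window that gives the 30-60 second validity cited above, and a hypothetical challenge-response verifier with the six-digit challenge, nine-digit response and roughly three-minute expiry the token section describes. The secret keys and timestamps are constructed values.

```python
"""HOTP/TOTP (RFC 4226 / RFC 6238) and a challenge-response token verifier.

Added example. The secret keys and timestamps are constructed for the demo;
the challenge-response scheme illustrates the bank token described in the
text and is not any vendor's actual algorithm.
"""
import hashlib
import hmac
import secrets
import struct
import time


def truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take 4 bytes at the offset given by the low
    nibble of the last MAC byte, mask to 31 bits, keep `digits` decimal digits."""
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return truncate(mac, digits)


def totp(key: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter set to the number of `step`-second intervals
    since the Unix epoch. Client and server derive the same code from the shared
    secret and their own clocks; only the short code crosses the wire."""
    return hotp(key, int(at) // step, digits)


def verify_totp(key: bytes, code: str, at: float, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and up to `window` adjacent steps on
    either side, tolerating clock drift and delivery delay (e.g. an SMS in transit).
    window=1 with a 30 s step is the 30-60 s validity the text describes."""
    if len(code) != digits or not code.isdigit():
        return False
    counter = int(at) // step
    for drift in range(-window, window + 1):
        # constant-time comparison so a wrong guess does not leak matching digits
        if hmac.compare_digest(hotp(key, counter + drift, digits), code):
            return True
    return False


def token_response(key: bytes, challenge: str, digits: int = 9) -> str:
    """What the hand-held token computes: an HMAC over the control code shown by
    the website, truncated to the nine-digit response the user types back."""
    mac = hmac.new(key, challenge.encode("ascii"), hashlib.sha256).digest()
    return truncate(mac, digits)


class ChallengeTokenServer:
    """Bank-side state for the challenge-response token (hypothetical design).

    Each challenge is single-use and expires after TTL_SECONDS, matching the
    'about 2-3 minutes' after which the user must refresh and get a new code."""

    TTL_SECONDS = 180

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._pending = {}  # challenge -> time it was issued

    def issue_challenge(self, now: float) -> str:
        """Six-digit control code displayed on the login page."""
        challenge = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[challenge] = now
        return challenge

    def verify(self, challenge: str, response: str, now: float) -> bool:
        # pop() makes the challenge single-use whether or not the answer is right
        issued_at = self._pending.pop(challenge, None)
        if issued_at is None or now - issued_at > self.TTL_SECONDS:
            return False
        return hmac.compare_digest(token_response(self._key, challenge), response)


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 6238 test-vector key, used here as a demo secret
    now = time.time()
    code = totp(key, now)
    print("TOTP now:", code, "verifies:", verify_totp(key, code, now))
    bank = ChallengeTokenServer(key)
    c = bank.issue_challenge(now)
    r = token_response(key, c)
    print("challenge", c, "-> response", r, "verifies:", bank.verify(c, r, now + 60))
```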
4.3.6 Radio frequency identification (RFID)
RFID is a tiny microchip that, for example, can be implanted under the skin; within the chip there is an integrated circuit that can contain different sorts of information depending on preferences. This technology is widely used to identify animals, at passport controls and to some extent humans. RFID works exactly the same way as a Common Access Card, only it is a lot smaller and can be implanted under the skin without being rejected by the body, or inserted into almost any object. However, there is a problem: the chip usually contains sensitive information about the user, and these chips can have a range from 10 cm to 100 meters, depending on whether they are passive or active. (Haotian Li. 2014)
The picture below is from 2007, and at the time this was cutting-edge technology, but now, 8 years later, these small RFIDs can contain a lot more information.
[Picture: RFID chip]
4.4 Sustainability
Not so long ago Microsoft had their so-called "Patch Tuesday", which meant that all users of Microsoft products got an update that could take a long time to complete depending on the update. These updates could sometimes take more than 10 minutes, depending on the update, hardware and internet connection speed. And why do we bring this up when we are talking about sustainability? Because every time we update our operating system, millions of dollars are lost. Let us build a scenario where a patch costs about 0.001 dollars in electricity and productivity; times a billion Windows machines, that equals 1 million dollars (Godefroid, P. et al. 2012). Something that costs a lot more is if malware were to leak information from your servers, which is why it is so important to have a good security policy and a good technological supplement in the form of 2FA.
5.0 Proposed methodology
We decided to try to find an answer to our research problem by doing a meta-study of existing research in the field of information security, with a focus on research regarding two-factor authentication.
5.1 Data Collection
All data, except the course literature and a few web resources, was mainly collected through LUBsearch and some through Google Scholar. LUBsearch is a search engine for all of Lund University’s libraries’ joint resources and is available to all students at the university. Google Scholar is a search engine for scholarly literature across an array of publishing formats, provided by Google. Our goal was to find as many relevant and interesting articles as we were able to and then decide if they were good enough to use for our article.
5.1.1 Search criteria
To locate articles that were relevant to our subject and would allow us to find an answer to our research problem, we used a small set of keywords. The words “two factor authentication” were used in different combinations with the following: user acceptance, usability, sustainability, vulnerability. We also did some searches where the publishing date of the articles was limited to the last two years, so that we would not miss any of the latest and most relevant research.
5.1.2 Data validation
We approached the articles critically and set a few “rules” for validating them, since having correct and unbiased sources was of great importance to us.
Does the author correctly reference other works?
Has the article been peer-reviewed?
If it includes a study, is the sample size appropriate?
If the author can be interpreted to be biased, is there still factual information that can be extracted from the article?
5.2 Data processing
After we had collected and validated articles, the information about subjects relevant to our research
problem was extracted and entered under “Literature review”. That information was then used as a
base for our comparative analysis and discussion.
6.0 Methodology applied
6.1 Comparative analysis between different authentication methods
We have collected data from a couple of different studies and made the following analysis; we ranked some of the subjects from 1-5, where 1 means very low and 5 very high. The following studies have been used: (Emiliano De Cristofaro et al. 2009), (G.Prakash et al. 2013), (Catherine S. Weir et al. 2009) and (Soonduck Yoo et al. 2013).
Function/Property by authentication method (Security, Usability and Acceptance ranked 1-5):

Passwords
  Definition: Character based, usually 6-20 chars
  Advantages: Convenient for most people
  Drawbacks: Can be forgotten and could be easy to guess
  Security: 2 / Usability: 5 / Input time: 3-10 sec / Acceptance: 5

Physical token
  Definition: Physical algorithm device
  Advantages: Not bound to a location
  Drawbacks: Device is required to login
  Security: 5 / Usability: 2 / Input time: 10-20 sec / Acceptance: 2

Fingerprint
  Definition: Scans human fingerprint
  Advantages: Fingerprints are unique to the user
  Drawbacks: Sometimes difficult to scan fingerprints
  Security: 3 / Usability: 3 / Input time: 10-20 sec / Acceptance: 3

Voice
  Definition: Voice recognition
  Advantages: Unique for the user
  Drawbacks: Background noise might disturb the process
  Security: 4 / Usability: 2 / Input time: 10-20 sec / Acceptance: 3

Face recognition
  Definition: Scans for face structure and patterns
  Advantages: Unique for the user
  Drawbacks: Not very adaptable to change
  Security: 4 / Usability: 2 / Input time: 10-20 sec / Acceptance: 3

SMS authentication
  Definition: TOTP based codes, delivery through SMS
  Advantages: Easy to use and available everywhere
  Drawbacks: Requires a mobile phone
  Security: 4 / Usability: 5 / Input time: 5-10 sec / Acceptance: 5

Common access card
  Definition: A card that lets you access restricted areas
  Advantages: Safe and quick to use
  Drawbacks: Causes trouble if forgotten
  Security: 5 / Usability: 4 / Input time: 5-10 sec / Acceptance: 5

Mobile application authentication
  Definition: Software that generates login codes
  Advantages: Quick and easy to use
  Drawbacks: In need of an internet connection
  Security: 3 / Usability: 5 / Input time: 5-10 sec / Acceptance: 5

Iris/eye recognition
  Definition: Scans the human iris
  Advantages: Unique for the user
  Drawbacks: Expensive
  Security: 5 / Usability: 2 / Input time: 10-20 sec / Acceptance: 3
6.2 Interview questions
The questions that we asked our source are based on what we concluded from all the articles that we have read, which makes them relevant to this paper.
7.0 Summary of the problem, objectives, methodology and expected outcomes
7.1 Discussion
A lot of users tend to use single-factor authentication, e.g. a password, since it is more convenient and faster for them. Users have been using passwords for many years and therefore it is hard to make them change their behavior and habits unless they are forced to do so, e.g. their bank, employer or the like forces them to accept the new technology. If users are forced to use 2FA they should have an option of how they want to do so, e.g. through a token or a smartphone application such as the widely used application “Mobilt bankID” here in Sweden.
A question that should be discussed before using/implementing 2FA is whether the information you want to protect really is worth the cost, both in time and money. Poorly executed 2FA solutions, e.g. a physical token, can be a problem if they are forced onto a user and lacking in quality, like being manufactured with cheap materials or coming with badly written instructions; this definitely affects the end user’s perception of the solution.
A simple solution for how more users could adopt 2FA is to use the smartphone as an authenticator, since many companies already offer phones for free to their employees; therefore it would be cost-efficient and make more sense to use technology that has already been made available and use it to send passcodes via text message or an application.
7.1.1 Value for the customer
At the end of the day security is not useful if nobody uses it, and that is why it is important to create value for the customer. By that we mean the user needs to have the sensation that this security measure is really important, not only for the user but also for the organization. If we go back to our comparative analysis we can see that there are many different security options and they vary in security, usability and acceptance. Usually when security goes up the usability goes down, and this relationship seems to be inseparable, because in every study we have read where users had been interviewed, they also complained about the complexity of logging in to a certain type of system because of the security measures. This we did not expect at all; our perception was that people would be happy if more security measures were used, especially when it comes down to money, business secrets and private information. However, this was not the case at all: users usually just want to get along with their work as smoothly as possible and not worry about different security measures. This perception also seems to vary depending on what country the study was made in; people that were interviewed in the USA had a more "annoyed" view of security. However, if we were to make a study in Sweden we think people would be more understanding and happy that their workplace had good security. The reason why we believe this is that in the USA the saying "Trust thy neighbour and love thy neighbour" is deeply rooted in their culture, so why should we use security? However, we believe this will change rapidly due to the conflicts in the world and bigger cyber-attacks against governments.
The conclusion we always end up with is that different businesses need different security supplements to their normal password. For instance, a bank is in need of 2FA, both for the security of the business and for the customer. A bank without 2FA is not that trustworthy in our opinion; 2FA is not 100% safe, but it is a lot safer than without 2FA. However, a news site with a code-generating token is not necessary either, because usability is more important than security in most cases. At the end of the day it is up to the stakeholders whether they want to be secure or not; they might save money in the short run, but in the long run something will happen. Just look at the Sony incident, where billions were lost in damage due to poor security. If they had just invested 1/10 of that sum in security it probably would not have happened.
7.1.3 The interview
As we can read in the interview, the security measures taken at the hospital are pretty serious compared to other occupations, but after all it is a hospital, and we think that people would want their hospital to be secure. However, this system was introduced in 2009; before that they only had one PIN code to access the different rooms, journals etc., and now they have about four different codes to remember and a very important CAC without which they cannot work. The CAC's plastic case also has the social security number and card number blacked out; just that little detail shows that nothing has been left unnoticed, and we were impressed that they had this level of security, but yet again it is a hospital, and a lot of sensitive information and drugs are stored there. We do not have a figure for how much this system cost, but we expect it is pretty expensive, and here the stakeholders took the decision to have a secure system to avoid any incidents.
7.1.4 Study limitations
We would have liked to do more studies of our own, where we interviewed users of different systems and compared them to each other to see if there is any pattern when it comes to 2FA security: do bigger companies use more security and do smaller companies use less security?
9.0 Confirmation statement
All students in our group have contributed to finishing this paper. No specific portion of the paper can be accredited to one person only.
………………………………………………….
Herman Engström
………………………………………………….
Joel Wikberg
………………………………………………….
Martin Larsson