GRAPHICAL ONE TIME PASSWORD
IMPLEMENTED ON SMART BANKING
APPLICATIONS
NORASIDAH MD NOR
BACHELOR OF COMPUTER SCIENCE
(COMPUTER NETWORK SECURITY) WITH
HONOURS
UNIVERSITI SULTAN ZAINAL ABIDIN
2018
GRAPHICAL ONE TIME PASSWORD IMPLEMENTED ON SMART BANKING
APPLICATIONS
NORASIDAH MD NOR
Bachelor of Computer Science (Computer Network Security) with Honours
Faculty of Informatics and Computing
Universiti Sultan Zainal Abidin, Terengganu, Malaysia
AUGUST 2018
DECLARATION
This report is the result of my own investigation under the supervision of my supervisor, except for
quotations and citations obtained from other sources, which are fully referenced. I also
declare that this project has not been previously or concurrently submitted for any other degree or final
year project at Universiti Sultan Zainal Abidin.
_______________________________________
Name : NORASIDAH BINTI MD NOR
Date : ………………………………….
CONFIRMATION
This is to confirm that:
The research conducted and the writing of this report were under my supervision.
__________________________________
Supervisor : Dr Mohd Fadzil Bin Abdul Kadir
Date : ..................................................
DEDICATION
In the Name of Allah, the Most Gracious and the Most Merciful.
Praise be to Allah for blessing me with the ability to complete this final year project report.
Here I would like to express my heartiest gratitude to everyone who supported me in completing this report.
I would like to thank my supervisor Dr. Mohd Fadzil Bin Abdul Kadir for his
continuous support and supervision in completing this project. Thank you for brainstorming
ideas and solutions together with me, which illustrated the main idea and helped me understand
my project better. My appreciation goes to all members of the assessment panel for their valuable
feedback and comments on improving my project, especially during my
project presentation, which helped me improve my presentation skills and my project progress.
Not forgetting all lecturers of the Faculty of Informatics and Computing for their patience in teaching
and guiding me until this final year and for lending their hands in completing my project. Last
but not least, many thanks to my beloved family for being very supportive and giving advice that
brightened my spirit and encouraged me in this project.
ABSTRACT
Information has become one of the most valuable assets that must be protected in this
century and in the future. Many organizations have to provide a high level of security in
order to protect their customers' information, especially banking institutions, which
involve many parties and are usually the target of malicious actors. The authentication
system must be considered carefully, as it is one of the defences against cyber
security threats. An authentication system using a graphical one time password is proposed to solve
the problems faced by the user. First, the user has to create an account by signing up. In the
registration interface, the user enters a user id, phone number, email and other
details required by the institution. This user id and phone number are later used to authorise
the user to access the system. Initially the user is prompted with the login interface. In
this phase the user has to enter the user id registered earlier. The system then
checks the username in the data store. Next the user clicks Request AIC, which makes
the server send a graphical password to the registered phone number associated with the
user id entered on the login page. The user checks their MMS to obtain the
graphical password. Next, the user has to select, on the login page and within a specific time,
the image that matches the image received by MMS. The user then clicks the login button to send the
login request to the server. The server compares the password entered by the user with the
password sent to the user's phone number. If the passwords match, the user is
directed to the homepage. As information technology grows, the threats that aim to
steal information also increase. The problems that this project is developed to address
are that an unauthorised user can easily crack the login password of an
authorised user, the login process is exposed to man-in-the-middle attacks, and there is a
lack of security in alerting the user about unauthorised access to the account. The
proposed solution uses a combination of a graphical password and a one time password.
ABSTRAK (Malay abstract, translated)
Information has become one of the valuable things that must be protected in this
century and in the future. Many organisations need to provide a high level of
security to safeguard their customers' information, especially in banking
institutions, which involve many parties and are usually the target of bad actors.
The function of the authentication system needs serious consideration as one of the defences against
cyber security threats. An authentication system using a graphical one-time password
is proposed to solve the problems faced by the user. First,
the user needs to create an account by registering. In the registration section, the user
needs to enter a user id, phone number, e-mail and some other details
required by the institution. This user id and phone number will be used to
allow the user to access the system. Initially the user will be brought to the
login section. In this phase, the user needs to enter the user id
registered earlier. Then the system will check the username in the data store.
Then the user needs to click Request AIC to enable the server
to send a graphical password to the registered phone number associated with the user
id entered by the user at the login stage. The user needs to check
their MMS to obtain the graphical password. Next, the user needs to select
an image in the login phase based on the image received by MMS within a certain time.
Then, the user needs to click the login button to send the login request
to the server. The server will compare the password entered by the
user with the password sent to the user's phone number. If the password
matches, the user will be directed to the main page. As information technology
advances, the threats that seek to steal information also increase. The problems that exist,
which are the purpose for which this project is developed, are that unauthorised users
can easily crack the login password of authorised users,
the login process is exposed to man-in-the-middle attacks, and
there is a lack of security in alerting the user about unauthorised access to the
account. To propose a solution, the approach used is the
combination of a graphical password as a one-time password.
CONTENTS
DECLARATION i
CONFIRMATION ii
DEDICATION iii
ABSTRACT iv
ABSTRAK v
CONTENTS vi
LIST OF FIGURES viii
LIST OF ABBREVIATIONS ix
LIST OF APPENDIX x
CHAPTER TITLE PAGE
1 INTRODUCTION
1.1 Project Background 1
1.2 Problem Statement 2
1.3 Objectives 2
1.4 Scopes 2
1.4.1 Scope of User 2
1.4.2 Scope of System 2
1.5 Limitation of Works 3
1.6 Report Outline 4
2 LITERATURE REVIEW
2.1 Introduction 5
2.2 Graphical Authentication System 6
2.3 Graphical One-Time Password (GOTP) 9
2.4 Survey on One Time Password 10
2.5 Summary 11
3 METHODOLOGY
3.1 Introduction 12
3.2 System Requirement and Specification 13
3.2.1 Hardware 13
3.2.2 Software 13
3.3 System Design 14
3.3.1 Framework Design 14
3.4 Process Model 15
3.4.1 Context Diagram 15
3.4.2 Data Flow Diagram 16
3.5 Data Model 19
3.6 Algorithm 20
3.7 Summary 21
4 IMPLEMENTATION AND DISCUSSION
4.1 Introduction Implementation and Output 22
4.1.1 Deployment and Configuration 22
4.1.2 Interfaces 23
4.2 Test Analysis 28
5 CONCLUSION
5.1 Introduction 31
5.2 Expected Results 31
5.3 Conclusion 32
REFERENCES 33
APPENDIX A (Gantt Chart) 35
LIST OF FIGURES
FIGURE TITLE PAGE
3.1 Waterfall Model 13
3.3.1 Framework of Authentication System 14
3.4.1 Context Diagram 15
3.4.2.1 Data Flow Diagram (DFD Level 1) 16
3.4.2.2 Data Flow Diagram (DFD Level 2: Register) 17
3.4.2.3 Data Flow Diagram (DFD Level 2: Login) 18
3.5 Entity Relationship Diagram (ERD) 19
3.6.1 Graphical One Time Password and Algorithm Framework 20
4.1.2 Interfaces
a. Sign Up Phase 1 23
b. Login Phase 25
4.1.3.4 Message received in form of MMS 27
LIST OF ABBREVIATIONS / TERMS / SYMBOLS
AIC Access Image Code
CD Context Diagram
DFD Data Flow Diagram
E-Mail Electronic Mail
ERD Entity Relationship Diagram
FYP Final Year Project
GOTP Graphical One Time Password
MMS Multimedia Message Service
OTP One Time Password
SMS Short Message Services
LIST OF APPENDIX
APPENDIX TITLE PAGE
A Gantt Chart FYP 1 36
A Gantt Chart FYP 2 37
CHAPTER 1
INTRODUCTION
1.1 Project Background
Authentication is one of the important phases in securing a user account from
attack. The password technique is used to carry out the authentication
procedure. The approach commonly used until a few years ago was based on
textual, or alphanumeric, passwords. To provide secure authentication, the
password used must be strong and not easy to guess. However, for the password to
be strong it may have to be long or very complex, which makes it hard for the user
to remember. If the password is short and easy to remember, it may be vulnerable
to attackers. Years ago a new password scheme was developed to solve this problem.
The scheme was based on graphics, to help the user remember the password easily.
However, even though the technique can defend against threats, the approach still has
limitations: it cannot prevent some attacks, such as man-in-the-middle attacks, and
the password can still be guessed by an attacker using brute force. Thus the graphical
scheme is good for the user, but it also benefits shoulder-surfing attackers, because
an image that is easy for the user to remember is also easy for an observer to remember.
To create an authentication phase that is highly secure against these attacks, this project
proposes combining a graphical password with a random code generator, that is, a
One Time-based Password. Basically, the main requirements are almost the same as for a
numerical OTP. The difference between this project and other systems is the use of an image as
the OTP. This increases the level of security of the authentication phase, and the account is
more secure from attacks because the user has to enter the AIC sent to the registered phone
number. Thus it gives intruders no clue for brute force and prevents
unauthorised access and misuse of the system.
1.2 Problem Statement
Whenever an established institution wishes to provide mobile applications for its
customers, cyber threats also exist for both parties, especially for banking institutions,
where they can cause huge losses. The threats that motivate the development of this
application are that an unauthorised user can crack the login password easily, the login
process is exposed to man-in-the-middle attacks, and there is a lack of security in
alerting the user about unauthorised access to their account. These
problems grow alongside the development of information technology.
1.3 Objectives
1) To study the applications of the graphical password and the One Time-based
Password in real life.
2) To implement the Graphical One Time-based Password (GOTP) in the authentication
phase of an application.
3) To test the authentication phase that applies the Graphical One Time-based Password
as a solution to improve the security of the login session in mobile applications.
1.4 Scopes
1.4.1 Scope of User
This application involves the user and an external entity, which is the mobile
operator.
1.4.1.1 User
1) Insert user id, email and phone number for registration.
2) Upload images during the registration phase.
3) Insert the generated AIC during the login phase.
1.4.2 Scope of System
The scopes of the system include:
1.4.2.1 Sign up
The user has to sign up to the application by entering a user id, phone number and email
and choosing images at the registration phase. The details and the uploaded images are
stored in the database. The images are then used as the graphical one time password
during the login session.
1.4.2.2 Login
The user has to enter the registered user id and request the AIC. The generated AIC
is then sent to the user's phone number via MMS. The user has to click the image
displayed on the login page that matches the one sent by MMS to the registered phone
number for that username. If the user does not enter the correct password within the
specified time, the AIC expires. If the user enters the matching password in time, the
user is allowed to access the application.
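The sign-up and login flow described in the abstract and in sections 1.4.2.1 and 1.4.2.2, as an added Python example that is not part of the report's own implementation. It assumes a 120-second AIC validity window, a three-attempt limit, in-memory storage and a stub for the MMS gateway; names such as GotpServer and request_aic are made up for the illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


AIC_TTL_SECONDS = 120   # assumed validity window; the report only says "a specific time"
MAX_ATTEMPTS = 3        # assumed login-trial limit, in the spirit of the Jetafida scheme (2.2.1)


@dataclass
class Account:
    user_id: str
    phone: str
    email: str
    images: list        # identifiers of the images uploaded at registration


@dataclass
class PendingAIC:
    image_id: str       # the image sent by MMS: this is the one-time password
    expires_at: float
    attempts_left: int


class GotpServer:
    """Server side of the sign-up and login phases (constructed example)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._accounts = {}          # user_id -> Account   (stands in for the database)
        self._pending = {}           # user_id -> PendingAIC
        self.sent_mms = []           # (phone, image_id) pairs; stands in for the MMS gateway

    def register(self, user_id, phone, email, images):
        """Sign-up phase: store the details and the uploaded images."""
        if user_id in self._accounts:
            raise ValueError("user id already registered")
        if len(images) < 2:          # assumed: the login grid needs decoys to choose among
            raise ValueError("at least two images are required")
        self._accounts[user_id] = Account(user_id, phone, email, list(images))

    def request_aic(self, user_id):
        """'Request AIC': pick one of the user's images at random and MMS it to the
        registered phone. Returns False for an unknown id (a production system would
        answer identically either way so that valid ids are not revealed)."""
        acct = self._accounts.get(user_id)
        if acct is None:
            return False
        image_id = secrets.choice(acct.images)      # CSPRNG, not random.choice
        self._pending[user_id] = PendingAIC(image_id, self._clock() + AIC_TTL_SECONDS,
                                            MAX_ATTEMPTS)
        self.sent_mms.append((acct.phone, image_id))
        return True

    def login_grid(self, user_id):
        """Images shown on the login page, shuffled so position gives no clue (2.2.1)."""
        grid = list(self._accounts[user_id].images)
        secrets.SystemRandom().shuffle(grid)
        return grid

    def login(self, user_id, chosen_image):
        """Compare the image the user clicked with the AIC sent to the phone."""
        pending = self._pending.get(user_id)
        if pending is None:
            return "no-aic"                  # nothing requested, already used, or locked
        if self._clock() > pending.expires_at:
            del self._pending[user_id]
            return "expired"                 # AIC expires if not entered in time
        if hmac.compare_digest(pending.image_id.encode(), chosen_image.encode()):
            del self._pending[user_id]       # one-time: a captured AIC cannot be replayed
            return "ok"
        pending.attempts_left -= 1
        if pending.attempts_left == 0:
            del self._pending[user_id]       # block after repeated failures; a fresh AIC is needed
            return "locked"
        return "wrong"
```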
1.5 Limitation of Works
Even though this system provides a highly secure authentication phase for applications
that need a very secure login, providing a system that has a high level of security and
is also very user friendly at the same time is almost impossible. The best way to achieve
stability is to use an MMS gateway; however, the SMS/MMS gateway provider only
provides the basic function of sending SMS in the trial version, and the trial is
limited to 14 days. To use an email gateway, the OS must be an enterprise edition, which
includes the software needed to resolve the errors that occur.
Other than that, an internet connection is required to enable client-server
communication. Nevertheless, this research focuses on securing the
authentication phase of mobile-based applications.
1.6 Report Outline
This proposal consists of five chapters, each containing information and
description, and each section serves a different purpose. The first chapter is the
introduction. Chapter 1 covers the project background of the proposed secure
authentication phase, the Graphical One Time-based Password, the problem statement
explaining why this project is being developed, the objectives, the scope of the
proposed project, the milestones of the project, and lastly the report organisation.
Chapter 2 is the Literature Review of previous research on related topics from
articles, journals and other sources. This chapter briefly explains the technology,
algorithms, techniques and methods that have been implemented in that research.
References are taken from valid internet sources, articles, research papers, journals
and conference papers. Chapter 3 discusses the methodology applied to the proposed
project. It includes the system requirements, both hardware and software, needed to
complete the proposed project. It also illustrates the system design of the proposed
project, including the framework, process model and data model. The content of this
chapter is the methodology, techniques, approach and algorithm that will be employed in
the implementation described in the next chapter. Chapter 4 presents the implementation
and testing, in which the system is developed, the algorithm is implemented and the
system is tested. The last chapter, Chapter 5, is the conclusion and discussion. In this
chapter the results of the proposed system are discussed and the conclusion is drawn. It
also describes the achievement of the expected results, expectations and suggestions for
improving the results of the proposed project.
CHAPTER 2
LITERATURE REVIEW
2.1 Introduction
This chapter presents the literature review for the proposed Graphical One Time Password
implemented on mobile-based applications. The literature review carried out for this
proposed project concerns the graphical one-time password. A literature review covers
previous and current studies related specifically to the research problem, the solution
and the methodology, in order to understand the real state of the research. For a selected
topic, the literature review summarises prior research related and linked to the proposed
project. A literature review includes the process of surveying books, international
journals and articles, the internet and any other sources relevant to the research topic.
It is a discipline that establishes the credibility of a better project.
2.2 Graphical Authentication System
2.2.1 Security in Graphical Authentication
According to paper [3], authentication is the first line of defence for computer systems.
Only a strong authentication technique and systematic access control can stop and
prevent intruders. However, users do not prefer complex security mechanisms that
make their lives harder.
Traditionally, the common technique is based on alphanumeric text for creating a
username and password [7]. This technique is not very secure in use, because the
user may have trouble remembering a password that is too long and complex, while a
password that is too simple and short is vulnerable to attacks [18].
The human factor is the weakest link in security, and authentication is a critical point
because humans play important roles in security. Thus substitutes or supplements for the
old approach are needed to increase security and provide reliable authentication.
Around 2013, many new techniques were created that can be implemented
together with conventional usernames and passwords. The authentication technique most
commonly used is the knowledge-based technique, which covers both text- and picture-based
passwords.
Since humans find pictures easier to remember than text, an alternative to
traditional authentication, called the graphical authentication scheme, has been
suggested. With the graphical authentication technique, the user does not have to remember
a complex and difficult string of characters. Instead the user can pass the
authentication procedure simply by recognising or recreating the graphical password.
Paper [3] also describes three categories of graphical authentication
scheme: Drawmetric schemes, Searchmetric (Cognometric) schemes, and Locimetric
systems. There is also CAPTCHA, which is not based on recognising or recreating a
password like the other graphical passwords but relies on human (as opposed to
computer) ability to recognise obfuscated text displayed as an image. There are
also hybrid schemes made up of a combination of two or more schemes.
Paper [3] also includes a brief security analysis of shoulder surfing,
brute force attacks and spyware, each of which may lead to a security breach.
Every graphical password scheme uses a different technique, as described in the section
on security features of graphical passwords. The paper also mentions that a balance between
security and usability must be attained in order to develop a quality system.
However, it is not easy to achieve that balance. Some techniques provide
high usability but are less secure, while others are highly secure but lack usability. By
combining a few security features, the degree of security should increase. Almost all forms of
graphical password use decoys and randomly assigned features to reduce familiar
attacks. The positions of the images can also be shuffled so that they are not the same for
every authentication.
Another security feature, found in the Jetafida scheme, is limiting the number of
login trials. The user is blocked from accessing the next page after several failed login
trials. Attackers therefore usually will not try to guess every combination of username and
password to pass the authentication phase. One-time password techniques generate
random passwords and are commonly used with CAPTCHAs: the user has to
enter the randomly generated characters that complement the pass-image.
A graphical password scheme can provide a highly secure authentication
process by enabling users to remember a complex password easily. It can also be
used as a defence against shoulder surfing, Spybot and similar compromises of user systems.
A highly secure authentication system can be achieved by adding security
features to graphical user authentication.
2.2.2 The Shoulder Surfing Resistant Graphical Password Authentication Technique
This paper [2] discusses the password approach used to authenticate users. The
traditional method, the textual password, commonly known as the alphanumeric
password, has limitations in achieving authentication. This traditional method is too
vulnerable to attacks and nearby threats.
In addition, many people use the same password for all accounts or devices because
they can easily remember it. However, this lowers the level of security.
The new technique, the graphical password, has been developed as an alternative
to the traditional method.
In this paper, two types of graphical password approach are mentioned. The first
is recognition based and the second is recall based.
In the recognition-based approach, many pictures are displayed on the interface and the
user must identify the true images in the right sequence. In the recall-based approach, the user has
to re-enter the password that was chosen or created before, during
registration.
The paper states that, because an image is used as the password, it is easier for the user to
remember while at the same time difficult for an outsider to guess. These benefits make
it the best replacement for the traditional password. However, this
new technique has a few constraints, and the biggest threat is its vulnerability to shoulder
surfing attacks. Thus a new approach to the graphical password is proposed that is
secure from this attack and also from other possible attacks. The new approach is a
collaboration of two approaches, recognition based and recall based.
Paper [2] also explains recognition-based techniques.
In this technique, a set of random images is displayed to the user during sign up.
The user then selects a few images to create a password. In the login session, the user has
to recognise the images chosen during registration in the correct order.
Examples of recognition-based techniques are the Jensen et al. technique, the
ImagePass technique and the ColorLogin technique.
Besides recognition, the paper also explains and gives examples of recall-based
techniques. In this technique, to be authenticated the user has to enter (recall) the
same password that he or she created during sign up. There are two
categories: Pure Recall Based Techniques and Cued Recall Based Techniques.
Examples of Pure Recall Based Techniques are the Passdoodle technique, the Draw-a-
Secret (DAS) technique and the Signature technique. Examples of Cued Recall Based
Techniques are the Blonder technique, the PassPoints technique and the Passlogix V-Go technique. The
techniques mentioned are studied on the basis of security and usability metrics.
Some techniques fulfil the security requirements but do not completely satisfy the
usability metrics, and many of the approaches are weak against
shoulder surfing attacks. The paper states that the proposed technique is resistant to all
types of possible attacks, especially shoulder surfing, and attempts to balance the trade-off
between both metrics.
There are two steps to verifying the user's identity: first the sign-up phase,
and second the login phase. The paper also analyses how the system
works.
2.3 Graphical One-Time Password (GOTP)
2.3.1 Graphical Password as an OTP
This paper [3] studies the implementation of a graphical password as a one time
password. The authentication mechanism most often used is the combination of an alphanumeric
username and password. However, this traditional approach has
shown some disadvantages. Its significant consequences are that the user may
choose a simple password for the authentication process, or may create a strong password
that is hard for the user to remember. To overcome these
consequences, the graphical password has been proposed by some researchers. The graphical password is
a knowledge-based authentication mechanism. This approach uses pictures as an alternative to the
textual password. An authentication system that uses a graphical password works by letting
the user select pictures in the same sequence as selected when the password was registered.
Graphical passwords are classified into four main categories: recognition-based systems,
pure-recall-based systems, clue-recall-based systems, hybrid systems, and the existing system.
From this study, the recognition-based system (cognometric system)
involves identifying the images selected previously during registration of the
authentication details.
A graphical authentication mechanism based on the hash visualisation technique was
proposed by Dhamija and Perrig (2000). In the proposed scheme, the user has to
choose a few pictures from a group of random pictures generated by a program. The
user then has to identify the images selected during registration in order to be authenticated.
Their research showed that with graphical authentication 90% of all
participants succeeded in the authentication session, while only 70% succeeded using text-based
passwords and PINs. However, this technique takes more time than the traditional
approach in terms of average login time. They also mention that a disadvantage of this
technique is the need to store the details of each user's images in plaintext on the
server.
The second category of graphical password is the pure-recall-based system. In this
system, the user has to recreate the registered password without being given any clue,
indicator or suggestion. The user must click on a few items in the image in the
correct sequence to be authenticated. Next is the clue-recall-based system, or Iconmetric system.
In this system, the user is presented with a hint to help him or her recall the
password. This system is based on cued click points. It offers cued recall and introduces visual
cues that directly alert valid users if they have made a mistake while clicking a point. A
wrong click leads to an incorrect path, which results in authentication failure. A hybrid system
is a combination of several authentication schemes, while the existing system concerns
the generation of a secure one-time password based on image authentication.
From this study, they also mention some security issues that threaten users of an
authentication system. The issues are brute force attacks, dictionary attacks, guessing attacks,
spyware attacks, shoulder surfing attacks and social engineering attacks. These threats are a
challenge to securing user information in the cyber world. Two phases exist in
the proposed system: the registration phase and the login phase. They show in detail the flow of
the login and sign-up processes. In the implementation phase, they display the interface of
the system. They also show the result when the user enters the correct items and the output of
every action. The paper also displays a comparison of existing systems showing
which techniques are resistant to possible attacks and which are not. The research
aims to provide an extra layer of security for the existing authentication system by
combining a graphical password scheme with a one-time password. Even though the technique can
degrade performance, it can help increase the level of security of the
authentication session of any system.
2.4 Survey on One Time Password
This study [4] presents a survey carried out to gain more information
about one-time password techniques. According to paper [7], authentication is a process used
to protect resources from unauthorised users. However, this technique has some
disadvantages for the user. To solve these problems, multi-factor authentication is
implemented in the authentication session. The paper describes three types of method:
knowledge-based authentication, token-based authentication and biometric
authentication. Each type is briefly described in terms of how it functions in the authentication
phase.
In knowledge-based authentication, there are two types of password authentication
technique: the alphanumeric password and the graphical password. An alphanumeric password can be
easy to guess if it is too simple or easily remembered. If the password is
strong, then it may be difficult for the user to remember. To solve the problems of
the alphanumeric password, the graphical password is used. However, the graphical
password is also exposed to threats such as shoulder surfing attacks. In order to solve the
problems of both the alphanumeric and the graphical password, the researchers
conducted a comprehensive survey of existing OTP generation techniques, which can
probably solve these problems. From the survey, they found that many banks'
authentication systems currently use the technique to secure their banking environments.
An OTP is valid for only one login session. They also say that OTPs are basically divided into two
approaches. The first is based on a time-synchronisation token and the second on
a mathematical algorithm. The journal also describes these two approaches briefly.
The first approach is based on time synchronisation between the authentication server
and the client. A time-synchronisation OTP uses a piece of hardware called a security token.
The token contains an accurate clock that is synchronised with the clock on the server. In the
second approach, a mathematical algorithm is used to generate a new, unique password for
every login session. The OTP is generated based on a random challenge chosen by the
authentication server. The paper concludes that the growing use of one time
passwords can help provide a strong authentication process. The authors say there is a
need to implement a mechanism that generates one time passwords that are more
random and that expire before an attacker can recover the
password.
2.5 Summary
This chapter discussed previous research, journals and articles related to the proposed
project. It covers research on authentication systems, graphical passwords and some of the
algorithms proposed for the project, which provide ideas and guidelines to be used in the
project. The chapter highlights the feasibility study of the previous research and the
important points that need to be considered in this study. The sources for this study are
listed in the reference list. From this reading, the project will be refined.
CHAPTER 3
METHODOLOGY
3.1 Introduction
The methodology describes how the research achieves its objectives through the
development of the project. A suitable methodology makes the system more
systematic and effective and provides a theoretical analysis of the methods applied to a field
of study.
The methodology used to develop this proposed project is the Waterfall model. The Waterfall
model is a sequential software development model in which development flows
steadily downwards, like a waterfall, through several phases. Every step
proceeds in strict order without any overlap. The Waterfall model's steps are
requirement analysis, system design, implementation, testing, deployment and maintenance.
The advantages of the Waterfall model are that it is easy to understand and use, easy to manage due to
the rigidity of the model, and works perfectly for smaller projects where the needs are very well
understood. Requirement analysis is the process of gathering data and requirements by
studying existing systems, related journals or articles, and the literature review. Then the
development moves from concept to design. System design is the design of the system,
which includes the Context Diagram (CD), Data Flow Diagram (DFD) and Entity Relationship
Diagram (ERD). The development then moves to the implementation phase, in which the
system is developed in small units, breaking the large program into smaller programs.
The units from the implementation phase are used in the next phase, testing, in which
the main system is built by combining the smaller units developed earlier. In this phase,
testing and evaluation are done after the implementation phase is complete. Once the
testing phase, which consists of functional and non-functional testing, is done, development
moves to the next phase, deployment. The last phase is maintenance. In maintenance, there is an
evaluation for added enhancements and the success of the system is quantified.
Figure 3.1 Waterfall model
3.2 System Requirement and Specification
3.2.1 Hardware
Laptop with:
Processor: Intel Core i5 7th Generation
RAM: 8 GB
OS version: Windows 64 bit
External Hard Disk
USB Drive
3.2.2 Software
1) Notepad++
2) Xampp
3) PhpMyAdmin
4) Node.js
5) Cordova-plugin
6) Android-studio
7) Windows 10 64 bit
8) Mozilla Firefox/Google Chrome
9) Microsoft Word 2010
10) Microsoft PowerPoint 2010
3.3 System Design
3.3.1 Framework Design
This figure shows the framework of the authentication system, which involves the user, the interface (the login and registration phases), and the inner processes that connect the data store, the random code generator and the MMS gateway. The proposed system will be developed for a mobile-based environment.
Figure 3.3.1 Framework of Authentication System
3.4 Process Model
3.4.1 Context Diagram
Figure 3.4.1 Context Diagram
A context diagram defines, in general terms, the interaction of the entities with the system and also the boundaries of the system. It is the top-level view of the system. For this project, two entities are involved in the system: the user and the mobile operator. The incoming data flow from the user represents information about the user and the user's input, which is the user id entered during the login phase. The outgoing data flow to the user represents the information displayed to the user. The incoming data flow to the mobile operator is the information related to the authentication system, and the outgoing data flow is the AIC generated by the Apache server.
3.4.2 Data Flow Diagram (DFD)
3.4.2.1 (DFD Level 1 - User)
Figure 3.4.2.1 DFD (Level 1 - User)
This level defines the processes that the user must go through within the scope of this system. The user must register before using the system for the first time. The login input is only the unique user id registered earlier. This user id is then matched with the data in the User data store. The user then receives the AIC via MMS and has to enter the AIC (Access Image and Access Code) to be matched by the server. The user receives feedback of a successful login and the homepage is displayed.
3.4.2.2 DFD (Level 2 – Process 1.0: Register)
Figure 3.4.2.2 DFD - Level 2 (Process 1.0: Register)
This level describes the processes involved in the Register process. The user has to enter the registration details into the Register process. The entered details are checked by retrieving data from the User data store. If no error occurs, the system proceeds to the Add Registration Details process and feedback is displayed to the user. In this phase the user also needs to upload images, which are later used as the Access Image during the login session.
3.4.2.3 DFD (Level 2 – Process 2.0: Login)
Figure 3.4.2.3 DFD (Level 2 – Process 2.0: Login)
This level describes the processes that take part in the Login process. The user has to enter the user id registered earlier and send a request to the server for the AIC for login. The entered details are checked by retrieving data from the user database. If no error occurs, the system proceeds by sending the AIC to the registered phone number. Then the user has to enter the Access Image and Access Code to continue the Login process. The password is checked and, if no error occurs, the system proceeds to the Display Homepage process and feedback is prompted to the user.
3.5 Data Model
Figure 3.5 ERD of Graphical One Time Password implemented on Mobile Based
Applications
3.6 Algorithm
Figure 3.6.1 Graphical One Time Password Algorithm Framework
For this project, the algorithm used is the Graphical One Time Password. A Graphical One Time Password is an image that serves as the password and is valid for one login session only, at that time. The GOTP can be delivered to the user in a few ways, either by MMS or by email. In this system, the user enters the user id registered earlier and the server generates the Graphical One Time Password. The approach used is a Time-based Graphical One Time Password: the server has a synchronized clock which is synchronized with the client's GOTP clock, and the password generated by the server is only valid for a certain period of time. This algorithm is implemented to increase the level of security of the authentication phase by reducing the possibility of brute force and eavesdropping, and by preventing sensitive information from being stolen by an unauthorized party.
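The server side of the AIC lifecycle described above (random Access Image plus Access Code, valid for one login session and a limited time, delivered out of band by MMS), written as an added example; this is illustrative code, not the project's own PHP, and the code length, validity window, attempt limit and the in-memory data store are assumptions, since the thesis does not fix them.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Parameters assumed for illustration: the thesis fixes neither the code length nor
# the validity period of an AIC, only that it is valid for one login and a limited time.
CODE_DIGITS = 6
VALIDITY_SECONDS = 120
MAX_ATTEMPTS = 3
MIN_IMAGES = 7  # the sign-up phase requires at least 7 registered images


@dataclass
class Challenge:
    """One issued AIC: the Access Image picked from the user's gallery plus the Access Code."""
    access_image: str
    access_code: str
    expires_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class GotpServer:
    # user id -> identifiers of the images uploaded at registration (constructed data store)
    users: dict
    active: dict = field(default_factory=dict)

    def issue_aic(self, user_id: str, now: float) -> Challenge:
        """Generate the AIC that the MMS gateway would deliver to the registered phone number."""
        images = self.users[user_id]
        if len(images) < MIN_IMAGES:
            raise ValueError("user must have at least %d registered images" % MIN_IMAGES)
        # Both parts come from the CSPRNG, so neither is predictable from earlier AICs.
        image = secrets.choice(images)
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        challenge = Challenge(image, code, now + VALIDITY_SECONDS)
        self.active[user_id] = challenge  # a new request invalidates any pending AIC
        return challenge

    def verify(self, user_id: str, image: str, code: str, now: float) -> bool:
        """Accept the AIC only if it is pending, unexpired, unused and within the attempt limit."""
        challenge = self.active.get(user_id)
        if challenge is None or challenge.used or now > challenge.expires_at:
            return False
        if challenge.attempts >= MAX_ATTEMPTS:
            return False  # guessing budget exhausted; the user must request a new AIC
        challenge.attempts += 1
        # Compare both parts in constant time, and evaluate both so that a wrong image
        # does not return faster than a wrong code.
        image_ok = hmac.compare_digest(challenge.access_image.encode(), image.encode())
        code_ok = hmac.compare_digest(challenge.access_code.encode(), code.encode())
        if image_ok and code_ok:
            challenge.used = True  # one login session only
            return True
        return False


if __name__ == "__main__":
    # Constructed sample user with the minimum of 7 registered images.
    server = GotpServer({"user01": ["img%d.jpg" % i for i in range(1, 8)]})
    aic = server.issue_aic("user01", now=1000.0)
    print("sent by MMS:", aic.access_image, aic.access_code)
    print("first use:", server.verify("user01", aic.access_image, aic.access_code, 1010.0))
    print("replay:", server.verify("user01", aic.access_image, aic.access_code, 1011.0))
    late = server.issue_aic("user01", now=2000.0)
    print("after expiry:", server.verify("user01", late.access_image, late.access_code, 2200.0))
```

The expiry, single-use and attempt-limit checks are what turn a randomly chosen image and code into a one time password; without them the same AIC could be replayed or guessed at leisure.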
3.7 Summary
In this section, the methodology used is the Waterfall Model, which is suitable for any project. The system requirements include hardware and software, which play an important role in fulfilling the project requirements. For this project, I am using a mobile-based platform to implement the authentication system for smart banking applications. The main languages used to develop this system are HTML and PHP, and Cordova plugins are used to package it as a mobile application. This project is accompanied by documentation for each requirement, which enables users to review it for validation.
CHAPTER 4
IMPLEMENTATION AND DISCUSSION
4.1 Introduction Implementation and Output
The implementation process is one of the methods that has to be carried out to execute the project after the system design. The developed project must be implemented as a real prototype or as an integrated program-based service for the end user. After the implementation phase, the project is executed to test the functionality and the level of effectiveness of the project. During this phase, the proposed algorithm is applied throughout the development of the project. This chapter discusses the implementation, the deployment and also the result of the whole project after the development phase is complete.
4.1.1 Deployment and Configuration
In the deployment and configuration phase, the system requirements are deployed, which helps the development of the system run smoothly as planned. The hardware requirements are set up and tested to find out whether the hardware used is suitable for and compatible with the requirements of the system being developed. The project is converted into a mobile application using Cordova so that it can be displayed on a mobile phone as a mobile application. XAMPP is deployed as the localhost; it provides the Apache web server, phpMyAdmin and MySQL, which need to be configured and deployed to make the project a hybrid application. The One Time Password is configured and deployed using a random password generator included in the file that generates the OTP. To enable the AIC to be sent via MMS, the NowSMS API is used in the project, and to enable sending the OTP via SMS, the Vianett library is used.
4.1.2 Interfaces
The interfaces are the central part of mobile-based application development, as they display the flow of the system's interfaces.
a. Sign Up Phase
The sign up phase of this system consists of two sections. In the first section the user has to enter details about the user, and in the second section the user has to upload images, which are used during the login phase as the Graphical One Time Password, also called the Access Image.
Figure 4.1.2.1 Sign Up (phase 1)
In the first phase, the user has to create an account by entering the user id, phone number, user email and account type for the smart banking application. These details are stored in the bank data store for use in the Login Phase. The data is stored once the user fills in valid details and clicks the Register button.
Figure 4.1.2.1 Sign Up (phase 2)
In the second phase, the user has to choose at least 7 images. More than 7 images are required because the images are used at random as the Access Image in the login phase. The more images are used, the more secure the login section, as the number of guesses needed for a brute force attack increases.
b. Login Phase
The login phase of this system consists of 3 sections. In the first phase of login, the user has to enter the user id only.
Figure 4.1.3.1 Login (phase 1)
In the login phase, the user first needs to enter the user id in the first login phase. The system checks whether the user id is valid and exists in the data store. If the data matches, the user is directed to the second login phase.
Figure 4.1.3.2 Login (phase 2)
In this second phase, the user has to send a request for the AIC to the server. The AIC is sent via MMS to the registered phone number associated with the user id. Once the user has checked the password received in the MMS inbox, the user can select the image shown in the received MMS. Authentication succeeds when the selected Access Image and the entered Access Code match the AIC sent to the phone number.
Figure 4.1.3.3 Login (phase 3)
Figure 4.1.3.4 Message received in form of MMS
4.2 Test Analysis
4.2.1 Types of Testing
In system testing, there are many types of testing that can be applied to find out whether the system achieves the user requirements during the testing phase. The types of testing used must be suitable for testing the functionality of the whole system being developed. In this process each section of the system is tested, and an evaluation is made of the differences between the given input and the expected output, features and applications. The verification process is the process of confirming that the application effectively satisfies all the requirements of the system defined during the first phase of the project. Validation is the process of confirming that the application meets the specified requirements of the planned project at the final phase of development. In this project, the application is tested using black box testing and white box testing, where the testing focuses on the design, interfaces, basic functionality and security.
4.2.1.1 Black Box Testing
Black box testing is a testing technique that analyses and focuses on the behaviour of the application, while its internal structure, components and implementation remain unknown to the tester or user. In simple words, the tester tests the application without knowing the code or the internal structure of the system. This testing is done from the user's point of view without knowing the background process, that is, mostly on the front end. This process is used to detect errors such as dysfunctional interfaces, system performance or behavioural errors, external database access errors, errors in the data structure of the application, interface errors and missing functions of the application.
4.2.1.2 White Box Testing
White box testing, also known as Code-Based Testing, is a technique that tests the internal structure or implementation, which is known to the tester. This testing focuses on the system or on the structure of the system components. The technique is carried out at the integration level and requires the user or tester to understand the internal structure of the program. This testing is used to detect the flow of specific inputs and outputs by analysing the code, the syntax or poor performance in the code, and the expected functions and functionality of the application.
4.2.2 Test Case
Test Case 1
Test Case Name: Sign Up
Application: Smart Banking Applications
Step | Procedure | Expected Result | Result
1 | Insert User Id, Phone Number, Email and choose Account Type | Save the inserted data into the database | Success
2 | Click 'Next' button | Application proceeds to step 2 of the registration phase | Success
3 | Click 'Choose Files' button | Application opens the gallery of images | Success
4 | Click 'Sign Up' button | The selected images are saved into the database | Success
5 | Repeat steps 1 to 4 without filling in the form | Cannot proceed to the next phase | Success
6 | Log Out Account | Log out redirects to the Logout page with the option to log in again | Success
Table 4.2.2.1 Test Case for Sign Up and Logout
Based on Table 4.2.2.1, only a user who completes both steps of registration can proceed to the next phase.
Test case 2
Test Case Name: Login
Application: Smart Banking Applications
Step | Procedure | Expected Result | Result
1 | Insert correct User Id | Verify the user | Success
2 | Click 'Login' button | Application redirects the user to step 2 of login | Success
3 | Repeat steps 1 and 2 with a false username | Application displays an error message | Success
4 | Click 'Request AIC' | Application sends the AIC to the phone number | Failed
Table 4.2.2.2 Test Case for Login
Based on Table 4.2.2.2, the user enters the AIC, which consists of the Access Image and Access Code received via MMS, into the login session, and it is then verified.
CHAPTER 5
CONCLUSION
5.1 INTRODUCTION
This section concludes the documentation of this project in terms of concept, algorithm, methodology and design.
5.2 EXPECTED RESULTS
The expected result of this project is that the authentication phase of the mobile application helps users secure their important information. This system also provides users with an effective and efficient authentication phase, and it can be implemented in any mobile-based application proposed by important institutions that need to secure their customers' information and protect their valuable data.
5.3 CONCLUSION
This chapter discusses the overall summary of this project, the expected results, and suggestions to improve the project in the future. The Graphical One Time Password has met its aims by providing a high level of security to the user against threats. This project consists of four sections. The first is planning, which includes the feasibility study and the review of previous research and projects. The second is the design and the proposed solution methodology, which includes the Waterfall model, the system requirements, the process model, the data model and the proposed approach; this phase is important because its data is used in the next step. The next section is implementation, testing and results, in which the system design and approach are developed into a prototype. The last section is the discussion and conclusion of the overall project. This project is expected to help all users to have a highly secure authentication system to protect their information. For future work, this project is expected to be upgraded into a more secure system that is at the same time user friendly, with usability and security in balance, so that it can be used by everyone. Hopefully this project will gain additional functions: details about the device that requests the AIC will be sent to the registered email as an alternative to the phone number, and this information can be used for forensic tasks if unauthorized use of the account occurs, along with further benefits that make users' lives easier while providing a high level of security.
REFERENCES
[1] Robert G. RittenHouse, Junaid Ahsenali Chaudry and Malrey Lee, "Security in Graphical Authentication", International Journal of Security and Its Applications, Vol. 7, No. 3, May 2013.
[2] Mrs. Aakansha S. Gokhale, Prof. Vijaya S. Waghmare, "The Shoulder Surfing Resistant Graphical Password Authentication Technique", 7th International Conference on Communication, Computing and Virtualization 2016, Procedia Computer Science 79 (2016) 490–498.
[3] Veena Rathanavel, Swati Mali, "Graphical Password as an OTP", International Journal of Engineering And Computer Science, ISSN: 2319-7242, Vol. 6, Issue 1, Jan. 2017, 200090–200095.
[4] Nilesh Khankari and Geetanjali Kale, "Survey on One Time Password", International Journal of Computer Engineering and Applications, Vol. IX, Issue III, March 15.
[5] Neha Vishwakarma and Kopal Gangrade, "Secure Image Based One Time Password", International Journal of New Innovations in Engineering and Technology, ISSN: 2319-6319, Vol. 6, Issue 1, October 2016.
[6] Salim Istyaq and Lovish Agrawal, "A New Technique For User Authentication Using Numeric One Time Password Scheme", International Journal of Advanced Trends in Computer Science and Engineering, E-ISSN: 2347-2693, Vol. 4, Issue 5, June 2016.
[7] Nurul Afifah Binti Asri, "Android Based Mosque Management Application", Final Year Project 2017.
[8] Nur Farah Afifah Binti Ahmad Sukri, "Lab Scheduling System (LSS) using Genetic Algorithm", Final Year Project 2015.
[9] R. Selva Bhuvaneshwari et al., "Secured Password Management Technique Using One-Time Password Protocol In Smartphone", International Journal of Computer Science and Mobile Computing, Vol. 3, Issue 3, March 2014.
[10] Ting-Yi Chang et al., "A graphical-based password keystroke dynamic authentication system for touch screen handheld mobile devices", Journal of Systems and Software, Volume 85, Issue 5, May 2012.
[11] Jones et al., "System and Method for Authenticating A User Using A Graphical Password", United States Patent, US 8,347,103 B2, Jan 2013.
[12] Haichang Gao et al., "A New Graphical Password Scheme Resistant to Shoulder-Surfing", International Conference on Cyberworlds, December 2010.
[13] Wazir Zada Khan et al., "A Graphical Password Based System for Small Mobile Devices", IJCSI International Journal of Computer Science Issues, Vol. 8, Issue 5, No. 2, September 2011.
[14] Hsin-Yi Chiang and Sonia Chiasson, "Improving User Authentication on Mobile Devices: A Touchscreen Graphical Password", MOBILE HCI 2013 - SECURITY AND PRIVACY, August 2013.
[15] Won et al., "Apparatus and Method for Inputting Graphical Password Using Wheel Interface In Embedded System", United States Patent, August 2011.
[16] Mennes et al., "Strong Authentication Token Generating One-Time Passwords and Signature Upon Server Credential Verification", United States Patent, October 2012.
[17] Sarohi et al., "Graphical Password Authentication Schemes: Current Status and Key Issues", International Journal of Computer Science Issues (IJCSI), Vol. 10, Issue 2, Part 1, Mar 2013.
[18] https://www.google.com/search?q=waterfall+model&client=firefox-b&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjCyonCvpjbAhXFOY8KHVPyDiIQ_AUICigB&biw=1708&bih=818#imgrc=SGUEr1iCRVRQHM:
[19] https://www.google.com/search?q=MMS+API&client=firefox-b-ab&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjF8tabnODcAhXEfysKHTaoBVEQ_AUICygC&biw=1252&bih=600#imgdii=fTgQgjsdTi0ZiM:&imgrc=vEPWhk5b2Vr8xM:
APPENDIX A
GANTT CHART
Gantt Chart (FYP 1): activities scheduled over weeks 1 to 16 (the week allocation of each activity is shown as shading in the original chart and is not preserved in this text version)
1) Discuss the title of the final year project with supervisor
2) Submission of the title and abstract of the project
3) Specification of problem statement, objectives, scope and literature review
4) Preparation for proposal presentation
5) Proposal presentation
6) Proposal correction and proposed solution methodology
7) Design CD, ERD and DFD
8) Documentation of proposal
9) Report submission to the supervisor (Chapter 1 & Chapter 2)
10) Report submission to the supervisor (Chapter 3)
11) Designing the interface
12) Prepare slides for final proposal presentation
13) Final presentation for FYP1
14) Final report submission to supervisor
15) Final Report submission
Gantt Chart (FYP 2): activities scheduled over weeks 1 to 10 (the week allocation of each activity is shown as shading in the original chart and is not preserved in this text version)
1) Project Meeting with Supervisor
2) Project Development
3) Project Meeting with Supervisor
4) Project Progress Presentation
5) Project Development and Project Testing
6) Report and Seminar Registration
7) Project Meeting with Supervisor
8) Online Submission of Poster Link
9) Seminar Presentation & Panel's Evaluation
10) Submission of Full Report to Supervisor
11) Finalizing Report and Documentation of The Project
12) Submission of Hardcover to FYP Coordinator
13) Report, Logbook Submission