A study of user authentication using mobile phone

Abstract

The number of different identities and credentials used for authentication towards services on the Internet has increased beyond the manageable. Still, the most common authentication scheme is based on usernames and passwords which are neither secure nor user-friendly. Hence, better solutions for simplified, yet secure authentication, is required in the future. This thesis present an authentication scheme based on a One-Time Password (OTP) MIDlet running on a mobile phone for unified authentication towards any type of service on the Internet. The scheme is described in detail by an analysis and a design model. Based on the analysis and design an implementation of a prototype has been developed using Java. The security aspects of scheme are thoroughly evaluated in a security evaluation which identifies threats, security objectives and possible attacks. The proposed solution offers a strong authentication scheme which can substitute many of the authentication schemes we are using to day. Not only can it replace the standard username/password scheme, but due to its security services it can also replace stronger schemes such as existing OTP and smartcard solutions. Therefore the solution is suitable for many services on the Internet which requires authentication such as Internet banking, corporate intranet, Internet stores and e-Government applications.