Upload: hamdi-jaber

Post on 26-Jan-2017


Page 1: Securing e-Government Web Portal Access Using Enhanced Authentication System

SECURING E-GOVERNMENT WEB PORTAL ACCESS USING ENHANCED AUTHENTICATION SYSTEM

Thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in Information Technology Engineering.

The Libyan Academy
School of Engineering and Applied Science
Department of Electrical and Computer Engineering
Division of Information Technology

By: Hamdi Ahmed Jaber

Under Supervision of: Dr. Elbahlul Fgee

Page 2:

The thesis proposes an advanced authentication solution that strengthens the authentication of e-government web portal users and avoids the drawbacks of two-factor authentication systems that previous studies have not covered.

Introduction

Page 3:

• User ID and password is the most commonly used authentication mechanism.
• A password authentication mechanism has many shortcomings.
• Passwords are at the edge of breaking down, especially in web environments.
• They are not secure enough for huge sensitive systems like e-government, banking and online payment systems.

Page 4:

Two-factor authentication is an approach to authentication that requires the presentation of two or more of the three authentication factors:
• a knowledge factor (something only the user knows)
• a possession factor (something only the user has)
• an inherence factor (something only the user is).

After the first factor is presented, the other factor is required to validate the user's identity.

Something a user ...
Knows             Has                  Is
Password          Smart card           Fingerprints
PIN               Cryptographic key    Retina
Secret question   USB token            Iris
                  SIM card             Face
                  OTP generator        Hand geometry

Page 5:

Problem statement: Armor the e-government web portal with a two-factor authentication system that avoids the following drawbacks of TFA:
• Cryptographic attacks: These attacks directly target the cryptographic algorithms.
• Untrustworthy interface (phishing): Trojans, viruses and key logging.
• Theft/loss of the authentication token
• Man-in-the-middle attacks
• Eavesdropping: The communication between two contactless devices can be eavesdropped from a certain distance.

Page 6:

Motivation
• Provide shielding for the e-government web portal and its users from known security attacks that try to gain access to their accounts.
• Provide a strong, secure e-government web portal authentication system that avoids the drawbacks of traditional two-factor authentication methods.
• Obtain a higher authentication security guarantee than when using a static password only or traditional two-factor authentication technologies.

Page 7:

Proposed Solution

This thesis proposes an advanced authentication system that has high security and decreases the risk of illegal access to the e-government web portal by using a multi-step authentication system that involves two authentication factors:
a. Something only the account owner (user) knows
b. Something only the account owner (user) has or gets

It will also provide a specially designed image-based authentication step as an added layer of security to resist illegal authentication threats.

Page 8:

Internet portals' general security needs
• Authentication: Process of verifying that the user is who he says he is.
• Authorization: Process of verifying whether the user has the rights to do what he is trying to do.
• Confidentiality: Capability to prevent unauthorized access to information.
• Integrity: Capability to prevent unauthorized modification of the data.
• Traceability: Capability to log every transaction's details for auditing.

Note: This thesis is about securing the authentication process.

Page 9:

Web portals authentication security threats
1. Replay attack
2. Session hijacking
3. Phishing
4. Man-in-the-middle
5. Insider attacks
6. Malware
7. Password discovery attacks
8. Shoulder surfing
9. Social engineering attacks

Page 10:

Two-factor authentication success criteria
• Customer acceptance
• Token management difficulty
• Credential replacement
• System costs

Also, tamper evidence, detection and response play an important role in the security of authentication methods. The solution will provide strong detection of, and response to, any illegal attempt to access the system.

Page 11:

Authentication technologies
1. Shared secret
2. Digital certificate
3. One-Time Password (OTP)
4. Tokens with display (disconnected tokens)
5. Connected tokens
6. Magnetic stripe cards
7. Software tokens
8. Mobile phones
9. Biometrics
10. Image based authentication

Page 12:

Methods using mobile phones
1. One time password via SMS
2. One time password via phone calls
3. Mobile application/software token
4. Push notification
5. Mobile signature

Page 13:

Targeted Solution

An advanced multi-step two-factor authentication system that prevents unauthorized access to the system, or at least reduces it, even when the attacker has the correct login credentials (ID/password) and can overcome the second authentication factor.

The solution will be usable with the e-government web portal and can be distributed among the public users of such a huge system. It is affordable and easy to implement and use for ordinary people.

Page 14:

Thesis gathered data from:
• Tests of methods that are widely used in two-factor authentication systems
• Online survey
• Previous studies
• Technical comparisons and trade-offs
• Designed solution implementation

Page 15:

Required criteria for an e-government web portal TFA system
• Ease of distribution to the public
• Cost effectiveness
• Usability
• Strength of delivery
• Authentication process time

Page 16:

Compared second factor authentication methods:
• Disconnected hardware token
• Connected hardware token
• Short messaging system (SMS)
• Mobile phone software token
• Smartphone push notification
• E-mail message
• Biometric (fingerprint)
• Biometric (iris recognition)

Page 17:

Tested authentication methods:
• Mobile phone software token
• Short messaging system (SMS)
• Smartphone push notification
• E-mail message

Page 18:

Technical aspects: Cost effectiveness for the system owner and system users
• Implementation cost
• Token issuance cost
• Maintenance cost
• Token replacement cost

Page 19:

Technical aspects: cost effectiveness for the system owner

Page 20:

Technical aspects: cost effectiveness for the system users

Page 21:

Technical aspects: Outcome cost effectiveness for the system owner and system users

Page 22:

Technical aspects: Usability attributes per ISO 9241-11
• Effectiveness: The users can do the tasks without making mistakes.
• Efficiency: The users can complete the tasks in a reasonable time and with reasonable effort.
• Satisfaction: The user finds the product to be effective and efficient.

Page 23:

Technical aspects: Two-factor authentication usability criteria
• Need for a special end user hardware token
• Need for a special end user reader
• Need for special software/driver
• Need for end user training/special instructions
• Need for configuration by the end user
• End user ability to edit configuration
• Access to the portal without a PC (only with a smart phone)
• Token mobility with the end user
• Loss portability

Page 24:

Technical aspects: Total usability value of the eight suggested methods (Higher is better)

Page 25:

Online survey

An online digital survey was created and distributed to the public via the web to gain information from a random sample of people and collect the required information that helps in identifying the importance, acceptance and most-liked methods that a normal person may prefer to use as a second authentication method for the e-government web portal.

Page 26:

Online survey: participants' age range

Age range             Persons participated
18 – 25 years         39
26 – 33 years         54
34 – 40 years         48
41 – 48 years         21
49 – 56 years         9
57 – 64 years         3
More than 64 years    0
Total                 174

Page 27:

Online survey: participants' qualification

Qualification             Persons participated
Below average education   2
Average education         7
High school               53
High diploma              44
Bachelor degree           65
Graduate studies          3
Total                     174

Page 28:

Online survey: participants' daily internet usage

Internet usage          Persons participated
Less than 30 minutes    27
30 minutes – 1 hour     31
1 hour – 2 hours        21
2 hours – 4 hours       38
More than 4 hours       57
Total                   174

Page 29:

Online survey: participants' preferred second factor authentication method

Method                          Participant votes
Biometric (fingerprint)         135
Mobile phone SMS                112
Mobile phone software token     105
Biometric (eye retina)          90
Mobile phone push               67
E-mail message                  59
Connected hardware token        43
Disconnected hardware token     24

Page 30:

Online survey: Other results

• 33% of the participants (58 persons) are using internet services that use confidential data or run sensitive transactions.
• 54% of the participants (94 persons) were willing to carry an additional hardware token.
• 42% of the participants (73 persons) were willing to buy additional hardware to scan biometrics, while 58% (101 persons) refused.
• 37% (65 persons) were willing to install additional software or drivers on their personal computers or smart phones to gain access to the e-government web portal.
• 99% (172 persons) said they need to access the e-government web portal from their smart phones or tablet PCs.

Page 31:

Two-factor authentication methods test

The services of two cloud TFA service providers at two different geographic locations in Libya (Tripoli city and Benghazi city) were tested during this thesis preparation, to use the test output to verify the difference between the suggested TFA methods and help choose the best one for the e-government web portal.

The methods tested are:
• Mobile phone software token
• Short messaging system (SMS)
• Smartphone push notification
• E-mail message

Page 32:

Test results - Software token

Strength of delivery and time of process:
• The software token is software previously installed and configured on a smart phone.
• It has a high strength of delivery and zero time of process, as it works in the background on the smart phone.
• It generates a new OTP every 60 seconds that can be used any time just after opening the software token application.
• The drawback of this method comes from the need for a smart phone. If the user has a normal old-fashioned mobile phone, he simply cannot use the software token.

Page 33:

Test results - Mobile phone SMS

Strength of delivery:

Page 34:

Test results - Mobile phone SMS

Strength of delivery:

Page 35:

Test results - Mobile phone SMS

Time of process:

Page 36:

Test results - Mobile phone SMS

The excellence of the mobile phone SMS method comes from the fact that almost everyone uses mobile phone services, and this method can work on any mobile network and any mobile phone device from the second generation to the fourth generation without any need for an internet connection, special software or even a smart phone.

The drawback is when there is no mobile phone service in the area from which the user is trying to log in to the system.

Page 37:

Test results - Mobile push

Strength of delivery:
• Mobile push has optimum strength of delivery without any loss in the process.
• The drawback of the mobile push method is that it does not work if the user does not have a wireless internet connection or mobile broadband.
• Also, like the software token, it is originally a mobile application that has to be installed and configured previously on the smart phone.

Page 38:

Test results - Mobile push

Time of process:

Page 39:

Test results - E-mail message

The strength of delivery of the e-mail system is very high unless the received e-mail is considered spam by the e-mail system the user is using.

Page 40:

Test results - E-mail message

Page 41:

Note: Biometrics and hardware tokens have a very good strength of delivery and low process time, but they have other drawbacks in usability, cost and the other discussed requirements when implementing two-factor authentication with the e-government web portal.

Page 42:

Proposed authentication system

• This thesis proposes a solution that uses strong multi-step two-factor authentication by utilizing mobile phone SMS technology.
• Turning a phone into an authentication device quickly solves the need for, and the additional cost and delays of, sending out hardware tokens.
• The mobile phone SMS is used to send a randomly generated, time-based one-time password as a second authentication factor.
• The authentication server's generation algorithm generates the OTP, and a mobile SMS gateway service delivers it to the user.

Page 43:

Proposed authentication system

Besides the one-time password, the system sends the following information in the SMS:
• Session ID (each login attempt has its own session ID with an assigned OTP)
• Login request time
• Login request location (the system determines it by IP address)
• Browser type
• Operating system platform

These details are sent to make sure that the user is aware of the login he or she is verifying. This is vital to avoid any possibility of man-in-the-middle and real-time phishing/pharming attacks.
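The server side of the SMS step on pages 42 and 43, as an added example that is not the thesis's own code: each login attempt gets its own session ID, the OTP is bound to that session and stored only as a hash, expires after a short window, is single-use and has a bounded number of tries, and the SMS text carries the session details so the user can recognise the login being approved. The OTP length, lifetime, attempt limit and all sample values are assumptions; the location string stands in for whatever IP geolocation the portal uses.

```python
# Added example: session-bound SMS OTP handling for the described login flow.
# Not from the thesis; OTP_DIGITS, OTP_TTL_SECONDS, MAX_ATTEMPTS and all
# sample values are constructed.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6           # assumed code length
OTP_TTL_SECONDS = 120    # assumed validity window
MAX_ATTEMPTS = 3         # assumed tries before the session is dead


@dataclass
class LoginSession:
    session_id: str
    national_id: str
    requested_at: float
    location: str        # derived from the client IP (geolocation assumed)
    browser: str
    platform: str
    otp_hash: bytes = b""
    attempts: int = 0
    used: bool = False


def _hash_otp(session_id: str, otp: str) -> bytes:
    # Binding the OTP to its session ID means a code captured from one
    # login attempt is useless against any other attempt.
    return hashlib.sha256(f"{session_id}:{otp}".encode()).digest()


def start_session(national_id, location, browser, platform, now=None):
    """Create a login session and return it with the plaintext OTP to send."""
    now = time.time() if now is None else now
    session = LoginSession(secrets.token_hex(8), national_id, now,
                           location, browser, platform)
    otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"  # uniform, fixed width
    session.otp_hash = _hash_otp(session.session_id, otp)      # store hash only
    return session, otp


def sms_text(session: LoginSession, otp: str) -> str:
    """Compose the SMS with the context the thesis lists beside the OTP."""
    ts = time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(session.requested_at))
    return (f"e-Gov login code: {otp}\n"
            f"Session: {session.session_id}\n"
            f"Time: {ts}\n"
            f"Location: {session.location}\n"
            f"Browser: {session.browser}\n"
            f"OS: {session.platform}\n"
            f"If you did not start this login, do not enter the code.")


def verify_otp(session: LoginSession, submitted: str, now=None) -> str:
    """Return 'ok' or a reason string; enforces single use, expiry and attempt limit."""
    now = time.time() if now is None else now
    if session.used:
        return "rejected: session already used"
    if now - session.requested_at > OTP_TTL_SECONDS:
        return "rejected: expired"
    if session.attempts >= MAX_ATTEMPTS:
        return "rejected: too many attempts"
    session.attempts += 1
    # Constant-time comparison avoids leaking how many bytes matched.
    if hmac.compare_digest(_hash_otp(session.session_id, submitted), session.otp_hash):
        session.used = True
        return "ok"
    return "rejected: wrong code"
```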

Page 44:

Proposed authentication system

• The suggested solution uses the Libyan government national ID, a unique number assigned to each Libyan citizen that never changes during his life, together with a password, to initiate the login process.
• To protect the users from key-logging and similar attacks, the password is only writeable via the portal's built-in on-screen keyboard.

Page 45:

Proposed authentication system

In the final process step, the system uses an image-based authentication technology that:
• Displays 12 pictures from 12 different categories (national, ancients, desert, animals, flowers, cars, electronics, furniture, buildings, tools, people and food).
• The user should select a photo that belongs to the category assigned to his account during account creation.

This step adds an additional layer of protection to the authentication process against attacks that may happen after theft of the mobile device and compromise of the password by the attacker.
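The server side of this image step, as an added example that is not the thesis's own code: one image is drawn from each of the 12 categories, the set is shuffled, and each image is exposed to the browser only under a random per-challenge token, so the page reveals nothing about which picture belongs to which category; the server keeps the token-to-category map and checks the pick against the category fixed at account creation. The category names are the thesis's; the image library and file names are constructed.

```python
# Added example: challenge generation and verification for the image-based
# step. Not from the thesis; IMAGE_LIBRARY and file names are constructed.
import secrets

CATEGORIES = ["national", "ancients", "desert", "animals", "flowers", "cars",
              "electronics", "furniture", "buildings", "tools", "people", "food"]

# Constructed sample library: category -> image files held on the server.
IMAGE_LIBRARY = {c: [f"{c}_{i:02d}.jpg" for i in range(1, 6)] for c in CATEGORIES}

_rng = secrets.SystemRandom()


def make_challenge(library=IMAGE_LIBRARY):
    """Return (client_view, server_state) for one image-authentication round.

    client_view: the 12 opaque tokens the browser uses to fetch the pictures.
    server_state: token -> (category, file), kept server-side only, so the
    HTML never names a category or a category-revealing file name.
    """
    server_state = {}
    for category in CATEGORIES:
        image = _rng.choice(library[category])
        token = secrets.token_urlsafe(16)
        server_state[token] = (category, image)
    client_view = list(server_state)
    _rng.shuffle(client_view)          # grid position carries no information either
    return client_view, server_state


def resolve_image(server_state, token):
    """Map a token back to the file to serve, or None for an unknown token."""
    entry = server_state.get(token)
    return entry[1] if entry else None


def verify_pick(server_state, account_category, picked_token):
    """True only if the token belongs to this challenge and its category
    matches the one assigned to the account at creation time."""
    entry = server_state.get(picked_token)
    return entry is not None and entry[0] == account_category


def guess_success_probability(attempts):
    """Chance that blind guessing passes within `attempts` tries: one picture
    in twelve is right each round, so the step needs the same attempt limit
    and lockout as the OTP step to be meaningful."""
    return 1 - (11 / 12) ** attempts
```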

Page 46:

Proposed authentication system

The details of every successful and failed login attempt are sent to the account owner's default mobile phone via SMS and to the default e-mail address. These details are the same as in the first message, with the status of the login (succeeded or failed). This confirmatory feedback feature helps in detecting tampering and illegal login attempts, and allows the account owner to take the required action or actions and report such an incident quickly to the e-government authority.

Page 47:

Proposed alternative authentication method to be used as a backup

Any good system should have a high level of usability, minimum administration effort and, of course, a good plan for emergencies.
• A procedure with a few steps should be implemented to recover a forgotten password without any interaction of the system administrators.
• The e-mail service will be used to deliver the OTP in case the user loses his mobile phone through theft or damage, or simply cannot reach it. He should follow another procedure to receive the OTP via the e-mail service.

Page 48:

Proposed authentication system

Step 1: Initial login step

Page 49:

Proposed authentication system

Step 2: Choosing mobile number to receive OTP

Page 50:

Proposed authentication system

Step 3: Receiving the SMS message containing the OTP and login session details

Page 51:

Proposed authentication system

Step 4: Entering the received one-time password

Page 52:

Proposed authentication system

Step 5: Image based authentication step

Page 53:

Proposed authentication system

Step 6: Successful login to the system

Page 54:

Proposed authentication system

Final confirmatory feedback SMS message (Traceability)

Page 55:

Results summary

The proposed solution protects e-government web portal access from security threats using a strong multi-step two-factor authentication system that:
• Provides strong multi-step two-factor authentication using the National ID and a password that is only writeable via the portal's built-in on-screen keyboard
• Uses a one-time password that the system generates and sends via SMS or e-mail (including login session ID, login request time, login request location, used browser and OS details)
• Uses an image based authentication step that relies on image category recognition
• Is mutually authenticated and speaks over SHA-256 Transport Layer Security (TLS) encrypted channels between client and server

Page 56:

Results summary

• Avoids the known drawbacks of two-factor authentication systems
• Provides cost-effective, user-friendly and highly secure authentication
• Uses the mobile phone SMS as the user's second authentication token
• Uses the e-mail system as a backup second authentication token
• Easy to use for any regular user, with no additional hardware or special training
• Easy to deploy solution for a large enterprise
• Does not rely on username-and-password-only authentication, which is not secure anymore in such an enterprise system

Page 57:

Security limitations that are solved by the proposed solution

It overcomes the security limitations of traditional two-factor authentication systems and the vulnerabilities of mobile devices like:
• Untrustworthy interface
• Theft/loss of the device
• Man-in-the-middle attacks
• Cryptographic attacks
• Eavesdropping
• Human vulnerability factors like a compromised password are also covered by the proposed solution.

Page 58:

Mobile phone SMS two-factor authentication limitations the proposed solution overcomes

Implement the e-mail message as a backup two-factor authentication method when:
• The GSM gateway service provider's servers are down and could not send the OTP to the user even though he is a genuine user
• The user's mobile network service provider terminates the connection due to a delay in bill payments
• The user is in an area with a poor network signal
• Theft of the user's mobile phone device

Page 59:

Thesis conclusion

This thesis develops an authentication mechanism for the Libyan e-government web portal that combines the strengths of three popular authentication approaches: multilevel, multi-channel and multi-factor. These three approaches were merged to form an authentication mechanism that can highly protect e-government user accounts from illegal authentication. It also gives protection against the use of compromised account credentials.

Page 60:

Thesis conclusion: Research objectives

• Objective 1: Review the most commonly used authentication classes, authentication mechanisms and authentication attacks.
• Objective 2: Review the usability and acceptability aspects of authentication mechanisms and the evaluation techniques used to decide on a highly secure and easy to use two-factor authentication solution for the Libyan e-government portal.

Page 61:

Thesis conclusion: Research objectives

• Objective 3: With respect to e-government web portal needs, discuss the currently used authentication mechanisms and identify their weaknesses, showing how they fail to protect customer accounts against the different attacks identified in objective 1.
• Objective 4: Propose an authentication solution that addresses the security and usability problems identified and listed in objective 2. Theoretically evaluate the security of this solution and identify all features needed for implementation.

Page 62:

Thesis conclusion: Research contribution

The contribution is proposing a new multi-step, multi-channel two-factor authentication system that:
• Increases security while maintaining the usability of Libyan e-government web portal authentication
• Utilizes a backup authentication mechanism
• Other features and guidelines were included to complement and facilitate the actual implementation of the proposed authentication solution.

Page 63:

Thesis conclusion: Future work

• More usable channels: Other possible usable communication channels can also be used to support two-factor authentication. This includes, but is not limited to, chat software.
• Two-factor authentication for disabled people: Disabled users might find it difficult to utilize two-factor authentication for their e-government transactions.

Page 64:

Final Word

The proposed authentication system protects the Libyan e-government web portal user accounts from authentication attacks that other two-factor authentication mechanisms fail to address. It improves the security while maintaining usability.

The guidelines and recommendations provided in this thesis will help implement a stronger, more secure and usable authentication system for the Libyan e-government web portal.

Page 65:

ADDITIONAL READING AVAILABLE IN THE THESIS BOOK
• Detailed technical aspects
• Online survey
• Tests
• Solution implementation
• User account creation and first login steps and flowcharts
• Normal login steps and flowcharts
• Emergency user account login steps and flowcharts
• References (35)

Page 66:

THANK YOU