Research and Development of a Provably Secure and Highly Efficient Two-factor Authentication System
Project: Research
Researcher(s)
- Xiaotie DENG (Principal Investigator / Project Coordinator), Department of Computer Science
- Guomin YANG (Co-Principal Investigator)
Description
Currently, many online transaction systems use an "SSL + password" mechanism to perform user authentication, in which security relies solely on the password. Password-based systems provide much weaker security than cryptographic-key-based systems because of the low entropy of a password. More seriously, as many users do not understand SSL at all, attackers can use fake web pages to steal user passwords, which is known as a "phishing attack". Even adding a one-time password to each login session cannot prevent such an attack, as the current mechanism allows the one-time password to remain valid for a short period during which a "man-in-the-middle" attack is possible.

To achieve much more secure online transactions, this project proposes implementing a two-factor authentication mechanism. This mechanism uses a combination of two different factors, something you know and something you have, to verify a user's identity. This project will implement a smartcard (or USB-token) based password authentication scheme recently proposed by the researchers. With this scheme, users still only need to memorize a short password; however, the security level is upgraded to cryptographic key level. Moreover, the scheme can successfully thwart phishing attacks.
Detail(s)
Project number | 9220044 |
---|---|
Grant type | DON |
Status | Finished |
Effective start/end date | 1/11/07 → 8/01/10 |