Mobile – Based Multi-Factor Authentication Scheme for Mobile Banking

Abstract

Authentication for all mobile initiated financial transaction is a mandatory requirement. USSD applications authenticate using PIN and Phone number while native applications can have further authentication inbuilt or provided for by third a party. The level of security for a given authentication scheme depends on attribute combination, authentication channel, credential storage, and encryption. A number of researches have been conducted on mobile based authentication and their level of security. However, there is limited research on authentication schemes that combines attributes asynchronously, securely and efficiently. Mobile payment transactions are vulnerable when using single and two-factor authentication schemes. This research project proposes a combination of multiple factors – PIN, One-time password (OTP), flash call interception, device specific soft tokenization using IMEI, and encryption these attributes using AES 256 bit in mobile banking applications. The solution uses one user-supplied attribute while the rest are authenticated asynchronously in the background. The storage of credentials is in distributed locations. This architecture provides increased security from identity theft, sniffing attacks, dictionary attacks, and man in the middle attacks. A software solution was developed using prototyping in a waterfall model. Authentication time delays, delivery mechanism were measured and analyzed. Using Kernel Density Estimation, the results showed that combination of PIN and OTP had shorter time delays followed by PIN and phone call combination and OTP and phone call combination in that order. In the background, credentials were encrypted and the mobile device was identified and authenticated.