Inspiration

Two-factor authentication is becoming more and more necessary because it is increasingly easy for an attacker to compromise a user's password. Several two-factor schemes address this with enhanced security, but the stronger the protection a scheme gives, the greater its usability drawbacks tend to be. Enhancing the usability of secure techniques while maintaining exactly the same security guarantees is a great way to give users a higher level of security without the inconvenience that usually accompanies it.

What it does

Time-based One-Time Passwords (TOTP, standardised in RFC 6238) let a user generate a unique passcode every 30 seconds, which an authentication service can verify by combining the current time with the secret key shared between the user and the service (using cryptographic operations, of course). These passcodes provide a very high level of security due to their relatively high entropy and dynamic nature. Because a TOTP changes every 30 seconds, an onlooker who captures a single TOTP will be unable to log in with it. Furthermore, a single TOTP leaks absolutely no information about the secret key, regardless of how many TOTPs an attacker acquires. The drawback of this high level of security is that it requires the user to type a 6-digit code (or a much larger one in high-security systems) within a relatively short time. Although this is usually an accomplishable task, it can be tedious to memorise the number and type it quickly enough that it does not expire (especially if you are prone to typing mistakes, or are slow). These drawbacks limit the overall usability of TOTPs. My project encodes the 6-digit numbers output by TOTP into short, easy-to-remember strings. Not only are these strings the same length as the numbers, they are constructed to be easy to remember and quick to type (unlike digits, which are awkward to type without a number pad). There are currently two encoding options, depending on the user's memory preference: a combination of short words, or a combination of easy-to-type sounds. In summary, a passcode can be converted into two 3-letter Scrabble-approved words, or into three 2-letter sounds each combining a consonant and a vowel (like 'La', 'Di', 'Fo', etc.). The daemon can then determine which format was used and almost instantly convert it back to the numeric form, which the authentication service uses for verification.
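The following is an added example, not code from the Smart Factor project, showing the two halves of the idea above: a standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) and a bijective encoding of the 6-digit code into three consonant-vowel syllables. The syllable alphabet (21 consonants x 5 vowels = 105 syllables, so 105^3 > 10^6 covers every 6-digit code) is my own construction and is not the project's mapping; the Scrabble-word mode is not reproduced because it needs a word list. The verifier accepts either the numeric or the syllable form, as the page's daemon does, and allows one step of clock drift on either side as RFC 6238 suggests.

```python
import hashlib
import hmac
import struct
import time

TIME_STEP = 30   # RFC 6238 default step, seconds
DIGITS = 6       # code length the page discusses

# Constructed syllable alphabet (assumption, not the project's table):
# every consonant+vowel pair is one "sound", e.g. 'la', 'di', 'fo'.
CONSONANTS = "bcdfghjklmnpqrstvwxyz"   # 21
VOWELS = "aeiou"                       # 5
SYLLABLES = [c + v for c in CONSONANTS for v in VOWELS]   # 105 syllables
SYLLABLE_INDEX = {s: i for i, s in enumerate(SYLLABLES)}
assert len(SYLLABLES) ** 3 >= 10 ** DIGITS   # three syllables cover all 6-digit codes


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> int:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return binary % (10 ** digits)


def totp(secret: bytes, at_time=None) -> int:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / TIME_STEP)."""
    t = int(time.time() if at_time is None else at_time)
    return hotp(secret, t // TIME_STEP)


def encode_syllables(code: int) -> str:
    """Map a 6-digit code to three syllables (base-105, most significant first)."""
    if not 0 <= code < 10 ** DIGITS:
        raise ValueError("code out of range")
    parts = []
    for _ in range(3):
        code, r = divmod(code, len(SYLLABLES))
        parts.append(SYLLABLES[r])
    return "".join(reversed(parts))


def decode_syllables(text: str) -> int:
    """Inverse of encode_syllables; raises ValueError on a malformed string."""
    text = text.lower()
    if len(text) != 6:
        raise ValueError("expected three 2-letter syllables")
    value = 0
    for i in range(0, 6, 2):
        try:
            value = value * len(SYLLABLES) + SYLLABLE_INDEX[text[i:i + 2]]
        except KeyError:
            raise ValueError("unknown syllable %r" % text[i:i + 2])
    return value


def normalize_passcode(entered: str) -> int:
    """The daemon's job: detect which format the user typed and return the numeric code."""
    entered = entered.strip()
    if len(entered) == DIGITS and entered.isdigit():
        return int(entered)
    return decode_syllables(entered)


def verify(secret: bytes, entered: str, at_time=None, window: int = 1) -> bool:
    """Accept the code for the current step or any step within +/- window (clock drift)."""
    try:
        code = "%0*d" % (DIGITS, normalize_passcode(entered))
    except ValueError:
        return False
    t = int(time.time() if at_time is None else at_time)
    step = t // TIME_STEP
    ok = False
    for delta in range(-window, window + 1):
        expected = "%0*d" % (DIGITS, hotp(secret, step + delta))
        # constant-time compare; keep checking all steps so timing is independent of the match
        ok |= hmac.compare_digest(expected, code)
    return ok


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890")
    secret = b"12345678901234567890"
    code = totp(secret, at_time=59)              # 287082 per the RFC's SHA-1 vectors
    print("numeric:", "%06d" % code, "syllables:", encode_syllables(code))
```

Usage: the client shows `encode_syllables(totp(secret))` to the user; the server calls `verify(secret, whatever_was_typed)` and never needs to know which form was entered. Because the syllable encoding is a bijection on the same 10^6 code space, it adds no entropy and removes none, which is the property the page relies on.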

How I built it

I built an Android application that serves as the user's second-factor device, and a Java server application that acts as the authentication service, in order to verify the ease of use and effectiveness of the modified scheme.

Challenges I ran into

Encoding large unique numbers without enlarging the passcode or harming the memorability of the passcode is not trivial. It took a while to figure out what would work best.

Accomplishments that I'm proud of

To the best of my knowledge the idea is novel, and providing usability benefits without harming security in any manner is always a plus.

What I learned

The coolest things you can do with math are often not practical :(. Long story short I wanted to do something really cool with composite keys, but it would harm usability too much.

What's next for Smart Factor

I may look into downgrading the security slightly in order to provide much higher levels of usability, however I would rather perfect the memory-based encoding techniques before going that far.
