Two Factor Authentication System

Tags: security, php

I'm trying to design a two-factor authentication system (in PHP) using SMS as the second auth method. This is for a test project, so can anyone help me design this service?

This will be a web-based system, and below is what I have done so far.

  1. Once the client enters the username and password, the website will send a secure HTTP request to our server with the MSISDN, a UID (to identify the session), their UserID and password.

  2. Our server will add the request to a MySQL DB and respond to the website with a code, the UID and some other info.

  3. Our server will send the client a SMS with the one time password.

  4. Once the client enters the OTP into the website, the website will send another HTTPS request with the encrypted OTP to our server, and we will send a success or fail code as the response.

This is the flow I have thought about. Does anyone have a better flow, or suggestions?

Thanks.

megazoid asked Apr 26 '11 04:04

megazoid
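A minimal server-side implementation of steps 2 and 4 of the flow above (issuing the one-time code and checking the one the website forwards), added here as an example and not code from the question. It uses a PHP array in place of the MySQL table; the function names and the 6-digit, 5-minute, 3-attempt limits are assumptions.

```php
<?php
// Added example (not from the original question): server side of steps 2 and 4.
// A PHP array stands in for the MySQL table; names and limits are assumptions.
declare(strict_types=1);
const OTP_DIGITS    = 6;
const OTP_TTL_SEC   = 300; // a code expires 5 minutes after it is issued
const OTP_MAX_TRIES = 3;   // lock the challenge after 3 wrong guesses
$otpStore = []; // uid => ['hash' => ..., 'expires' => ..., 'tries' => ..., 'msisdn' => ...]

// Step 2: create a challenge for session $uid. The plaintext code goes to the SMS
// sender only (step 3); the HTTP response to the website must not contain it.
function issueOtp(array &$store, string $uid, string $msisdn, int $now): string
{
    $code = str_pad((string) random_int(0, 10 ** OTP_DIGITS - 1), OTP_DIGITS, '0', STR_PAD_LEFT);
    $store[$uid] = [
        'hash'    => password_hash($code, PASSWORD_DEFAULT), // never store the code in clear
        'expires' => $now + OTP_TTL_SEC,
        'tries'   => 0,
        'msisdn'  => $msisdn,
    ];
    return $code;
}

// Step 4: verify the code the website forwarded. A challenge is single-use and
// is discarded when it expires or after too many wrong guesses.
function verifyOtp(array &$store, string $uid, string $candidate, int $now): string
{
    if (!isset($store[$uid])) {
        return 'FAIL_NO_CHALLENGE';
    }
    if ($now > $store[$uid]['expires'] || $store[$uid]['tries'] >= OTP_MAX_TRIES) {
        unset($store[$uid]);
        return 'FAIL_EXPIRED_OR_LOCKED';
    }
    if (!password_verify($candidate, $store[$uid]['hash'])) { // constant-time compare
        $store[$uid]['tries']++;
        return 'FAIL_WRONG_CODE';
    }
    unset($store[$uid]); // consume it so a replayed OTP is rejected
    return 'SUCCESS';
}

// Constructed demo: issue, reject a wrong guess, accept the real code, reject a replay.
$now   = time();
$code  = issueOtp($otpStore, 'sess-123', '+10000000000', $now);
$wrong = ($code[0] === '0' ? '1' : '0') . substr($code, 1);
assert(verifyOtp($otpStore, 'sess-123', $wrong, $now) === 'FAIL_WRONG_CODE');
assert(verifyOtp($otpStore, 'sess-123', $code, $now) === 'SUCCESS');
assert(verifyOtp($otpStore, 'sess-123', $code, $now) === 'FAIL_NO_CHALLENGE');
```

In a real deployment the store is the MySQL table keyed by the session UID, and the website never sees the code until the user types it in.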


1 Answer

This may work fine; however, it is not two-factor authentication.

In addition to a password, a second factor can be:

  • Something you have (e.g. SecurID, smartcard, etc.).
  • Something you are (i.e. various forms of biometrics).

Since I assume you're not aiming for biometrics ;), let me clarify why I say this is not a 2nd factor (something you have).

In order to qualify as the 2nd factor, you would need to guarantee that the holder of the device (i.e. the pre-registered cellphone) is the only one who could possibly have received the SMS.
In today's cellular networks, that just ain't so. There are hacks to copy e.g. a SIM card; the cellular operators can intercept; smartphones can have apps that intercept and resend; etc.
Furthermore, having the user type the code back into the website allows all the standard web attacks on that additional password: sniffing, interception, MITM, session hijacking, etc.

Now, to be clear, this still definitely has value - out of band communication can help ensure that the apparent user is not being victimized by a simple web attack, XSS, etc.
I've worked with a lot of telecoms that love this solution (it also happens to be part of their business model, but whatever ;) )

However, depending on your situation, some places (e.g. banks, gov't) require a real 2nd factor, i.e. cryptographic proof (usually). And this ain't it.

AviD answered Sep 22 '22 07:09

AviD