Two-Factor Authentication Using Mobile OTP and Multi-dimensional Infinite Hash Chains

  • Uttam K. Roy
  • Divyans Mahansaria
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 1129)


Hash chains are often used to implement One Time Password (OTP) based authentication systems. Some use finite hash chains that require frequent system re-initialization. Some use computationally intensive public-key algorithms to achieve infiniteness. Eldefrawy et al. proposed a hash-based infinite chain, but it has limited ability to resist pre-play and guessing attacks. This paper provides a smartphone-based two-factor authentication system, nRICH, that uses both knowledge-based (password) and possession-based (seed) information. The OTP is generated perpetually from a multi-dimensional infinite hash chain that eliminates the limitations of other techniques. It is superior in resisting pre-play attacks. The hard challenge is a random path from the origin to a random point inside a multi-dimensional moving hypercube. We have rigorously performed the security analysis, compared the system with other techniques w.r.t. various metrics, and found it suitable for implementation even on low-end devices. The only drawback is the increased length of the challenge to be typed by the user. We propose to use a QR code to avoid this problem.


Keywords: One Time Password, Authentication, Hash chain, One-way encryption, Security


References

  1. Lamport, L.: Password authentication with insecure communication. Commun. ACM 24(11), 770–772 (1981)
  2. Cha, B., Park, S., Kim, J.: Cluster Comput. 19, 1865 (2016).
  3. Cha, B.R., Kim, Y.I., Kim, J.W.: Telecommun. Syst. 52, 2221 (2013).
  4. Holtmanns, S., Oliver, I.: SMS and one-time-password interception in LTE networks. In: 2017 IEEE International Conference on Communications (ICC), Paris, pp. 1–6 (2017).
  5. Hallsteinsen, S., Jorstad, I., Thanh, D.‐V.: Using the mobile phone as a security token for unified authentication: systems and networks communication. In: International Conference on Systems and Networks Communications, pp. 68–74. IEEE Computer Society, Washington, DC (2007)
  6. Indu, S., Sathya, T.N., Saravana Kumar, V.: A stand-alone and SMS-based approach for authentication using mobile phone. In: 2013 International Conference on Information Communication and Embedded Systems (ICICES), Chennai, pp. 140–145 (2013)
  7. Mulliner, C., Borgaonkar, R., Stewin, P., Seifert, J.P.: SMS-based one-time passwords: attacks and defense. In: Rieck, K., Stewin, P., Seifert, J.P. (eds.) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2013. Lecture Notes in Computer Science, vol. 7967, pp. 150–159. Springer, Heidelberg (2013)
  8. Siddique, S.M., Amir, M.: GSM security issues and challenges. In: Proceedings of the Seventh ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing, SNPD 2006. IEEE Computer Society, Washington, DC (2006)
  9. Wang, H.: Research and design on identity authentication. System in mobile‐commerce, pp. 18–50. Beijing Jiaotong University (2007)
  10. Laukkanen, T., Sinkkonen, S., Kivijarvi, M., Laukkanen, P.: Segmenting bank customers by resistance to mobile banking. In: International Conference on the Management of Mobile Business, p. 42. IEEE Computer Society, Washington, DC (2007)
  11. Eldefrawy, M.H., Khan, M.K., Alghathbar, K., Kim, T., Elkamchouchi, H.: Mobile one-time passwords: two-factor authentication using mobile phones. Secur. Commun. Netw. 5, 508–516 (2012).
  12. Haller, N.: The S/KEY one‐time password system. In: Proceedings of the ISOC Symposium on Network and Distributed System Security, San Diego, CA, pp. 151–157, February 1994
  13. Goyal, V., Abraham, A., Sanyal, S., Han, S.: The N/R one time password system. In: Proceedings of International Conference on Information Technology: Coding and Computing, ITCC 2005, vol. 1, pp. 733–738. IEEE Computer Society, Washington, DC (2005)
  14. Chefranov, A.: One‐time password authentication with infinite hash chains. In: Novel Algorithms and Techniques in Telecommunications, Automation and Industrial Electronics, pp. 283–286. Springer, Heidelberg (2008)
  15. Bicakci, K., Baykal, N.: Infinite length hash chains and their applications. In: Proceedings of the 11th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborating Enterprises, WETICE 2002, pp. 57–61. IEEE Computer Society, Washington, DC (2002)
  16. Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
  17. Yeh, T., Shen, H., Hwang, J.: A secure one-time password authentication scheme using smart cards. IEICE Trans. Commun. E85–B(11), 2515–2518 (2002)
  18. Yum, D., Lee, P.: Cryptanalysis of Yeh–Shen–Hwang’s one–time password authentication scheme. IEICE Trans. Commun. E88–B(4), 1647–1648 (2005)
  19. Raddum, H., Nestås, L., Hole, K.: Security analysis of mobile phones used as OTP generators. In: Proceedings of the Fourth IFIP Workshop in Information Security Theory and Practice, WISTP 2010, pp. 324–331. Springer, Heidelberg (2010)

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. Department of IT, Jadavpur University, Kolkata, India
  2. Tata Consultancy Services, Kolkata, India
