© 2018 IJRAR November 2018, Volume 5, Issue 4 www.ijrar.org (E-ISSN 2348-1269, P- ISSN 2349-5138)

IJRAR1904588 International Journal of Research and Analytical Reviews (IJRAR) www.ijrar.org 576

FIVE FACTOR AUTHENTICATION (5FA) FOR

SECURED LOGIN PROCESS WITH AES-256

ENCRYPTION IN WEB APPLICATIONS 1T.Ebanesar, 2 Dr.G.Suganthi, Ph.D

1Assistant Professor, Department of Computer Science, Malankara Catholic College, Mariagiri, Tamilnadu, India 2Associate Professor, Department of Computer Science, Women’s Christian College, Nagercoil, Tamilnadu, India

Abstract: In today’s internet world, all the web applications are used 2 factor authentication for their login process. It is fact that,

all the Internet applications still used the authentication method with text- based passwords. It was the existing method to protect

the unauthorized person to access or enter into the account. Today’s technology revolution, the hackers are supposed to be hacked

the account in 2FA security method.In 2FA method passwords are easy to steal or hack. In order to avoid this, we proposed a new

high level security authentication method is called 5FA- Five Factor Authentication. Research suggests that use of images may be

more effective in terms of security and ease of use for some application. This is because we, humans are easy to recognizing

images than remembering password. In this paper we describe new image based authentication system which can be used

independently. We implemented the above said system along with current authentication system (username and password) and

OTP. The main objective of this paper is to secure the login process and protect the personal or public data at maximum level. In

this paper we had implemented 5FA method in client-side encryption using AES-256.

Keywords – authentication, data protection, 2FA method, graphical image password, AES 256 Encryption, MFA method,

OTP

1. INTRODUCTION

Security is the main concern of Internet based web applications. Most of the login account these days uses a combination of

username and password for authentication. In fact, it is not secured one. Because of, the hackers are able to get the username and

password easily. A graphical password is easier than a plain-text based password. It is easy to remember. Graphical passwords use

images instead of text-based passwords. Almost all the Internet applications still used the authentication method with text based

passwords. Authentication to access a login account, accessing social media accounts, online ticket reservation for flight, train and

hotels are carried out by Alpha-numeric password or OTP. Authentication is the most important process to confirm that you are the

right user of the login account. Utilization of static passwords in login process leads to access the files of any user easily. Hackers,

ID thieves and fraudsters are easy to attack the login account and steal passwords so as to gain access the login accounts.

5FA method is the combination of alpha-numeric text password, OTP, graphical image, offline-signature and master key. The

above all 5 level security mechanisms are encrypted at client-side using AES-256. In client –side encryption technique, all the data

are encrypted at client side before storing the data in server. In fact, hackers are not able to get the user’s login data. Now sending

the client side encrypted string to the server means that you never know the actual data. In our project, we used similarity measure

algorithm for image matching.

A strong password with encryption is your first level of security to defense against online intruders and hackers. It is very

important to safe our personal accounts (e-mail, social media accounts). Unfortunately, if a hacker hacks or break the text –based

login account and OTP, third level of our security stopped everything.

2. EXISTING AUTHENTICATION METHOD

Authentication is the way to access the web applications with proper keys. Most of the web applications are using Two

Factor Authentication method. It is not secure for online transactions and log in process. Username and password are the most

commonly used mechanism for authentication because of simplicity and convenience. When you signed into any website or app,

you were probably asked to sign in using a username and password. The password you entered is considered a single-factor

authentication. One factor, your password and username, proved to the website that you are allowed to access the account.Two-

Factor Authentication, commonly referred to as 2FA, is a feature that adds an additional “factor” to your normal login procedure

to verify your identity. 2FA adds an extra layer of security by verifying your identity using OTP via SMS. A unique 4 digit one-

time password is generated and then sent to the registered user's phone number.All the social media websites such as facebook,

twitter and google+ and netbanking accounts are using 2FA method to access the account and online transaction. With this

method, online accounts and social media accounts may be hacked by cybercriminals. Most of the email service providers use

2FA method. Example gmail, AOL, fastmail, hushmail, yahoo, zimbra, zoho and protonmail.In the month of September 2018,

atleast 50 million facebook accounts were hacked [24]. Facebook login uses 2FA method. In the year 2013, YAHOO has

confirmed that cybercriminals were able to steal personal data – including name, address, and security questions – from all 3

billion Yahoo user accounts [25].Yahoo also uses 2FA method. Table 1 gives the information about the hacking of user accounts

in diferent websites used by 2FA method.

© 2018 IJRAR November 2018, Volume 5, Issue 4 www.ijrar.org (E-ISSN 2348-1269, P- ISSN 2349-5138)

IJRAR1904588 International Journal of Research and Analytical Reviews (IJRAR) www.ijrar.org 577

Table 1: Hacking of user accounts in diferent websites used by 2FA method

Sl.No Website Name Authentication Used Year Total No. of User accounts hacked

1 www.yahoo.com 2FA 2013 3 billion

2 www.facebook.com 2FA 2018 50 million

Table 1 gives the information about the hacking of user accounts in diferent websites used by 2FA method.From the above

analysis, it is found that 2FA method is not a best method to secure user’s accounts.

3. PROPOSED AUTHENTICATION METHOD

When compared to existing method of text-based username and password, OTP sometimes hackers are to be broken the

same. To avoid this, we proposed Five-Factor Authentication (5FA) method .This method is a 5 different layer of security used

when logging into websites or web applications. In our project, all data are encrypted at client side .So that no data will be stolen by

hackers.The block diagram of proposed system is shown in fig 1.

Fig 1: Block diagram of proposed system

We will explain the steps involved during registration and login section using this proposed method.

3.1) Registration Process: The below diagram shows the registration phase of the 5FA method. In the registration phase, the

user enters all the personal information with graphical image and offline-signature. This graphical image and off-line signature is

used to confirm to check the user at the time of user log in. When user registers to web application, user selects a password with

the following constraints. A strong password should have a minimum of 8 alphanumeric characters and includes a mix of

uppercase letters, lowercase letters and numbers. Username and password are encrypted at client side using AES-256 encryption

method. Apart from selecting the password, user needs to select one image as a graphical password image. The image and off-line

signature are stored in database in the form of size. The registration phase process is shown in fig 2.

Fig 2: Registration Process

3.2) Login Process: In login process, we had implemented 5 different levels of security to protect the user’s data. Login process

uses 5FA method. In the year 2016, 3.3 billion login credentials were stolen. 9 out of 10 login attempts were fraudulent in

2016[26].To protects our data from cybercriminals, it is very essential to implement 5FA method. In this project, we used AES-

256 encryption to protect user’s login credentials at client-side technique.

The login process is as follows:

3.2.1) User name & Password (First Factor)

3.2.2) OTP (Second Factor)

3.2.3) Graphical Image or User’s Photo (Third Factor)

3.2.4) Offline-Signature (Forth Factor)

3.2.5) MasterKey (Fifth Factor)

© 2018 IJRAR November 2018, Volume 5, Issue 4 www.ijrar.org (E-ISSN 2348-1269, P- ISSN 2349-5138)

IJRAR1904588 International Journal of Research and Analytical Reviews (IJRAR) www.ijrar.org 578

3.2.1) User name & Password

The most commonly used form of authentication today is password based wherein a user is prompted to enter his username and

password.A user logs into a website with a username and password.When the user enters into their account, a 5 digit alpha-

numeric characters are automatically generated in masterkey field in the database with AES-256 encryption.This masterkey will

be used as the fifth factor authentication of login process. The login process is shown in fig 3. It will be considered as the First

Factor Authentication.

3.2.2) OTP

One Time Password (OTP) service using Mobile Phone was first implemented in Japan, 2007.User can use this for better

security for online trasaction and web applications. A one-time password (OTP) is an automatically generated numeric or

alphanumeric string of characters that authenticates the user for a single transaction or session. This is used by many online

platforms to validate customer transactions and identity. A one time password as the word indicates is only valid for a specific

time interval or one-time usage. If the user credentials are valid, a 4 digit one time password is sent to your registered mobile

number through SMS and you are required to enter it when prompted.The OTP Verification process is shown in fig 4. It is the

Second Factor Authentication.If the session of OTP number expires, the user is able to receive a new OTP number when he or

she is using the option resend OTP.

3.2.3) Graphical Image or User’s Photo

If the OTP number is correct, the user is asked to load the image when he or she was stored at the time of sign up. We

used similarity measure algorithm for image matching. An improtant problem in image processing is the comparison of images.

The Verification of user’s Image or Photo process is shown in fig 5. It is the Third Factor Authentication.

3.2.4) Offline-Signature

After the image matches, user selects his signature for forth level of security. The Verification of user’s Offline-Signature

process is shown in fig 6. It is the Forth Factor Authentication.

3.2.5) MasterKey

After the Offline-Signature matches, the 5 digit alpha-numeric OTP code is sent to your registered mobile number through

SMS. This OTP is the MasterKey or MainKey to login the system. The MasterKey is generated using random algorithm by which

it is making unique for each and every time the user requests for login.This is the Fifth Factor Authentication. The Verification of

masterkey process is shown in fig 7.

4. Image Comparison Algorithm

In this project, we used image similarity measure algorithm for comparing two images. The simplest similarity measure

consists of directly comparing the pixel values of the two images, e.g. by means of the total pixels. When registering the account, it

is essential to store the image for security. This image is stored in the server and its size (total no. of bytes) is stored in the database.

When the user is login the system, system asks two images one by one from the registered database and user has to select the image

that were selected during registration time .The size of the image is stored in hiddenfield control.It is non-visual control in

ASP.NET where we can save the value.Now this value is matched with uploaded image. If two image sizes are equal, images are

same. The comparison of two images pseudocode is given in pseudocode 1.

if (dt.Rows.Count > 0)

{

HiddenField1.Value = dt.Rows[0]["sizephoto"].ToString();

System.Drawing.Image img = System.Drawing.Image.FromStream(fuimage.PostedFile.InputStream);

int height = img.Height;

int width = img.Width;

decimal size = Math.Round(((decimal)fuimage.PostedFile.ContentLength / (decimal)1024), 5);

Bitmap img1 = new Bitmap(img);

Bitmap img2 = new Bitmap(img);

decimal siz2 = Convert.ToDecimal(HiddenField1.Value);

if (size == siz2)

{

ClientScript.RegisterStartupScript(this.GetType(), "alert", "ShowPopup();", true);

Response.Redirect("VerifySignature.aspx");

}

else

{

ClientScript.RegisterStartupScript(this.GetType(), "alert", "ShowPopup();", true);

}

}

Pseudocode 1: Comparison of two images pseudocode

© 2018 IJRAR November 2018, Volume 5, Issue 4 www.ijrar.org (E-ISSN 2348-1269, P- ISSN 2349-5138)

IJRAR1904588 International Journal of Research and Analytical Reviews (IJRAR) www.ijrar.org 579

Fig 3: Login Process – Username & Password (First Factor)

Fig 4: Login Process – Verify OTP (Second Factor)

Fig 5: Login Process – Verify Image or Photo (Third Factor)

Fig 6: Login Process – Verify your Signature (Fourth Factor)

Fig 7: Login Process – Verify MasterKey (Fifth Factor)

© 2018 IJRAR November 2018, Volume 5, Issue 4 www.ijrar.org (E-ISSN 2348-1269, P- ISSN 2349-5138)

IJRAR1904588 International Journal of Research and Analytical Reviews (IJRAR) www.ijrar.org 580

5. FIVE-FACTOR AUTHENTICATION (5FA) METHOD

Five-factor authentication is the highest secured authentication mehod in IT field. Five-factor authentication, or 5FA, is a 5

different layer of security used when logging into websites or web applications. With 5FA, you have to log in with your username

and password and provide another form of authentication that only you know or have access to.This method is used to strenghen

the security by requring 5 method or levels (also called as factors) to verify your identity.These factors are something you know –

like a user name & password, OTP, graphical image or user’s photo, offline-signature and masterkey. There have been several

cases of stolen and hacked passwords in 2FA method. Web application with just simple username and password combinations

getting hacked is very easy. In this situation, implementing five factor authentications will prevent hackers from gaining access to

your accounts even if your password is stolen. The extra layers of protection that 5FA offers ensure that your account is more

secure. Five-factor authentication is the most reliable way to ensure the security of your users.

5FA protects against phising, social engineering & password brute-force attacks and password hacking. Five-Factor

authentication provides an extra layer of security and makes it harder for attackers to gain access to a person’s devices & online

applications.

6. AES-256 ENCRYPTION ALGORITHM

Advanced Encryption Standard (AES) is one of the most frequently used and secure encryption algorithm in IT industry.The

Advanced Encryption Standard or AES is also called Rijindael cipher. The AES encryption is a symmetric cipher and uses the

same key for encryption and decryption. It was developed by Vincent Rijmen and Joan Daemen in the year 1997.Later it was

approved as a federal encryption standard in USA 2002. AES supports 128 ,192 and 256 bit encryption, which can be determined

by the key size, 128-bit encryption key size is 16 bytes, 192-bit encryption key size is 24 bytes, 256-bit encryption key size is 32

bytes. It supports a block length of 128 bits and key lengths of 128, 192, and 256 bits. AES encryption offers good performance

and a good level of security. We implemented AES-256 bit encryption in our project. Because, it is a strong and secure cipher.It is

very difficult to access the content. In fact, it is not possible to read the original content. It is faster than the other encryption. As of

today, no practicable attack against AES exists. Therefore, AES remains the preferred encryption standard for governments, banks

and high security systems around the world.In AES-256 encryption, there are 14 rounds for 256-bit keys. A round is comprised of a

few preparing steps that incorporate substitution, shift rows and mixing of the input plain text and converts it into cipher text. The

flow chart of AES algorithm is shown in fig 8. The four steps that compose the standard round are:

• Substitute bytes: nonlinear procedure that uses the S-box to perform byte by byte of the data block.

• Shift rows: a simple transformation that uses permutation to shift the bytes within the data block in cyclic fashion.

• Mix columns: a simple transformation that uses arithmetic over 8 GF (28) to group 4-bytes together forming 4-term polynomial,

then multiplies the polynomials with a fixed polynomial 4*4 matrix.

• Add round key: bitwise XOR of the current block with a portion of the expanded key.

The encryption and the decryption structure of the AES algorithm with four steps are as shown in Fig. 8. The AES encryption

pseudocode is given in pseudocode 2.

Cipher (byte in[4*Nb], byte out[4*Nb], word w[Nb*(Nr+1)])

begin

byte state[4,Nb]

state = in

AddRoundKey(state, w)

for round = 1 step 1 to Nr-1

SubBytes(state)

ShiftRows(state)

MixColumns(state)

AddRoundKey(state, w+round*Nb)

end for

SubBytes(state)

ShiftRows(state)

AddRoundKey(state, w+Nr*Nb)

out = state

end

Pseudocode 2: AES encryption pseudocode

© 2018 IJRAR November 2018, Volume 5, Issue 4 www.ijrar.org (E-ISSN 2348-1269, P- ISSN 2349-5138)

IJRAR1904588 International Journal of Research and Analytical Reviews (IJRAR) www.ijrar.org 581

Fig 8: Flow Chart of AES Algorithm

6.1 Compile time and Execution time

Compile time refers to the amount of time required for compilation.Type checking, register allocation, code generation,

and code optimization are typically done at compile time. Execution time refers to the amount of time required for execution of a

program.The AES-256 encryption program was compiled by the online compiler named as dotnetfiddle [19]. Table 2 gives the

information about the compile time and execution time of AES-256 program using C#.

Table 2: compile time and execution time of AES-256 program using C#

Sl.No Date & Time

(dd/mm/yyyy)

Compile Time

in seconds

Execution Time in

seconds

Memory in

kilo bytes

CPU in

seconds

1 11/03/2018,

5:18:39 pm

0.156 0 16 0

2 11/03/2018,

5:23:20 pm

0.156 0.016 16 0.031

3 11/03/2018,

5:24:37 pm

0.156 0.016 16 0.031

4 11/03/2018,

5:25:45 pm

0.156 0. 24 0

5 11/03/2018,

5:26:16 pm

0.156 0 16 0

6 11/03/2018,

5:26:48 pm

0.156 0 24 0

© 2018 IJRAR November 2018, Volume 5, Issue 4 www.ijrar.org (E-ISSN 2348-1269, P- ISSN 2349-5138)

IJRAR1904588 International Journal of Research and Analytical Reviews (IJRAR) www.ijrar.org 582

Table 3: Comparision of RSA, DES, 3DES and AES [20]

It is found at least six times faster than triple DES. Column 5 in table 3 shows that AES encryption is the fastest and excellent

security method.

6.2) Client Side Encryption with Javascript

In our project we used client side encryption method to hide the data from all. By performing encryption at the client

side plain text information is never transmitted outside of the user’s environment. Client side encryption is performed locally

within our browser and the private key is never transmitted to the server. Client-side JavaScript has become ubiquitous in web

applications to improve user experience and reduce server load. User data is encrypted at the client level not on server or in the

cloud.The comparision of server side and client side encryption is shown in table 4.

Table 4: Comparision of server side and client side encryption

Sl. No Encryption

Deployed on

Owner of the

data

Who controls the

Encryption keys

Who can view & use the

data

1 Server Side User The Server provider User and he Server provider

2 Client Side User User User

From the above analysis of table 4, it is clear that client-side encryption significantly improves our overall data security

posture. You, the owner of the data is always in control and not cloud-based storage provider.

7. SYSTEM DESIGN

The system design of the proposed five factor authentication (5FA) method is shown in fig 9.

Factors RSA DES 3DES AES Developed by Ron Rivest, Adi

Shamir, and

Leonard

Adleman In

1978

IBM in 1975 IBM IN 1978 Vincent Rijmen, Joan Daemen in

2001

Key Length Depends on

number of bits

in the modulus n

where n=p*q

56 bits

168 bits (k1,

k2 and k3)

112 bits (k1

and k2)

128, 192, or 256 bits

Round(s) 1 16 48

10 - 128 bit key,12 - 192 bit key,14 -

256 bit key

Block Size Variable 64 bits 64 bits 128 bits

Cipher Type Asymmetric

Block Cipher

Symmetric Block

Cipher

Symmetric

Block Cipher Symmetric Block Cipher

Speed Slowest Slow Very Slow Fast

Security Least Secure Not Secure Enough

Adequate

Security Excellent Security

© 2018 IJRAR November 2018, Volume 5, Issue 4 www.ijrar.org (E-ISSN 2348-1269, P- ISSN 2349-5138)

IJRAR1904588 International Journal of Research and Analytical Reviews (IJRAR) www.ijrar.org 583

Fig 9: The new system design of the proposed five factor authentication (5FA) method

8. IMPLEMENTATION AND EVALUATION

Implementation of algorithms has been done using ASP.NET with C#. Installation of Visual Studio 2010 and SQL server

2008 is necessary for our system.This paper was successfully completed with the implementation of Five-factor Authentication

method.

9. ADVANTAGES

If the proposed system is implemented in web applications then the advantages are (i) It improves data security with

highest level (ii) Since there are five level protections it will be defence in depth (iii) Cybercriminals cannot enter into the user

account (iv) All the user’s data will be encrypted before storing in the server (v) The world’s highest security AES-256 encryption

algorithm used.

10. RESULTS AND DISCUSSION

The result that we get after implementing the proposed 5FA method is given in Figure 10. We apply our project in PG

students of computer Sceince at the Malankara Catholic College computer lab and perform the login process with 25 students (10

male students and 15 female students) between ages of 20-23.We had succesfully verified and executed the project with 5FA

method using AES-256 encryption technique. The time taken to complete log in process is given in table 5.

© 2018 IJRAR July 2018, Volume 5, Issue 4 www.ijrar.org (E-ISSN 2348-1269, P- ISSN 2349-5138)

IJRAR1601009 International Journal of Research and Analytical Reviews (IJRAR) www.ijrar.org 584

Table 5: Time taken to complete log in process

Sl. No Gender Total no. of students Average Time(minutes)

1 Male 10 1.188

2 Female 15 1.251

Column 4 of table 5 shows that the average time to complete log in process are 1.188 and 1.251 for both male and female

students. When compared with 2FA method it takes much more time to complete log in process. But at a same time it is the most

secured login process.

11. CONCLUSION

Encryption algorithms play an important role in data security on cloud. Existing authentication methods are two level

security methods. 2FA method is not suitable for today’s technology world. It allows entering unauthorised person into the user’s

account. 5FA method improves security with 5 different levels of security.No hackers and cybercriminals will be accessed into

the user’s account. Five-factor authentication is a recommended best-practice for protecting sensitive data, and is sometimes

required by law when handling certain types of information. Graphical Based Image Authentication is more security than any

other authentication. It is impossible to hack the data and also to avoid the brute force attack.If you are looking to increase online

security, turn on Five-Factor Authentication method.It is the best and secured authentication method than any other method. 5FA

method can help protect you from a potentially devastating account breach.

REFERENCES

[1] https://help.github.com/articles/securing-your-account-with-two-factor-authentication-2fa/

[2] https://www.tutorialspoint.com/cryptogr aphy/cryptography_hash_functions.htm

[3] https://www.fidelissecurity.com/threatgeek/2018/05/github-cyber-danger-plain-sight

[4] https://www.turnon2fa.com/

[5] https://www.turnon2fa.com/about/

[6] https://www.turnon2fa.com/simple-online-safety-tips-cyber-security-awareness-month/

[7] https://motherboard.vice.com/en_us/article/bj8pvq/hackers-steal-6-million-user-accounts-for-cash-for-surveys-site

[8]https://www.csoonline.com/article/3236716/authentication/how-hackers-crack-passwords-and-why-you-cant-stop-them.html

[9] https://www.entrepreneur.com/article/246902

[10] https://keepersecurity.com/

[11] https://keepersecurity.com/business.html

[12] https://www.interserver.net/blog/

[13] https://www.adwebtech.com/two-factor-authentication/

[14] https://blog.dashlane.com/beginners-guide-to-2fa-and-u2f-to-secure-passwords/

[15] https://www.phonon.in/portal/2016/12/09/otp-generation-and-verification-solution/

[16] https://www.c-sharpcorner.com/article/introduction-to-aes-and-des-encryption-algorithms-in-net/

[17] https://nciphers.com/tutorial/aes/

[18] http://www.crypto-it.net/eng/symmetric/aes.html?tab=0

[19] https://dotnetfiddle.net/fr8zz9

[20] https://pdfs.semanticscholar.org/187d/26258dc57d794ce4badb094e64cf8d3f7d88.pdf

[21] https://www.garykessler.net/library/crypto.html#fig20

[22] https://www.ibr.cs.tu-bs.de/users/goltzsch/papers/eurosec2017-trustjs.pdf

[23]http://startuphyderabad.com/client-side-encryption-vital-privacy-business-confidentiality-third-party-untrusted-clouds/

[24] https://www.pcworld.com/article/3310040/security/facebook-account-breach-faq.html

[25] https://www.express.co.uk/life-style/science-technology/862255/Yahoo-Account-Hack-Change-Password-Check-Email

[26] https://info.shapesecurity.com/2017-Credential-Spill-Report.html

AUTHORS

T.Ebanesar MCA., M.Phil. B.Ed working as an Assistant Professor of Department of Computer Science, Malankara Catholic

College,Mariagiri,Tamilnadu ,INDIA from June 2008 to till date.Earlier I had worked as a Lecturer in N.M.S.S.Vellaichamy

Nadar College, Madurai from 2004 to 2008. His main research area focuses on Cloud Computing, Email Technologies, Artificial

Intelligence and Security in Computing. He has 13 years of experience in teaching.My personal website www.ebanesar.in

© 2018 IJRAR July 2018, Volume 5, Issue 4 www.ijrar.org (E-ISSN 2348-1269, P- ISSN 2349-5138)

IJRAR1601009 International Journal of Research and Analytical Reviews (IJRAR) www.ijrar.org 585

Dr.G.Suganthi M.Sc., M.Phil, B.Ed., PGDCA, Ph.D

She is working as an Associate Professor of Department of Computer Science, Women’s Christian Colege, Nagercoil, Tamilnadu,

INDIA from June 2008 to till date.

She is Guiding 6 Ph.D Scholars. She has presented 15 papers in national and international conferences and published 8 papers in

international journals. She has authored 2 books. She is serving as the IQAC Co-ordinator since 2012.She is the doctoral

committee member of St.Joseph′s College (Autonomous), Thiruchirapalli. She received two awards namely Shiksha Rattan

Pureskar in October 2012 at New Delhi and Best Citizen Award by International publishing house, New Delhi in February 2013.