1. Introduction
The past few years have witnessed a virtual explosion in Internet-connected smart devices around the world, and with this exponential increase has come a corresponding swell in the information and data being transmitted (Wei et al. 2014). Naturally, this has given rise to growing concerns about security and one of the core issues aligned with it: authentication. In computing parlance, authentication is simply the process of establishing a user’s identity. It is the mechanism of associating an incoming request with a set of identifying credentials that already exist in a file in a database of authorised users’ information, on a local operating system or within an authentication server (Katz & Lindell, 2007).
Authentication itself has had a chequered evolution. In 1981, Lamport (1981) first introduced what became the traditional form of user authentication, blending the identity, username and password (or a PIN) to confirm ownership of the user ID. This came to be termed the single-factor authentication protocol (Wang et al. 2007). As it turned out, though, this protocol proved to be the weakest method of authentication (Dasgupta, Roy, & Nag, 2016; Bonneau et al. 2015). For instance, if the password is shared, the account is at once compromised. Secondly, since the user-chosen password is generally relatively short and not random, it can easily be guessed through a dictionary attack or peeking attack (Das, 2011), a rainbow table (Ah Kioon, Wang, & Deb Das, 2013), or social engineering techniques (Heartfield & Loukas, 2015). To make this form of authentication a little stronger, it was suggested that more complex passwords be used (Danny, 2017). In any case, it was soon realised that, on the global scale (Danny, 2017), establishing the credentials of the sender through this method was totally inadequate.
Consequently, two-factor authentication was introduced (Petsas, Tsirantonakis, Athanasopoulos, & Ioannidis, 2015; Wang, He, Wang, & Chu, 2015). Two-factor authentication increases security by combining one factor that is known, such as a password, with another that is owned (Wang & Chu, 2015), such as a smart card, token or phone (Harini & Padmanabhan, 2013). Nowadays, three kinds of elements are recognised that can link a user with a set of credentials (Scheidt & Domangue, 2006): 1) something the user knows, such as a password; 2) something the user has, such as a card, token or smartphone; and 3) something the user is intrinsically, such as a behaviour pattern or biometric data. The two-factor authentication solution was, in fact, introduced to accomplish certain specific security aims. But there is a downside. Since two-factor authentication relies solely on, say, a password and a smart card, the solution is rendered insecure in the event of the smart card being compromised (Aloul, Zahidi, & El-Hajj, 2009).
Finally, in view of the scourge of multiple attacks, intrusions and unauthorised access, an enhanced security method emerged in the form of Multifactor Authentication (MFA). MFA is simply a security protocol that mandates more than one method of authentication, drawn from separate categories of credentials, to verify a user’s identity for performing a transaction or login (Frank, Biedert, Ma, Martinovic, & Song, 2013). MFA was designed to offer an enhanced degree of safety and to ensure continuous protection of devices and crucial services against attacks or unauthorised intrusions.