Text passwords are widely used for user authentication on websites because of their convenience and simplicity. Since users select weak passwords and reuse the same password across different websites, users' passwords are prone to being stolen and compromised through many threats and vulnerabilities.

To protect the user's identity, the proposed user authentication protocol enhances oPass: it requires a long-term password to protect the cell phone and an account ID to log in on every website. Since the telecommunication service provider (TSP) is a third party, we develop a shared secret key exchange mechanism between server and user that replaces the TSP, in order to strengthen security further.

We also use a 3G connection for high performance and speed. The secret key exchange mechanism is used to transfer information securely and directly between the server and the client. To prevent password reuse and password stealing attacks, oPass automatically generates a one-time password for each login.

If the cell phone is lost, the user can recover the oPass system using the long-term password of the cell phone together with a reissued SIM. Compared to other conventional web authentication mechanisms, oPass is more efficient and affordable. Data integrity problems and other attacks can be prevented by using one-time passwords along with enhanced encryption based on a key exchange scheme (RSA + Diffie-Hellman).

Apart from reuse attacks, it is important to consider other password stealing attacks such as phishing. Even though much research has been done to protect passwords used in online accounts [4][3] and other sites from dictionary attacks [9], including many hash visualization schemes [10], current defenses are still limited in terms of accuracy and efficiency.

In this paper we aim to prevent both password reuse and password stealing attacks using a user authentication protocol called oPass [1], which uses the user's cell phone to generate a one-time password and the Short Message Service (SMS) to transmit the message. We also use a shared secret key between server and client for direct secure communication.

A 3G connection is also used for fast and better performance. The advantage is that the user does not need to remember or type any password on a conventional computer. The main advantages of oPass are:

1) Anti-malware: malware (e.g., a key logger) retrieves sensitive information, mainly passwords, from users. In oPass, users can log in to different sites without typing passwords on their computers, so such malware gains nothing here.

2) Phishing protection: users are sometimes tricked into entering forged websites by phishing attacks. Users who adopt oPass are able to withstand phishing attacks.

3) Secure registration and recovery: oPass uses SMS for secure registration and recovery.

4) Password reuse prevention and weak password avoidance: oPass follows a one-time password approach. For each login the cell phone automatically derives a one-time password, so there is no need to remember the password at all.

5) Cell phone protection: since the cell phone has a long-term password known only to the user, the cell phone is always protected from attackers.
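The following is an added illustration, not code from the oPass paper or from this work, of the two properties listed above and of the reuse prevention described earlier: the cell phone derives a fresh one-time password for each login from a long-term password that is never typed into a computer, and the website rejects any password presented a second time. The concrete derivation (PBKDF2 from the long-term password, then an HMAC over a login counter) is an assumption chosen for the example; the names `Phone`, `Server`, `derive_account_key` and `one_time_password` are likewise hypothetical, and handing the account key to the server in-process stands in for the SMS-based registration the text describes.

```python
"""Illustrative one-time-password flow in the spirit of oPass.

Constructed example: PBKDF2 + HMAC-over-counter is an assumed derivation used
to show the properties described in the text, not the oPass specification.
"""
import hashlib
import hmac
import secrets
import struct

PBKDF2_ITERATIONS = 100_000
OTP_DIGITS = 6


def derive_account_key(long_term_password: str, salt: bytes, account_id: str) -> bytes:
    """Phone side: turn the long-term password (never typed into a PC) into a
    per-account key. Without the password, a stolen phone yields only the salt."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        long_term_password.encode(),
        salt + account_id.encode(),
        PBKDF2_ITERATIONS,
        dklen=32,
    )


def one_time_password(account_key: bytes, counter: int) -> str:
    """Derive the OTP for one login attempt. Each new counter value gives a
    new password, so nothing typed for login is valid twice."""
    mac = hmac.new(account_key, struct.pack(">Q", counter), hashlib.sha256).digest()
    code = int.from_bytes(mac[:8], "big") % (10 ** OTP_DIGITS)
    return f"{code:0{OTP_DIGITS}d}"


class Phone:
    """The user's cell phone: keeps a salt and a login counter per account and
    regenerates the account key from the long-term password on each use."""

    def __init__(self):
        self.accounts = {}  # account_id -> {"salt": bytes, "counter": int}

    def register(self, account_id: str, long_term_password: str) -> bytes:
        salt = secrets.token_bytes(16)
        self.accounts[account_id] = {"salt": salt, "counter": 0}
        # In oPass the key reaches the website during SMS-based registration;
        # here it is simply returned so the caller can hand it to the server.
        return derive_account_key(long_term_password, salt, account_id)

    def login_code(self, account_id: str, long_term_password: str):
        entry = self.accounts[account_id]
        entry["counter"] += 1
        key = derive_account_key(long_term_password, entry["salt"], account_id)
        return entry["counter"], one_time_password(key, entry["counter"])


class Server:
    """Website side: stores the per-account key and the highest counter accepted."""

    def __init__(self):
        self.keys = {}
        self.last_counter = {}

    def register(self, account_id: str, account_key: bytes) -> None:
        self.keys[account_id] = account_key
        self.last_counter[account_id] = 0

    def verify(self, account_id: str, counter: int, otp: str) -> bool:
        if account_id not in self.keys:
            return False
        # A counter at or below the last accepted one is a replayed (reused) OTP.
        if counter <= self.last_counter[account_id]:
            return False
        expected = one_time_password(self.keys[account_id], counter)
        if not hmac.compare_digest(expected, otp):  # constant-time comparison
            return False
        self.last_counter[account_id] = counter
        return True


def demo():
    """Walk through registration, a fresh login, a replay, and a lost phone
    used without the long-term password. Returns the verification outcomes."""
    phone, server = Phone(), Server()
    account = "alice@shop.example"          # constructed account ID
    password = "correct horse battery staple"  # long-term password, known only to the user
    server.register(account, phone.register(account, password))

    counter1, otp1 = phone.login_code(account, password)
    first = server.verify(account, counter1, otp1)      # True: fresh OTP
    replayed = server.verify(account, counter1, otp1)   # False: same OTP presented again
    counter2, otp2 = phone.login_code(account, password)
    second = server.verify(account, counter2, otp2)     # True: next login, new OTP
    counter3, wrong = phone.login_code(account, "guessed password")
    stolen = server.verify(account, counter3, wrong)    # False: wrong long-term password
    return first, replayed, second, stolen


if __name__ == "__main__":
    print(demo())
```

The server never sees the long-term password, only the derived account key, and it keeps the highest counter it has accepted, so a captured one-time password is worthless once used. Real deployments would also need to tolerate a phone counter that has run ahead of the server (a lookahead window) and to bind the OTP to the website's identity to resist phishing, both of which are omitted here for brevity.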

Malu P Thankachan
Assistant Professor