The two-factor authentication mechanism is gaining popularity as more people are becoming aware of the need to secure their identities. In the current form, existing 2FA systems are defenseless against phishing attacks. They do not provide any visual indicator to the user to check the website’s validity before logging in during phishing attacks. This exposes the user’s password during the phishing attack. Two-factor authentication needs to be enhanced to provide a mechanism to detect phishing attacks without adding a significant burden on the user. This research paper will propose a novel 2-FA TOTP mechanism to provide a subconscious indicator during a phishing attack. In comparison, the new proposed novel approach provides better security against phishing attack. Lastly, the mathematical analysis is performed to understand the TOTP variance and validate the security considerations against the existing 2FA systems with respect to adversary attack.
References
[1]
Randed (2018) 8 Most Common Types of Phishing and How to Protect against Them All. https://web.archive.org/web/20201001042454/ https://randed.com/types-of-phishing/?lang=en
[2]
Vade Secure (2020) The Corporate Impact of Phishing. https://www.vadesecure.com/en/blog/the-corporate-impact-of-phishing
[3]
Vade (2023) What Is Email Security? https://www.vadesecure.com/en/email-security
[4]
Help Net Security (2019) 83% of Global Respondents Experienced Phishing Attacks in 2018. https://www.helpnetsecurity.com/2019/01/25/experienced-phishing-attacks/
[5]
Reese, K., Smith, T., Dutson, J., Armknecht, J., Cameron, J. and Seamons, K. (2019) A Usability Study of Five Two-Factor Authentication Methods. Proceedings of the Fifteenth USENIX Conference on Usable Privacy and Security, Santa Clara, 12-13 August 2019, 357-370.
[6]
Frazier, S. (2020) The 2019 State of the Auth Report: Has 2FA Hit Mainstream Yet? https://duo.com/blog/the-2019-state-of-the-auth-report-has-2fa-hit-mainstream-yet
[7]
Vergelis, M., Shcherbakova, T. and Sidorina, T. (2019) Spam and Phishing in Q2 2019. https://securelist.com/spam-and-phishing-in-q2-2019/92379/
[8]
Zane (2018) Password Security Report: 83% of Users Surveyed Use the Same Password for Multiple Sites. https://www.cyclonis.com/report-83-percent-users-surveyed-use-same-password-multiple-sites/
[9]
Kan, M. (2019) Google Detects Steady Stream of Phishing Attacks from Cyberspies. https://www.pcmag.com/news/google-detects-steady-stream-of-phishing-attacks-from-cyberspies
[10]
Anand, P. (2015) Those Security Images on Your Bank Log-in Pages? They’re Useless. https://www.marketwatch.com/story/banks-find-online-security-images-offer-little-protection-2015-11-05
