In recent years, the web fraud detection market has grown considerably, so innovation in authentication methods has become of great importance.
General access control systems provide methods for Authentication, Authorization and Audit (or Accountability). The process of authorization is distinct from that of authentication. Whereas authentication is the process of verifying that “you are who you say you are”, authorization is the process of verifying that “you are permitted to do what you are trying to do”. Authentication and authorization are often combined into a single operation, so that access is granted based on successful authentication. Authenticators are commonly based on at least one of the following four factors: something you know, something you have, something you are, and where you are.
The vulnerable security architecture of many computer applications leads to the common problem of authentication hacking attacks. Authentication attacks target and attempt to exploit the authentication process a computer-based system uses to verify the identity of a user, service, or application. The Open Web Application Security Project (OWASP) Foundation has published a comprehensive list of threats to authentication methods showing an array of tricks, techniques, and technologies that exist to steal passwords, attack password systems, and circumvent authentication security. According to Burr et al. [1], this list of authentication process threats can be structured into the following categories:
TABLE 1. Categories of attacks over the Authentication Process (NIST)

Online Guessing: An attacker performs repeated logon trials by guessing possible values of the token authenticator.

Phishing: A user is lured to interact with a counterfeit verifier, and tricked into revealing his or her token secret, sensitive personal data or authenticator values that can be used to masquerade as the Subscriber to the Verifier.

Pharming: A user who is attempting to connect to a legitimate verifier is routed to an attacker's website through manipulation of the domain name service or routing tables.

Eavesdropping: An attacker listens passively to the authentication protocol to capture information which can be used in a subsequent active attack to masquerade as the user.

Replay: An attacker is able to replay previously captured messages (between a legitimate user and a verifier) to authenticate as that user to the verifier.

Session hijack: An attacker is able to insert himself or herself between a user and a verifier subsequent to a successful authentication exchange between the latter two parties. The attacker is able to pose as a user to the verifier/RP or vice versa to control session data exchange.

Man-in-the-middle (MitM): The attacker positions himself or herself in between the user and verifier so that he or she can intercept and alter the content of the authentication protocol messages. The attacker typically impersonates the verifier to the user and simultaneously impersonates the user to the verifier. Conducting an active exchange with both parties simultaneously may allow the attacker to use authentication messages sent by one legitimate party to successfully authenticate to the other.

Denial of Service: The attacker overwhelms the verifier by flooding it with a large amount of traffic over the authentication protocol.

Malicious code: The attacker may compromise or otherwise exploit authentication tokens and may intercept all input or output communications from the device (Man-in-the-device (MitD) or Man-in-the-Browser (MitB)).
It is possible to implement a range of countermeasures to the authentication attacks described above. This invention proposes a novel approach against some authentication attacks that is authentication agnostic, i.e. completely independent of any authentication procedure.
There are different alternatives for strengthening existing authentication schemes. The security of the exchange of information is generally implemented with SSL/TLS or EVC/SSL. But the way this information is selected and associated with a user identity can be quite different for different authentication schemes. Therefore it is crucial to perform an in-depth study of such schemes to reveal their shortcomings. It can be stated that at present two-factor schemes predominate in most systems.
For instance, Bonneau et al. [2] propose the following categories of authentication procedures:

Traditional Scheme. In this scheme security depends on the user, who must create a strong password and make sure it cannot be easily compromised.

Proxy-based. Proxy-based schemes define a service between the client and the server (a man-in-the-middle) which manages the authentication process using one-time passwords.

Federated Single Sign-On. These schemes allow websites to delegate the identification of their users to a trusted identity server that manages the entire authentication process.

Graphical. These schemes seek to exploit the human ability to recognize images in order to remove the need for a password.

Cognitive. These schemes are challenge/response-based. The user must demonstrate her knowledge of a secret without having to disclose it. Normally the server expects the user to be able to compute a cryptographic hash of the secret together with a nonce generated by the server.

PaperToken. It uses a physical storage medium (paper) holding a set of indexed passwords. The authentication scheme assumes that the server asks the user for the key corresponding to a specific index.

VisualCrypto. Quite similar to PaperToken, but with a more complex key storage system that leverages the features of the display used by the client and the way in which humans perceive colors.

Hardware Tokens. The secrets are stored on a hardware module that users must keep with them. They are based on the same principles as Cognitive schemes, but the answer to the challenge sent by the server is provided by the user's hardware token.

Phone Based. It is a token-based scheme, but instead of using specific hardware for the storage and computation of the key, it uses the phone as key storage and the phone processor as a substitute for specific cryptographic hardware.

Biometric. These schemes avoid the use of a password, basing user authentication on something that defines the user, not something you have or something you know.

Recovery. These schemes are complementary to any password-based authentication scheme, and allow easier retrieval of the information necessary to authenticate in case of loss.
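The Cognitive scheme above (prove knowledge of a secret by hashing it with a server nonce) is small enough to show end to end. The following is an added example, not code from the original text or from [2]; it assumes HMAC-SHA256 as the "cryptographic hash of the secret along with a nonce", and a single-use nonce so that a captured exchange cannot be replayed (the Replay and Eavesdropping rows of Table 1).

```python
import hashlib
import hmac
import secrets


class Verifier:
    """Server side of the cognitive challenge/response scheme.
    The verifier holds the shared secret but never receives it on the wire;
    it only receives HMAC(secret, nonce) and recomputes it locally."""

    def __init__(self):
        self.secrets = {}   # user -> shared secret (constructed sample data)
        self.pending = {}   # user -> outstanding nonce, consumed on first use

    def enrol(self, user, secret):
        self.secrets[user] = secret

    def challenge(self, user):
        nonce = secrets.token_bytes(16)  # fresh and unpredictable per attempt
        self.pending[user] = nonce
        return nonce

    def verify(self, user, nonce, response):
        # Pop the nonce: a second submission of the same capture finds nothing
        # pending and is rejected, which is what defeats replay.
        expected_nonce = self.pending.pop(user, None)
        secret = self.secrets.get(user)
        if expected_nonce is None or secret is None:
            return False
        if not hmac.compare_digest(expected_nonce, nonce):
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def respond(secret, nonce):
    """Client side: the secret never leaves the client, only the keyed hash."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def demo():
    """Returns (genuine login, replayed capture, wrong secret)."""
    v = Verifier()
    v.enrol("alice", b"constructed-sample-secret")
    n = v.challenge("alice")
    r = respond(b"constructed-sample-secret", n)
    first = v.verify("alice", n, r)
    replay = v.verify("alice", n, r)          # eavesdropped (n, r) re-sent
    n2 = v.challenge("alice")
    wrong = v.verify("alice", n2, respond(b"guess", n2))
    return first, replay, wrong
```

Note that an eavesdropper who records (nonce, response) still cannot derive the secret from the HMAC, and cannot reuse the pair because the verifier discards each nonce after one check.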
It is noteworthy that some authentication schemes do not belong to only one category and that most institutions use two or more of these schemes, as is the case with the Google Authenticator product (a two-factor authentication system based on a mobile application or SMS messaging).
Different criteria can be defined to establish a comparison between authentication schemes. In [2] the authors suggest the need to define three criteria in order to perform an effective comparison. These aspects are: security, usability and complexity of implementation (deployability). Reference [2] presents an intensive study that instruments the comparison through the definition of metrics. Table 2 summarizes the metrics defined for each criterion.
TABLE 2. Design metrics for Authentication Schemes

Usability: Memory-Effortless, Scalable-for-Users, Nothing-to-Carry, Physical-Effortless, Easy-to-Learn, Efficient-to-Use, Infrequent-Errors, Easy-recovery-from-Loss

Deployability: Accessible, Negligible-Cost-per-User, Server-Compatible, Browser-Compatible, Mature, Non-Proprietary

Security: Resilient-to-Physical-Observation, Resilient-to-Targeted-Impersonation, Resilient-to-Throttled-Guessing, Resilient-to-Unthrottled-Guessing, Resilient-to-Internal-Observation, Resilient-to-Leaks-from-Other-Verifiers, Resilient-to-Phishing, Resilient-to-Theft, No-Trusted-third-Party, Requiring-Explicit-Consent, Unlinkable
In the case of the security criterion, the proposed metric set summarizes all the aspects that are usually considered when defining a threat model. Defining such a model requires a number of decisions, and those decisions define the working scenario. For example, in the case of OAuth 2.0 [3] the adopted assumptions are as follows:

The attacker has full access to the network between the client and authorization servers and the client and the resource server, respectively. The attacker may eavesdrop on any communications between those parties. He is not assumed to have access to communication between the authorization server and resource server.

An attacker has unlimited resources to organize an attack.

Two of the three parties involved in the OAuth protocol may collude to mount an attack against the third party. For example, the client and authorization server may be under control of an attacker and collude to trick a user to gain access to resources.
On the other hand, passwords have high customer acceptance; they are based on a shared secret, and one needs a different one for each service provider. The problem is that passwords rely on the user's memory and adherence to good password practices. However, anecdotal evidence shows that a significant proportion of customers will not follow good password practices, and attacks usually work by obtaining the password. This is a severe breach of security, as the attacker is then able to operate as the customer until the breach is discovered.
Hardware tokens are generally considered to support stronger security, but they are still susceptible to malicious code attacks that can prompt the token for an authentication request. Authorised insiders may also abuse their privileges and be able to obtain stored cryptographic keys. Software tokens have lower costs than hardware tokens, but the trade-off is that copying attacks become viable.
All one-time password systems need to be used in conjunction with communication channel protections. As mutual authentication is not supported, verifier impersonation attacks are possible. This means there is some exposure to phishing attacks, although the potential for success with such attacks is far more limited than with password systems. The exposure to copying attacks depends on the product.
Even when communication channel protections are used, biometrics-based authentication schemes are still susceptible to attacks that copy the biometric data. Such attacks are likely to become more popular if biometrics are more widely used. Because biometrics are personal data, privacy is an issue with regard to the storage, use and transfer of biometric data.
In [1] four different levels are defined in terms of the consequences of authentication errors and misuse of credentials. Level 1 is the lowest level (the least secure) and level 4 is the highest. Using Table 1, the following mapping can be made:

Level 1—Protection against online guessing and replay attacks. NIST recommends using single- or multi-factor authentication with no identity proofing.

Level 2—Protection against eavesdropping and all the attacks from level 1. NIST recommends single- or multi-factor authentication.

Level 3—Protection against verifier impersonation, MitM attacks and the attacks from level 2. NIST recommends multi-factor authentication and wide use of OTP. It also suggests that the token used for authentication be unlocked by the user using a password or biometrics.

Level 4—Protection against session hijacking and the attacks from level 3. NIST suggests employing multi-factor authentication with FIPS-140-2 certified tamper-resistant hardware (hardware tokens).
According to the metrics introduced above, it is possible to determine that solutions corresponding to the highest security level (level 4) perform poorly in deployability and usability. Once the assessment of a system determines at which level its authentication system has to be deployed, it is necessary to evaluate whether users are authenticated safely and correctly. Although there are some tools that aid in this task, such as the ones presented by Dalton et al. [3] or by Sun et al. [4], level 4 deployments are difficult to evaluate correctly. In terms of usability, the use of tamper-resistant hardware tokens works against the adoption of these solutions by users, and it has been shown that this situation leads to misuse of the credential systems. A different approach is needed that improves the overall security of authentication systems, whatever the scheme or schemes (multi-factor) adopted, while minimizing the impact on the usability and deployability of these systems.