Eng Cn Translate this page:
Please select your language to translate the article

You can just close the window to don't translate
Your profile

Back to contents

Software systems and computational methods

Voytyuk T.E., Zudilova T.V., Tsymzhitov G.B. Protection against password guessing using two-factor authentication

Abstract: Two-factor authentication is required to establish a secure connection when a remote user tries to connect to the corporate web services. Authentication is a prerequisite for web services that process confidential information. Two-factor authentication is a way to improve the corporate information security. There are many ready solutions for the implementation of two-factor authentication system but these solutions have several disadvantages, such as high cost or difficult integration into existing corporate information structure. The aim of this study is to define the architecture of the system that overcomes the mentioned disadvantages. For designing a protection system against password guessing the authors previously used a method of static analysis to justify the demand for systems of this type. The authors also used data analysis method to determine the requirements for the system of two-factor authentication; an experiment confirmed the results of a research. Presented architecture provides protection from password guessing, does not depend on additional hardware or software and has a modular structure, which gives the advantage of scalability. The architecture defines advanced functionality for such systems: determining geographic location of real IP-addresses, address filtering based on geolocation and proxy addresses using a POST requests. It also allows building modules, which can be easily integrated with existing enterprise infrastructure. The result of using the proposed system shows that the percentage of intruders accessing corporate information system is reduced.


information security, password guessing, single sign-on technology, service-oriented architecture, control permissions, one-time password, authentication code, two-factor authentication, secure connection, web service

This article can be downloaded freely in PDF format for reading. Download article

This article written in Russian. You can find original text of the article here .
1. Razzaq A., Hur A., Shahbaz S., Masood M., Ahmad R., Critical analysis on web application firewall solutions. IEEE Eleventh International Symposium on Autonomous Decentralized Systems: 2013, pp. 1-6.
2. Al-Kahtani M.A., Sandhu R.S. 2002. A Model for Attribute-Based User-Role Assignment. Proceedings of the 18th Annual Computer Security Applications Conference: 2002, pp. 353-362.
3. Liu J., Liu C., Jiao D., Chen J. The Research of a Multi-Factor Dynamic Authorization Model. Proceedings of the 2012 IEEE Ninth International Conference on e-Business Engineering: 2012, pp. 201-205.
4. Oh S. W., Kim H. Decentralized access permission control using resource-oriented architecture for the web of things. Advanced Communication Technology (ICACT), 2014 16th International Conference: 2014, pp. 749-753.
5. M'Raihi D., Rydell J., Bajaj S., Machani S., Naccache D. RFC 6287. OCRA: OATH Challenge-Response Algorithm. IETF, 201, p. 38.
6. M'Raihi D., Machani S., Pei M., Rydell J. RFC 6238. TOTP: Time-Based One-Time Password Algorithm. RFC Editor, 2011, 16 p.
7. Fergyuson N., Shnayer B. Prakticheskaya kriptografiya. M: Vil'yams, 2005, 424 c.
8. Babash A.V., Baranova E.K. Kriptograficheskie metody zashchity informatsii. Uchebnik. Seriya: "Bakalavriat i magistratura". M: Knorus, 2016, 189 c.
9. Bellare M., Canettiy R., Krawczykz H. Message Authentication using Hash Functions The HMAC Construction. CryptoBytes. 1996. 2(1): pp.1-2.
10. Eastlake D., Crocker S., Schiller J. RFC 1750: Randomness Recommendations for Security. RFC Editor, 1994, p. 30.
11. M'Raihi D., Bellare M., Hoornaert F., Naccache D., Ranen O.. RFC 4226. HOTP: An HMAC-Based One-Time Password Algorithm. RFC Editor, 2005, p. 37.
12. Kivi Berd. Kvantovaya kriptoneopredelennost'. Zhurnal Komp'yuterra, 2004, 46. [Elektronnyy resurs]. Rezhim dostupa: http://old.computerra.ru/206396/ svobodnyy. Yaz. russ. (data obrashcheniya 20.01.2016).
13. Nam S.Y., Djuraev S., Collaborative approach to mitigating ARP poisoning-based Man-in-the-Middle attacks. Computer Networks: The International Journal of Computer and Telecommunications Networking, 2013. 57(18): pp. 38663884.
14. Pramanik S., Security Architecture Approaches. The Journal of Defense Software Engineering, 2013. 26(6): pp. 12-17.
15. Bürger J., Jürjens J., Wenzel S., Restoring security of evolving software models using graph transformation international. Journal on Software Tools for Technology Transfer, 2015, 17(3): pp. 267-289.