Secure Password-less Authentication

Abstract

In the rapidly advancing era of digitization, traditional password-based authentication systems are becoming insufficient to secure online services. The use of weak passwords introduces various vulnerabilities including brute-force attacks, credential theft, and phishing. Moreover, the usage of complex passwords is not user-friendly and leads the user to reuse the same password across multiple services. The adoption of biometric authentication systems, especially facial recognition-based ones, is becoming more common in handheld devices like mobile phones and laptops. However, it remains limited in online services due to several security challenges, such as spoofing, privacy concerns regarding user data embeddings, and the reliability of securing sensitive information. These challenges underscore the need for more robust and user-friendly authentication solutions to protect sensitive data. This thesis aims to design and develop a multi-factor authentication system inspired by FIDO2 standard. by combining facial recognition, Dynamic One-Time passwords alongside FIDO2 standard which utilize a standard USB stick for secure public-key cryptography. This study evaluates the performance and the overall security of the proposed system. The prototype developed in this thesis is secure against several attacks, including brute-force attacks, phishing, human negligence, and SQL injection. That said, it still has some limitations due to the lack of necessary hardware. For example, the prototype remains insecure against spoofing attacks and can be easily cracked due to the absence of a camera capable of processing the depth of the face in the current frame to detect liveness. Despite the limitations caused by hardware constraints, the findings highlight the potential of the proposed prototype to be a secure authentication system. Future work could focus on integrating more advanced hardware to overcome these challenges, making the system a viable solution for secure and scalable authentication in real-world applications.