978-1-6654-1224-7/21/$31.00 ©2021 IEEE
Authentication of IoT Device and IoT Server
Using Security Key
Wael Alnahari
College of Computing & Information Technologies
University of Bisha, Bisha,
Saudi Arabia
Email: master@wjn.sa
Mohammad Tabrez Quasim
College of Computing & Information Technologies
University of Bisha, Bisha,
Saudi Arabia
Email: tabrezquasim@gmail.com
Abstract—IoT is an emerging topic in the field of IT that has
attracted the interest of researchers from different parts of the
world. Authentication of IoT includes the establishment of a model
for controlling access to IoT devices through the internet and other
unsecured network platforms. Strong authentication of IoT is
necessary for ensuring that machines and devices could be trusted
when it comes to data sharing. The whole idea of authentication
further prevents cybercriminals from using loopholes in IoT
devices to access data that they are not allowed to access. Various
authentication techniques could be used to secure IoT servers and
devices. Establishing mutual authentication between IoT servers
and IoT devices has attracted a lot of research interests because it
helps enhance the effectiveness and overall security of data
sharing. Therefore, this research provides the basis for analyzing
the whole idea of using security keys to encrypt both IoT servers
and IoT devices.
Index Terms—unsecured network platforms, mutual authentication, security key, internet of things
I. INTRODUCTION
IoT is one of the latest technological innovations that has
attracted a lot of interest from researchers and IT experts in the
last couple of years. Mutual authentication between IoT servers
and IoT devices is considered by experts as a critical step of
securing the entire IoT system. The use of authentication
systems that are based on single passwords is vulnerable to
dictionary and side-channel attacks [1]. Authentication in the
context of IoT servers and IoT devices is simply a model for the
establishment of trust in the identity of IoT devices and servers
to control access and protect data when information is conveyed
through the internet or other unsecured network. It is important
to have strong IoT authentication because it helps ensure that
connected servers and devices can be trusted to protect data
against control commands from malicious actors and
unauthorized machines. Additionally, authentication plays an
integral role in preventing potential attackers from
impersonating authorized IoT servers and IoT devices in the
hope of accessing sensitive data.
Different pieces of research have been conducted to establish
the best way of attaining the right level of authentication for
IoT devices and IoT servers. These include, but are not limited
to, centralized, distributed, two-way, and one-way
authentication. It is equally vital to note that the IoT is not just
one technology but rather a connected environment that is
comprised of different “things” or machines that function
independently without human intervention. The purpose of the
IoT authorization process is to provide the basis for validating
the identity of every single endpoint within the larger IoT
system. The underlying process of certification is usually
configured following the enrollment entry and offers the
service providers information about the method that can be
used to check the identity of the system during registration.
Consequently, machine identity management usually focuses
on managing and building confidence in the identity of
machines that are meant to interact with other gateways,
clouds, applications, and devices. The rationale could include
authorization and authentication of IoT devices like smart
outlets, lights, and speakers, mobile devices, home security
systems, security cameras, vehicle engine control units, and
industrial control systems. Every single IoT device should have
a unique digital identity that can be used when connecting to
the central server or gateway to help prevent unauthorized
parties from accessing the system. This is attained by binding
identities to cryptographic keys that are unique to each IoT
device. Approaches for machine identity management are
especially essential when it comes to discovering the credentials
that are utilized by various machines. The unique ID of IoT
servers and IoT devices enables system administrators to track
them throughout their lifecycles, establish secure
communication with them, and prevent them from executing
processes that could be harmful. Should an IoT server or device
start to exhibit a behavior that is not expected, the system
administrators could revoke their privileges with ease.
II. EXPECTED DELIVERABLES
IoT servers and devices can be hacked remotely by malicious
actors and unauthorized parties who might attempt to find
their way into the device using an internet connection. If IoT
devices had been configured in a manner that allows for
communication only with authorized servers, outside
communication attempts could have been ignored.
2021 International Congress of Advanced Technology and Engineering (ICOTEN) | 978-1-6654-1224-7/21/$31.00 ©2021 IEEE | DOI: 10.1109/ICOTEN52080.2021.9493492
Authorized licensed use limited to: Bisha University. Downloaded on July 28,2021 at 11:34:13 UTC from IEEE Xplore. Restrictions apply.
number of attacks targeting IoT servers and devices has
continued to increase year in year out. Thus, as these devices
are being integrated into corporate networks, special attention
should be redirected to the essence of security. Powerful and
efficient cryptographic solutions should be utilized because
they can assist with the standardization of secure lines of
communications between different devices and machines.
Nonetheless, it is also a tough decision to select the most
appropriate authentication model that can get the job done.
Before choosing the architecture model that is ideal for IoT
authentication, it is first essential to consider a wide range of
factors that include, but are not limited to, connectivity, security
requirements, security expertise, financial budgets, hardware
capacity, and energy resources [2]. Therefore, the following
models will be used to address the authentication problem that
relates to IoT servers and IoT devices:
A. The Chain of Trust Model
The core purpose of the chain of trust model is to prove that
a specific certificate comes from a given trusted source [3]. The
model is comprised of three basic entities that form the valid
chain of trust. They include end-entity, intermediate, and root.
Consequently, the end-entity offers compliance, scalability, and
security in line with certificate authority standards. Nonetheless,
certificates, in this case, do not guarantee that the subject
under consideration is reputable or trustworthy in its business
activities, safe to carry out business with, or compliant with
specific laws. The end-entity offers vital pieces of information
to the issuing certificate authority through a form of certificate
signing request. This certificate must be signed before being
issued by a trusted certificate authority showing that the
information that has been provided is correct at the time of
issuance. The Secure Sockets Layer connection to the IoT
server will not be successful if the certificate has not been
signed or verified [4].
The chain of trust model could be further categorized into
three models: the bridge certificate authority architecture, the
web of trust, and the hierarchical trust model. In the
hierarchical trust model, there is a single root certificate
authority and one or more subordinate certificate authorities. In
this case, subordinate certificate authorities are meant to offer
load balancing and redundancy when the root certificate
authority is offline. That means that even if a subordinate
certificate authority has been compromised, the root certificate
authority will have the opportunity to revoke the subordinate
certificate authority, thus offering redundancy. Apart from that,
the web of trust model, which is also regarded as the
cross-certification model, has been designed such that the
certificate authorities can form what could be considered a
peer-to-peer relationship. According to experts, this model is
somewhat challenging to manage as the number of certificate
authorities increases [5]. This type of trust relationship could
only take place when other company divisions have their own
unique certificate authorities that must work together. Lastly,
the bridge certificate authority architecture model is different
in the sense that it can overcome the challenges and
complexities of the web of trust model. In this case, the bridge
certificate authority serves as the central point of coordination.
That implies that other principals or certificate authorities must
trust the bridge certificate authority only.
B. The Threat Model
The IoT servers are deployed in the cloud architecture and
have the underlying capability of communicating with the IoT
devices or the client over a WAN. The use of single-key
authentication is not sufficient when it comes to the
authentication of IoT devices and IoT servers. There are
additional side-channel attacks that can provide the basis for
the retrieval of shared keys once communication has been
established between the IoT server and the IoT device. If
passwords are not changed regularly, they become vulnerable
to brute-force or dictionary attacks. As soon as adversaries
have acquired the shared key, fake devices could be created
with that same key. Thus, while establishing the right model for
this task, a set of keys known as a secure vault could be used to
authenticate both IoT devices and IoT servers.
In essence, a three-way mutual authentication technique is
used to authenticate both the IoT devices and IoT servers. The
IoT device is responsible for initiating communication by
sending a connection request to the server. Once the request
has been received by the IoT server, the IoT server sends back
a challenge to the IoT device. At this point, the IoT device
responds to the challenge and sends its own challenge for
authentication to the IoT server. The IoT server then verifies
the response that has been provided and, if it is valid, responds
to the challenge that has been sent by the IoT device. During
this session, the IoT device and IoT server must create a shared
secret, also known as the session key. The session key must
fulfill two fundamental purposes.
Firstly, it should help encrypt all messages that are
exchanged between the IoT devices and the IoT servers.
Secondly, it serves as the key for the message authentication
codes that are relied upon for authentication of messages. All
messages exchanged between the two parties once
authentication has been established are regarded as a session.
Session keys remain unmodified throughout the entire session,
while different sessions use different, unique session keys.
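The three-way exchange and session-key derivation described above, written out as an added example rather than the paper's own code: both sides hold the same secure vault of keys, the server names which vault key answers its challenge, each side proves possession with an HMAC over the transcript so far, and the session key is derived from that key and all three nonces. The byte-slice messages, the HMAC-SHA256 labels and the SampleVault values are constructed for the example; the paper specifies no wire format.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Vault is the paper's "secure vault": a set of pre-shared keys, one of which the
// server selects per session. SampleVault holds constructed values for this example.
type Vault [][]byte
var SampleVault = Vault{[]byte("vault-key-0-sample"), []byte("vault-key-1-sample"), []byte("vault-key-2-sample")}

func nonce() []byte {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil { panic(err) } // a CSPRNG failure is not recoverable here
	return b
}

// tag is HMAC-SHA256 over a direction label plus transcript parts, so one side's
// response can never be replayed as the other side's.
func tag(key []byte, label string, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(label))
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// Peer is the transcript state kept by either side; the same type serves device and server.
type Peer struct {
	Vault      Vault
	idx        byte   // which vault key this session uses
	nd, cs, cd []byte // device nonce, server challenge, device challenge
}

// SessionKey binds the chosen vault key to all three nonces: fresh per session, vault long-lived.
func (p *Peer) SessionKey() []byte { return tag(p.Vault[p.idx], "session", []byte{p.idx}, p.nd, p.cs, p.cd) }

func (d *Peer) Connect() []byte { d.nd = nonce(); return d.nd } // step 1 (device -> server): fresh nonce

// Step 2 (server -> device): pick a vault key at random and challenge the device.
func (s *Peer) Challenge(nd []byte) (idx byte, cs []byte) {
	s.nd, s.cs = nd, nonce()
	s.idx = nonce()[0] % byte(len(s.Vault))
	return s.idx, s.cs
}

// Step 3 (device -> server): answer the server's challenge and issue the device's own.
func (d *Peer) Respond(idx byte, cs []byte) (rs, cd []byte, err error) {
	if int(idx) >= len(d.Vault) {
		return nil, nil, errors.New("server asked for a vault key the device lacks")
	}
	d.idx, d.cs, d.cd = idx, cs, nonce()
	return tag(d.Vault[d.idx], "server-challenge", []byte{d.idx}, d.cs, d.nd), d.cd, nil
}

// Step 4 (server -> device): verify the device in constant time, then answer its challenge.
func (s *Peer) Verify(rs, cd []byte) ([]byte, error) {
	if !hmac.Equal(rs, tag(s.Vault[s.idx], "server-challenge", []byte{s.idx}, s.cs, s.nd)) {
		return nil, errors.New("device failed the server's challenge")
	}
	s.cd = cd
	return tag(s.Vault[s.idx], "device-challenge", []byte{s.idx}, s.cd, s.cs), nil
}

// Step 5 (device): verify the server; only now is authentication mutual.
func (d *Peer) Finish(rd []byte) error {
	if !hmac.Equal(rd, tag(d.Vault[d.idx], "device-challenge", []byte{d.idx}, d.cd, d.cs)) {
		return errors.New("server failed the device's challenge")
	}
	return nil
}

// Handshake runs the exchange end to end and returns both sides' session keys.
func Handshake(vault Vault) (devKey, srvKey []byte, err error) {
	dev, srv := &Peer{Vault: vault}, &Peer{Vault: vault}
	rs, cd, err := dev.Respond(srv.Challenge(dev.Connect()))
	if err != nil {
		return nil, nil, err
	}
	rd, err := srv.Verify(rs, cd)
	if err != nil {
		return nil, nil, err
	}
	if err = dev.Finish(rd); err != nil {
		return nil, nil, err
	}
	return dev.SessionKey(), srv.SessionKey(), nil
}

func main() {
	dk, sk, err := Handshake(SampleVault)
	fmt.Println("keys agree:", hmac.Equal(dk, sk), "err:", err)
}
```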
C. Proposed Design
This study proposes the use of security keys to secure IoT
devices against cyberattacks. Therefore, some of the attacks
and attackers that have been considered in this work include:
1) Malware attackers.
2) Network attackers.
3) Related-site attackers.
4) Web attackers.
With that in mind, our design goals are as follows:
1) Security: The proposed security key should protect users
against man-in-the-middle attacks, phishing, password reuse,
and so forth.
2) Privacy: The security key should be designed in a manner
that prevents any kind of tracking. Besides, if a security key has
been lost, it should not be easy for attackers to retrieve useful
information from the security key.
3) Easy for developers: The security key should make it
easier for developers to incorporate them into their websites
using simple APIs.
4) Easy for users: The security keys should not require much
from the users in order to use them. Their use should be
effortless, easy, and fast.
The security key should be used in the context of web
applications whereby the servers might want to verify the
identity of the users. Therefore, the security key should support
the following commands:
1) Authenticate.
2) Register.
The detailed design captures cryptographic primitives, a test
of user presence, client data, device attestation, authentication,
and registration. Nonetheless, the most important aspects will be
registration and authentication, as shown in Fig. 1 and Fig. 2.
The design was implemented using end-to-end support for
security keys. The rationale involved the development of
various open-source components.
D. Evaluation
There are a few metrics that will be used to evaluate the
security key including:
1) Comparative: This will be based on security, deployability,
and usability.
2) Hardware performance: This will involve coming up with a
protocol that is fast enough during normal or ordinary use.
3) Deployment experience: The security key should be as
advantageous as possible.
4) Time spent authenticating: The key should take as little
time as possible when authenticating.
5) Authentication failure rate: Higher rates of authentication
failure increase users’ frustration and the time spent trying to
authenticate.
6) Hardware cost: The security key should be cost-effective.
III. DISCUSSIONS
A. Security Keys
The advent of the IoT is arguably amongst the most exciting
and dynamic developments in ICT [6]. The past two decades
have seen networking devices becoming increasingly
ubiquitous. However, these devices have largely been restricted
to traditional end-user devices like tablets, smartphones, laptop
and desktop computers, mainframes, and so forth. The past few
years have seen more and more devices attached to the network.
These devices include, but are not limited to, digital assistants
like Google Home and Amazon Alexa, smart TVs, traffic
controls, streetlights, electric controls and meters, medical
devices, household appliances, and vehicles [7].
The need to authenticate IoT servers and IoT devices using
security keys has attracted the attention of different groups of
researchers and scholars in the field of information technology.
According to [8,9], authentication of online accounts is
something that many people understand as something you have,
something you are, or something you know. This partly implies
the use of passphrases, PINs, and passwords as knowledge;
physical tokens as possessions; and biometric identity as a
form of being intrinsic to oneself [9].
Other authentication techniques might include someone you
know and somewhere you are. When any two of these
methods of authentication are used together, the practice is
considered 2FA. Although there exist different kinds of
authentication options, the use of passwords is continuing to
dominate when it comes to online authentication. In this case,
the main concern is that passwords are associated with a wide
range of security vulnerabilities and flaws with sheer amounts
of generated passwords causing even greater risks [9]. Despite
the continuing instances of passwords being compromised,
many people are still using a single-factor authentication
method that has greatly been associated with misalignment in
human cognition, a vulnerability in the event of social
engineering, and difficulties when it comes to creating
necessary policies. Even though two-factor authentication is
being adopted on a large scale, a simple examination of the
benefits and risks associated with it could call for further
evaluation of its adoption [9].
The initial evaluation of security keys was made based on
different frameworks that had been developed to evaluate
various authentication approaches. It was evident that for
authentication protocols to be accepted on a large scale, they
must outperform the use of passwords on many fronts that
include, but are not limited to, preservation of privacy,
scalability, physical burden, and cognitive burden [7]. Further
research has also seen five important attributes being proposed
for tokens, namely theft-resistant, loss-resistant, scalable,
memoryless, and secure [9]. The use of security keys imposes
little physical burden: they are physically effortless and
lightweight because their operation is based on pressing a
button. Even more, security keys are unlikely to be stolen or
lost and are also scalable and secure, besides being compatible
with the use of passwords. Once an individual has enrolled in
the service, security keys are further considered cognitively
effortless [9-15].
Fig. 1. Security Key Registration
Fig. 2. Security Key Authentication
B. Cloud Computing
The IoT technology is an extension of cloud computing.
Cloud computing is a general term referring to the delivery of
a wide range of hosted services over the internet. In other
words, cloud computing is the provision of various on-
demand computing services like processing power, storage, and
applications, typically on a pay-as-you-go basis and over the
internet. These services are placed into three broad categories
including SaaS, PaaS, and IaaS. According to [16], cloud
computing has evolved into one of the most inspiring
technologies in industry and research. It is a model that
enables convenient, ubiquitous, on-demand network access to
a wide range of configurable computing resources, including
services, applications, storage, servers, and networks, that can
be provisioned and subsequently released with minimal
management effort and interaction with the service providers.
Due to its high computational value, cloud computing has
continued to grow and allow companies such as Microsoft
Azure to offer their cloud computing services through the
internet [16].
The vast cloud’s capability to store and ensure the
availability of different applications and contents poses a lot of
risks that relate to security and privacy [17]. This is an
important issue of concern, especially for the diffusion of the
cloud because many organizations rely on the cloud for their
mission-critical and strategic functions. In that same regard,
cloud providers are said to be experiencing numerous
challenges and pressure from different stakeholders including
the members of the society to protect information and other
sensitive data assets that belong to the customers [17]. Today,
there is a huge gap between what cloud providers claim to be
offering, and what potential and existing adopters think about
cloud computing’s cloud security. On the flip side, players in
the industry are starting to realize the need to establish
standards that can be used to offer guidance for promoting
privacy and security. Because of a wide range of individual and
organized efforts, the society at large is anticipating significant
security changes in cloud-related institutions [17].
Cloud computing can be classified into different architecture
models, types, and classifications [18]. The public cloud,
private cloud, and hybrid cloud are the three major transformative
types of networked computing models. The underlying cloud
infrastructure could assume different features and forms
including hyper-converged models, software-defined, virtualized
models, and so forth. The public cloud can be described as
the cloud computing model in which IT services are offered
through the internet. Consequently, the service could be
charged, subscription-based, freemium, or free depending on
the type of computing resources that are being used or
consumed. The corresponding computing functionality varies
and might include services such as infrastructure environment,
storage, apps, and emails. It is the responsibility of the cloud
vendors to maintain, manage, and develop the different pools of
computing resources that are provided to different tenants. The
main defining features of public cloud solutions are scalability
of the IT-enabled services and high elasticity that are provided
at relatively low costs and based on pricing tier. The public
cloud has developed into the most common way for cloud
computing deployment [19]. Consequently, cloud resources
such as storage and servers are operated and owned by third-
party cloud vendors after which they are delivered through the
internet. A great example of a public cloud is Microsoft Azure.
The cloud provider manages and owns all software, hardware,
and related supporting infrastructure in the public cloud. In this
type of cloud, tenants share network, storage, and hardware with
fellow tenants. These tenants manage their accounts through
web browsers. Many public cloud deployments offer online
office applications, web-based email, testing, storage, and
development environments. Some of the advantages that are
associated with the use of public clouds include high reliability,
near-unlimited scalability, no maintenance, and lower costs.
The private cloud is widely known as a cloud solution that is
mainly dictated for use by a single corporation or organization.
Here, the data center resources could either be operated by a
third-party vendor off-site or on-site. The underlying
computing resources are isolated before being delivered through
secure private networks rather than being shared with fellow
customers. A private cloud can be customized to meet the
various security and business needs of an organization at large
[20]. With greater control and visibility into such infrastructure,
companies can operate IT workloads that are compliance
sensitive without necessarily having implications on
performance and security. The private cloud is comprised of a
wide range of computing resources that are exclusively used by
a single organization or business. Besides, the private cloud can
be located physically on an organization’s on-site datacenter or
could be hosted by third-party service providers. Infrastructure
and services in the private cloud are usually maintained on what
could be termed as a private network whereas software and
hardware are typically dedicated to solely fulfill organizational
needs. Private clouds are in most cases used by financial
institutions, government agencies, and other middle to large
government corporations that have business-critical functions
aimed at promoting control over a cloud environment.
Advantages of the private cloud include and are not limited to
high scalability, improved security, and more flexibility.
Lastly, a hybrid cloud is defined as the cloud infrastructure
environment that constitutes the mix of private and public
cloud solutions. In this case, resources are mainly orchestrated
as infrastructural environments that have been integrated. Data
workloads and applications can share a wide range of
resources between private and public cloud deployment
depending on organizational efficiency and cost, scalability,
performance, technical policies that revolve around the subject
of security, and so forth [21,22]. For example, a company can
use a private cloud for its information technology workloads
and at the same time complement the underlying infrastructure
with some public cloud resources with the hope of
accommodating spikes in network traffic that are likely to be
experienced on an occasional basis. Because of that, access to
another computing capability will not necessarily need high
CapEx of the private cloud environment. Instead, it will be
delivered through the public cloud solution as a short-term IT
service.
C. Authentications
Authentications are processes that are involved in verifying
whether something or someone is what or who it is declared to
be. In other words, authentication is an approach that is
employed when trying to recognize the identity of users. The
mechanism entails relating incoming requests to various sets
of identifying credentials. Credentials that have been provided
are first compared to those that have been filed in the
authentication servers, operating systems, and databases for
information about authorized users. Authentication processes
will always run at the start of applications before any other
code is given the green light to proceed. Multiple systems
might need varied credentials to determine the identity of the
users. These credentials normally assume the form of
passwords that could either be known or secret to a system or
individuals.
There are three authentication techniques. They include
something that you are such as a scanned body part, some-
thing that you have like token keys, and something that you
know like a password. Essentially, something that you are is
considered as the strongest authentication method that is the
hardest to crack. For instance, it is not easy for one to duplicate
fingerprints or replicate an iris scan. Something that you have
has continued to gain popularity because of people’s
unwillingness to be detached from their mobile devices. This
access control technique usually assumes the form of a one-
time token key that can be retrieved from external sources.
Lastly, something you know does not require special hardware.
Just like the use of passwords, there are no additional tools that
are required to offer secret codes. That is why people are highly
encouraged to come up with passwords that are difficult to
guess.
D. MFA
MFA is an authentication technique whereby users offer at
least two verification factors to establish access to resources
like virtual private networks, online accounts, or applications.
MFA is an important aspect of a strong policy for identity and
access management. For instance, instead of being required to
provide a password and a username only, MFA requires the use
of an additional verification factor, thus minimizing cyber-
attacks. In information technology, credentials that form MFA
can take the form of locations, time, biometrics, numerical
codes, hardware tokens, passwords, and so forth [23].
Technically, combining any two of such credentials is considered
MFA, although many implementations rely on exactly two
factors, which is what is known as two-factor
authentication. Using many credentials rather than one makes
the authentication process more secure even if one of the
combinations that have been used is compromised. For MFA to
work, users’ credentials must come from a minimum of two of
three different factors or categories: what you are, what you
have, and what you know [24].
E. Weak Passwords
Passwords are arguably the most common authentication
forms that are used to establish control over information such
as voice mail systems, calling cards, telephone, credit cards,
automated teller machines, and personal identification numbers.
Many people use passwords because they are convenient,
inexpensive, and simple mechanisms to implement and use. At
the same time, passwords are regarded as extremely poor forms
of authentication or protection. It is very difficult to manage
password problems since one computer network could have
hundreds or thousands of password-protected accounts, and
the compromise of only one of them could provide potential
attackers with access to the network or system. With the
current nature of the interconnected internet, skillful hackers
can use passwords to compromise millions of systems [25].
Weak passwords usually play significant roles in any form of
hacking activity [26]. Some systems and applications do not
promote password complexity, thus encouraging users to use
simple passwords like their phone numbers, god, 12345, and
123. Weak passwords are not necessarily characterized by the
characters or length that have been used. They could also be
characterized by guessability. For instance, a password like
name@12345 appears to be complex but could be guessed [26].
Users are encouraged to avoid passwords that relate to mobile
numbers, places, or names. Weak passwords are easy to guess
and, in some instances, especially when they are too short,
attackers can use brute force. That is why users are highly
encouraged to utilize special characters alongside random
strings. Even though it might be difficult to remember such a
password combination, the truth is that they are quite secure
[26].
F. Importance of MFA
The core importance of MFA is that it increases
organizational security [27]. The technique requires all users,
such as organizational employees, to identify themselves using
additional credentials rather than just usernames and passwords.
Essentially, usernames and passwords are vulnerable to brute
force attacks and could be compromised or get stolen by
unauthorized third parties. Promoting the use of MFA at the
organizational level promotes the sense of confidence that an
organization remains safe from potential cyber-attacks.
Passwords are considered the most popular authentication
technique. However, they provide very little protection
because once stolen, they can be used by hackers or
unauthorized users to wreak serious havoc, bypass other access
controls, and log in to business systems and applications.
According to research, stolen login credentials are the most
common means that hackers use to carry out data breaches.
There are many other attack vectors out there that
cybercriminals can use to gain access and steal passwords such
as stolen hardware, point of sale intrusions, web app attacks,
brute force attacks, and phishing attacks. Some users make
things easier for cyber attackers by keeping the same
passwords for a considerably long period, storing their
passwords in locations that are not secure, using the same
passwords in different applications, and going for weak
passwords. Thankfully, MFA comes in handy with an
additional protection layer that makes it easier to deal with
these problems. This technique addresses the ripple
implications of credentials that have been compromised
because even if malicious actors might steal users’ passwords
and usernames, they will be prompted to offer another factor
before being allowed to access sensitive data.
MFA is also important because, based on recent surveys,
most security and IT professionals think that it is the most
effective security control for both public cloud and on-
premises data. Additionally, many current MFA solutions that
are also available in the market are easy and fast to implement.
The solutions make it easy for companies to implement the
security controls without redirecting a lot of effort and time on
the same. That is beside the level of cost-effectiveness that
comes in handy with the same solutions.
Another vital benefit of MFA is that it offers an excellent
way of enabling enterprise mobility [28].
This is especially important since enterprise mobility is a
significant initiative that is prioritized by many companies that
are still undergoing digital transformation. The level of
productivity usually increases when workers or employees can
use devices that they prefer securely and easily to access
resources that they need to fulfill their tasks. The use of MFA
authentication to remotely log in to a network using virtual
private networks or long into business applications provides a
high level of flexibility. Besides, encouraging the use of MFA
at the organizational level is a clear indication that a firm is
committed to both network and data protection measures.
MFA is also important because it forms part of compliance
with specific geographical and industry regulations. For
instance, PCI-DSS requires the implementation of MFA on
specific instances to prevent unauthorized users and malicious
actors from accessing systems that are used to process payment
transactions. Additionally, MFA gives healthcare institutions
and providers a convenient means of complying with
HIPAA. The authentication method is an integral part of
making sure that strong customer authentication requirements have been met,
especially in financial institutions.
Authorized licensed use limited to: Bisha University. Downloaded on July 28,2021 at 11:34:13 UTC from IEEE Xplore. Restrictions apply.
MFA helps promote cybersecurity. As the scope and number
of cybercrimes continue to increase, enterprises are
starting to realize the scope of the threats that they are facing. In
the world of today, cyber-attackers do not target large
organizations only. Approximately 31% of companies that have
less than 250 employees have been popular targets of
cybercrimes. It is equally vital to note that the intention of
cyber-attackers is not just stealing data. Some of them try to
destroy or corrupt it completely. Because of this concern, the
market for MFA is expected to hit about $12.51 billion in the
next four years.
Further, implementation of MFA is important when it comes
to setting security expectations [29]. Identification of
organizational security requirements is an integral part of any
implementation of MFA. For instance, it is important to
consider things like the business model, industry, type of
data that should be stored, utilized, or captured, and applicable
compliance regulations to attain normal business functions.
Implementation of MFA provides all organizations with the
opportunity to single out and classify typical business scenarios
depending on the level of risk and to figure out the situations in which
MFA should be applied. For example, based on different sets of
factors, companies could choose to require MFA when workers are
logging in remotely, when specific databases or applications are
being accessed, or in high-risk scenarios. Apart from that, MFA
could also be used to limit the locations from which users can access data
or information, thus enhancing access restriction measures.
G. Different Implementations of MFA
There are various ways of implementing MFA. Examples
include:
1) The use of a TOTP. A TOTP is generated from the current
timestamp and a shared secret key using a cryptographic
function; the particular cryptographic function used varies
across implementations.
2) The use of SMS. Once you try to log in to systems or
resources, a text message with a code is automatically sent to
your phone. Because you are the only person who has access to
your phone, you will automatically receive notification of any
attempt made to log in to your system, resource, or account.
3) The use of email.
4) Push notifications.
H. Statistics and Numbers on Security
The field of IT is complex and subject to change. Any
security change has the potential of setting off a chain of
adjustments and tweaks that could irritate users. Streamlined
authentication processes help maintain productivity levels in the
IT sector as high as possible. That is why IT administrators are
encouraged to make sure that all emerging upgrades are
integrated to increase security. With MFA, IT administrators
have a unique opportunity of adapting the required level of
security support with the aid of contextual information like geo-
location and behavioral patterns.
Identity theft is a high-reward, low-risk, and easy type of
crime and threat to individuals and organizations. It is one of
the fastest-growing crimes that is increasingly becoming more
profitable compared to crimes that relate to drugs. Research
has shown that stolen and weak user credentials are important
weapons to hackers who have been using them in almost 95%
of all attacks that have been orchestrated on web applications.
Malicious actors seem to be on the winning side because
between 2013 and 2014, the total number of attack breaches
that ended up being successful had gone up by approximately
27.5%. Even though these breaches have been associated with
companies that bear household names, there has been a further
concern because out of all target attacks, about 31% have been
targeting business enterprises with less than 250 employees.
Advanced firewalls and anti-virus systems are as important as
vulnerability tests. However, the front door will always remain
open without proper user authentication. Password theft has
continued to evolve as attackers attempt to utilize highly
sophisticated techniques like pharming, phishing, and
keylogging. The bitter truth is that cyberattackers have been
trying to do more than just steal data.
They change services or programs, destroy data, or use
servers to transmit malicious code, spam, or propaganda.
I. Effectiveness of MFA
Many IT departments would agree that implementing MFA
across all APs could bolster organizational security. The prob-
lem is that the nature of MFAs could be tedious leaving some
people wondering about their effectiveness. Therefore, to truly
understand the effectiveness of multifactor authentications, it
is first important to develop a coherent understanding of how
hackers and other malicious actors engage in their activities in
the absence of MFA. In a nutshell, cyber-attackers are required
to access your password and username. Some of the typical
access techniques that hackers have been using to steal
sensitive information include:
1) Dark Web: In both small and large organizations, data
breaches can always mean that confidential information has
been made available on the Dark Web where people with
bad intentions can purchase or sell them. Such information
could be corporate login information or personal information
such as bank information, credit card numbers, driver’s license
information, and addresses.
2) Malware: There are different ways in which malware
can find its way into your computer. This could be through
thumb drives, network shares, attachments, websites, emails,
and so forth. The problem is that once malware has entered
your computer, it can do a lot of terrible things, including
installing a keylogger that records anything you type
and forwards it to cyberattackers. Logging in to a website
while the keylogger is active and running means that
your password and username are shared
immediately.
3) Social engineering: Just like phishing, social engineering
takes place when cyberattackers decide to impersonate other
people in an organization or corporation. Once they do so, they
can then send you an email requesting access
to resources like network servers. If the individual who
has been impersonated is a senior person, there is a high chance
that those who have been tricked will share the requested
information without asking a lot of questions.
4) Smishing/Phishing: Most phishing activities occur when
cyber criminals decide to send millions of emails to specific
individuals. These emails could be offering warnings about
compromised passwords, thus prompting the receivers to
change them. In such a case, the link provided is
fictitious and immediately harvests
any login credentials that are entered. The malicious actors can
then attempt to use the credentials to gain access to sensitive
information of their victims, including their banks. Smishing
works the same way except that the initial messages come in the form
of texts.
5) Brute Force: Brute force is an automated technique of
attempting hundreds or thousands of passwords to gain access
to a system. It is often based on personal information about
an individual such as anniversary dates, pet names, spouse
names, and birthdays, as well as common passwords.
Thousands of people from different parts of the world,
including prominent and intelligent ones, get hacked every day
using one of the above methods. As soon as malicious actors
have been able to acquire your login credentials, they can cause
a lot of damage.
According to Microsoft, MFA blocks approximately 99% of
account hacking attempts. Users who want to prevent 99% of
automated attacks should consider implementing MFA because
it does the trick well. This strategy is not just effective for
Microsoft accounts, but also for other accounts. That is
why it is highly encouraged that MFA is enabled regardless of
whether there are complex or simple security measures in place.
The advice was further echoed by Google, which encouraged users
to add a phone number for account recovery
purposes because doing so helps strengthen the security of
their accounts. That, among other things, is a clear indication of the
overall effectiveness of MFA.
MFA is a more effective and proven technique than using
credentials alone. Its effectiveness revolves around the fact that
whereas malicious actors might obtain users’ credentials
through credential stuffing or phishing attempts, they cannot
easily obtain the second verification factor. The method is an integral
aspect of zero-trust security and requires that users offer
at least two credentials if they want to gain access to sensitive
information and resources. So far, this form of security
approach has been proved to protect resources, sensitive
information, accounts, and so forth from cyber-attackers. MFA
functions by preventing attacks that could result from
cybercriminals attempting to guess or obtain users’ credentials.
The effectiveness of MFA is further demonstrated through its
applicability in various industries including education,
communication and media, technology, and financial services,
among others. Being a process whereby users are required to
pass at least two authentication levels to access information,
resources, accounts, or data, MFA has continued to gain
popularity. It has become increasingly important to implement
MFA, especially now that companies are facing cyber threats
of different scopes and nature. The chances of suffering from
cyber-attacks will usually decrease by adding another security
layer. Essentially, this is because of the difficulty that is
associated with attempts to surpass multiple levels of
authentication.
IV. RESULTS
1) Proof of Concept: There was a demonstration of how
fake domains and social engineering could be used to bypass
the use of passwords. To address this concern, further research
was conducted to determine the effectiveness of the 2FA
technique. Even though 2FA has some weaknesses that could
be exploited through push notifications, the security approach
emerged as an excellent first step that can help keep attackers
at bay. In this research, evaluations were made on IoT servers
and IoT devices that had been configured using 2FA, and the
results documented. Since this research
was seeking a basis for assessing the effectiveness of security
keys in the authentication of IoT servers and IoT devices, the
core objectives were met. 2FA offers the
scalability and adaptability that can enable both organizations
and individuals to meet their security needs.
2) Research Evaluation: The prototype developed in this
study was evaluated against the dominant use of
passwords. Whereas some people go for weak passwords that
could be compromised easily using brute force and dictionary
attacks, 2FA enhances the effectiveness of promoting security.
An evaluation of the scope of the use of 2FA was conducted,
and the extent to which the security approach is being adopted
and implemented was assessed even further. Two models were used
to help bolster the testability of the authentication technique in
the light of similar research that has thus far been carried out
by other scholars. It emerged that, in contrast to overreliance
on the use of passwords, many users find it
more secure to use 2FA. Therefore, it will be especially vital
to encourage users to start accepting the use of this
authentication approach.
V. CONCLUSION
To sum up, MFA is one of the proven approaches that could
be used to increase cybersecurity. Even though passwords play
an integral part in promoting security, they are not entirely
infallible. Cyber-attackers can use different methods to
compromise, steal, or guess your passwords. However, MFA
can assist significantly because it makes it more challenging
for malicious actors to access accounts or devices. That is why
many companies have been providing MFA features in most of
their product offerings.
VI. NOMENCLATURE
Internet of Things (IoT)
Information Technology (IT)
Public Key Infrastructure (PKI)
Multi-factor Authentication (MFA)
Electronic Mail (email)
Short Message Service (SMS)
Time-based One-Time Password (TOTP)
Software-as-a-Service (SaaS)
Platform-as-a-Service (PaaS)
Infrastructure-as-a-Service (IaaS)
Access Points (APs)
Two-Factor-Authentication (2FA)
Internet Protocol (IP)
Information and Communications Technology (ICT)
Wide Area Network (WAN)
Distributed Denial of Service (DDoS)
Denial of Service (DoS)
ACKNOWLEDGMENT
I wish to thank my parents for their support and encouragement
throughout my studies and special thanks to my
respected supervisor Dr. Mohammad Tabrez Quasim.
REFERENCES
[1] T. Shah and S. Venkatesan, “Authentication of IoT Device and IoT Server
Using Secure Vaults,” Proceedings 17th IEEE International Conference
on Trust, Security and Privacy in Computing and Communications and
12th IEEE International Conference on Big Data Science and
Engineering, pp. 819–824, 2018.
[2] H. Alqarni, W. Alnahari, and M. T. Quasim, “Internet of things (IoT)
security requirements: Issues related to sensors,” 2021 National
Computing Colleges Conference (NCCC), 2021.
[3] G. Cheng, H. Xie, and D. Zhang, “Analyzing the Chain of Trust Model
Based on Entity Dependence,” Lecture Notes in Computer Science
(including subseries Lecture Notes in Artificial Intelligence and Lecture
Notes in Bioinformatics) 12472 LNCS, pp. 146–159, 2020.
[4] S. Y. Chau, O. Chowdhury, E. Hoque, H. Ge, A. Kate, C. Nita-Rotaru, and
N. Li, “SymCerts: Practical Symbolic Execution for Exposing
Noncompliance in X.509 Certificate Validation Implementations,” Proceedings
IEEE Symposium on Security and Privacy, pp. 503–520, 2017.
[5] S. B. Roosa and S. Schultze, “Trust Darknet: Control and Compromise
in the Internet’s Certificate Authority Model,” IEEE Internet Computing,
vol. 17, no. 3, pp. 18–25, 2013, doi: 10.1109/mic.2013.27.
[6] M. A. Khan, M. T. Quasim, N. S. Alghamdi and M. Y. Khan, "A Secure
Framework for Authentication and Encryption Using Improved ECC for
IoT-Based Medical Sensor Data," in IEEE Access, vol. 8, pp. 52018-
52027, 2020. DOI: 10.1109/ACCESS.2020.2980739
[7] M. T. Quasim, M. A. Khan, M. Abdullah, M. Meraj, S. P. Singh and P.
Johri, "Internet of Things for Smart Healthcare: A Hardware Perspective,"
2019 First International Conference of Intelligent Computing and
Engineering (ICOICE), Hadhramout, Yemen, 2019, pp. 1-5. DOI:
10.1109/ICOICE48418.2019.9035175
[8] M. Meraj, S. P. Singh, P. Johri and M. T. Quasim, "An investigation on
infectious disease patterns using Internet of Things (IoT)," 2020
International Conference on Smart Technologies in Computing, Electrical
and Electronics (ICSTCEE), Bengaluru, 2020, pp. 599-604, doi:
10.1109/ICSTCEE49637.2020.9276922.
[9] M. A. Khan, M. T. Quasim, F. Algarni and A. Alharthi, "Internet of Things:
On the Opportunities, Applications and Open Challenges in Saudi Arabia,"
2019 International Conference on Advances in the Emerging Computing
Technologies (AECT), Al Madinah Al Munawwarah, Saudi Arabia, 2020,
pp. 1-5, doi: 10.1109/AECT47998.2020.9194213.
[10] I. B. Guirat and H. Halpin, “Formal verification of the w3c web
authentication protocol,” ACM International Conference Proceeding
Series, 2018.
[11] M. Joye and Y. Michalevsky, “RSA signatures under hardware
restrictions,” Proceedings of the ACM Conference on Computer and
Communications Security, pp. 51–54, 2018.
[12] C. D. Omorog, B. D. Gerardo, and R. P. Medina, “The performance of
blum-blum-shub elliptic curve Pseudorandom Number Generator as WiFi
protected access 2 security key generator,” ACM International Conference
Proceeding Series, pp. 23–28, 2018.
[13] D. Strobel, D. Oswald, B. Richter, F. Schellenberg, and C. Paar,
“Microcontrollers as (In)Security Devices for Pervasive Computing
Applications,” Proceedings of the IEEE, vol. 102, no. 8, pp. 1157–1173,
2014, doi: 10.1109/jproc.2014.2325397.
[14] Quasim M.T., Khan M.A., Algarni F., Alshahrani M.M. (2021)
Fundamentals of Smart Cities. In: Khan M.A., Algarni F., Quasim M.T.
(eds) Smart Cities: A Data Analytics Perspective. Lecture Notes in
Intelligent Transportation and Infrastructure. Springer, Cham.
https://doi.org/10.1007/978-3-030-60922-1_1
[15] Quasim M.T., Khan M.A., Algarni F., Alharthy A., Alshmrani G.M.M.
(2020) Blockchain Frameworks. In: Khan M., Quasim M., Algarni F.,
Alharthi A. (eds) Decentralised Internet of Things. Studies in Big Data, vol
71. Springer, DOI: https://doi.org/10.1007/978-3-030-38677-1
[16] M. T. Quasim, A. A. E. Radwan, G. M. M. Alshmrani and M. Meraj,
"A Blockchain Framework for Secure Electronic Health Records in
Healthcare Industry," 2020 International Conference on Smart
Technologies in Computing, Electrical and Electronics (ICSTCEE),
Bengaluru, 2020, pp. 605-609, doi:
10.1109/ICSTCEE49637.2020.9277193.
[17] A. Mukherjee, P. Goswami, M. A. Khan, L. Manman, L. Yang and P.
Pillai, "Energy Efficient Resource Allocation strategy in Massive IoT
for Industrial 6G Applications," in IEEE Internet of Things Journal,
doi: 10.1109/JIOT.2020.3035608.
[18] S. Verma, S. Kaur, M. A. Khan and P. S. Sehdev, "Towards Green
Communication in 6G-enabled Massive Internet of Things," in IEEE
Internet of Things Journal, doi: 10.1109/JIOT.2020.3038804.
[19] Mohammad Ayoub Khan et al., Decentralised IoT: A Blockchain
Perspective, Springer, Studies in Big Data, 2020,
doi: https://doi.org/10.1007/978-3-030-38677-1
[20] Quasim M.T., Khan M.A., Algarni F., Alshahrani M.M. (2021)
Fundamentals of Smart Cities. In: Khan M.A., Algarni F., Quasim M.T.
(eds) Smart Cities: A Data Analytics Perspective. Lecture Notes in
Intelligent Transportation and Infrastructure. Springer, Cham.
https://doi.org/10.1007/978-3-030-60922-1_1; Khan, M. A., Quasim,
M. T., Algarni, F., and Alharthi, A. (2020). Decentralised Internet of
Things: A blockchain perspective. https://doi.org/10.1007/978-3-030-38677-1.
ISBN: 978-3-030-38676-4.
[21] S. Yangui, P. Ravindran, O. Bibani, R. H. Glitho, N. B. Hadjalouane,
M. J. Morrow, and P. A. Polakos, “A platform as-a-service for hybrid
cloud/fog environments,” 2016 IEEE International Symposium on
Local and Metropolitan Area Networks (LANMAN), pp. 1–7, 2016.
[22] S. Das, B. Wang, Z. Tingle, and L. J. Camp, 2019.
[23] S. Ibrokhimov, K. L. Hui, A. A. Al-Absi, H. J. Lee, and M. Sain,
“Multi-Factor Authentication in Cyber Physical System: A State of
Art Survey,” Advanced Communication Technology, pp. 279–284,
2019.
[24] I. Vakilinia, S. Cheung, and S. Sengupta, “Sharing Susceptible
Passwords as Cyber Threat Intelligence Feed,” Proceedings IEEE
Military Communications Conference MILCOM 2019-Octob, pp.
774–779, 2019.
[25] C. Sudhanshu and N. K, 2015.
[26] D. Dasgupta, A. Roy, and A. Nag, 2017.
[27] A. Acar, W. Liu, R. Beyah, K. Akkaya, and A. S. Uluagac, “A
privacy-preserving multifactor authentication system,” Security and
Privacy, vol. 2, pp. 1–19, 2019.
[28] A. Henricks and H. Kettani, “On Data Protection Using MultiFactor
Authentication,” ACM International Conference Proceeding Series,
pp. 1–4, 2019.