Two-Factor Authentication

Two-factor authentication is a security measure used especially in areas where information such as banking is valuable. Parallel to technological developments, it has developed as much as daily. It aims to take security one step forward because it is composed of two phases. Today, banking, IOT devices, public transport tickets and many other areas are used. Two-factor authentication methods against security attacks in the field of information are also being updated. In recent years, new technologies such as biometric (iris pattern, retinal pattern, etc.) or behavioral biometry (location tracking, walking information, touch speed etc.) were studied. Instead of physically studying somewhere like going to a course in modern society, online trainings become more advantageous. Most of these online trainings are given certificates such as participation certificate, success certificate, etc.

1. Hardware-Based Two-factor Authentication

Two-Factor Authentication (T-FA) was first used physically with ATM cards (smart card [5]). The user places the card in the ATM device in the first stage, and in the second stage enter the password. In this way, a two-factor safety stage is passed. Although this system is safe for those years, it is not a very successful two-step verification method because of the lack of being seen by someone else and the stolen / copied ATM card.

In addition to this hardware-based method today, biometric two-step verification has begun, such as ATM devices that recognize fingerprints. In the future, we will be able to perform our transactions safely by performing two-step verification with behavioral biometrics, without the need for a magnetic-specific hardware structure such as a debit card.

The two-phase verification was first used in the years since the internet speeds were very low and mobile phone usage was not common, so it was provided with a device called “RSA SecurID” to generate the password [6]. In Figure 2, a screenshot of the “RSA SecurID” device is given.The algorithm in this device is capable of generating a complex PIN number. Apart from “RSA SecureID”, there are many commercial devices such as “Safeword of Secure Computing” [6]. If we are carrying these devices with us in today’s conditions, it is still a fact that the algorithm is still considered secure for large keys lengths.

Figure 1. RSA SecurID

The concept of Internet of things (IOT) was first heard in 1999. This system aims to connect various devices and communicate with each other using the same communication protocol. With the development of IOT and robotics work, security especially on the hardware side has gained a great importance.

The fact that many devices are connected to a single network reveals the importance of network security [7]. In order to provide this security, the use of two-factor authentication in robot technology is inevitable [8]. Thanks to NFC technology, data can be exchanged at a short distance with low bandwidth. NFC technology can be used on the hardware side for two-factor authentication. Figure 2 shows the two-step verification using NFC [9].

Figure 2. NFC working principle [9]

With the increasing number of NFC-enabled devices, it has begun to be used especially in cars, at home street gates. At this point, users are not limited to carrying a physical key, but they are secured with smaller NFC controllers (such as the NFC Controller Chip on mobile phones).

2. Alpha Numerical/Graph Based Two-Factor Authentication

It is one of the most commonly used two-step verification methods today. Alpha-Numerical validation is especially important in mobile phone technology. In the general usage example, the user enters the password on the input screen of any system. Then, the alphanumeric code consisting of the combination of letters and numbers coming to the mobile phone enters the corresponding screen and performs two-factor authentication.

There are two basic problems in alpha-numeric two-factor authentication. First, the user becomes dependent on the mobile phone and does not have access to his account because he cannot perform two-factor authentication in cases such as undoing the base station network, corruption of the phone. Another problem is to provide the mobile phone with SMS to forward the code to another phone by hackers with various malicious software.

With the advances in touch screen technologies, graphics-based verification has entered our lives. The user specifies a pattern, such as touching a particular point on a pattern or a photo, and the generated graphical password is recorded in the device. This graphical pattern is actually the password of the user.

The most fundamental problem with graph-based verification is that graphs manually drawn on the screen in public areas are easily observable by malicious people [10]. To prevent this, the option to prevent the graphic template drawn on the Android 7.0 version from being displayed on the screen has been introduced. However, it is not a sufficient measure. Because of the research done, malicious people can predict the graph based password from fingerprints on the screen [1].

A new technology called TouchIn has been developed [1], with security improvements such as the ability to view graphical passwords by others, predictions from fingerprint traces, and improvements in touch screen and sensor technologies [1]. This technology uses the 3D accelerometer sensor;

· Direction: x-coordinate, y-coordinate

· Speed: x-speed, y-speed

· Acceleration : x-acceleration, y-acceleration

· Finger press:

· Hand geometry

features a new approach to graph-based validation.

3. Biological Based Two-Factor Authentication

The biologically based two-factor authentication is divided into Physiological Biology and Behavioral Biometry in itself. Physiological biometry uses media in the devices have entered our lives with the development of sensors such as fingerprint detection. Behavioral biometrics is still a developing technology. It aims to provide security by evaluating features such as the brain wave, thoughts, and movements of the person.

3.1. Physiological Biometry Based Two-Step Verification

Physiological biometry aims to verify the identity of a person depending on their physical characteristics. Physical properties used today;

· Fingerprint [11]

· Iris pattern

· Retina pattern

· Face features

· Hand geometry etc.

In today’s mobile phones (e.g. Samsung Galaxy S8), fingerprints, iris recognition, face recognition features are beginning to be used at the same time. In this way it can be verified in many ways.

Face recognition has also been made available to the end user in the computer world. For example, on Windows 10 computers, face recognition is performed with the help of webcam with Windows Hello application.

The main problem with fingerprinting is that malicious people can get into the system when their finger is torn off and the relevant sensor is read. In order to prevent this, it is only possible to read finger vein information instead of fingerprint. Especially in ATM machines, airports have started to be used in areas where information is very valuable.

3.2. Behavioral Biometry-Based Two-Step Verification

It is a security verification method which is made by adding the parameters that measure the behavior of the person on the physiological biometrics together with the developments in the technology.

Behavioral biometrics uses features;

· Personal behavior

· Location tracks

· Brain waves

· Thoughts etc.

RhyAuth system with rhythm-based verification has been introduced [12]. This system is based on the creation of a melody with various notes. It is secure according to the graphical encryption used on the phone. Because a long note is required to create a melody. This system is also useful for visual impairments to use two-factor authentication. However, it can cause problems in noisy environments such as libraries. It has also been shown to be safe in research on 32 users on Android devices.

The verification of the password in the smart card technology has been studied [13]. Utilizing the cryptography method, SHA-256 algorithm is used to validate while waiting for the devices in the queue, thus saving time in this way.

Behavioral biometry is a method of verification that has not been fully developed. But with future developments in technology, it will be something that end users can take advantage of.


[1] Jingchao Sun, Rui Zhang, Jinxue Zhang, and Yanchao Zhang, TouchIn: Sightless Two-factor Authentication on Multi-touch Mobile Devices, IEEE Conference on Communications and Network Security, 2014.

[2] Dogukan Aydinli, Emre Koroglu, Volkan Erol, Abuse of Mobile Devices by Making Reverse Proxy Server, Preprints 2017, 2017050123 (doi: 10.20944/preprints201705.0123.v1), 2017.

[3] Kadir Imamoglu, Volkan Erol, Gorkem Cetin, Enabling Secure Platforms with Trusted Computing, IEEE 2nd Conference on Homeland Safety and Security (TEHOSS 2006), 2006.

[4] Oguz Ercakir, Orkun Kizilirmak, Volkan Erol, Network Security Issues and Solutions on Vehicular Communication Systems. Preprints 2017, 2017060001 (doi: 10.20944/preprints201706.0001.v1), 2017.

[5] Jing-Chiou Liou, Sujith Bhashyam, A Feasible and Cost Effective Two-Factor Authentication for Online Transactions , 2nd International Conference on Software Engineering and Data Mining (SEDM), 2010 .

[6] Fadi Aloul, Syed Zahidi, Wassim El-Hajj, Two Factor Authentication Using Mobile Phones, International Journal of Mathematics and Computer Science, 4(2009), no. 2, 65–80, 2009.

[7] Herman Engström, Martin Larsson, Joel Wikberg, Factors in Two-Factor Authentication, INFC40 — Information Systems Security

[8] Dhvanik Miglani, Arnold Hensman, Vision for Secure Home Robots: Implementation of two–factor authentication, IEEE International Symposium on Technology and Society (ISTAS), 2015.

[9] Matthew A. Crossman, Hong Liu, Two-Factor Authentication through Near Field Communication, IEEE Symposium on Technologies for Homeland Security (HST), 2016.

[10] Alireza Pirayesh Sabzevar, Angelos Stavrou, Universal Multi-Factor Authentication Using Graphical Passwords, IEEE International Conference on Signal Image Technology and Internet Based Systems (SITIS ‘08), 2008.

[11] Hugh Wimberly, Lorie M. Liebrock, Using Fingerprint Authentication to Reduce System Security: An Empirical Study, IEEE Symposium on Security and Privacy (SP), 2011.

[12] Yimin Chen , Jingchao Sun , Rui Zhang , Your Song Your Way: Rhythm-Based Two-Factor Authentication for Multi-Touch Mobile Devices, IEEE Conference on Computer Communications (INFOCOM), 2015.

[13] Edna Elizabeth N., S. Nivetha, Design of a Two-factor Authentication ticketing system for Transit Applications, IEEE Region 10 Conference (TENCON), 2016.