Two factor authentication security

Date
2024-02-02
Authors
Kumbasar, Sümeyra
Publisher
Graduate School
Abstract
The rapid advancement of technology and the widespread use of mobile applications in various aspects of our lives have started to attract the attention of cyber attackers. As time passes, the scale of cyber attacks on these platforms is increasing, leading to reputational and financial losses for organizations. Therefore, organizations take certain security measures to protect their sensitive and confidential information from unauthorized access and its adverse consequences. Cryptographic algorithms are used to encrypt sensitive data and transmit it securely to the receiving party. To ensure security, certain fundamental security principles are followed. Encryption methods are utilized to ensure the confidentiality and integrity of critical and sensitive data. Additionally, authentication and authorization controls are enforced for access to critical data. Authorized users should have access to these data whenever needed, and the actions performed by authorized users should be logged. With the increasing presence of the internet in our lives, the number of attacks on organizations is also rising. One of the most significant among these is the DDoS attack. DDoS attacks aim to disrupt the functioning of systems by sending far more requests than their capacity can handle. The objective of these attacks is not to access, modify, or steal critical and sensitive data but to block and disrupt the accessibility of systems. One of the fundamental elements of resisting cyber attacks and keeping systems secure is authentication. Two-factor authentication (2FA), one of the advanced identity authentication methods designed to protect systems from unauthorized access, is commonly used by many organizations as an additional security layer. However, despite enhancing access security, these systems have some security vulnerabilities of their own.
In this master's thesis, we exemplify how two-factor authentication, commonly used for security, can be exploited by attackers to cause denial-of-service attacks by halting the operation of services. There are two steps in the authentication phase: first is the authentication server verifying the username and password, and second is generating a PIN and sending it to the user. In our study, to exemplify the PIN generation phase during authentication, we randomly assign a number to the server and encrypt it using 2048-bit numbers. The speed at which systems perform this operation is in milliseconds. However, as the number of requests received per second increases, the encryption process with 2048-bit numbers becomes more challenging, resulting in a decrease in the server's response rate. Additionally, freezing and slowing down are observed on the device where the program is executed. As a result, the incoming requests eventually exhibit the effects of a DoS attack, negatively impacting the server's performance. We anticipate that in mobile banking applications, simultaneous authentication requests from legitimate users will slow down the application in a similar manner, resembling a Denial-of-Service attack, causing the application to respond to fewer requests and reducing its functionality.
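The abstract describes a second 2FA step that generates a PIN and encrypts it with 2048-bit numbers, and observes that the per-request cost of that step is what degrades the server under load. The following Python model is an added example, not code from the thesis: it reproduces the cost profile of that step with a constructed 2048-bit modulus and exponent (the abstract does not state which RSA operation is used, so a 2048-bit exponent is an assumption chosen to represent the expensive case), and places a sliding-window limiter in front of it so that the expensive operation is only paid for requests that stay within a per-account and a global budget. The limiter, the budgets and the burst of usernames are all constructed for illustration and are not part of the thesis.

```python
"""Model of the 2FA PIN-generation step and a rate-limit guard in front of it."""
import secrets
import time
from collections import defaultdict, deque

# --- The PIN-generation step ------------------------------------------------
# Constructed stand-in for a 2048-bit RSA key (assumption: the abstract only
# says "2048-bit numbers"). These are random full-width values, not a real key;
# only the cost of one 2048-bit modular exponentiation matters for this model.
MODULUS_BITS = 2048
_N = secrets.randbits(MODULUS_BITS) | (1 << (MODULUS_BITS - 1)) | 1  # odd, full width
_D = secrets.randbits(MODULUS_BITS) | (1 << (MODULUS_BITS - 1))      # 2048-bit exponent


def generate_pin(digits=6):
    """Random zero-padded numeric PIN from a CSPRNG."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def encrypt_pin(pin):
    """RSA-style modular exponentiation over the PIN: c = m^d mod N."""
    return pow(int(pin), _D, _N)


def time_encrypt(iterations=20):
    """Average wall-clock seconds per PIN encryption (the per-request cost)."""
    start = time.perf_counter()
    for _ in range(iterations):
        encrypt_pin(generate_pin())
    return (time.perf_counter() - start) / iterations


# --- The guard in front of it -----------------------------------------------
class SlidingWindowLimiter:
    """Allow at most `limit` expensive operations per `window` seconds per key,
    and at most `global_limit` across all keys in the same window. The clock is
    injectable so the behaviour is deterministic under test."""

    def __init__(self, limit, window, global_limit, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.global_limit = global_limit
        self.clock = clock
        self.per_key = defaultdict(deque)   # key -> timestamps of accepted requests
        self.global_hits = deque()          # timestamps of all accepted requests

    def _prune(self, queue, now):
        # Drop timestamps that have fallen out of the window.
        while queue and queue[0] <= now - self.window:
            queue.popleft()

    def allow(self, key):
        now = self.clock()
        queue = self.per_key[key]
        self._prune(queue, now)
        self._prune(self.global_hits, now)
        if len(queue) >= self.limit or len(self.global_hits) >= self.global_limit:
            return False
        queue.append(now)
        self.global_hits.append(now)
        return True


def handle_pin_request(username, limiter):
    """Second 2FA step: pay for the encryption only after the limiter admits
    the request. Returns (status, ciphertext-or-None)."""
    if not limiter.allow(username):
        return ("rate_limited", None)
    pin = generate_pin()
    return ("sent", encrypt_pin(pin))


def simulate(requests, limiter):
    """Serve a constructed sequence of usernames; return a count per status."""
    counts = {"sent": 0, "rate_limited": 0}
    for user in requests:
        status, _ = handle_pin_request(user, limiter)
        counts[status] += 1
    return counts


if __name__ == "__main__":
    print(f"per-encryption cost: {time_encrypt() * 1000:.2f} ms")
    # Constructed burst: one account requesting 50 times plus 20 distinct accounts.
    burst = ["alice"] * 50 + [f"user{i}" for i in range(20)]
    limiter = SlidingWindowLimiter(limit=3, window=60, global_limit=40)
    print(simulate(burst, limiter))
```

Running the block prints the measured per-encryption cost and then shows that the repeated account is cut off after its third request in the window while the distinct accounts are served until the global budget is exhausted; the point is that the budget is enforced before the modular exponentiation runs, so the cost described in the abstract is bounded by the limiter rather than by the request rate.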
Description
Thesis (M.Sc.) -- İstanbul Technical University, Graduate School, 2024
Keywords
mobile banking, authentication
Citation