Login hardening with Multi-factor Authentication

This is a Master's thesis from Lund University / Department of Electrical and Information Technology

Abstract: The aim of this Master's thesis work was to conduct research on the different available authenticators, as well as to implement a multi-factor authenticator into the currently used login application. The research included biometric authentication technologies and an investigation of how to implement these to create a highly secure and customizable multi-factor authentication for My Axis accounts at Axis Communications in Lund. Part of the research was to investigate and compare weaknesses, vulnerabilities, trade-offs, practical considerations, and secure storage for common authenticators, as well as recovery and support for the loss of an authentication factor. The method used to achieve these goals was to collect information from research papers, books, and studies about authentication and authenticators, to do a small study about account recovery, and to investigate and analyze the currently used authentication system in order to implement a multi-factor authenticator that extends it. The key objectives of the project were gaining in-depth knowledge of multi-factor authentication, of the OpenID Connect protocol and how it can be used in a system, and the implementation of a multi-factor authenticator that combines username/password authentication (knowledge factor), a smartphone (ownership factor), and biometric authentication (biometric factor). The implementation consists of a plugin that extends the current system and an Android application. The application authenticates the user with the built-in fingerprint sensor and creates a time-based one-time password (TOTP); that is, the application is an authenticator that combines TOTP with the fingerprint so that the fingerprint never leaves the device, which mitigates the risk of biometric factor leaks.
A key conclusion of this project is that the security level of the authenticator is reduced to the security level of its fallback method whenever the fallback method is less secure. The fallback method is used when the user loses, for example, access to their email address or device.
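The device-side design the abstract describes (the fingerprint is verified locally on the phone, and only a TOTP code leaves the device) can be illustrated with a small RFC 4226/6238 implementation. This is an added example, not code from the thesis, from Axis, or from the My Axis login system: the biometric check is a stand-in callable where the Android fingerprint API would sit, the shared secret is assumed to have been provisioned at enrolment, and `verify_totp` shows the server-side counterpart with a small drift window and constant-time comparison.

```python
"""Added example (not the thesis's code): a TOTP authenticator gated by a local
biometric check, plus the server-side verifier. Secret provisioning, the
Android fingerprint API and the OpenID Connect plugin are assumed/out of scope."""
import hashlib
import hmac
import struct
import time
from typing import Callable, Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time // step."""
    return hotp(secret, at // step, digits, algorithm)


class BiometricGatedAuthenticator:
    """Device side. The shared secret stays on the device, and no code is
    produced unless the local biometric check passes, so neither the
    fingerprint template nor the secret ever crosses the network."""

    def __init__(self, secret: bytes, biometric_check: Callable[[], bool]):
        self._secret = secret
        # Stand-in for the platform fingerprint sensor API (assumption).
        self._biometric_check = biometric_check

    def code(self, now: Optional[int] = None) -> Optional[str]:
        if not self._biometric_check():
            return None  # fingerprint mismatch: nothing is generated or sent
        return totp(self._secret, int(time.time()) if now is None else now)


def verify_totp(secret: bytes, submitted: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Server side: accept the code for the current time step and `window`
    neighbouring steps to tolerate clock drift; compare in constant time."""
    for offset in range(-window, window + 1):
        expected = totp(secret, now + offset * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test seed), not a real enrolment.
    demo_secret = b"12345678901234567890"
    device = BiometricGatedAuthenticator(demo_secret, biometric_check=lambda: True)
    now = int(time.time())
    code = device.code(now)
    print("device code:", code, "accepted:", verify_totp(demo_secret, code, now))
```

The important property for a reviewer is visible in `BiometricGatedAuthenticator.code`: the server only ever learns whether a submitted six-digit code matches, so a compromised server reveals no biometric data, and the fingerprint check cannot be bypassed remotely because it runs before any code exists. Keep the drift `window` small, as each extra step doubles the number of codes an online guess can hit.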
