Password Manager With Multi-Factor Authentication: Under the Guidance Of


BHARATHIYAR COLLEGE OF ENGINEERING AND TECHNOLOGY

DEPARTMENT OF INFORMATION TECHNOLOGY

PASSWORD MANAGER WITH MULTI FACTOR AUTHENTICATION

UNDER THE GUIDANCE OF

MOHAMED AZHARUDEEN 17TH0002
JENNATHUL FIRDOWS 17TD0002

PROBLEM DEFINITION

• Password managers take the hassle out of creating and remembering strong passwords.

• A good password manager should ensure some important features: strong security, device and browser independence, user-friendliness, and recovery policies.

• But when we want to achieve a user-friendly design, there are many obstacles to ensuring security. Passwords are stolen all the time.

• It is therefore critical to maintain the effectiveness of the password manager. Our project aims to bring these two poles (user-friendliness and security) together as much as possible.

LITERATURE SURVEY
LIMITATIONS

• Limitations in the base paper's SplitPass password manager

• Impersonating attack: an attacker may steal the device and pretend to be the user.
• User experience issue: a lengthy installation process is required before the user can sign in to their account.

• Limitations in the LastPass password manager

• Security: the LastPass password manager does not provide any security measure for password retrieval.

• Our idea is to overcome the above disadvantages and limitations as far as we can. The main constraints we aim to satisfy are device independence, browser independence, etc., so that the password manager is user-friendly and takes less time. The password manager provides the authentication levels according to the user context.

MODULES IMPLEMENTED

• CREATING MASTER ACCOUNT FOR USER
• PASSWORD ENCRYPTION MODULE AND STORING PASSWORDS
• AUTHENTICATION OF USER ACCOUNT AND RETRIEVING PASSWORDS

WORK DONE IN PHASE-I

• Implemented Module 1, which creates the master account for the user
• Implemented authentication mechanisms based on device categorization and IP address categorization

MODULE 1: CREATING MASTER ACCOUNT FOR USER

• New registration for new users includes username, mobile number and email id.
• User login for already registered users.
• When the user enters a new website, a pop-up asks whether to save the password.
• When the user chooses to save the password for the particular site, it is encrypted and stored in the cloud.
• A 4-digit PIN is required for further logins to the particular site.

AUTHENTICATION MECHANISM BASED ON DEVICE CATEGORIZATION

• When the user enters a password field, the password manager opens the wrapper. The user has to enter his master username and PIN number, which is a security check for retrieving passwords.

• The system retrieves the IP address from which the account is logged in.

• The factor used for authentication is OTP verification via SMS.

• Whenever the user uses a new device to log in to the site, the user is authenticated via OTP.

• In this categorization, the type of device (Android or desktop) is determined. If the user signed in from a desktop, level 1 master PIN verification is implemented and Google Authenticator generating a TOTP is tested as the second level.

• Google Authenticator generates a 30-second TOTP once the user scans the QR code generated in the webpage. If the user enters a valid OTP, the site's original password is retrieved and the desired site is opened.

• If the user signed in from an Android device, level 1 master PIN verification is done and OTP verification is implemented as the second level. If a valid OTP is entered, the site's original password is retrieved and the desired site is opened. This categorization is done using the browser agent (user agent) of the device on which the user is signed in.

AUTHENTICATION MECHANISM BASED ON IP ADDRESS

• In this categorization, if the user signed in from a personal device, level 1 authentication, which is the master PIN verification, is implemented.

• The user enters the 4-digit PIN and, after successful verification, the site's original password is retrieved and the desired site is opened. Only level 1 authentication is tested here.

• If it is a third-party device, after level 1 authentication the other authentication levels are also tested based on the second type of categorization, which is the type of device.

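The two categorizations above decide which levels a login must pass, and the desktop path relies on a Google Authenticator TOTP. The Python block below is an added example, not the project's code: it assumes a "personal device" is one whose client IP is already in the user's set of known IPs (a hypothetical trusted_ips set) and implements the RFC 6238 TOTP computation (HMAC-SHA1, 30-second step, 6 digits) that Google Authenticator uses, with a constant-time comparison and a one-step clock-drift window.

```python
import base64
import hashlib
import hmac
import struct

# Authentication levels as defined in the presentation.
LEVEL_1_PIN, LEVEL_2_SMS_OTP, LEVEL_3_TOTP = 1, 2, 3


def device_type(user_agent: str) -> str:
    """Categorize by browser agent string: 'android' or 'desktop'."""
    return "android" if "android" in user_agent.lower() else "desktop"


def required_levels(client_ip: str, user_agent: str, trusted_ips: set) -> list:
    """Level 1 (master PIN) is always required. On a third-party device
    (assumption: client IP not in the user's known set) add SMS OTP for
    Android or Google Authenticator TOTP for desktop."""
    levels = [LEVEL_1_PIN]
    if client_ip not in trusted_ips:
        second = LEVEL_2_SMS_OTP if device_type(user_agent) == "android" else LEVEL_3_TOTP
        levels.append(second)
    return levels


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step, HMAC-SHA1, 6 digits.
    secret_b32 is the base32 secret encoded in the enrolment QR code."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", at // step)          # 8-byte big-endian step index
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to tolerate
    clock drift; compare in constant time so timing does not leak digits."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + i * 30), code)
        for i in range(-window, window + 1)
    )
```

A real deployment would also rate-limit OTP attempts and tie the verified step to the session so a code cannot be replayed within its window.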
MODULE 2: PASSWORD ENCRYPTION MODULE AND STORING PASSWORDS

• In this module, the user stores the passwords in his account for the first time. When the user enters a password field, the password manager fetches the URL, username and password.

• The password is then encrypted and stored in the cloud. The encryption used here is MD5.

• Only the encrypted site password is stored in the database, and hence the original passwords are hidden.

• The user's profile and saved logins for different sites are also managed and shown to the user on request. A separate session is maintained for each user so that any number of users can use their profiles on the same device.

• MD5 produces a 128-bit hash value.

MODULE 3: AUTHENTICATION OF USER ACCOUNT AND RETRIEVING PASSWORDS

• This is the main module, in which the password is retrieved without the user remembering it. When the user enters a password field, the password manager opens the wrapper.

• The user has to enter his master username and PIN number, which is a security check for retrieving passwords.

• Based on the user context and the device from which the account is logged in, the password manager provides multi-factor authentication. The factors used for authentication are OTP verification via SMS and Google Authenticator.

• The password manager then auto-fills the password field based on the URL and username. The system retrieves the IP address from which the account is logged in.

• This information is later used to provide the next level of authentication. Whenever the user uses a new device to log in to the site, the user is authenticated via OTP.

IMPLEMENTATION DETAILS

• Level 1 – Master PIN verification
• Level 2 – OTP verification
• Level 3 – Google Authenticator

Authentication levels per application, by device category:

Application | Personal Device | Third Party Device (Android) | Third Party Device (Desktop)
Facebook    | Level 1         | Level 1, Level 2             | Level 1, Level 3
GoDaddy     | Level 1         | Level 1, Level 2             | Level 1, Level 3

RESULT DISCUSSION

1. Registration form
2. Master lock PIN generation after registration
3. Account login form
4. Visiting Facebook
5. Profile view
6. Saving Facebook credentials for the first time
7. Level 1 – Android; Level 2 – Android; Level 3 – Desktop
8. Google Authenticator TOTP

Limitations overcome in our project

• Impersonating attack: since we have provided master PIN verification, there is no threat even if the device is stolen. The user has to enter the master password to retrieve information.

• User experience issue: no installation is needed, as our password manager is a website that can be opened on any device.

• Security: we have multi-factor authentication in our password manager, which takes care of security issues.

CONCLUSION

• A password manager using multi-factor authentication is a secure, usable and convenient password manager that combines a clever design with modern technologies.

• It is developed with the intent to resist the most common attack models for password managers. Even with the number of password managers already out there, our analysis suggests that existing password managers do not provide the desired level of usability as well as sufficient trustworthiness and security.

• A backbone based on JavaScript development environments allows the solution to offer usability and security at its core by reusing well-known design components. It offers a self-contained application that can be hosted semi-independently from the backend and works as a stand-alone application, in contrast to the more commonly used multipage websites that are completely controlled by the server.

• The average user can appreciate a clean, sleek and intuitive user interface with notable features such as customizable categories, for example authentication levels based on risk levels, so that the user can increase the security level as needed.

FUTURE ENHANCEMENT

• The final part of the objective of the project is to provide an easy and secure password manager with multi-factor authentication that can be easily understood by a layman.

• Meanwhile, this password manager is secure and trustworthy for every user when compared with other password managers, which are complicated for a layman.

• This results in performance gains and highly secured datasets. The current project work focuses on a minimal approach to URL categorization.

• In future, the same URL categorization can be done more extensively. Device identification can be broadened to cover different formats.

• As multi-factor authentication expands, its future will shine through its use of non-static information to verify consumer identity, including biometrics, behaviour and one-time-use tokens.

• More than that, it is a bridge technology, intended to increase the usable life, reliability and security of existing single-factor, static identifiers. The future of authentication does not include more complex passwords or passphrases or multi-factor authentication.

REFERENCES

[1] Bian Yang, Huiguang Chu, Guoqiang Li, Slobodan Petrovic, Christoph Busch (2014), “Cloud Password Manager Using Privacy-Preserved Biometrics”, IEEE International Conference on Cloud Engineering, DOI: 10.1109, ISBN: 978-1-4799-3766-0.
[2] Bui FM, Hatzinakos D (2005), “A receiver-based variable-size burst equalization strategy for spectrally efficient wireless communications”, IEEE Transactions on Signal Processing, 53(11): 4304–4314.
[3] Carlos Luevanos, John Elizarraras, Khai Hirschi, Jyh-haw Yeh (Jan. 2017), “Analysis on the Security and Use of Password Managers”, 18th International Conference on Parallel and Distributed Computing, Applications and Technologies, DOI: 10.1109.
[4] Damousis IG, Tzovaras D, Bekiaris E (2008), “Unobtrusive multimodal biometric authentication: the HUMABIO project concept”, EURASIP Journal on Advances in Signal Processing, 2008: 1–11.
[5] Hakbilen O., Perinparajan P., Eikeland M., Ulltveit-Moe N. (Jan. 2018), “SAFEPASS – Presenting a Convenient, Portable and Secure Password Manager”, Proceedings of the 4th International Conference on Information Systems Security and Privacy, SCITEPRESS, DOI: 10.5220/0006603102920303, ISBN: 978-989-758-282-0, pp. 292–303.
[6] Liu YT, Du D, Xia YB et al. (Jan. 2018), “SplitPass: A mutually distrusting two-party password manager”, Journal of Computer Science and Technology, DOI: 10.1007/s11390-018-1810-y, ISSN: 11390-018-1810, pp. 98–115.
[7] Masayuki Fukumitsu, Shingo Hasegawa, Jun-ya Iwazaki, Masao Sakai, Daiki Takahashi (2016), “A proposal of a password manager satisfying security and usability by using the secret sharing and a personal server”, IEEE 30th International Conference on Advanced Information Networking and Applications (AINA).
[8] Norkhushaini Awang, Nurul Hidayah Ahmad Zukri, Nor Aimuni Md Rashid, Zuhri Arafah Zulkifli, Nor Afifah Mohd Nazri (Oct. 2017), “Multi agent integrated password management (MIPM) application secured with encryption”, The 2nd International Conference on Applied Science and Technology, ISSN: 978-0-7354-1573-7.
[9] Wang R., Chen S., Wang X. (2012), “Signing me onto your accounts through Facebook and Google: a traffic-guided security study of commercially deployed single-sign-on web services”, IEEE Symposium on Security and Privacy, pp. 365–379.
[10] Yang B., Hartung D., Simoens K., Busch C. (2010), “Dynamic random projection for biometric template protection”, Proc. of the 4th IEEE International Conference on Biometrics: Theory, Applications and Systems (BTAS'10).
[11] Zhiwei Li, Warren He, Devdatta Akhawe, Dawn Song (Aug. 2014), “The Emperor's New Password Manager: Security Analysis of Web-based Password Managers”, Proceedings of the 23rd USENIX Security Symposium, ISBN: 978-1-931971-15-7.
[12] Zhou X., Tang X. (2011), “Research and implementation of RSA algorithm for encryption and decryption”, International Forum on Strategic Technology (IFOST), 6(2), pp. 1118–1121.

THANK YOU