Conference: IEEE International Conference on Anti-counterfeiting, Security, and Identification

A new secure authentication scheme for web login using BLE smart devices


Abstract

Existing user authentication schemes used for website login are incapable of handling recent phishing attacks such as real-time (RT) / control-relay (CR) man-in-the-middle (MITM) attacks and attacks launched via covertly installed malicious browser extensions (MEs). Two-factor authentication schemes such as Google 2 Step verification, SAASPASS, QR code, graphical password and push-notification-based login schemes can be compromised using RT/CR MITM phishing attacks. Hardware-token-based schemes are safe, but the extra cost of the hardware token makes them unattractive to users. Therefore, there is a need to develop new authentication schemes which are hard for an attacker to compromise but easy for users to understand and utilize. This paper analyzes existing authentication schemes to identify the research gaps and then proposes a secure authentication scheme which uses Bluetooth Low Energy (BLE, BT 4.0+ version) devices for user identification and which can handle RT/CR MITM phishing attacks, attacks launched via malicious browser extensions and app spoofing by attackers. The proposed scheme is location/client system independent and is secure from Bluetooth address spoofing attacks.
