# CPEN 442 Term project
# Idea #1: Two-factor auth with phone calls
---
## Advantages
- If logging in from a computer, the code is entered on a different device and over a different channel.
- Doesn't require a smartphone app: helps the ageing population adopt secure services
- Helps against man-in-the-middle 2FA phishing
- Helps against MFA fatigue attacks
## Disadvantages
- Need a phone
- More complicated user journey?
## Steps
### 2FA
- Log in normally with username and password; a PIN code pops up on screen, and this PIN is what you enter into the call
- You will then receive a phone call
- When you answer the call, you will be prompted to enter the PIN
- Once you have entered the PIN correctly, you are logged in
### Going further - "passwordless"
- Request login by entering a username; a PIN/salt appears on screen
- Receive a phone call. The phone number must be registered securely at sign-up; use case: a bank, where you sign up on site, so the number's integrity is certified
- On answering, enter the PIN/salt to authorize the login
- Disadvantage: anyone who knows a username can trigger phone calls to its owner, so a low rate limit would need to be imposed, which could cause access issues
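As an added example (not part of these notes, and not code from the project), the server side of both flows above in Python: after the first factor is accepted (or, in the passwordless variant, just the username), the server issues a PIN for display on screen, places a call to the number registered at sign-up, and later checks the digits keyed in on the call. The telephony gateway is a simulated callable, the phone number and usernames are constructed, and the constants (PIN length, 2-minute expiry, 3 attempts, 3 calls per hour per username) are assumed values that address the call-spam disadvantage above.

```python
"""Phone-call second factor: a PIN is shown on the login screen and the user
keys it in on an automated call to the phone number verified at sign-up.
Added example with a simulated telephony gateway; not the project's code."""
import hmac
import secrets
import time
from dataclasses import dataclass

PIN_DIGITS = 6
PIN_TTL_SECONDS = 120        # PIN must be keyed in on the call within two minutes
MAX_PIN_ATTEMPTS = 3         # wrong entries before the pending login is discarded
MAX_CALLS_PER_HOUR = 3       # cap on calls placed per username (limits call spam)


class RateLimited(Exception):
    """Too many calls have been placed for this username recently."""


@dataclass
class PendingLogin:
    username: str
    pin: str
    created_at: float
    attempts: int = 0


class PhoneCallAuthenticator:
    def __init__(self, phone_directory, call_gateway, clock=time.time):
        self._phones = dict(phone_directory)   # username -> phone number verified at sign-up
        self._place_call = call_gateway        # callable(phone, session_id); a telephony API in a real system
        self._clock = clock
        self._pending = {}                     # session_id -> PendingLogin
        self._call_times = {}                  # username -> timestamps of recent calls

    def request_login(self, username):
        """Called once the first factor (or, passwordless, just the username) is accepted.
        Returns (session_id, pin) for display on screen, or None for an unknown user."""
        now = self._clock()
        recent = [t for t in self._call_times.get(username, []) if now - t < 3600]
        self._call_times[username] = recent
        if len(recent) >= MAX_CALLS_PER_HOUR:
            raise RateLimited(f"too many calls requested for {username!r}")
        phone = self._phones.get(username)
        if phone is None:
            return None
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        session_id = secrets.token_urlsafe(16)
        self._pending[session_id] = PendingLogin(username, pin, now)
        recent.append(now)
        self._place_call(phone, session_id)
        return session_id, pin

    def verify_call_entry(self, session_id, digits):
        """Called by the telephony side with the digits the callee keyed in."""
        session = self._pending.get(session_id)
        if session is None:
            return False
        if self._clock() - session.created_at > PIN_TTL_SECONDS:
            del self._pending[session_id]
            return False
        session.attempts += 1
        if hmac.compare_digest(session.pin.encode(), str(digits).encode()):
            del self._pending[session_id]      # one-shot: the PIN cannot be replayed
            return True
        if session.attempts >= MAX_PIN_ATTEMPTS:
            del self._pending[session_id]
        return False


class FakeClock:
    """Controllable clock so the demo can simulate PIN expiry."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


def demo():
    """Walk through the flow; returns the outcome of each step."""
    clock = FakeClock()
    calls = []
    # constructed directory: "+1-604-555-0100" is a fictional placeholder number
    auth = PhoneCallAuthenticator({"alice": "+1-604-555-0100"},
                                  lambda phone, sid: calls.append(phone), clock)
    sid, pin = auth.request_login("alice")
    first_ok = auth.verify_call_entry(sid, pin)
    replay = auth.verify_call_entry(sid, pin)               # same PIN again: rejected
    sid2, pin2 = auth.request_login("alice")
    wrong = f"{(int(pin2) + 1) % 10 ** PIN_DIGITS:0{PIN_DIGITS}d}"
    guesses = [auth.verify_call_entry(sid2, wrong) for _ in range(MAX_PIN_ATTEMPTS)]
    after_lockout = auth.verify_call_entry(sid2, pin2)      # correct PIN, but the session was discarded
    sid3, pin3 = auth.request_login("alice")
    clock.now += PIN_TTL_SECONDS + 1
    expired = auth.verify_call_entry(sid3, pin3)
    try:
        auth.request_login("alice")                         # fourth call within the hour
        rate_limited = False
    except RateLimited:
        rate_limited = True
    return {"first_ok": first_ok, "replay": replay, "guesses": guesses,
            "after_lockout": after_lockout, "expired": expired,
            "rate_limited": rate_limited, "calls_placed": len(calls),
            "unknown_user": auth.request_login("bob")}
```

The PIN is compared with `hmac.compare_digest` and consumed on first success, so a recorded call cannot be replayed; an unknown username gets no call and no PIN, and the per-username call cap is applied before the directory lookup so that it cannot be used to tell which usernames exist.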
what about "revolutionary?" idea of: "Mapping user application activity as a fingerprint", used to identify whether it should be treated as suspicious activity or not
sounds hella tough - nahhhhh, application dependent: (e.g.: how often do you view emails and then change your password, vs directly connect and change password (which a hacker would mostly do))
changing passwords is obviously going to be an irregular activity. If a user forgets a password, logs in using a backup like security questions, and changes it, is that weird behaviour?
Yeah but "log in using backup" != log in "normally", through phishing for example
How do you differentiate someone changing their password from the phishing: from the phishing, the hacker would directly connect then change password - something normal users don't do. Normal change of password, we might find out, happens maybe after some "app usage" (e.g.: user connects to email, looks at a bunch of emails, then changes password). Would be user dependent/dynamic
but all of this is leveraging large amounts of data that we don't have access to. Since this is basically just evaluating common user actions, maybe something ML based, but
Yeah, but an idea we can make a PoC on a smaller app? or like, build custom mail, get some students to use it, and use that to analyse data and show whether our thing is useful
Basically it just time gates password changing, is that right? Not exactly, that would be one of the examples, the whole idea is analysing ALL the fingerprint of the user to identify any suspicious activity
I think it would be a good idea for a large company with access to that info to implement, but I don't believe we could feasibly do it
I guess the general idea is to build something that can identify suspicious activity as a general second layer on top of the password/logging in layer
# Idea #2: basically identifying suspicious activity as an extra security layer in case a hacker gets in.
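As an added example (not the group's design, and not code from the project), a toy version of the "activity fingerprint" discussed above in Python: for each user, a baseline is built from historical sessions recording how much ordinary activity, and how much time, usually precedes a sensitive action such as a password change; a new session is then scored against that baseline, so "log in, then immediately change the password" scores high while "log in, read a bunch of mail, then change the password" scores low. The event log, action names, scoring formula and 0.75 threshold are all constructed for the example.

```python
"""Toy per-user activity fingerprint: flag sensitive actions that arrive
without the ordinary usage that normally precedes them. Added example with
constructed events; not the project's code."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

SENSITIVE_ACTIONS = {"change_password", "change_email"}
LOGIN_ACTIONS = {"login", "recovery_login"}
FLAG_THRESHOLD = 0.75          # assumed cut-off for "suspicious"


@dataclass(frozen=True)
class Event:
    user: str
    session: str
    ts: int                    # seconds since epoch (constructed values below)
    action: str


@dataclass(frozen=True)
class Baseline:
    median_ordinary: float     # ordinary actions usually seen before a sensitive action
    median_elapsed: float      # seconds usually between login and the sensitive action


def group_sessions(events):
    """user -> session -> time-ordered events."""
    grouped = defaultdict(lambda: defaultdict(list))
    for e in sorted(events, key=lambda e: e.ts):
        grouped[e.user][e.session].append(e)
    return grouped


def activity_before_sensitive(session_events):
    """(ordinary action count, seconds since login) at the first sensitive action, else None."""
    login_ts, ordinary = None, 0
    for e in session_events:
        if e.action in LOGIN_ACTIONS:
            login_ts = e.ts
        elif e.action in SENSITIVE_ACTIONS:
            elapsed = e.ts - login_ts if login_ts is not None else 0
            return ordinary, elapsed
        else:
            ordinary += 1
    return None


def build_baseline(history_sessions):
    """Baseline from a user's past sessions that contained a sensitive action."""
    samples = [activity_before_sensitive(s) for s in history_sessions]
    samples = [s for s in samples if s is not None]
    if not samples:
        return Baseline(0.0, 0.0)
    return Baseline(median(o for o, _ in samples), median(t for _, t in samples))


def score_session(session_events, baseline):
    """0.0 = matches the user's usual pattern; 1.0 = sensitive action straight after login."""
    obs = activity_before_sensitive(session_events)
    if obs is None:
        return 0.0
    ordinary, elapsed = obs

    def ratio(seen, usual):
        return 1.0 if usual <= 0 else min(1.0, seen / usual)

    return 1.0 - (ratio(ordinary, baseline.median_ordinary)
                  + ratio(elapsed, baseline.median_elapsed)) / 2


def analyse(history_events, new_events, user):
    """Score each new session of `user` against their history: {session: (score, flagged)}."""
    baseline = build_baseline(group_sessions(history_events)[user].values())
    return {sid: (score, score >= FLAG_THRESHOLD)
            for sid, evs in group_sessions(new_events)[user].items()
            for score in [score_session(evs, baseline)]}


def demo():
    """Constructed history and new sessions for one user."""
    hist = [Event("alice", "h1", 0, "login"), Event("alice", "h1", 30, "read_mail"),
            Event("alice", "h1", 60, "read_mail"), Event("alice", "h1", 120, "read_mail"),
            Event("alice", "h1", 300, "change_password"),
            Event("alice", "h2", 1000, "login"), Event("alice", "h2", 1020, "read_mail"),
            Event("alice", "h2", 1100, "read_mail"), Event("alice", "h2", 1200, "search"),
            Event("alice", "h2", 1300, "read_mail"), Event("alice", "h2", 1500, "change_password")]
    new = [Event("alice", "n1", 5000, "login"), Event("alice", "n1", 5030, "read_mail"),
           Event("alice", "n1", 5080, "read_mail"), Event("alice", "n1", 5150, "read_mail"),
           Event("alice", "n1", 5400, "change_password"),          # usual pattern
           Event("alice", "n2", 9000, "login"), Event("alice", "n2", 9012, "change_password"),  # straight in
           Event("alice", "n3", 9500, "login"), Event("alice", "n3", 9530, "read_mail")]        # nothing sensitive
    return analyse(hist, new, "alice")
```

With the constructed history the baseline is 3.5 ordinary actions and 400 s before a password change, so session n1 scores about 0.07 and is not flagged, while n2 (password change 12 s after login with nothing in between) scores about 0.985 and is flagged. A real deployment would feed such a score into step-up verification rather than block outright, since the discussion above already notes that legitimate recovery logins can look similar.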