dc.description.abstract |
Increasing numbers of remotely accessed software
applications are adopting Two Factor Authentication (TFA)
methods, particularly when performing sensitive actions such as
payment transactions. TFA methods, though they address several
weaknesses of purely password-based authentication systems,
have their own challenges such as their adverse effect on usability
and, most notably, the operating cost. For instance, in a TFA
mechanism that relies on sending a one-time password (OTP)
to the user’s phone via SMS, the cost of just sending OTPs can
be prohibitive for high-volume transactions, e.g. in the case of an
e-commerce payment gateway.
We introduce a “dropped call” initiated from a user’s phone as
a new authentication factor (AF), and present a novel authentication
system that uses this new AF. We refer to a phone call
which is instantaneously rejected by the callee as a dropped call.
This system eliminates operational costs associated with a second
factor of authentication. The proposed system can also be used as
a sole authentication factor to build a passwordless authentication
system. Analysis and evaluation of the proposed system with respect to
various attack scenarios, performance and cost implications are
discussed. We show that cost savings in comparison to an SMS-based
OTP transmission system are proportional to the volume of
transactions. Considering a volume of 50,000 daily transactions
and current pricing of sending bulk SMS (in the UK), the cost
of the proposed system is less than 1% of the SMS-based OTP
alternative. An actual implementation of this system is deployed
at: http://www.dcauth.in |
en_US |