QR Code Assisted OTP Mutual Authentication Scheme
Passwords are vulnerable to phishing, keyloggers, spyware, and dictionary attacks. This research proposed a QR Code Assisted One-Time Password (OTP) Mutual Authentication Scheme that eliminates static passwords entirely. The system uses two independent communication channels — an Internet channel and a wireless phone channel — to achieve mutual authentication between a user and a web server.
The work was conducted in the Computer Science Department at the College of Staten Island (CUNY), supported in part by an NSF STEAM Award, and presented as a research poster.
Research Poster
Problem
Traditional password-based authentication exposes users to a range of well-known attacks. Even one-time password systems already deployed by banks and governments remain vulnerable to sophisticated phishing because the OTP is still entered into a browser that could be compromised. This research addressed that gap with a scheme where the OTP is never typed into a PC browser at all.
How the System Works
Authentication flows across two channels simultaneously, so intercepting either one is not sufficient to compromise the session.
1. The server generates a fresh random challenge Rb and computes HMAC_Ka(Rb) using the pre-shared secret Ka. The QR code encodes both values, HMAC_Ka(Rb) || Rb, and the image is displayed in the PC browser.
2. The user scans the QR code with the phone, which recomputes HMAC_Ka(Rb) and compares it to the received value, authenticating the server before proceeding.
3. The phone computes HMAC_Ka(Rb || IDa), binding the random challenge to the user's identity, and sends it back to the server over the wireless channel, never touching the PC or the Internet channel.
Cryptographic Design
All cryptographic operations use HMAC-SHA2 with a pre-shared secret key
Ka. The random challenge Rb is generated fresh for every login,
making every session token unique. Even if a single OTP is intercepted, it cannot be reused.
provider: "https://bobbank.com"
random_number: Rb
challenge: HMAC_Ka(Rb)
response: HMAC_Ka(Rb || IDa)
username: "alice@gmail.com"
respondTo: "https://bobbank.com/verify"
Implementation
- Server: PHP web application generating QR codes and verifying HMAC responses
- Client: Windows application (targeting Windows Mobile Smartphone) for QR scanning and OTP generation
- Cryptography: HMAC-SHA2 throughout; no static secrets transmitted over either channel
Security Properties
- Mutual authentication: both the server and user authenticate each other before access is granted
- Phishing resistant: the OTP is never typed into a PC browser; a compromised browser cannot replay it
- Replay attack resistant: each Rb is generated fresh per session and consumed after use
- Keylogger resistant: no password is typed on the PC at any point in the flow
- Channel separation: intercepting the Internet channel yields only a used, invalid token
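The three-step flow, the HMAC-SHA2 design, and the replay and phishing properties above, modelled end to end as an added example (my code, not the poster's PHP server or Windows client). It assumes HMAC-SHA256 as the HMAC-SHA2 instance, a 16-byte Rb, a constructed pre-shared key Ka, and that the phone's wireless-channel reply carries Rb alongside HMAC_Ka(Rb || IDa) so the server can look up the pending challenge (the poster's field list has random_number and username; the exact message framing is my assumption). The server keeps issued and consumed challenges in memory, which is enough to show that a captured response is worthless a second time.

```python
import hmac
import hashlib
import secrets

# Constructed demo values; a real Ka is provisioned out of band, never sent.
KA = b"constructed-preshared-secret-Ka"
ID_A = b"alice@gmail.com"
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def mac(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256, the HMAC-SHA2 instance assumed for this example."""
    return hmac.new(key, msg, hashlib.sha256).digest()


class Server:
    """Web server: issues QR challenges on the Internet channel and verifies
    responses that arrive on the wireless channel."""

    def __init__(self, ka: bytes, id_a: bytes):
        self.ka, self.id_a = ka, id_a
        self.pending = set()  # issued Rb values awaiting an answer
        self.used = set()     # consumed Rb values; any reuse is a replay

    def issue_qr(self) -> bytes:
        """Step 1: fresh Rb, QR payload = HMAC_Ka(Rb) || Rb."""
        rb = secrets.token_bytes(16)
        self.pending.add(rb)
        return mac(self.ka, rb) + rb

    def verify(self, rb: bytes, response: bytes) -> bool:
        """Step 3: accept HMAC_Ka(Rb || IDa) exactly once per issued Rb."""
        if rb in self.used or rb not in self.pending:
            return False  # replayed, or never issued by this server
        ok = hmac.compare_digest(mac(self.ka, rb + self.id_a), response)
        if ok:
            self.pending.discard(rb)
            self.used.add(rb)  # consume: a later copy is rejected above
        return ok


class Phone:
    """Phone: scans the QR image, authenticates the server, then answers
    over the wireless channel. Nothing is typed into the PC browser."""

    def __init__(self, ka: bytes, id_a: bytes):
        self.ka, self.id_a = ka, id_a

    def scan(self, qr_payload: bytes):
        """Step 2: check HMAC_Ka(Rb); return (Rb, HMAC_Ka(Rb || IDa)) or None."""
        tag, rb = qr_payload[:TAG_LEN], qr_payload[TAG_LEN:]
        if not hmac.compare_digest(mac(self.ka, rb), tag):
            return None  # server failed to authenticate; do not respond
        return rb, mac(self.ka, rb + self.id_a)


def run_protocol() -> dict:
    """Run one genuine login, one QR not made with Ka, and one replay."""
    server, phone = Server(KA, ID_A), Phone(KA, ID_A)
    results = {}

    # Genuine session: server -> QR (Internet) -> phone -> response (wireless).
    qr = server.issue_qr()
    rb, resp = phone.scan(qr)
    results["genuine_login"] = server.verify(rb, resp)

    # A QR image produced without Ka (constructed): the phone refuses to answer,
    # so no OTP is ever generated for a page that is not the real server.
    forged = mac(b"constructed-wrong-key", b"x" * 16) + b"x" * 16
    results["forged_qr_rejected"] = phone.scan(forged) is None

    # The same (Rb, response) seen on the wire is a used, invalid token.
    results["replay_rejected"] = not server.verify(rb, resp)
    return results


if __name__ == "__main__":
    print(run_protocol())
```

The server-side checks are ordered so that a replayed Rb is rejected before any HMAC is computed, and `hmac.compare_digest` is used on both sides so tag comparison does not leak timing.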
Future Work
- Native mobile application to replace the Windows prototype
- Integration with major websites for broad adoption
- Further hardening of each component against sophisticated attack vectors
Reflection
This was one of my first experiences applying theoretical cryptography to a real system design. Thinking through the threat model — what an attacker gains from each channel individually versus both together — shaped how I approach security in distributed systems today. The two-channel separation principle reappears in modern authentication schemes like FIDO2 and passkeys.