An Improved Time-Based One Time Password Authentication Framework for Electronic Payments

One-time passwords (OTPs) are widely used to strengthen the security of electronic payments. Security-sensitive organizations protect their resources from unauthorized access through access control mechanisms such as user authentication, and authentication based on a single static password has several known weaknesses. Studies also show that OTPs delivered over SMS suffer from delivery failures and latency, which cost time and delay transactions. User authentication can be strengthened by adding factors in a multi-factor authentication scheme; time-based one-time passwords (TOTP) and biometrics are among the most widely accepted mechanisms for doing so. In this paper we combine the TOTP authentication algorithm with fingerprint biometrics to secure electronic payments. The algorithm derives a one-time code from a secret key shared between the client and the server. Provisioning of the TOTP secret is made more convenient by presenting the key as a QR code, which most mobile applications can read. The scheme protects user credentials at the application level between the two parties (the user and the server), which helps resist brute-force and dictionary attacks. The proposed design is practical for users because it requires neither a dedicated hardware token nor the cost of SMS delivery. Our approach is found to improve authentication and authorization security substantially compared with existing methods. We hope this work encourages further research into cryptosystems built around multi-factor authentication. Keywords—Electronic payments; One Time Password (OTP); Quick Response (QR) code; Time based One Time Password (TOTP)


I. INTRODUCTION
Almost all online services and websites today implement multi-step authentication to protect their customers. Multi-factor authentication (MFA) is a digital access control technique in which a person must pass several authentication stages. Instead of asking for a single piece of information such as a password, the user is asked for additional evidence, which makes it much harder for an intruder to impersonate the real user. That evidence may be an OTP sent by the server to the customer's registered mobile phone, or a set of security questions. The procedure makes it hard for an adversary to access the online account even when the attacker knows the user's username and password. The additional evidence can also be a fingerprint, a security token [1], another biometric, and so on. MFA has emerged as a way to improve security by requiring more than one authentication factor rather than a password alone. Authentication factors are of three kinds: knowledge, something the person knows [2], such as a username and password; possession, something the person has, typically a hardware token [3]; and inherence, something the person is, such as a fingerprint, iris, face or palm print [4][5][6][7]. Biometric technology enjoys wide acceptance because fingerprint sensors and user-friendly biometric applications are built into digital devices [5]. Two forms of biometric authentication exist, physiological and behavioral [8][9]. Fingerprint recognition is the most popular biometric method; because it is highly user friendly, it is increasingly used for login [10].
Among their many other applications, QR codes are popular in multi-factor authentication for transferring information from the authenticating device to the mobile device; the QR code is accredited as an AIM standard, an ISO standard and a JIS standard [11]. The QR code was originally created for the automotive industry, but today it is widely used in advertising so that a customer can scan it with a smartphone to learn more about the advertised product.
Barcode scanner programs are available for smartphone platforms such as iOS and Android. The QR code is a kind of 2D barcode created by Denso Wave in 1994 [12]. The symbols in 2D barcodes consist of light and dark squares. The 2D specifications define the encoding of the data, the size of the quiet zones before and after the barcode, the finder (position detection) patterns, and error detection and correction of the data [12]. Barcodes offer an inexpensive and simple way to encode textual information about objects in a form that machines can read, retrieve, validate and process [12]. A QR code has a large capacity: up to 7,089 numeric, 4,296 alphanumeric or 2,953 binary characters [13]. QR codes come in forty versions, numbered 1 to 40, and each version has a different size; the size of a QR code depends on the vertical and horizontal dimensions of the version used [14]. It can be scanned with a smartphone camera: a software client installed on the smartphone controls the camera to capture and decode the encoded information, letting mobile users reach the web with a point and click of their phone and making mobile browsing easier. With reasonably equipped camera phones and QR scanners, information such as a URL, an SMS, contact details or plain text can be embedded in the two-dimensional matrix [13]. Data can also be encrypted inside a QR code to keep the embedded information confidential [15]. A barcode and a QR code are shown in Fig. 1.
One of the most popular implementations is Google Authenticator, which works with QR codes. Provisioning of the TOTP secret is made more convenient by presenting the key as a QR code, which most mobile applications can read; this is easier and more acceptable than typing the same secret in by hand. After the TOTP authenticator is enabled, account owners can turn on MFA individually in their user profile, which adds a layer of protection by requiring an additional authentication code from a trusted device. Fig. 2 shows the flow of TOTP-based QR code generation [16].
Several authentication methods have been developed to secure electronic transactions, and many are in use for electronic payment today. One-time passwords (OTPs) are generated on demand by a centralized Internet party and delivered to the customer over a communication channel on which a registered receiving device is assumed to be in the customer's possession; the most prominent example is the SMS OTP issued by banking apps [17]. Most OTP authentication methods are network dependent, and network-dependent schemes require a secure network connection between the device and the authentication server. An SMS-based scheme, for instance, must transmit the one-time password to the user's device in an SMS: in SMS-based two-step verification the server sends an SMS to the user's device, and the user may have to pay for it. SMS OTP is also tied to the mobile network the phone is subscribed to. Recent studies show that OTPs over SMS suffer from delivery failures and delays that cost time and delay transactions [18], and SMS OTP may carry a financial cost when the carrier charges the subscriber for SMS messages. In this paper we propose a time-based OTP authentication algorithm for electronic payment. The design aims to prevent spoofing or tampering of the data transmitted between the parties, so that only the legitimate user gains access to the account. Apart from the registration phase, the scheme needs no network connectivity to generate codes. The proposed system follows a zero-SMS policy, with no additional SMS charges, and encrypts the data inside the system to protect it from misuse.
We structure this paper into seven sections. Section I, above, introduces multi-factor authentication techniques. Section II reviews the literature on OTP techniques. Section III presents the proposed method. Section IV presents the system architecture, and Section V the design considerations and implementation. Section VI discusses the key performance factors, and Section VII concludes the paper.

II. LITERATURE REVIEW
To keep information on the net as secure as possible, many servers and clients use various cryptographic methods to encrypt sensitive data and authenticate the party at the other end of the connection [19][20]. Now that far more confidential information is stored online [21], it is essential that network security keep pace with modern threats [22]. The bulk of sites in use today use the conventional verification pattern of supplying a username and password over a secure connection. The username identifies which online account the client wants to access, while the password is used to confirm the client's identity. Although this seems secure in principle, many passwords still end up compromised [23][24], for two reasons: weak passwords and ever faster password-cracking hardware [25][26]. To stop these attacks, two-factor authentication was introduced to secure online transactions, identify the genuine individual and log them into a system or program.
The most common way to boost the protection of an account is to ask for additional information from the user. Rather than requesting a single piece of information, the server can ask for more, making it far harder for an attacker to impersonate the user. With this in mind, OTP-based authentication has been proposed [27][28], with related work in [29]. A one-time password (OTP) scheme relies on a device's ability to generate a one-time code that is delivered to the server for verification; if the code is found to be correct, the user is granted access to the account. The OTP is an important part of mobile networking [30]. An OTP is a password or code that is valid for only one login session or transaction on a computer or other electronic device. OTPs were introduced to avoid the flaws associated with static passwords: they are valid for a short time and expire automatically after the specified period, which is a technical mechanism for reducing the risk of an unauthorized person gaining access to the account. The most important advantage of OTP over a static password is that it shields against various password-based attacks, in particular password sniffing and replay attacks [31]. TOTP is one of the principal standards for one-time passwords. In TOTP the token produces a numeric code, typically six or eight digits [25]. TOTP uses time in increments called time steps, typically thirty or sixty seconds, which means that each OTP is valid for the duration of one time step. TOTP is regarded as a more secure one-time password solution. A high-level diagram of the TOTP enrolment process is shown in Fig. 3 [23].
A time-based multi-factor token authentication approach improving cryptocurrency security was proposed in [32]. Tahar et al. (2019) developed a protection and enhancement algorithm for MFA in cryptocurrency (CR) that adds an extra safeguard layer through time-based one-time password (TOTP) technology. The user first needs a username and password to log into each 2FA-enabled entity; as a second factor, the user then generates a TOTP through a software token. A similar TOTP-based challenge-response protocol for e-commerce is proposed in [33]. Aina et al. (2018) proposed Scan2Pass payment for a banking system. The system depends on both the server side and the client side: after registering on the server side, the user enters a username and password and a QR code is generated; on the client side, the user opens the mobile application, enters the authentication details and scans the QR code. Similar work is proposed in [34]. Abhishek et al. (2020) proposed TOTP-based authentication using a QR code for payments: the QR code is read and the TOTP is tracked on the server side, and the user is permitted to join if the TOTP matches the one in the QR code. Chowdhury et al. [35] suggested the use of OTP and QR codes for payment transfers in an online banking system. In that system a QR code is generated together with a secret key shared between the client and the server; the key is used to generate an OTP, which is embedded in the QR code, and the QR code is then checked to verify the OTP before the transaction completes. A new OTP must be created for every session to provide additional protection.
(IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 11, No. 11, 2020, p. 362, www.ijacsa.thesai.org
In addition, [36] proposed TOTP-based two-factor authentication using smartphones as software tokens. That system uses mobile phones to create software tokens for authenticating an Internet banking application with one-time passwords (OTPs). The user ID, the phone's IMEI number, a timestamp and the server's PIN are combined on the device to compute the shared secret of the TOTP algorithm. Analysis of the previous studies shows that most of them proposed username-and-password-based authentication together with a QR code; these can be improved by using biometric features for client-side authentication. Authentication techniques that hinge on more than one factor are typically harder to compromise than single-factor systems. To make the strategy both robust and efficient, a multi-factor authentication component is needed to boost protection for electronic transactions. Table I lists the existing systems and their proposed properties.

III. PROPOSED SYSTEM
In the proposed method we use TOTP as the base algorithm to produce the required one-time passwords. TOTP is derived from HOTP; HOTP uses a counter, whereas TOTP is time based. TOTP generates a new value after a fixed period, called the time step, and supports the HMAC-SHA1 and HMAC-SHA2 hash functions [37]. The proposed system has two phases, a registration phase and an authentication phase, each explained below. Before using the service, the user must register their information in the registration phase; that information is later verified in the authentication phase.
The materials and strategies suggested are applied in the system during both the registration process and the login procedure; their process flow is reviewed in this section. Table II lists the symbols used in the proposed technique.

A. Registration Phase
After registration is complete, the client app generates an eight-digit one-time password (OTP) that is used for authentication. The registration process of the proposed system is shown in Fig. 4 and works as follows.
Step 1: The user enters his credential information IDi on the server.
Step 2: The server looks up the client's information and recovers the client's public key PKIDi.
Step 3: The server then chooses a random string as the TOTP secret, assigns it a time slot, and encrypts it under the client's public key, obtaining (1).
Step 4: The server generates the QR code on the payment side.
Step 5: The client decodes the QR code according to (2).
Step 6: Because the random string is encrypted under the client's public key PKIDi, only the client can read the TOTP string, on the user's device, according to (3); the user then types the TOTP into the terminal with a physical keyboard.

[Fig. 4. Registration phase flow diagram. Server side: Step 1; Step 2 generate QR code. Client side: Step 3 open client app; Step 4 scan QR code; Step 5 input OTP; Step 6 registration successful.]
B. Authentication Phase
The authentication service must authenticate the client every time the client wants to access the system. It checks the server data and the identities in the database. The value submitted by the client is compared with the value currently computed by the server; if the two are identical, authentication succeeds and the server records the new value in place of the old one, so that the same code cannot be accepted a second time. Otherwise, authentication of the client fails.

[Figure: Authentication phase flow diagram. Server side: Step 1; Step 2 generate QR code. Client side: Step 3 open client app; Step 4 verify user fingerprint; Step 5 input OTP; Step 6 scan QR code; Step 7 authentication successful.]
Step 1: The user enters his credential information on the server.
Step 2: The server looks up the client's information and recovers the client's public key.
Step 3: The server generates the QR code on the payment side.
Step 4: On the user side, the user opens the application.
Step 5: The client presents his fingerprint for verification.
Step 6: Once the app has verified the registered user, it is ready to decode the QR code.
Step 7: The user obtains the TOTP number after decoding the QR code.
Step 8: The user enters the TOTP number on the server side; if it matches,
Step 9: Authentication is successful.
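The following Python program is an added worked example, not code from the paper, that simulates both sides of the scheme described in this section: the HOTP/TOTP computation that Section III opens with, the registration phase in which the server provisions a fresh seed through a QR code, and the authentication phase in which the app releases a code only after a fingerprint check and the server rejects a code whose time step it has already accepted. Assumptions that go beyond the text: the QR payload is the otpauth URI format used by Google Authenticator rather than the public-key-encrypted string (1) of the registration phase, because the paper does not specify that encoding; the fingerprint check is stood in for by comparing a hash of a constructed template, since real matching is a service of the phone's operating system; the names Server, ClientApp, run_flow, ExamplePay and the user IDs are invented for illustration. The verification window of one step on either side of the current time accounts for clock skew between phone and server.

```python
"""TOTP enrolment and authentication flow, simulated end to end (server and smartphone app).
Added example with hypothetical class names; not the paper's code."""
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import parse_qs, quote, urlparse

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def hotp(secret: bytes, counter: int, digits: int = 8, algorithm: str = "SHA1") -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 8, algorithm: str = "SHA1") -> str:
    """TOTP (RFC 6238): HOTP with counter T = floor(unix_time / step), so one code per time step."""
    return hotp(secret, unix_time // step, digits, algorithm)


class Server:
    """Payment server: provisions the seed at registration and verifies codes at authentication.
    An in-memory dict stands in for the user database."""

    def __init__(self, issuer: str = "ExamplePay", step: int = 30, digits: int = 8,
                 algorithm: str = "SHA1", window: int = 1):
        self.issuer, self.step, self.digits = issuer, step, digits
        self.algorithm, self.window = algorithm, window
        self.users: dict = {}  # user_id -> {"secret": bytes, "last_counter": int}

    def register(self, user_id: str) -> str:
        """Choose a fresh random 160-bit seed and return the otpauth URI that the QR code carries."""
        secret = secrets.token_bytes(20)
        self.users[user_id] = {"secret": secret, "last_counter": -1}
        b32 = base64.b32encode(secret).decode().rstrip("=")
        return (f"otpauth://totp/{quote(self.issuer + ':' + user_id)}?secret={b32}"
                f"&issuer={quote(self.issuer)}&algorithm={self.algorithm}"
                f"&digits={self.digits}&period={self.step}")

    def verify(self, user_id: str, code: str, now: int) -> bool:
        """Accept the code if it matches the current step or a neighbouring step (clock skew)
        and that step is newer than the last accepted one (the replay check of Section III.B)."""
        rec = self.users.get(user_id)
        if rec is None:
            return False
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= rec["last_counter"]:
                continue  # step already consumed, or older than one that was: reject replay
            expected = hotp(rec["secret"], counter, self.digits, self.algorithm)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                rec["last_counter"] = counter
                return True
        return False


class ClientApp:
    """Smartphone app: parses the scanned QR payload and produces codes only after a fingerprint
    unlock. The fingerprint check is a stand-in hash comparison against a constructed template."""

    def __init__(self, enrolled_fingerprint: bytes):
        self.fp_hash = hashlib.sha256(enrolled_fingerprint).digest()
        self.secret = b""
        self.step, self.digits, self.algorithm = 30, 6, "SHA1"  # otpauth defaults

    def scan_qr(self, uri: str) -> None:
        """Parse the provisioning URI and keep the seed and its parameters on the device."""
        u = urlparse(uri)
        if u.scheme != "otpauth" or u.netloc != "totp":
            raise ValueError("not a TOTP provisioning payload")
        q = parse_qs(u.query)
        b32 = q["secret"][0]
        self.secret = base64.b32decode(b32 + "=" * (-len(b32) % 8))
        self.step = int(q.get("period", ["30"])[0])
        self.digits = int(q.get("digits", ["6"])[0])
        self.algorithm = q.get("algorithm", ["SHA1"])[0].upper()

    def code(self, fingerprint: bytes, now: int) -> str:
        """Refuse to produce a code unless the presented fingerprint matches the enrolled one."""
        if not hmac.compare_digest(hashlib.sha256(fingerprint).digest(), self.fp_hash):
            raise PermissionError("fingerprint rejected")
        return totp(self.secret, now, self.step, self.digits, self.algorithm)


def run_flow(now: int = 1_700_000_000) -> tuple:
    """Registration, one successful authentication, then a replay of the same code."""
    server, app = Server(), ClientApp(b"alice-finger-template")  # constructed sample template
    app.scan_qr(server.register("alice"))
    code = app.code(b"alice-finger-template", now)
    first = server.verify("alice", code, now)
    replay = server.verify("alice", code, now + 5)  # same time step, must be rejected
    return first, replay


if __name__ == "__main__":
    print(run_flow())  # (True, False)
```

The hotp and totp functions reproduce the RFC 4226 and RFC 6238 test vectors (secret "12345678901234567890", time 59, gives 94287082 with HMAC-SHA1 and eight digits), so the same seed produces the same code on a phone running Google Authenticator. The replay check is what turns "the new value replaces the old value on the server" from Section III.B into a concrete rule: a code is bound to its time step, and once a step has been accepted, that step and every earlier one are refused even if they fall inside the skew window.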
IV. SYSTEM ARCHITECTURE
In this paper we propose TOTP-based authentication to enhance the authentication security of electronic payments. The system comprises several entities: a user, a smartphone, the user's PC and a server. The user is an individual with little or no knowledge of cryptographic codes such as passwords or complicated mathematics. The user's terminal is the computer used to connect to the server for money transfers [38]. The user owns a smartphone, equipped with a camera, that stores the public key certificate of the server. The server is the system entity belonging to the financial institution that interacts with the user and carries out all back-end operations. TOTP combines the current time with a secret shared between client and server to produce a single-use code [39]. By running the shared secret through the algorithm the client obtains the code, and the server, which holds the same secret, runs the same algorithm to confirm the submitted code. The code is valid for a fixed amount of time, usually thirty seconds [32]. The flow is as follows: the user first logs into the application with a username and password, then sees a text field asking for the latest code generated by the TOTP client on their mobile phone. Fig. 6 shows the architecture of the proposed framework.
The user obtains a TOTP token by scanning the QR code. In the first phase, the user opens the Internet browser and logs in with username, password and TOTP. In the next phase, an authentication request is sent to the identity authentication server. In the last phase, the request is verified by confirming the authorized individual through the identity authentication server, and the request is either accepted or denied. The one-time password is generated on the server from the exchanged seed and delivered through a Transport Layer Security (TLS) tunnel to the client mobile application. The client is authenticated only if its code matches the password on the server side. This is more secure than the SMS solution because the code is not transmitted through an intermediary. The security of the scheme rests on the algorithm and on keeping the shared secret confidential throughout this process.

V. DESIGN CONSIDERATION
The suggested solution uses a smartphone on the user's side. The smartphone plays a significant part in bridging the gap between the server and the user. To provide a secure user authentication mechanism with mutual authentication between the entities, the proposed method uses the TOTP algorithm of RFC 6238 to compute the OTP required to authenticate the user and complete the login process [27]. The Android application combines three components, the shared secret, the timestamp and the server challenge [33], on the mobile device to produce an eight-digit token using the TOTP algorithm. Randomness is essential: it is needed for the shared secret, which is combined with the 8-byte counter value to compute the token. The system depends on both the server side and the client side. Several parameters are needed to establish TOTP authentication. The following points describe how this framework works:
- For TOTP generation, the user and the server must know, or be able to measure, the current UNIX time.
- A secret key must be shared between user and server. It may be a pre-existing key between the parties, or it may be produced by a key agreement protocol between the parties over a secure channel.
- The HMAC-based one-time password (HOTP) is the main building block of the algorithm.
- The same time value is required on both the user side and the server side.
- Each user must have a single, unique secret key.
- The key must be generated randomly or by a key derivation algorithm, and keys must be protected from unauthorized access.
- To log in, first-time users must register. At the registration stage, the server provides the user with the QR code for authentication along with the username and password.
- The user application runs on the user's device and needs the fingerprints registered on that phone to authenticate the user.
- Only the registered device may be used for a transaction, so a valid fingerprint must be checked every time.
- To access the system, the user must present an approved fingerprint.
- Once the user has successfully entered the username and password, the user-side application must open a QR scan request. Note that the user must lock the application with a fingerprint before logging on to the service.
- After registration is complete, the QR code scan page is sent to the user once the login is done, carrying the same secret key that is stored in the database. This key produces the TOTP encoded in the QR code. The QR code is therefore read with a QR code reader and the TOTP is compared with the server's TOTP.
- The user is permitted to enter if both TOTPs match; otherwise access is denied.

VI. DISCUSSION AND ANALYSIS
In this paper we use the time-based one-time password authentication algorithm to secure electronic payments. The TOTP method is widely used in applications that must limit the validity time of a credential, such as mobile banking and transaction applications. This section summarizes the key functionality of OTP authentication systems and discusses their methods. Earlier methods already have several stages in the authentication task, and they used SMS OTP authentication in the authentication phase. Here we use TOTP combined with a user-specific QR code, which is an effective way of providing strong protection in the authentication procedure. We compare the usability considerations of SMS OTP and TOTP. The comparison of existing methods with the proposed system is shown in Table III, and the usability considerations for both SMS OTP and TOTP are discussed in Table IV.
The important paradigm of SMS OTP is the mobile transaction authorization number, which is used to authorize a person's transactions. In this mechanism the OTP is delivered as a text message to the user's mobile device. However, the protection of SMS OTP depends on the confidentiality of SMS, which in turn relies on the security of mobile networks [40]. Authenticator apps instead rely on a shared secret that both the server and the app must store; this "seed" is combined with the time to produce the multi-factor authentication code. In our method, the security of TOTP-based one-time password authentication for electronic payment is raised by using a TLS connection between the server and the client app: because the seed is exchanged over the secure link, it is not exposed in transit.
User verification has become more important than ever for electronic payments. Previous approaches described various authentication stages but relied on knowledge-based methods in the authentication stage, and username and password mechanisms can easily be defeated by guessing and password-based attacks [41][42]. There is therefore scope to develop user authentication methods for multi-factor implementations. This study proposes a TOTP-focused user authentication framework for electronic payments that is reinforced with biometric features, and it recommends fingerprint verification during user authentication. The fingerprint method appears to be one of the most secure means of authentication in the electronic payments world and helps reduce future security vulnerabilities [43][44].
Moreover, the proposed system is free of cost. The service-offering site can likewise use this product to improve the protection of its program at no extra charge: because no SMS service is associated with the device, there is no SMS cost for either the user or the server. The method could be embedded in a broad range of applications to provide multi-factor authentication.

VII. CONCLUSION
Strengthened multi-factor authentication protects the personal data held by Internet companies and protects them from collapse or financial loss. With a time-based multi-factor authentication algorithm, we have improved the protection of electronic payments. Our proposed method uses the TOTP mechanism, in which the user's device generates the one-time codes. We enabled MFA and used the TOTP method to add an additional level of protection to an electronic payment program, and we presented an additional biometric authentication layer that is intended to be safe against well-known attacks such as spoofing, man-in-the-middle (MITM) and tampering. The user's real data is stored in the database in anonymized form. The algorithm runs the same shared secret key on both the client and the server. Our system has the benefit that only the legitimate user gains access to the account, and it is free of cost. Our suggested solution has shown that security efficiency for authentication and authorization is improved significantly compared with the existing methods. Finally, the work could be applied in modern environments such as cloud computing, banking systems, e-commerce and mobile devices. In the future we will deploy it in real time, and we will focus on incorporating other protection elements into the suggested approaches.