
Enhancing Anti-phishing by a Robust Multi-Level Authentication Technique (EARMAT)

Journal: The International Arab Journal of Information Technology (Vol.15, No. 6)

Publication Date:

Authors : ; ;

Page : 990-999

Keywords : Phishing; two-factor authentication; web security; Google Cloud Messaging; mobile authentication


Abstract

Phishing is a kind of social engineering attack in which experienced persons or entities fool novice users into sharing sensitive information such as usernames, passwords, and credit card numbers through spoofed emails, spam, and Trojan hosts. The proposed scheme is based on designing a secure two-factor authentication web application that prevents phishing attacks instead of relying on phishing detection methods and user experience. The proposed method guarantees that authenticating users to services, such as online banking or e-commerce websites, is done in a very secure manner. The proposed system uses a mobile phone as a software token that plays the role of a second factor in the user authentication process. The web application generates a session-based one-time password and delivers it securely to the mobile application after notifying the user through the Google Cloud Messaging (GCM) service. After user confirmation, the user's mobile software completes the authentication process by encrypting the received one-time password with its own private key and sending it back to the server through a mechanism that is secure and transparent to the user. Once the server decrypts the received one-time password and mutually authenticates the client, it automatically authenticates the user's web session. We implemented a prototype system of our authentication protocol that consists of an Android application, a Java-based web server, and GCM connectivity for both of them. Our evaluation results indicate the viability of the authentication protocol for securing web application authentication against various types of threats.

Last modified: 2019-04-30 21:16:01