Today, most web applications use authentication methods that often rely on social media authentication or simple registration by entering a unique ID and password. When it comes to the use of social media authentication methods in large companies, these solutions are driven by their relative simplicity, speed, and reliability. It is commonly believed that their encryption algorithms and methods of transmitting authentication data are encapsulated and protected from hacking. However, the analysis shows that each method has its advantages and disadvantages. The paper considers somewhat non-standard and, in some cases, faster methods of user authentication in web applications by using the capabilities of the Android operating system and its server.
If we talk about authenticating a conditional user in any system, from highly secure password storage software (Bitwarden, 1Password, etc.) [1] to a simple image editor [2], then usually, when downloading, we see a window with the possibility of choosing several authentication methods: authenticate through a social network, or using a phone number, email and, if necessary, entering a password.
In the first case, the user must have an account in the selected social network through which authentication will be performed [3].
In the second case, the user needs to go from entering his or her email to entering a password twice.
At first glance, this is not a complicated
procedure, but if we imagine a situation in which
several users want to have access to a conditional
password manager or even a photo editor library,
from a simple family that wants to share a
password to a platform where they study together,
or a company that uses a shared account in a
service that a large number of employees should
have access to, this causes certain technical
difficulties and risks [
In the cases considered, it would be nice if the authentication system could quickly and with minimal user action provide access to an existing account. Some methods will use only the capabilities of the Android operating system, while other authentication methods will be performed exclusively on the server.
The server is a computer configured to respond to messages from the application. It stores data, processes it, searches for it in databases if necessary, and issues it as a response to the application’s request.
Only the result of their execution with data that the system can use to directly authenticate the user will be returned to the phone.
Consider the following authentication
methods [
3. Presentation of the Main Material
For all authentication methods, we have the following prerequisite:
An account has been created in the system and there is at least one user who is already authenticated to this account.
The task of the authentication system is to ensure that another user successfully authenticates to an existing account.
1. Authentication by IP address
This type of authentication can only be performed on one device and is used to quickly reenter an account if the user has previously logged out. It is performed mainly with the help of a server that will act as a kind of hub and will issue authentication permissions based on the IP address of the device and the encrypted token. The device will only need to contact the server to get permission to re-authenticate.
If the user re-opens the application using the
same IP address within a certain period and the
server confirms his/her token, the device is
successfully authenticated. A possible scheme of
this process is shown in Fig. 1 [
The disadvantages of this authentication
system are as follows:
• In some cases, the implementation of this
logic can be difficult.
• You need to have your server.
• Because the IP address of the device is
analyzed, there is a possibility to authenticate
the wrong device if the method is implemented
incorrectly.
• It cannot be said that this method is 100%
secure.
• Can only be used on a device that has
already been authenticated before.
• The authenticated device must be located
in the same IP address area.
2. User authentication using a QR code
To implement this authentication method, the
user must scan the provided code with any
available QR code scanner and be either near the
device on which it is generated or can scan it [
The technical implementation of this authentication method involves the implementation of a QR code generation procedure.
The Android Studio IDE software [
Let us consider how the system on which this
QR code is scanned understands that it is
necessary to authenticate the user and allow him
to enter the application [
So, the system, when generating a QR code,
starts a procedure that accesses the server and
passes it certain parameters that will be required
to authenticate another client in this account. After
receiving these parameters, the server must return
a so-called Deeplink in its response [
A Deeplink is a hyperlink that redirects the user to a specific section of an application or website. This feature reduces the number of intermediate user actions and helps the user get to the desired page in a minimum number of steps.
Deeplink can [
Fig. 2 shows a scheme that can be used for authentication using a QR code.
It is important to remember that the
implementation of Deeplink requires the use of a
special service to generate such a link and make it
work correctly, such as Google’s Firebase service
[
Thus, we have a ready-made QR code with a
built-in Deeplink. On another client, you need to
scan the QR code, which will result in a certain
identifier by which we can contact the server and,
if it confirms the correctness of this identifier,
successfully authenticate the user to the account
[
The advantages of this authentication method
are:
• The relative simplicity of
implementation, this method is quite common,
so there is a lot of documentation on its
implementation [
A code is generated on the server that can
consist of numbers, letters, or a combination of
both. The code can also have an arbitrary length
and, optionally, an expiration date [
Device A: initiates a request to the server. If we describe the algorithm in simple terms, it will look like this: “Generate a code and send it to me in response to this request.” After that, it is possible to display this code on the device screen and ask the user to enter it on another device.
Device B performs the following actions:
enters the code in the appropriate window, then
encrypts it with the most convenient and possible
encryption method (for example, SHA-256 using
salt) and sends its hash to the server [
The server, in turn, processes the encrypted code sent to it, decodes it, checks whether it matches the code generated by the same server earlier, and if it does, it sends a response to Device B.
After receiving confirmation from the server, we can successfully authenticate the user (Device B) to the account.
A diagram of the implementation of this
authentication method is shown in Fig. 3 [
The disadvantages of the method are that:
• The implementation of the method
requires the use and administration of its
server.
• Physically, the user has to go through
more steps in the authentication process.
Compared to other methods, the user needs to:
send the code if there is no physical access to
the device on which it was generated, and enter
the code through the input device. Also, the
possibility of an error in the process of entering
the authentication code by the user cannot be
ruled out. At the same time, this method is the
most convenient and secure if there is a large
distance between the devices [
4. Authentication using Network Service Discovery (NSD) technology
First, you need to analyze the NSD technology itself, its features, and how it works.
So, the Network Service Discovery (NSD)
function provides the application with access to
services provided by other devices on the local
network. Devices that support the NSD function
include printers, webcams, HTTPS servers, and
other mobile devices [
NSD implements a mechanism for searching for services based on DNS-SD.
DNS-SD allows your application to request services by specifying the type of service and the ID of the device that provides the desired type of service.
DNS-SD is supported on both Android and other mobile platforms.
To start the implementation on an
authenticated device, we will need to register a
special service on the network using an IP address
and port. As an example, we can use the following
method of use: over this network, we can transmit
the so-called JSON [
Advantages of this method [
The disadvantages include: • The presence of a local network, makes it impossible to use this method for devices that are outside of it. • Reliability is not guaranteed, messages may be lost and, as a result, authentication will not take place. • The use of multicast traffic, which may lead to a greater discharge of mobile device batteries. • The possibility of unauthorized access to authentication data that may be locally cached.
The study has shown that there are many
nonstandard, interesting, and effective methods of
user (device) authentication, in addition to those
that are currently most common. The tendency to
use social networks as an authentication method
and enter a password and identifier is dictated by
large companies that have large computing
resources and can determine which authentication
method the user is most likely to use to access the
application [
However, such solutions may not always ensure the confidentiality, integrity, and availability of user data. It is worth recalling the process of registration in such popular networks as Instagram, Facebook, etc., where two-factor authentication technology was out of the question a couple of years ago.
In this paper, we have considered the methods of user authentication by IP address, using a QR code, using a connection code, and Network service discovery technology. Each of these methods is unique and has its specifics of implementation and the corresponding level of security, so it is not appropriate to say that one is better and one is worse.
The method of user authentication should be chosen taking into account the technology of operation and security requirements of the system in which the user (device) must be authorized.
If we talk about choosing a specific authentication method, we can consider the following cases as an example. To develop an application that should work locally or devices that will be authenticated will be located nearby, it will be convenient to use NSD and a QR authorization code, depending on the security requirements, you can choose between a more secure QR code and a less secure NSD. As an example, applications such as Walkie-talkie or Zello can serve as a good example, if you want to provide similar functionality to these, these authentication methods will be the best choice.
If you are developing an application whose user can have several options for authentication and, accordingly, have different implementations, you can use IP address authentication.
In general, there are many examples of the implementation of different authentication methods, the main thing is that their use can be different, up to the fact that you can implement authentication using all methods, it all depends on the specific goals that will be set. 5. References [1] [2] [3] [4] [5] [6]