Authentication is one of the essential components of a security model and can be done in three ways (Rouse, 2017). First, knowledge factors are based on something the user must know. This includes usernames, IDs, passwords and PINs. Second, possession factors are based on something the user must have, such as one-time password (OTP) tokens, both soft and hard tokens. Third, inherence factors are based on something the user is or does. This includes biometrics such as fingerprint scans, facial recognition and iris scans. The use of mobile devices such as smartphones has evolved very quickly over recent years, and they have become a necessity for every individual. Smartphones support Internet services through which individuals can access any application.
A self-service banking option called the Mobile banking application (M-Banking) has been offered by financial institutions for their customers' convenience. Clients can make any financial service or transaction through M-Banking applications on their smartphone as long as they have network connectivity, anywhere and anytime. From the first stage of the questionnaire study (refer to Appendix A), distributed online, and its results (refer to Appendix B), the majority of mobile users in Brunei Darussalam use M-Banking on their smartphone. The most common authentication mechanisms used by financial institutions in Brunei Darussalam are numeric passwords, alphanumeric passwords, OTP (hard token), OTP (SMS) and a subset of the digits of the password. However, these authentication methods may be prone to dictionary attacks and brute-force attacks.

1.1. PROBLEM STATEMENT

Most M-Banking authentication schemes use the same login method, PIN authentication, such as a password shared with the online banking or ATM password. Thus, the password is predictable and vulnerable to guessing. Furthermore, online bank password schemes usually use a 6-digit number.
The possible combinations to crack a 6-digit password number 1,000,000 (Password Depot, 2017). To address this issue, many banks have recently adopted OTP (hardware token) as part of multi-factor authentication. Despite the fact that this method provides a fairly high level of security, many systems have not taken into consideration the need for a secure alternative login method whenever the hardware token is unavailable.
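The following Python example is added here to make the preceding points concrete; it is not code from the paper or from any bank's M-Banking system. It computes the 6-digit PIN keyspace and the expected cost of online guessing once a failed-attempt lockout is enforced, and it models a server-side login that combines a knowledge factor (a salted, slow-hashed PIN) with a possession factor (a 6-digit OTP generated per RFC 4226 HOTP / RFC 6238 TOTP, as hardware and soft tokens do). The lockout policy values, the account record, and the demo seed (the RFC 4226 test-vector key) are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

# Policy values are constructed for this example, not taken from any bank's scheme.
PIN_DIGITS = 6
MAX_FAILED_ATTEMPTS = 5     # wrong logins allowed before the account is locked
LOCKOUT_SECONDS = 15 * 60   # how long a lockout lasts
TOTP_STEP = 30              # RFC 6238 time step in seconds


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible secrets, e.g. 10**6 for a 6-digit numeric PIN."""
    return alphabet_size ** length


def expected_online_guesses(space: int) -> int:
    """Guesses needed on average to hit a uniformly chosen secret (half the space)."""
    return space // 2


def expected_attack_seconds(space: int, max_attempts: int, lockout_seconds: int) -> int:
    """Wall-clock cost of online guessing when every max_attempts failures trigger a
    lockout. Attempts themselves are treated as instantaneous; only lockouts cost time."""
    guesses = expected_online_guesses(space)
    lockouts = (guesses - 1) // max_attempts
    return lockouts * lockout_seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked database does not directly expose PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Account:
    pin_hash: bytes
    salt: bytes
    otp_secret: bytes          # seed shared with the customer's token (hard or soft)
    failed_attempts: int = 0
    locked_until: int = 0      # unix time until which logins are refused


def create_account(pin: str, otp_secret: bytes) -> Account:
    salt = secrets.token_bytes(16)
    return Account(hash_pin(pin, salt), salt, otp_secret)


def login(acct: Account, pin: str, otp: str, now: int) -> str:
    """Returns 'ok', 'denied' or 'locked'. Both factors are always evaluated and the
    response never reveals which one failed, so the PIN cannot be guessed on its own."""
    if now < acct.locked_until:
        return "locked"
    pin_ok = hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash)
    # Accept the current step and the previous one to tolerate small clock drift;
    # compare as bytes so non-ASCII input cannot make compare_digest raise.
    otp_ok = any(hmac.compare_digest(totp(acct.otp_secret, now - d).encode(), otp.encode())
                 for d in (0, TOTP_STEP))
    if pin_ok and otp_ok:
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.failed_attempts = 0
        acct.locked_until = now + LOCKOUT_SECONDS
        return "locked"
    return "denied"


if __name__ == "__main__":
    space = keyspace(10, PIN_DIGITS)
    print(f"6-digit PIN keyspace: {space:,}; expected guesses: {expected_online_guesses(space):,}")
    days = expected_attack_seconds(space, MAX_FAILED_ATTEMPTS, LOCKOUT_SECONDS) / 86400
    print(f"with lockout policy, expected online guessing time: {days:,.0f} days")
    # Constructed demo seed: the RFC 4226 test-vector key, not a real token seed.
    seed = b"12345678901234567890"
    acct = create_account("123456", seed)
    print(login(acct, "123456", totp(seed, 59), 59))   # ok
    print(login(acct, "654321", totp(seed, 59), 59))   # denied
```

With the constructed policy of five attempts per 15-minute lockout, the expected cost of guessing a 6-digit PIN online rises from half a million instantaneous tries to roughly 1,040 days, which is the mitigation the paper's brute-force concern calls for on the server side; the OTP check shows the possession factor that the hardware and SMS tokens mentioned above supply, and the generic "denied" response keeps the two factors from being attacked one at a time.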