Best laravel framework open-source packages.

ENHANCED TWO FACTOR AUTHENTICATION SYSTEM WITH AES ENCRYPTION AND ENCRYPTED OTP

Updated 6 months ago


Authentication in computing refers to the act of confirming the authenticity of a user's claimed digital identity. At present, popular authentication mechanisms are mostly based on the following factors: something that the user has (an object), knows (a secret), or that uniquely represents him (biometric identifiers). In the simplest form, a system that requires authentication challenges the user for a secret, typically a username and password pair. Entering the correct pair grants access to the system's services or resources. Unfortunately, this approach is susceptible to several weaknesses and drawbacks. These shortcomings range from user-chosen weak or easily guessable passwords to more sophisticated threats such as malware and keyboard sniffers (keyloggers). To minimize these vulnerabilities, we use a system in which a random OTP is sent to the registered email id of the user at the time of login, so as to prevent an attacker from gaining access to the resources even when he has the password. The generated OTP is always unique, so unless the attacker has access to the user's email the system is secure. We have minimized the use of session variables and cookies in the proposed system; sensitive data is stored only in the database, and only after AES encryption. This property alone makes attacks such as dictionary attacks and keyloggers computationally hard, increasing our ability to defend against brute-force attacks. Although biometric authentication systems are considered more secure, it is not feasible to implement such resource-intensive authentication mechanisms in web applications, so multifactor authentication is the balance between secure and user-friendly systems. Multifactor authentication is usually accomplished by combining traditional text-based authentication with another factor.
These factors can include smart cards, USB tokens, handheld devices, or one-time password tokens. Having at least two factors strengthens the protection of resources. The aim of the proposed system is to provide the user with more secure authentication. In this project, the proposed system is a Multi-factor Authentication System that gives greater security to highly confidential data. Our approach overcomes the limitations of conventional password systems.

Proposed System

The details of the user are encrypted and stored at the time of registering with the web portal. During the encryption process a unique key and initialization vector (IV) are created for each user id; these are stored in the database in encrypted form using the Advanced Encryption Standard and are used at the time of decryption. The password is also encrypted using the Advanced Encryption Standard. During the second factor of authentication, a random system-generated OTP is sent to the user's registered email id. The OTP is not stored in sessions or cookies; instead it is hashed with a hashing function and stored in the database with a timestamp. When the user enters the OTP for login, the record is automatically deleted from the database. Even if the user enters a wrong OTP, the OTP record associated with that username is deleted so that the OTP cannot be used again. Hence, if a wrong OTP is entered, a new OTP must be generated by logging in again.
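The OTP lifecycle described above (store only a hash with a timestamp, delete the record on every attempt) can be sketched as follows. This is an added example, not the project's own code: it is written in Python with an in-memory SQLite table, and the table layout, the 300-second validity window and the use of HMAC-SHA-256 as the hashing function are assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

OTP_TTL_SECONDS = 300  # assumed validity window; the page gives no value
SERVER_KEY = secrets.token_bytes(32)  # assumed server-side key for the keyed hash


def open_store():
    """In-memory table standing in for the application's OTP table (hypothetical layout)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE otp (username TEXT PRIMARY KEY, digest BLOB, issued_at REAL)")
    return db


def _digest(username, otp):
    # Bind the digest to the username so a record is only valid for its owner.
    return hmac.new(SERVER_KEY, f"{username}:{otp}".encode(), hashlib.sha256).digest()


def issue_otp(db, username, now=None):
    """Create a fresh 6-digit OTP, store only its digest, return the OTP for e-mailing."""
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10**6):06d}"
    # REPLACE discards any earlier OTP for this user: one live code per username.
    db.execute("REPLACE INTO otp VALUES (?, ?, ?)", (username, _digest(username, otp), now))
    db.commit()
    return otp


def verify_otp(db, username, candidate, now=None):
    """Consume the stored record on every attempt, right or wrong, then compare."""
    now = time.time() if now is None else now
    row = db.execute("SELECT digest, issued_at FROM otp WHERE username = ?", (username,)).fetchone()
    # Delete before comparing so a wrong guess cannot be followed by a second one.
    db.execute("DELETE FROM otp WHERE username = ?", (username,))
    db.commit()
    if row is None:
        return False
    digest, issued_at = row
    fresh = 0 <= now - issued_at <= OTP_TTL_SECONDS
    # compare_digest runs in constant time; evaluate it even when the OTP is stale.
    match = hmac.compare_digest(digest, _digest(username, candidate))
    return fresh and match
```

Because every attempt consumes the record, an attacker gets one guess per issued OTP, so rate limiting OTP issuance matters as much as the comparison itself.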

System Architecture

[Figure: system architecture diagram]

Innovative Idea

The innovative idea that we implemented is that each user id is associated with a unique key and initialization vector. No confidential data such as the password or OTP is stored in sessions; instead they are stored in the database after encryption and decrypted at the server by fetching the cipher text from the database. This secures the OTP and password over the network: even if malicious users get access to them, they cannot be deciphered easily. Even if they are deciphered, they will be useless, as the OTP is generated randomly and can only be used once, and if a wrong OTP is entered it is still deleted from the database, preventing further access with it.

Screen Shots

Register Module: The user uses this module to register with the web portal. [Screenshot: Register module]

Conclusion and Future Work

Conclusion-

This paper proposes a practical design of AES encryption combined with OTP verification for a two-factor authentication system. The fusion of AES-encrypted password recognition and OTP verification proves to be feasible and reasonable for web-based apps. The results show that our optimization for OTP does not compromise Confidentiality, Integrity and Availability.

Future Work-

The proposed system is a 2 Factor Authentication System. It combines the concepts of 'what we know' and 'what we have'. In future we can also include a third layer which will include the feature of 'what we are'. For that we can use biometrics such as fingerprints, facial recognition, iris scanning, etc. We can also include Captcha or reCAPTCHA for a more secure version of the system.