JPG

Abstract

BHIM is good, but its multi-factor authentication scheme is too proof-of-knowledge heavy. All that is required is access to the mobile of an honest user, and his UPI pin, and an attacker can make transactions on the honest user’s behalf. The device pin can be accessed from the device itself as it is stored on the device.

Proposal

What I propose is a multi-factor Authentication scheme which sounds overengineered, but will work:

The first step is to generate a key pair, the key pairs could be mapped one for each user, but may not have to be.

The device application will have public key, UPI server will have private key, all communication between the client/app/user and server will be encrypted to prevent man-in-the-middle attacks. Frequent updates will revoke old key pairs and regenerate new key pairs.

The user’s fingerprint will be used to generate a second pair of keys, with the private key being held by the user (in the client/app/user), and the public key uploaded to the UPI server.

Any communication between the server to the client/app/user will require the server to encrypt data using the client’s public key. Any communication between the client/app/user to the server will require the app to encrypt data using the server’s public key.

The actual Multi-factor authentication scheme:

a.) proof of knowledge -An image shown to user during registration, he will have to select the image he saw from a grid of 9 images. Anytime an authenticated user wants to change his image, he will be able to. This image will be hashed and encrypted. This is in addition to the UPI pin which the user will have to remember. Ideally, the jobs of verification of all user data and changing/ revocation should be handled by different parties (different identity servers).

(or) A Zero-knowledge proof that I know the password (i.e. that I am using the same password as the one previously set up and validated).(something like The SRP Authentication and Key Exchange System) , instead of typical password/passphrase schemes.

b.) possession factor - OTP, plus device pin.

c.) Inherence factor - fingerprint will be hashed and encrypted, which will be used for verification. This will also be used to create key pairs identifying the client/user/app.

Any user data (any images, UPI pins, other data etc) which is stored on UPI servers will be stored as salted hashes.