Multi-Factor Authentication System on Raspberry Pi over Cloud Network

Soumadeep Dhar
Jun 23, 2021

Hi Everyone,

I am a technology enthusiast with interests in multiple domains like Cloud, Security, and DevOps. I was a Programmer Analyst at Cognizant Technology Solutions. I have been developing microservices projects by myself. Along with all the development stuff, I have been exhibiting my presence on social platforms like Instagram and Quora as my favorite pastime, writing short stories, poems, etc. This project was developed by peer members: Soumadeep Dhar, Ankita Sinha, and Ravi Kumar Gubbala.

With the Internet of Things (IoT) revolution, the technology world has changed. From smart cities to smart homes, everything is becoming technologically advanced. The need has shifted toward comfort, and with this, security is a major concern. Authentication and authorization are the first step in serving that security purpose. Here we propose a solution: a multi-factor authentication and authorization system using the Raspberry Pi connected over a cloud network, so that any kind of intrusion or breach is easily detected and actions can be taken remotely.

1. Introduction

Technology is a luxury appreciated by each and every individual, and it is involved in every aspect of an individual's life, be it ATMs for cash withdrawal, surveillance cameras, healthcare applications, fitness bands, voice assistants, smart robots, and many more. An Internet of Things (IoT) device is a faster, cheaper, and better choice. The Internet of Everything (IoE) is described by four pillars: people, data, process, and things. People are connected in valuable ways, data is used as intelligence for decision making, process delivers precise information, and things are the devices that connect all the pillars, also known as IoT. IoT is nowadays used for monitoring, analyzing, controlling, research purposes, data collection, and data transfer. It is thus a device or a system that communicates over a wireless network without any human interaction. It is a revolution that focuses on overall digital transformation with low-cost connected devices for various sectors.

With the Internet of Things (IoT) revolution, the technology world has changed. The demand for technologies is mounting and has transformed the way of living. From smart cities to smart homes, everything is turning smart. The need has shifted toward comfort, and with this, security in this era of the smart world is a significant concern. Hence, authentication and authorization are the first walls of security. Using an authentication system is a pillar of security, be it for offices, homes, malls, banks, etc. The system needs to be fast and accurate to serve the purpose, so that any kind of intrusion or breach is easily detected and reported.

Raspberry Pi is a low-cost programmable computer with general-purpose input-output (GPIO) which, when connected with external devices, forms an IoT device. It is a single-board high-performance computer. Raspberry Pi offers Raspberry Pi OS (Raspbian), a Debian GNU/Linux-based operating system that comes with preloaded packages and programming languages like Python. It also has wireless LAN and Bluetooth facilities. Hence, it is best suited for the Internet of Things (IoT).

Authenticating means checking whether the user has the necessary access to specific applications, premises, or anything else that is protected from unauthorized access. Authentication means accepting user-based inputs and checking whether the user has the relevant access. If yes, access is provided; if the inputs do not match the necessary criteria, access is denied. In recent times, it has become increasingly tough to keep applications secure from intrusion or threats. To mitigate such threats, the technology world has come up with a solution called multi-factor authentication, meaning that the system accepts various sets of inputs and authenticates based on those inputs. These sets can include, but are not limited to, SMS Token Authentication, Email Token Authentication, Hardware Token Authentication, Software Token Authentication, Phone Authentication, and Biometric verification. The actual authentication process can have more than one method, depending upon the user's choice and the importance of the application that the user is accessing. Currently, several applications support the following: Two-Factor Authentication, Three-Factor Authentication, Four-Factor Authentication, and Five-Factor Authentication.

2. Proposed Design Framework

Figure 1: Setup for the Proposed Model

Our project involves multi-factor authentication: to access a given device, the user must pass three different ways of authentication before successfully getting hold of that resource. The components involved are the Raspberry Pi, multi-factor authentication, Raspberry Pi network connectivity over the cloud server, a Python program for image/face recognition, an Android or iOS phone for the authenticator method, and SSL for Raspbian OS for accessing remotely and securely.

The first one is password authentication. We are using SSH (Secure Shell) to perform authentication. The second one is OTP. We are using Google Authenticator for token generation and Linux-PAM (Pluggable Authentication Modules for Linux) on the server side to validate the code generated by the authenticator. The third one is based on facial recognition, and we are using the OpenCV API to perform it.

SSH is mainly employed to transfer encrypted data between two devices so that no third party has visibility into the data. SSH is a connection-oriented transport mechanism and can support symmetric encryption, asymmetric encryption, and hashing. SSH supports several algorithms, including key exchange algorithms such as Diffie-Hellman, MAC algorithms such as HMAC/MD5, and ciphers such as AES-128/Blowfish-CBC. SSH uses a client-server model to encrypt and authenticate the data exchanged between two parties. The server component listens for connections on a designated port. Upon acceptance of the credentials, it negotiates the secure connection, authenticates the connecting party, and starts the correct environment. During initial TCP handshakes, the client negotiates a secure connection with the server, verifies that it matches previously recorded credentials, and passes credentials for authentication. Setting up an SSH session requires two separate stages. The first stage is to agree upon and establish encryption for future communication. The second stage involves authenticating the user and determining whether access to the server should be granted.

Figure 2: Google Authentication

Google Authenticator is one of many applications that generate a TOTP (time-based one-time password) that works with the server side. Both the user side and the server share the same secret key, which is shared at the time of registration by way of text, QR code, etc. It has three components: shared secret, input time, and signing function.

Shared Secret: To set up the account on your phone, you need to obtain the shared secret. It can be obtained either by photographing the QR code with a smartphone or by entering it manually.

Input (Current Time): Once you have the secret, the time value is taken directly from your phone. No further interaction with the server is required. In any event, your phone should be set to the correct time, as the server will use the current time it already knows instead of the current time on your phone.

Signing Function: HMAC-SHA1 is the signing function used. The HMAC algorithm uses a secure one-way hash function (SHA1 in this case) together with the secret to sign a value. A cryptographic algorithm like HMAC can validate and prove the integrity of a unique piece of data: only a person with the secret can produce the same output for the same input.
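The three components above (shared secret, current time, HMAC-SHA1 signing) combine as shown in this added example, which is not code from the original project. It follows the standard TOTP algorithm (RFC 6238) with 6-digit codes and 30-second steps; the function names, the drift window, the replay check and the constructed demo secret are assumptions.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for
DIGITS = 6   # code length shown in the authenticator app

# Constructed demo secret (base32 of b"12345678901234567890"); never reuse it.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """Compute the code for the time step containing unix_time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    # Input: number of whole steps since the epoch, big-endian 64-bit.
    counter = struct.pack(">Q", int(unix_time) // step)
    # Signing function: HMAC-SHA1 keyed with the shared secret.
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    # Dynamic truncation: low nibble of the last byte selects 4 bytes.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, code, server_time, window=1, last_used_step=None):
    """Return the matching step number, or None if the code is rejected.

    window tolerates phone/server clock drift in whole steps;
    last_used_step blocks replay of an already accepted code.
    """
    current = int(server_time) // STEP
    for step_no in range(max(0, current - window), current + window + 1):
        if last_used_step is not None and step_no <= last_used_step:
            continue
        expected = totp(secret_b32, step_no * STEP)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), code.encode()):
            return step_no
    return None


if __name__ == "__main__":
    print(totp(DEMO_SECRET, 59))                   # code at t=59
    print(verify(DEMO_SECRET, "287082", 89))       # phone one step behind
    print(verify(DEMO_SECRET, "287082", 59, 0, last_used_step=1))  # replay
```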

Figure 3: Facial Recognition System Flow

Once password authentication and Google authentication have validated the user, the next phase is facial recognition. Facial recognition is a way to identify the user. We use a real-time facial recognition system that notifies the administrator through email both when it recognizes the user and when an unknown user is detected. This is a type of biometric security, used for surveillance as well as for alerting the admin in case of theft. It has proven very useful for law enforcement, retailers, and home security. In our proposed facial recognition model, we used Python as the environment with the OpenCV, face_recognition and imutils packages, which train the Raspberry Pi on a collection of authentic user images; a mapping between each user's name and face (i.e., the images) is then created in the encodings pickle file. This process is done using the HaarCascade algorithm, which maps and trains the model. Once the training is done, the facial recognition code is triggered to detect and identify the face; for this we have used (HOG). Along with this, an email notification code is also triggered, i.e., an API call that notifies the admin of a physical intrusion for both authorized and unauthorized users. For an authentic user, the name mapped to the person's face is shown, and unauthorized users are labelled as unknown, as shown in figure 9. We have implemented facial recognition for physical authentication, which is also a type 3 authentication technique.

We have implemented a VNC server over the cloud that allows different users to connect to the network and use the Raspberry Pi interface, which makes remote usage possible. This is possible only if the admin of the network gives the user permission to enter the cloud network; for this, the IP address and VNC server key need to be added to the cloud network. Figures 5 and 6 below show the VNC server and the users allowed to connect over the cloud remotely. We also use the HTOP task manager to monitor the Raspberry Pi system.

Figure 4: VNC Server view
Figure 5: Remote Access to Raspberry pi
Figure 6: HTOP Task Manager

3. Result and Analysis

We have implemented multi-factor authentication methods. The first method is password authentication: if the password is accurate, then the verification code step, i.e., the Google authentication method, is enabled. If the accurate code is provided, then the Raspberry Pi network can be used; otherwise you have to start again. This is done in the SSH panel. If a user provides a wrong password 3 times in a row, SSH will lock the network for a specified time. In the figure below we have shown the successful result of the authentication. Below are the different test scenarios of authentication:

Test 1: Providing correct password and correct verification code: With the correct password and verification code, the network allows the user to enter the Raspberry Pi interface.

Test 2: Providing wrong password: With a wrong password, the network won't allow the user to enter the Raspberry Pi interface. Password authentication is the first step of authentication and is mandatory. Hence, with a wrong password, the user is not allowed to move on to the next authentication step or to enter the network. If the user provides a wrong password 3 times in a row, SSH will lock the service for a specified time.

Test 3: Providing correct password and wrong verification code: With the correct password, SSH allows the user to move on to the next authentication step, i.e., Google Authenticator. If a wrong verification code is then provided, the network won't allow the user to enter the Raspberry Pi interface. This verification code is generated every 30 seconds and is accessible to the user via the Google authentication app that is connected to the Raspberry Pi.

With multiple rounds of testing, we have found that the accuracy level is high for all the above cases. Also, with the VNC server over the cloud, different users are allowed to connect to the network; this is possible only if the admin of the network gives permission to the user, and only for users who have the permission and are authenticated.

Figure 7: Facial Recognition Results

Table 1: Face recognition accuracy model comparison

The methodologies reviewed have a high accuracy rate if human faces are detected correctly. The training of the model and the quality of the camera and pictures play a vital role in the system's performance. Our proposed facial recognition model has high accuracy while detecting faces, as shown. The performance analysis of the facial recognition system was run on our dataset. Our evaluation used the following metrics: False Negatives, Unknown Faces, and False Recognition. The face recognition accuracy rate was calculated as follows: Face Recognition Rate = (Total Number of Faces - Total Number of False Recognitions) / (Total Number of Faces) × 100%. Table 1 shows that the proposed facial recognition accuracy is high compared to an existing model. In Table 2, our proposed facial model is evaluated on the dataset using the same metrics, and the face recognition rate is calculated with respect to 3 different parameters.

4. Conclusion

Security is an essential part of technology to protect against and prevent any kind of threat or intrusion. Hence, the accuracy rate of a security application is imperative. Applications like face detection and recognition should be highly accurate, which will, in return, protect the system, stores, etc., from being accessed by an unauthorized person such as a hacker or intruder. With the use of Raspberry Pi, the whole system is cost-effective and can be power-efficient as well. Hence, the purpose is to identify any suspicious behavior or unknown face and then alert the administrator.


Soumadeep Dhar

Product Security Intern at RSA Security | Master’s in Information Security