
Implement Three Level Password Authentication

The micro project report details the implementation of a three-level password authentication system aimed at enhancing security through multi-factor authentication. It outlines the different types of authentication factors, the project's objectives, resources used, skills developed, and the importance of tailoring authentication levels to specific risks. The report concludes that a strategic three-level authentication framework is essential for creating a resilient security architecture in digital environments.

Uploaded by

DEVILS GAMERS

MAHARASHTRA STATE BOARD OF TECHNICAL EDUCATION

Yashwantrao Chavan Institute of Polytechnic, Beed (1158)

MICRO PROJECT REPORT

Academic Year: 2024-25
TITLE OF MICRO PROJECT:
Implementation of Three Level Password Authentication

Program: Computer Technology
Program code: CM6I
Course: NIS
Course code: 22620
MSPM’s Yashwantrao Chavan Institute Polytechnic
Department of Computer Technology

Submitted by

This is to certify that Mr. Darshan Rajesh Joshi, Roll No. 3255, has
successfully completed the Micro-project in the course Network
Information Security (22620) at YASHWANTRAO CHAVAN INSTITUTE OF POLYTECHNIC
(code: 1158) for the academic year 2024 to 2025, as prescribed in the
curriculum.

Place: Beed
Enrollment no: 2211580381
Date: / / 2024
Exam seat no:

Subject Teacher | Head of department | Principal

Implementation of Three Level Password Authentication
1.0 Brief Description
The ways in which someone may be authenticated fall into three categories, based on the
factors of authentication:
1. Knowledge factors: Something the user knows (e.g., password, PIN, security
question).
2. Ownership factors: Something the user has (e.g., ID card, security token,
smartphone).
3. Inherence factors: Something the user is or does (e.g., fingerprint, voice,
biometric data).
Security research recommends verifying at least two factors (preferably all three) for
robust authentication.
Single-factor authentication
• Weakest level; uses only one component (e.g., password).
• Not recommended for financial or sensitive transactions.
Multi-factor authentication (MFA)
• Requires two or more factors (e.g., bank card + PIN).
• Enhances security for high-risk systems.

2.0 Aim of Micro-project

• Review three-level authentication systems.
• Analyze awareness of authentication levels.
• Study legal implications of authentication methods.

3.0 Actual Resources Used

| S.NO | Resource/Material | Specifications | Qty |
|------|-------------------|----------------|-----|
| 1 | Computer System | Windows 7+, 2GB RAM, Core i3, 500GB HDD | 1 |
| 2 | Software | Windows 10 | - |

4.0 Skills Developed


1. Improved time management.
2. Reduced paperwork.
3. Efficient record handling.
4. Enhanced research strategies.
5. Ability to retrieve relevant information.

5.0 Course Outcomes Integrated


a. Identify computer security risks and information hazards.
b. Apply user identification and authentication methods.

6.0 Implementation and Result


Authentication is critical in fields like art, forensics, and IT. Three primary types include:
1. Credible person verification: Provenance attestation (e.g., witnessed signatures).
2. Attribute comparison: Analyzing physical/behavioral traits (e.g., carbon dating,
biometrics).
3. Documentation/external records: Certificates, chain of custody.
Challenges: Forgery risks, separation of records, and reliance on implicit trust.
Digital Authentication:
• Enrollment, authentication, and lifecycle maintenance.
• Vulnerable to man-in-the-middle attacks; requires multi-factor validation.
Continuous Authentication:
• Monitors users via behavioral biometrics (e.g., keystroke dynamics).

7.0 Conclusion and Recommendations: Implementing a Strategic Three-Level Authentication Framework

The implementation of a three-level password authentication system offers a strategic
approach to enhancing security by tailoring the strength of authentication to the specific
risks associated with different levels of access. Each level presents its own set of
considerations and trade-offs between security and usability.
Level 1: Basic Multi-Factor Authentication, utilizing strong passwords and OTP via SMS
or email, provides a good initial balance of security and usability. It is suitable for broad
adoption across a wide range of users and applications, offering a significant
improvement over single-factor authentication. However, the inherent vulnerabilities of
SMS and email OTP should be carefully considered, especially for more sensitive
resources.
Level 2: Enhanced Multi-Factor Authentication, building upon Level 1 with the
implementation of Authenticator Apps (TOTP) or software tokens, offers a higher degree
of security. While requiring a slightly greater user effort for setup and usage, this level
mitigates some of the risks associated with SMS and email delivery, making it
appropriate for accessing more sensitive data and systems.
Level 3: High-Assurance Multi-Factor Authentication, incorporating biometric
authentication or hardware security tokens, provides the highest level of security within
this framework. While biometric methods offer convenience, they may raise privacy
concerns for some users. Hardware tokens provide robust security but can introduce
usability challenges related to management and portability. This level is ideally suited for
protecting critical assets and for users with elevated privileges or access to highly
sensitive information.
The selection of the appropriate authentication level should be guided by a thorough risk
assessment that considers the sensitivity of the data being accessed, the potential impact
of a security breach, and the usability requirements of the users. For standard users
accessing general-purpose applications, Level 1 might provide an adequate level of
security with minimal disruption to their workflow. For users accessing more sensitive
data or performing critical functions, Level 2 offers a stronger security posture. Level 3
should be reserved for administrators, privileged accounts, and access to the most critical
assets where the risk of unauthorized access is highest.
Ultimately, a three-level authentication system should be viewed as a crucial component
of a broader defense-in-depth security strategy. By layering multiple security
mechanisms, organizations can create a more resilient security architecture that prevents a
single point of failure and significantly hinders the ability of attackers to compromise
their systems and data. Implementing a well-planned and executed three-level
authentication framework, tailored to the specific needs and risk landscape of the
organization, is a vital step towards building a more secure and resilient digital
environment.
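
The three levels described above can be enforced as a step-up policy. The following is an added example, not code from the report: it verifies a password and an authenticator-app code (RFC 6238 TOTP with drift tolerance and replay rejection), works out which level the verified factors reach, and names the factors still missing for a resource. The function names, the `general`/`sensitive`/`critical` classes, the user record layout and the PBKDF2 work factor are assumptions; SMS/email OTP delivery and biometric or hardware-token checks are out of scope and are passed in through `extra`.

```python
import base64, hashlib, hmac, os, struct

PBKDF2_ROUNDS = 600_000  # assumed work factor for this example
def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), the scheme authenticator apps implement."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", int(at // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret_b32, submitted, at, last_counter=-1, window=1, step=30):
    """Return the matching time-step counter, or None. Tolerates +/- `window`
    steps of clock drift and refuses steps <= last_counter (replay)."""
    now_ctr, match = int(at // step), None
    for ctr in range(max(0, now_ctr - window), now_ctr + window + 1):
        expected = totp(secret_b32, ctr * step, step).encode()
        if hmac.compare_digest(expected, submitted.encode()) and ctr > last_counter:
            match = ctr
    return match

# Factors each level demands, following Table 2 of the report.
LEVEL_FACTORS = {
    1: {"password", "otp_sms_email"},
    2: {"password", "totp"},
    3: {"password", "totp", "biometric_or_hw_token"},
}
REQUIRED_LEVEL = {"general": 1, "sensitive": 2, "critical": 3}  # constructed mapping

def collect_factors(user, password, code, now, extra=frozenset()):
    """Factors verified for this attempt; `extra` holds factors checked elsewhere."""
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return set()  # never evaluate a second factor without the first
    verified = {"password"} | set(extra)
    ctr = verify_totp(user["totp_secret"], code, now, user["last_ctr"]) if code else None
    if ctr is not None:
        user["last_ctr"] = ctr  # burn the time step so the code is single-use
        verified.add("totp")
    return verified

def achieved_level(verified):
    return max((lv for lv, need in LEVEL_FACTORS.items() if need <= verified), default=0)

def authorize(resource_class, verified):
    """Allow, or list the factors still needed to step up to the required level."""
    need = REQUIRED_LEVEL[resource_class]
    if achieved_level(verified) >= need:
        return ("allow", [])
    gaps = [LEVEL_FACTORS[lv] - verified for lv in sorted(LEVEL_FACTORS) if lv >= need]
    return ("step_up", sorted(min(gaps, key=len)))

def make_user(password, totp_secret):
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret, "last_ctr": -1}

DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()  # RFC 6238 test secret (constructed sample)
if __name__ == "__main__":
    user = make_user("correct horse battery staple", DEMO_SECRET)
    print(authorize("critical", collect_factors(user, "correct horse battery staple", totp(DEMO_SECRET, 59), 59)))
```

A session that reaches Level 2 is allowed onto Level 1 resources as well, and a code that has already been accepted is refused on reuse because its time step is recorded in `last_ctr`.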
Key Valuable Tables:
Table 1: Comparison of Authentication Factors

| Factor Category | Examples | Security Strength | Usability | Common Use Cases |
|---|---|---|---|---|
| Knowledge | Passwords, PINs, Security Questions | Low to Medium | High | Basic logins, password recovery |
| Possession | Smartphones, Security Tokens, OTPs, Smart Cards | Medium to High | Medium | Online banking, VPN access, application logins |
| Inherence | Fingerprint Scans, Facial Recognition, Voice Recognition, Iris Scans | High | Medium | Device unlock, physical access control, high-security application access |
| Location | Geo-fencing, IP Address Verification | Low to Medium | Medium | Restricting access based on geographical location or network |
| Behavior | Keystroke Dynamics, Gait Recognition | Medium | Low | Continuous authentication, fraud detection |

Table 2: Three-Level Authentication System Design

| Level | Primary Factor | Secondary Factor | Tertiary Factor | Security Level | Usability Level | Recommended Use Cases |
|---|---|---|---|---|---|---|
| 1 | Strong Password | SMS/Email OTP | N/A | Medium | High | General user access, low-sensitivity data |
| 2 | Strong Password | Authenticator App/Soft Token | N/A | High | Medium | Access to moderately sensitive data, standard business applications |
| 3 | Strong Password | Authenticator App/Soft Token | Biometric/Hardware Token | Very High | Low to Medium | Access to highly sensitive data, privileged accounts, critical infrastructure |

Table 3: Comparison of OTP Methods

| OTP Method | Security Strength | Usability | Implementation Complexity | Cost |
|---|---|---|---|---|
| SMS OTP | Low | High | Low | Low |
| Email OTP | Low to Medium | High | Low | Low |
| Authenticator Apps | High | Medium | Medium | Low |
| Hardware Tokens | High | Medium | Medium to High | Medium to High |

Table 4: Comparison of Biometric Authentication Methods

| Biometric Method | Security Strength | Usability | Hardware Requirements | Potential Challenges |
|---|---|---|---|---|
| Fingerprint | High | High | Scanner | Spoofing (less common with modern sensors) |
| Facial | Medium to High | High | Camera | Accuracy variations based on lighting, angle, similarity |
| Voice | Medium | Medium to High | Microphone | Background noise, voice similarity |
| Iris/Retina | Very High | Low | Specialized scanner | Intrusive, requires specific conditions |
| Vein | High | Medium | Specialized scanner | Less common, requires specific hardware |

8.0 Implementation and Result:

Authentication is relevant to multiple fields. In art, antiques and anthropology, a common
problem is verifying that a given artifact was produced by a certain person or in a certain
place or period of history. In computer science, verifying a user's identity is often required
to allow access to confidential data or systems.
Authentication can be considered to be of three types:
The first type of authentication is accepting proof of identity given by a credible person
who has first-hand evidence that the identity is genuine. When authentication is required
of art or physical objects, this proof could be a friend, family member or colleague
attesting to the item's provenance, perhaps by having witnessed the item in its creator's
possession. With autographed sports memorabilia, this could involve someone attesting
that they witnessed the object being signed. A vendor selling branded items implies
authenticity, while he or she may not have evidence that every step in the supply chain
was authenticated. Centralized authority-based trust relationships back most secure
internet communication through known public certificate authorities; decentralized peer-
based trust, also known as a web of trust, is used for personal services such as email or
files (Pretty Good Privacy, GNU Privacy Guard) and trust is established by known
individuals signing each other's cryptographic key at Key signing parties, for instance.
The second type of authentication is comparing the attributes of the object itself to what
is known about objects of that origin. For example, an art expert might look for
similarities in the style of painting, check the location and form of a signature, or
compare the object to an old photograph. An archaeologist, on the other hand, might use
carbon dating to verify the age of an artifact, do a chemical and spectroscopic analysis of
the materials used, or compare the style of construction or decoration to other artifacts of
similar origin. The physics of sound and light, and comparison with a known physical
environment, can be used to examine the authenticity of audio recordings, photographs, or
videos. Documents can be verified as being created on ink or paper readily available at
the time of the item's implied creation.
Attribute comparison may be vulnerable to forgery. In general, it relies on the facts that
creating a forgery indistinguishable from a genuine artifact requires expert knowledge,
that mistakes are easily made, and that the amount of effort required to do so is
considerably greater than the amount of profit that can be gained from the forgery.
In art and antiques, certificates are of great importance for authenticating an object of
interest and value. Certificates can, however, also be forged, and the authentication of
these poses a problem. For instance, the son of Han van Meegeren, the well-known art-
forger, forged the work of his father and provided a certificate for its provenance as well;
see the article Jacques van Meegeren.

Criminal and civil penalties for fraud, forgery, and counterfeiting can reduce the incentive
for falsification, depending on the risk of getting caught.
Currency and other financial instruments commonly use this second type of
authentication method. Bills, coins, and cheques incorporate hard-to-duplicate physical
features, such as fine printing or engraving, distinctive feel, watermarks, and holographic
imagery, which are easy for trained receivers to verify.
The third type of authentication relies on documentation or other external affirmations.
In criminal courts, the rules of evidence often require establishing the chain of custody of
evidence presented. This can be accomplished through a written evidence log, or by
testimony from the police detectives and forensics staff that handled it. Some antiques are
accompanied by certificates attesting to their authenticity. Signed sports memorabilia is
usually accompanied by a certificate of authenticity. These external records have their
own problems of forgery and perjury, and are also vulnerable to being separated from the
artifact and lost.
In computer science, a user can be given access to secure systems based on user
credentials that imply authenticity. A network administrator can give a user a password,
or provide the user with a key card or other access device to allow system access. In this
case, authenticity is implied but not guaranteed.
Consumer goods such as pharmaceuticals, perfume, fashion clothing can use all three
forms of authentication to prevent counterfeit goods from taking advantage of a popular
brand's reputation (damaging the brand owner's sales and reputation). As mentioned
above, having an item for sale in a reputable store implicitly attests to it being genuine,
the first type of authentication. The second type of authentication might involve
comparing the quality and craftsmanship of an item, such as an expensive handbag, to
genuine articles. The third type of authentication could be the presence of a trademark on
the item, which is a legally protected marking, or any other identifying feature which aids
consumers in the identification of genuine brand-name goods. With software, companies
have taken great steps to protect from counterfeiters, including adding holograms,
security rings, security threads and color shifting ink.
The ways in which someone may be authenticated fall into three categories, based on
what are known as the factors of authentication: something the user knows, something the
user has, and something the user is. Each authentication factor covers a range of elements
used to authenticate or verify a person's identity prior to being granted access, approving
a transaction request, signing a document or other work product, granting authority
to others, and establishing a chain of authority.
Security research has determined that for a positive authentication, elements from at least
two, and preferably all three, factors should be verified. The three factors (classes) and
some of the elements of each factor are:
• the knowledge factors: Something the user knows (e.g., a password, partial password,
pass phrase, personal identification number (PIN), challenge response (the user must
answer a question or pattern), security question).
• the ownership factors: Something the user has (e.g., wrist band, ID card, security token,
implanted device, cell phone with built-in hardware token, software token, or cell phone
holding a software token).
• the inherence factors: Something the user is or does (e.g., fingerprint, retinal pattern, DNA
sequence (there are assorted definitions of what is sufficient), signature, face, voice,
unique bio-electric signals, or other biometric identifier).
Authentication types
The most frequent types of authentication in use for authenticating online users
differ in the level of security provided by combining factors from one or more of the
three categories of factors for authentication:
Strong authentication
The U.S. government's National Information Assurance Glossary defines strong
authentication as a layered authentication approach relying on two or more authenticators
to establish the identity of an originator or receiver of information.
The European Central Bank (ECB) has defined strong authentication as "a procedure
based on two or more of the three authentication factors". The factors that are used must
be mutually independent and at least one factor must be "non-reusable and non-replicable",
except in the case of an inherence factor, and must also be incapable of being stolen off
the Internet. In the European, as well as in the US-American understanding, strong
authentication is very similar to multi-factor authentication or 2FA, but exceeds those
with more rigorous requirements.

Single-factor authentication
As the weakest level of authentication, only a single component from one of the three
categories of factors is used to authenticate an individual’s identity. The use of only one
factor does not offer much protection from misuse or malicious intrusion. This type of
authentication is not recommended for financial or personally relevant transactions that
warrant a higher level of security.

Multi-factor authentication
Multi-factor authentication involves two or more authentication factors (something you
know, something you have, or something you are). Two-factor authentication is a special
case of multi-factor authentication involving exactly two factors.
For example, using a bankcard (something the user has) along with a PIN (something the
user knows) provides two-factor authentication. Business networks may require users to
provide a password (knowledge factor) and a pseudorandom number from a security token
(ownership factor). Access to a very-high-security system might require a mantrap
screening of height, weight, facial, and fingerprint checks (several inherence factor
elements) plus a PIN and a day code (knowledge factor elements), but this is still a two-
factor authentication.
Gmail authentication
Turn on 2-Step Verification
With 2-Step Verification (also known as two-factor authentication), you add an
extra layer of security to your account in case your password is stolen. After you
set up 2-Step Verification, you’ll sign in to your account in two steps using:
• Something you know, like your password
• Something you have, like your phone

Activate 2-Step Verification

1. Open your Google Account.
2. In the navigation panel, select Security.
3. Under “Signing in to Google,” select 2-Step Verification > Get started.
4. Follow the on-screen steps.
Your account, [email protected], is associated with your work or school. If
you can’t set up 2-Step Verification, contact your administrator.
Verify it’s you with a second step
After you turn on 2-Step Verification, you’ll need to complete a second step to
verify it’s you when you sign in. To help protect your account, Google will request
that you complete a specific second step.
9.0 Conclusion:
The process of authorization is distinct from that of authentication. Whereas
authentication is the process of verifying that "you are who you say you are",
authorization is the process of verifying that "you are permitted to do what you are
trying to do". While authorization often happens immediately after authentication
(e.g., when logging into a computer system), this does not mean authorization
presupposes authentication: an anonymous agent could be authorized to a limited
action set. One familiar use of authentication and authorization is access control. A
computer system that is supposed to be used only by those authorized must attempt
to detect and exclude the unauthorized. Access to it is therefore usually controlled
by insisting on an authentication procedure to establish with some degree of
confidence the identity of the user, granting privileges established for that identity.
