Authentication is one of the essential components of a security model and can be done in three ways (Rouse, 2017). First, knowledge factors are based on something the user must know; this includes usernames, IDs, passwords and PINs. Second, possession factors are based on something the user must have, such as one-time password (OTP) tokens, both soft and hard tokens. Third, inherence factors are based on something the user is or does. This includes biometrics such as fingerprint scans, facial recognition and
The use of mobile devices such as smartphones has evolved very quickly over recent years, and they have become a necessity for every individual. Smartphones support Internet services, so individuals can access any application via their smartphone. A self-service banking option called the Mobile banking application (M-Banking) has been offered by financial institutions for their customers' convenience. Clients can perform any financial service or transaction through the M-Banking application with their smartphone, anywhere and anytime, as long as they have network connectivity.
From the first stage of the questionnaire study (refer to Appendix A), distributed online, and its results (refer to Appendix B), the majority of mobile users in Brunei Darussalam use M-Banking on their smartphone. The most common authentication mechanisms used by financial institutes in Brunei Darussalam are numeric passwords, alphanumeric passwords, OTP (hard token), OTP (SMS) and subset-of-digits passwords. But these authentication methods may be prone to dictionary and brute-force attacks.
Most M-Banking authentication schemes use the same login method, PIN authentication, with a password such as the online banking or ATM password. Thus the password is predictable and vulnerable to guessing. Furthermore, online bank password schemes usually use a 6-digit number; the number of possible combinations to crack a 6-digit password is 1,000,000 (Password Depot, 2017).
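As an added illustration of the guessing exposure discussed above (example code, not part of the original study): the script compares the keyspace of the listed schemes, shows how a subset-of-digits challenge shrinks the space a single attempt faces, bounds an online guesser's success under a lockout policy, and flags predictable PINs with a heuristic dictionary check so they can be rejected at enrolment. The lockout value and the PIN heuristics are constructed assumptions, not values from any real bank.

```python
import string

ATTEMPTS_BEFORE_LOCKOUT = 5   # constructed policy value, not from any real bank

def keyspace(scheme, length=6, subset_k=None):
    """Number of secrets a guesser must cover for one login challenge.
    A subset-of-digits challenge asks for only k of the PIN's digits, so a
    single attempt faces just 10**k combinations, whatever the full length."""
    if scheme == "subset":
        return 10 ** subset_k
    alphabet = {"numeric": 10,
                "alphanumeric": len(string.ascii_letters + string.digits)}
    return alphabet[scheme] ** length

def guess_success_probability(space, attempts):
    """Chance that a uniformly random secret is hit within `attempts` online
    guesses before the lockout stops the attacker."""
    return min(1.0, attempts / space)

def is_predictable_pin(pin):
    """Heuristic dictionary check (constructed rules): flags PINs a guesser
    would try first, so the enrolment form can reject them."""
    if not pin.isdigit():
        raise ValueError("numeric PIN expected")
    if len(set(pin)) == 1:                               # 111111
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):                             # 123456, 654321
        return True
    if len(pin) == 6 and 1 <= int(pin[:2]) <= 31 and 1 <= int(pin[2:4]) <= 12:
        return True                                      # ddmmyy birth date
    return False

def risk_report(attempts=ATTEMPTS_BEFORE_LOCKOUT):
    """Per-scheme success probability within one lockout window."""
    spaces = {"6-digit numeric": keyspace("numeric", 6),
              "6-char alphanumeric": keyspace("alphanumeric", 6),
              "3-of-6 digit subset": keyspace("subset", subset_k=3)}
    return {name: guess_success_probability(s, attempts)
            for name, s in spaces.items()}

if __name__ == "__main__":
    for name, p in risk_report().items():
        print(f"{name:22s} P(success in {ATTEMPTS_BEFORE_LOCKOUT} tries) = {p:.2e}")
    print("123456 predictable:", is_predictable_pin("123456"))
```

The report makes the point that a 3-of-6 digit challenge gives an online guesser a thousand-fold better chance per lockout window than the full 6-digit PIN, which is why lockout and a predictable-PIN blacklist matter more for that scheme.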
To address this issue, many banks have recently adopted OTP (hardware token) as part of multi-factor authentication. Despite the fact that this method provides a fairly high level of security, many systems have not taken into consideration the need for a secure alternative login method whenever the hardware token is unavailable.