
Multi Factor Authentication Using Mobile Phones
F. Aloul, S. Zahidi, W. El-Hajj

OTP Algorithm

In order to secure the system, the generated OTP must be hard to guess, retrieve, or trace by hackers. Therefore, it's very important to develop a secure OTP generating algorithm. Several factors can be used by the OTP algorithm to generate a difficult-to-guess password. Users seem to be willing to use simple factors such as their mobile number for services such as authorizing mobile micropayments [9, 14]. Note that these factors must exist on both the mobile phone and server in order for both sides to generate the same password. In the proposed design, the following factors were chosen:

1. IMSI number: The term stands for International Mobile Subscriber Identity, which is a unique number associated with all GSM and Universal Mobile Telecommunications System (UMTS) network mobile phone users. It is stored in the Subscriber Identity Module (SIM) card in the mobile phone. An IMSI is usually 15 digits long. The first 3 digits are the Mobile Country Code, and are followed by the Mobile Network Code (MNC). The remaining digits are the mobile subscriber identification number (MSIN) within the network's customer base. This number will also be stored in the server's database for each client.
2. Username: Although no longer required because the IMEI will uniquely identify the user anyway, this is used together with the PIN to protect the user in case the mobile phone is stolen.
3. Hour: This allows the OTP generated each hour to be unique.
4. Minute: This would make the OTP generated each minute unique; hence the OTP would be valid for one minute only, which might be inconvenient to the user. An alternative solution is to only use the first digit of the minute, which will make the password valid for ten minutes and will be more convenient for the users, since some users need more than a minute to read and enter the OTP. Note that the software can be modified to allow the administrators to select their preferred OTP validity interval.
5. Day: Makes the OTP set unique to each day of the week.
6. Year/Month/Date: Using the last two digits of the year and the date and month makes the OTP unique for that particular date.

The time is retrieved by the client and server from the telecommunication company. This will ensure the correct time synchronization between both sides.

The above factors are concatenated and the result is hashed using SHA256, which returns a 256 bit message. The message is then XOR-ed with the PIN replicated to 256 characters. The result is then Base64 encoded, which yields a 28 character message. The message is then shrunk to an administrator-specified length by breaking it into two halves and XOR-ing the two halves repeatedly. This process results in a password that is unique for a ten minute interval for a specific user. Keeping the password at 28 characters is more secure but more difficult to use by the client, since the user must enter all 28 characters to the online webpage or ATM machine. The shorter the OTP message the easier it is for the user, but also the easier it is to be hacked. The proposed system gives the administrator the advantage of selecting the password's length based on his preference and security needs.

A detailed breakdown of the generation process is illustrated through the example below. Assume the following system parameters:

1. Username = N81z
2. IMSI = 12345678912345
3. Time of Generation = 7/6/2009 11:02 AM

The generation then proceeds as follows:

1. The factors are concatenated giving the following: 110Sun0967N81z123456 . . . 7891234563690e6a (length depends on the length of the username)
2. The result is hashed using SHA-256 to give: E6D15D80FB90A1801235 . . . E8F23DBB815E12
3. The two hashes obtained above are XOR-ed to give: 8CDF5D80919EA180783BCA2 . . . DD18F5E12
4. We then shrink the above hash to half its length by XOR-ing the leftmost byte with the rightmost byte and so on to obtain: 9E81D251AC6C47A50B4D2EE38799B666
5. The result is then XOR-ed with the PIN hash again to give: F48FD251C66247A561432EE3ED97B666
6. The result is then shrunk again using the same bytewise XOR-ing process and then rehashed with the PIN. This process is repeated till the hash is shrunk to the desired length, which in our case was 8 characters, and gives: 3C330999
7. The result is then encoded using base-64 encoding to give the final OTP: PDMJmQ==
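The generation steps above, in the order the worked example uses (shrink first, Base64 last), as an added Python sketch that is not the authors' code. The factor layout is inferred from the example's concatenated string; the 24-hour clock, the ASCII replication of the PIN and the sample PIN are assumptions.

```python
import base64
import hashlib
from datetime import datetime

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")

def factor_string(imsi: str, username: str, when: datetime) -> str:
    # Assumed layout, inferred from the worked example's concatenated string:
    # hour, first minute digit, weekday, 2-digit year, month, date, username, IMSI.
    return (f"{when.hour}{when.minute // 10}{DAYS[when.weekday()]}"
            f"{when.year % 100:02d}{when.month}{when.day}{username}{imsi}")

def pin_mask(pin: str, size: int) -> bytes:
    # The PIN replicated to the size of the value it is XOR-ed with (ASCII assumed).
    raw = pin.encode("ascii")
    return (raw * (size // len(raw) + 1))[:size]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def fold(data: bytes) -> bytes:
    # Halve the value: leftmost byte XOR rightmost byte, then move inward.
    return bytes(data[i] ^ data[-1 - i] for i in range(len(data) // 2))

def encode(state: bytes) -> str:
    return base64.b64encode(state).decode("ascii")

def generate_otp(imsi, username, pin, when, hex_len=8):
    # hex_len: administrator-chosen length before encoding, in hex characters
    # (a power of two up to 64), matching the 8-character value in the example.
    state = hashlib.sha256(factor_string(imsi, username, when).encode()).digest()
    state = xor(state, pin_mask(pin, len(state)))
    while len(state) * 2 > hex_len:
        state = fold(state)
        state = xor(state, pin_mask(pin, len(state)))
    return encode(state)

# Username, IMSI and time come from the worked example; the PIN "4821" is
# a constructed value for this demo.
SAMPLE_TIME = datetime(2009, 6, 7, 11, 2)
SAMPLE = ("12345678912345", "N81z", "4821")

if __name__ == "__main__":
    # 11:02 and 11:09 share a ten-minute window; 11:10 starts the next one.
    for minute in (2, 9, 10):
        t = SAMPLE_TIME.replace(minute=minute)
        print(t.strftime("%H:%M"), generate_otp(*SAMPLE, t))
```

Because only the first digit of the minute enters the hash, client and server agree on the OTP only if their clocks fall in the same ten-minute window, which is why the design takes the time from the telecommunication company on both sides.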
