A two-factor authentication near-field communication (NFC) smartphone access control system is proposed in this paper as an emerging alternative to traditional authentication schemes. The authors combine the usage of digital key cryptography with a proprietary encryption steganography graphical password (ESGP) scheme on the assumption that humans remember images better than numbers.

The authors clearly present their idea and detail the proposed implementation, emphasizing the fact that the ESGP scheme is meant “to increase the security level of existing NFC smartphone access control systems.”

The enrollment phase of the system requires either the user’s photo, in any form, or a random object capture, which will represent the base for the stego-photo generation. Also, a graphical password is generated, after choosing a sequence of three pictures from a 3x3 grid of graphics. The password will serve as a symmetrical key, used to encrypt the access passcode. Finally, via steganography, the encrypted passcode is embedded into the initial picture.

During the authentication process, after initializing the NFC communication between the smartphone and the system NFC reader, each user must provide the graphical password selected during the registration process and then submit the correct stego-photo, chosen from his mobile phone. As the steganography technique is applied so that it doesn’t visibly alter the initial image, it is difficult for an attacker to forge both the digital password and the stego-photo. Upon successful extraction and decryption of the embedded passcode, the user is authenticated within the system.

Also, the paper details the hardware setup of the proposed architecture, used as an access control system for a door lock. This comprises an NFC reader, a controller, a stepper motor with door lock, and a central server, which hosts the user management application.

In the final section of the paper, the authors detail the evaluation of their system, done using a seven-point Likert scale and 40 volunteer participants, in order to measure the “usability, perceived vulnerability, and perceived security of the system.” The survey showed that the system gained a high level of acceptance, especially due to its two-factor authentication mechanism and the emerging graphical password steganography technique used.