
Introduction

Chapter 1

Introduction

It would be very useful if we could find an innovative way of accessing cloud services, which neither
involves memorizing dozens of alphanumeric combinations, nor adds layers of complexity for
users. For password-based authentication methods, their security is mainly determined by the
difficulty of guessing a user’s password. Unfortunately, passwords usually have low randomness
and are easier to guess than users think. To further enhance the security of password-based web
applications, a promising solution is to deploy a technology called two-factor or multifactor
authentication, in which a user is required to provide additional authentication information besides
passwords. The second piece of information is typically generated by a physical token such as RSA
SecurID or a software application such as Google Authenticator. If different service providers set up
their own two-factor authentication services, users may have to experience painful registration and
login processes repeatedly. A naive way to reduce users’ burden for holding multiple passwords
for different cloud services is to store users’ credentials in a single device or service, and use certain
key derivation functions to generate temporal passwords for sequential logins.
The other approach is to enrol in an Internet-scale identity system that defines standardized mechanisms
enabling the identity attributes of its users to be shared between web applications and cloud
services. A number of technologies and standards such as OpenID and OAuth have emerged to
deliver an Internet-scale identity system during the past few years. The basic idea of those identity
systems is to authenticate users with the aid of trusted Identity Providers (IDPs). Recently,
Bonneau et al. presented a comprehensive evaluation of two decades of proposals to replace text
passwords for general-purpose user authentication on the Internet. Their evaluation results have
demonstrated the difficulty of replacing passwords and highlighted the research challenges towards
designing a password-less login scheme. In this contribution, we propose this system, an innovative
security framework for password-less universal login. After an initial registration process, its
salient feature comes from the adoption of push message services for mobile devices and public-key
cryptography. Different from most existing login solutions, the servers in the system are not able
to generate users’ credentials. As a potential application of the system's security framework, we have
applied it to build a password-less mobile payment solution for tackling the recent Mint Chip
Challenges.

1.1 Project Overview

Password-less Authentication Using QR code is an idea to log in to an account without the use of a
password. That is, the user can log in to his/her online account without a password, as his/her
smartphone replaces the password. To log in, a user simply has to enter his/her User-Id and then scan,
using his/her smartphone, the QR code generated by the site. A QR code generated for a user will
not work if it is scanned by another smartphone.

Department of Computer Engineering, MGMCET, Kamothe Page 2


1.2 Problem statement

With the arrival of amazing cloud services and web applications, users frequently access services in
their daily lives. Nowadays, we are likely to have more than ten accounts for computers, email
accounts, websites, social networks, and various other cloud services, all with different passwords
and security policies. Memorizing all passwords is both arduous and annoying, so people often
end up using simple passwords, or constantly forgetting less frequently used ones.

1.3 Android

Android is a mobile operating system developed by Google, based on the Linux kernel and
designed primarily for touch-screen mobile devices such as smart-phones and tablets.
Android's user interface is mainly based on direct manipulation, using touch gestures that loosely
correspond to real-world actions, such as swiping, tapping and pinching, to manipulate on-screen
objects, along with a virtual keyboard for text input. In addition to touch-screen devices, Google
has further developed Android TV for televisions, Android Auto for cars and Android Wear for
wrist watches, each with a specialized user interface. Variants of Android are also used on game
consoles, digital cameras, PCs and other electronics. Initially developed by Android Inc., which
Google bought in 2005, Android was unveiled in 2007, along with the founding of the Open
Handset Alliance – a consortium of hardware, software, and telecommunication companies
devoted to advancing open standards for mobile devices. Android is popular with technology
companies that require a ready-made, low-cost and customizable operating system for high-tech
devices.

Beginning with the first commercial Android device in September 2008, the operating system has
gone through multiple major releases, with the current version being 8.0 "Oreo", released in August
2017. Android applications ("apps") can be downloaded from the Google Play store, which
features over 2.7 million apps as of February 2017. Android has been the best-selling OS on tablets
since 2013, and runs on the vast majority of smart-phones. As of May 2017, Android has two
billion monthly active users, and it has the largest installed base of any operating system.
Android's source code is released by Google under an open source license, although most Android
devices ultimately ship with a combination of free and open source and proprietary software,
including proprietary software required for accessing Google services. Android is popular with
technology companies that require a ready-made, low-cost and customizable operating system
for high-tech devices. Its open nature has encouraged a large community of developers and
enthusiasts to use the open-source code as a foundation for community-driven projects, which
deliver updates to older devices, add new features for advanced users or bring Android to devices
originally shipped with other operating systems. The extensive variation of hardware in Android
devices causes significant delays for software upgrades, with new versions of the operating system
and security patches typically taking months before reaching consumers, or sometimes not at all.
The success of Android has made it a target for patent and copyright litigation between technology
companies.

1.4 QR Code

QR code (abbreviated from Quick Response Code) is the trademark for a type of matrix
barcode (or two-dimensional barcode) first designed for the automotive industry in Japan. A
barcode is a machine-readable optical label that contains information about the item to which it is
attached. A QR code uses four standardized encoding modes (numeric, alphanumeric, byte/binary,
and kanji) to efficiently store data; extensions may also be used.

The QR code system became popular outside the automotive industry due to its fast readability and
greater storage capacity compared to standard UPC barcodes. Applications include product
tracking, item identification, time tracking, document management, and general marketing.
A QR code consists of black squares arranged in a square grid on a white background, which can
be read by an imaging device such as a camera and processed using Reed–Solomon error
correction until the image can be appropriately interpreted. The required data is then extracted from
patterns that are present in both horizontal and vertical components of the image.
QR codes have become common in consumer advertising. Typically, a smart-phone is used as a
QR code scanner, displaying the code and converting it to some useful form (such as a
standard URL for a website, thereby obviating the need for a user to type it into a web browser). The QR
code has become a focus of advertising strategy, since it provides a way to access a brand's website
more quickly than by manually entering a URL.
QR codes can be used on various mobile device operating systems. These devices support URL
redirection, which allows QR codes to send metadata to existing applications on the device. Many
paid or free apps are available with the ability to scan the codes and hard-link to an external URL.
QR codes can be used to log into websites: a QR code is shown on the login page on a computer
screen, and when a registered user scans it with a verified smartphone, they will automatically be
logged in. Authentication is performed by the smartphone which contacts the server. Google tested
such a login method in January 2012.
QR codes can be used to store bank account information or credit card information, or they can be
specifically designed to work with particular payment provider applications. There are several trial
applications of QR code payments across the world.

1.5 Password

A password is a word or string of characters used for user authentication to prove identity
or access approval to gain access to a resource (example: an access code is a type of password),
which is to be kept secret from those not allowed access. In modern times, user names and
passwords are commonly used by people during a log in process that controls access to protected
computer operating-systems, mobile-phones, cable-TV decoders etc.
A typical computer user has passwords for many purposes: logging into accounts, retrieving e-
mail, accessing applications, databases, networks, web sites, and even reading the morning
newspaper online. Passwords are used on websites to authenticate users and are usually maintained
on the Web server, meaning the browser on a remote system sends a password to the server (by
HTTP POST), the server checks the password and sends back the relevant content (or an access
denied message). This process eliminates the possibility of local reverse engineering as the code
used to authenticate the password does not reside on the local machine.
Transmission of the password, via the browser, in plaintext means it can be intercepted along its
journey to the server. Many web authentication systems use SSL to establish an encrypted session
between the browser and the server, and this is usually the underlying meaning of claims to have a
"secure Web site". This is done automatically by the browser and increases integrity of the session,
assuming neither end has been compromised and that the SSL/TLS implementations used are high
quality ones.

1.6 Passwordless Authentication

Passwordless authentication is a type of authentication where users do not need to login with
passwords. This form of authentication totally makes passwords obsolete. With this form of
authentication, users are presented with the options of either logging in simply via a magic link,
fingerprint, or using a token that is delivered via email or text message.

1.6.1 Benefits:

• Improve User Experience: The faster users can sign up and use your service, the more users
your app tends to attract. Users dread having to fill out forms and go through a rigorous
registration process. Imagine eliminating that extra five minutes of asking users to remember
their grandmother's maiden name as a security question. Passwordless authentication helps
improve user experience in this regard.
• Increase Security: Once you go Passwordless, there are no passwords to be hacked.
Let's take a look at Auth0's magic link implementation below:

Figure 1.1: Passwordless Authentication Sequence Diagram.

1.7 Applications

• Can replace Smart Card: A smart card requires a separate scanner to scan it. A smart card has
less storage compared to a QR code.
• Can replace Swipe Card: A swipe card can be cloned, but a QR code can’t be cloned. A swipe card
has no memory compared to a QR code.
• Secure way of transaction: The QR code is scanned through a camera-equipped hardware device,
therefore our system provides a more secure transaction.
• Cash Card: Transfer can also be done using a Cash Card, which is replicable to Demand Draft
and Cheque. The system will generate a Cash Card with a QR code providing secure authentication.
• It can also be used in shopping malls to scan products and add them to a cart.
• It can be used as a payroll system for industry.



Literature Review

Chapter 2

Literature Review

Android applications are written in the Java programming language. The Android SDK tools
compile the code along with any data and resource file into an Android package, an archive file
with an .apk suffix. All the code in a single .apk file is considered to be one application and is the file
that Android-powered devices use to install the application. Once installed on a device, each
Android application lives in its own security sandbox [1]. The Android operating system is a multi-
user Linux system in which each application is a different user. By default, the system assigns each
application a unique Linux user ID (the ID is used only by the system and is unknown to the
application). The system sets permissions for all the files in an application so that only the user ID
assigned to that application can access them. Each process has its own virtual machine (VM), so
an application's code runs in isolation from other applications.
Passwords are a commonly-used method of authentication. A unique sequence of characters is
presented to the system when identification is needed [2]. This sequence is then compared with a
stored sequence, perhaps after some transformation (e.g., encryption). A match provides the proof
of identity. One weakness with password systems is the choice of the password. If the choice of
possible characters to use in the password is too small, or if the overall length of the password is
too short, the password may be compromisable. Even a rich character set may not be sufficient to
create secure passwords if the combination of characters is restricted to an arbitrary set of
possibilities [3]. Thus, good password choice should avoid common words and names. For
password-based authentication methods, their security is mainly determined by the difficulty of
guessing a user’s password. Unfortunately, passwords usually have low entropy and are easier to
guess than users think. Password based authentication systems appear easy to implement, but are
vulnerable to attacks from two directions: losses caused by the theft of the database containing user
account credentials and weak passwords chosen by the users [4]. Many users choose very weak
passwords and often reuse the same password for multiple web sites. Breaches have been caused
where even experienced system administrators have chosen weak passwords. In fact, users are
unwilling to remember long and complex passwords, the sort they must use to be secure. Another
problem not often discussed with password based sites is that if a password is discovered by a third
party then the end-user is often unaware of the breach [5]. This is most evident in phishing attacks.
When a user forgets their password a new one must be generated for them as the password is not
stored by a properly written password based system. There are various mechanisms proposed for
handling forgotten passwords.
Due to the rapid advances in mobile communication technologies, QR code in the embedded
camera devices has been used as new input interfaces. The mobile phones with embedded camera
can capture the QR codes and decode them with software running on the phone. Meanwhile, there
are many advantages to using the QR code in mobile phones, such as omnidirectional readability and
error correction capability. For this reason, mobile phones adopt the QR code to support many
services nowadays such as booking tickets, paying a fee and URL reading.
Current login systems require a username and password for authentication. In this kind of
authentication, when the user tries to log in, the website/application asks for the username and password
of the user's account. If the user does not have an account, then he/she first needs to sign up to the site,
that is, has to create his/her account for using the website/application. It could be viewed as the user
registering his/her identity with the website/application. For the first step of the registration process the
user has to give the requested personal information such as name, address, phone number, email ID, etc.

The information here is requested by the website/application itself and is normally entered by the user
with the help of text boxes. This data is saved in a database and can later be used to optimize the
experience of using our software for users [6]. In the second step the user has to choose a username
(User-ID) and a password. The username should be unique within the website/application, that
is, no two users of the website/application should have the same User-ID, and the password should be
hidden from others, that is, no one other than the user should know his/her password. If a user selects a
User-ID which has already been selected by another existing user, the website/application should tell
the user that the User-ID he/she wishes to select has already been taken by another user.
The website/application should also determine the strength of the password, which depends upon
the characters used in the password, and provide corresponding feedback to the user, which will help the
user choose his/her password. Registration on some websites/applications is completed at this step,
while some websites/applications mail an activation link as their next and final step. The
website/application, after getting all the information about the registering user, sends an activation link to
the user's email ID, and the user just has to access his/her email and click on the activation link, which
activates the user's account. The purpose of the activation link (when used) is not to increase the security
of the user's account, but rather to make it more difficult for an attacker to automate the process of signing
up to the forum [7]. Now, since the registration process is completed, the user can easily log in to his/her
account by using his/her User-ID and password. The User-ID and password are the two parameters of the
user's account that identify and authenticate him/her, as the username is unique to an account and the
password is known only to the user himself/herself. Some websites/applications give the option of using an
email ID and/or phone number in place of the User-ID.
Google has launched two-step verification for accessing Google accounts. In two-step verification,
after the user gives his/her User-ID and password, a six-digit One Time Password (OTP) is sent to the user
via SMS, which means the user receives a six-digit OTP on his/her cell phone. Now, to log in, the user has to
type this OTP at the website/application [7]. Although this method is more effective than the standard
authentication process, it has a drawback: if the user's phone is out of network coverage, the user will not
receive the OTP and he/she will not be able to log in to his/her account.


Chapter 3

System Analysis

3.1 Existing System

The typical sequence for registering and logging on to a web site forum normally follows these sorts
of steps:
1. The user chooses to register on the web site.
2. A registration form captures a minimum of the following:
• A user name.
• The desired password.
• The contact email address.
3. An email is then sent to the user containing an activation link.
4. The user clicks on the activation link.
5. The user can now log in to the site using their user name and password.
6. The user has access to the site as an authenticated visitor.
The purpose of the activation link (when used) is not to increase the security of the user’s account,
but rather to make it more difficult for an attacker to automate the process of signing up to the
forum. Password based authentication systems appear easy to implement, but are vulnerable to
attacks from two directions: losses caused by the theft of the database containing user account
credentials and weak passwords chosen by the users. Many users choose very weak passwords and
often reuse the same password for multiple web sites. Breaches have been caused where even
experienced system administrators have chosen weak passwords. In fact, users are unwilling to
remember long and complex passwords, the sort they must use to be secure. Although there is a
large amount of advice available to developers on how to more securely manage passwords (i.e.
the use of salts and good quality hashing algorithms), many high profile sites have failed to look
after user passwords until after there has been a breach. For example, the popular news aggregating
web site Reddit, http://www.reddit.com/, lost an undisclosed number of passwords when part of a
backup was stolen. The disclosure was caused by an ill-advised “feature” whereby users would
be able to recover their original password rather than having a new one sent to them. Another
problem not often discussed with password based sites is that if a password is discovered by a third
party then the end-user is often unaware of the breach. This is most evident in phishing attacks.
When a user forgets their password a new one must be generated for them as the password is not
stored by a properly written password based system. There are various mechanisms proposed for
handling forgotten passwords.
• Regenerate a new password and email that to the user.
• Generate a password reset token and email that to the user.
The proposed system is structurally very similar, except that the user is never asked to either choose or
enter a password. Because the user doesn’t need to remember or choose a password, a much longer
password can be chosen by the system.

3.2 Proposed system

The proposed system as an end user sees it consists of the following steps:
1. The user chooses to register on the web site.
2. A registration form captures a minimum of the following:
• A user name.
• The contact email address.
3. Generating QR code using username.

Figure 3.1: QR code

4. Please Scan QR code using our android App.

Figure 3.2: Scan QR code

5. The user has access to the site as an authenticated visitor.


From a user’s perspective the system appears simpler and there is no password to remember. The
account however becomes tied to the browser that they used when they followed the QR code
value. Although this tying of the account to the browser may seem inconvenient, for some use cases
it is an advantage. For example, access to extranets can be tied to a business computer. Simple
implementations would limit a user to a single browser at a time, but it is possible to allow multiple
browsers.
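
One way the server side of this flow could bind each displayed QR code to a single login attempt and a single enrolled phone, so that a code scanned by another smartphone is rejected (added example, not the project's code). Assumptions: the per-device key, the `user|nonce` payload layout, the 60-second lifetime and all names are hypothetical; HMAC with a key enrolled at registration stands in for the public-key signature mentioned in the introduction, because only the Python standard library is used.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL_SECONDS = 60  # assumed lifetime of a displayed QR code


def phone_response(device_key: bytes, qr_payload: str) -> str:
    """What the enrolled phone sends after scanning: a MAC over the QR payload."""
    return hmac.new(device_key, qr_payload.encode(), hashlib.sha256).hexdigest()


class QrLoginServer:
    """Hypothetical server-side state for QR logins (in-memory for the example)."""

    def __init__(self):
        self.device_keys = {}  # user_id -> key enrolled when the phone registered
        self.pending = {}      # nonce -> (user_id, expires_at)

    def register_device(self, user_id: str) -> bytes:
        """Registration: create the secret that only this user's phone will hold."""
        key = secrets.token_bytes(32)
        self.device_keys[user_id] = key
        return key

    def new_challenge(self, user_id: str, now=None) -> str:
        """Login step: build the text that gets rendered as the QR code."""
        if user_id not in self.device_keys:
            raise KeyError("user has no enrolled phone")
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(16)  # unpredictable, never contains '|'
        self.pending[nonce] = (user_id, now + CHALLENGE_TTL_SECONDS)
        return f"{user_id}|{nonce}"

    def verify(self, qr_payload: str, tag: str, now=None) -> str:
        """Check the phone's answer; every challenge is consumed on first use."""
        now = time.time() if now is None else now
        user_id, _, nonce = qr_payload.rpartition("|")
        entry = self.pending.pop(nonce, None)  # pop: a replay finds nothing
        if entry is None or entry[0] != user_id:
            return "unknown_challenge"
        if now > entry[1]:
            return "expired"
        key = self.device_keys.get(user_id)
        if key is None:
            return "bad_device"
        expected = phone_response(key, qr_payload)
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(expected, tag):
            return "bad_device"
        return "ok"


def demo():
    """Constructed walk-through: correct phone, replay, wrong phone, stale code."""
    server = QrLoginServer()
    alice_phone = server.register_device("alice")
    other_phone = server.register_device("bob")
    results = []
    qr = server.new_challenge("alice", now=1000)
    results.append(server.verify(qr, phone_response(alice_phone, qr), now=1010))
    results.append(server.verify(qr, phone_response(alice_phone, qr), now=1011))
    qr = server.new_challenge("alice", now=2000)
    results.append(server.verify(qr, phone_response(other_phone, qr), now=2001))
    qr = server.new_challenge("alice", now=3000)
    results.append(server.verify(qr, phone_response(alice_phone, qr), now=3061))
    return results


if __name__ == "__main__":
    print(demo())
```

A photographed or copied QR code is useless without the device key, and a captured response cannot be replayed because the nonce is discarded on the first verification attempt.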

3.3 Encryption and Decryption

Encryption

Encryption is the process of encoding a message or information in such a way that only
authorized parties can access it and those who are not authorized cannot. Encryption does not itself
prevent interference, but denies the intelligible content to a would-be interceptor. In an encryption
scheme, the intended information or message, referred to as plaintext, is encrypted using an
encryption algorithm (a cipher), generating ciphertext that can be read only if decrypted.

Decryption

Decryption is the process of transforming data that has been rendered unreadable through
encryption back to its unencrypted form. In decryption, the system extracts and converts the garbled
data and transforms it to texts and images that are easily understandable not only by the reader but
also by the system. Decryption may be accomplished manually or automatically. It may also be
performed with a set of keys or passwords.

AES

Advanced Encryption Standard (AES for short), also known as Rijndael, is a 128-bit encryption
technique developed by the US National Institute of Standards and Technology (NIST) in 2001. AES is
a subset of the Rijndael cipher, which was proposed and developed by Vincent Rijmen and Joan Daemen.
It replaced the Data Encryption Standard (DES for short) and it does not use a Feistel network like its
predecessor, DES. It supports cipher keys of three different sizes, 128, 192 and 256 bits,
but it divides the data to be encrypted into blocks of 128 bits. It is a symmetric key algorithm.


Fig 3.3: AES encryption and decryption


According to the designers of AES, it has three main features:
1. Symmetric and parallel.
2. Adapted to modern processors.
3. Suited to smart cards.
The following steps are performed in the AES algorithm while encrypting data:
1. Key Expansions: In AES the actual cipher key given to the algorithm is not used for encrypting or
decrypting data. 128-bit keys are generated for each round. The number of keys generated is
equal to the number of rounds in the process plus one final round. In this step, the cipher key is
expanded and divided into a number of 4x4 arrays.
2. Initial Round: In this round the 16-byte plain text is simply copied into a 4x4 array called the state.
• Add Round Key: Now each byte of the state is combined with the round key using bitwise XOR.
3. Rounds: The following steps are performed.

Sub-Bytes

In the Sub-Bytes step, each byte in the state matrix is replaced with a Sub-Byte using an 8-bit
substitution box, the Rijndael S-box. This operation provides the non-linearity in the cipher.
The S-box used is derived from the multiplicative inverse over GF(2^8), known to have good
non-linearity properties. To avoid attacks based on simple algebraic properties, the S-box is constructed
by combining the inverse function with an invertible affine transformation. The S-box is also
chosen to avoid any fixed points (and so is a derangement), and also any opposite fixed points.
While performing the decryption, the InvSub-Bytes step (the inverse of Sub-Bytes) is used, which
requires first taking the inverse of the affine transformation and then finding the multiplicative
inverse.

Fig 3.4: Sub-Bytes

ShiftRows

The ShiftRows step operates on the rows of the state; it cyclically shifts the bytes in each row by a
certain offset. For AES, the first row is left unchanged. Each byte of the second row is shifted one
to the left. Similarly, the third and fourth rows are shifted by offsets of two and three respectively.
For blocks of sizes 128 bits and 192 bits, the shifting pattern is the same. Row n is shifted left
circular by n-1 bytes. In this way, each column of the output state of the ShiftRows step is
composed of bytes from each column of the input state. (Rijndael variants with a larger block size
have slightly different offsets). For a 256-bit block, the first row is unchanged and the shifting for
the second, third and fourth row is 1 byte, 3 bytes and 4 bytes respectively—this change only
applies for the Rijndael cipher when used with a 256-bit block, as AES does not use 256-bit blocks.
The importance of this step is to avoid the columns being encrypted independently, in which case
AES degenerates into four independent block ciphers.

Fig 3.5: Shift Row

MixColumns

In the MixColumns step, the four bytes of each column of the state are combined using an
invertible linear transformation. The MixColumns function takes four bytes as input and outputs four
bytes, where each input byte affects all four output bytes. Together
with ShiftRows, MixColumns provides diffusion in the cipher. During this operation, each column is
transformed using a fixed matrix (matrix left-multiplied by column gives new value of column in
the state).

Fig 3.6: MixColumns

Add Round Key:

In the Add Round Key step, the subkey is combined with the state. For each round, a subkey is
derived from the main key using Rijndael's key schedule; each subkey is the same size as the state.
The subkey is added by combining each byte of the state with the corresponding byte of the subkey
using bitwise XOR.

Fig 3.7: Add Round Key

Final Round (no MixColumns)

The final round is the last round in AES. It is just like a normal round, but for this round we do not perform
the Mix Columns step. The steps performed in the final round are as follows:
1. Sub-Bytes
2. Shift Rows
3. Add Round Key.

3.4 Hardware and Software Requirement

Hardware Requirement
• Minimum: Pentium IV or above
• RAM: 512MB
• Android based smartphone
• HDD: 20GB or more

Software Requirement
• XAMPP
• Internet Browser
• OS: Windows XP, 7, 8 or 10
• Minimum Android version 4.0
• Android Studio
• Android SDK version 22



System Design

Chapter 4

System Design

4.1 Data Flow Diagram

A data flow diagram (DFD) is a graphical representation of the "flow" of data through an
information system, modeling its process aspects. A DFD is often used as a preliminary step to
create an overview of the system without going into great detail, which can later be elaborated. A
DFD shows what kind of information will be input to and output from the system, how the data
will advance through the system, and where the data will be stored. Data flow diagrams are one of
the three essential perspectives of the structured-systems analysis and design method SSADM. The
sponsor of a project and the end users will need to be briefed and consulted throughout all stages
of a system's evolution. With a data flow diagram, users are able to visualize how the system will
operate, what the system will accomplish, and how the system will be implemented. The old
system's data flow diagrams can be drawn up and compared with the new system's data flow
diagrams to draw comparisons to implement a more efficient system.

DFD Level 0

Figure 4.1: Context Level DFD

DFD Level 1

Figure 4.2: Data Flow Diagram of system

4.2 Sequence Diagram

A sequence diagram is an interaction diagram that shows how objects operate with one another and
in what order. It is a construct of a message sequence chart. A sequence diagram shows object
interactions arranged in time sequence. It depicts the objects and classes involved in the scenario
and the sequence of messages exchanged between the objects needed to carry out the functionality
of the scenario.
The figures show some important use-case system sequence diagrams. In each diagram, we provide
two methods to help the user control the system: the black arrow means the user completes the
processes by button and the blue arrow means the user completes the processes by voice control.


Participants: user, web server, database. Messages in order:
1: enter user details
2: validation
3: Generate QR code
4: scan QR code
5: send U_ID
6: set password
7: login
8: check details
9: scan QR code
10: QR code and U_ID matches
11: server access
12: data upload and download
13: store and retrieve data

Figure 4.3: Sequence Diagram

4.3 Flow Chart

Flowcharts are used in designing and documenting simple processes or programs. Like other types
of diagrams, they help visualize what is going on and thereby help understand a process, and
perhaps also find less-obvious features within the process, like flaws and bottlenecks. There are
different types of flowcharts: each type has its own set of boxes and notations. The two most
common types of boxes in a flowchart are:
• a processing step, usually called an activity, and denoted as a rectangular box
• a decision, usually denoted as a diamond.

A flowchart is described as "cross-functional" when the chart is divided into different vertical or
horizontal parts, to describe the control of different organizational units. A symbol appearing in a
particular part is within the control of that organizational unit. A cross-functional flowchart allows
the author to correctly locate the responsibility for performing an action or making a decision, and
to show the responsibility of each organizational unit for different parts of a single process.


Figure 4.4: Flow chart

4.4 Architecture Diagram

A system architecture or systems architecture is the conceptual model that defines the structure,
behaviour, and more views of a system. An architecture description is a formal description and
representation of a system, organized in a way that supports reasoning about the structures and
behaviour of the system.
A system architecture can comprise system components and the sub-systems developed, which will
work together to implement the overall system. There have been efforts to formalize languages to
describe system architecture; collectively, these are called architecture description languages
(ADLs).

Figure 4.5: Architecture Diagram

Chapter 5

Result

Fig 5.1: User Login/Sign up page


Fig 5.2: Android App homepage

Fig 5.3: Sign up before scanning


Fig 5.4: Scanning QR code using Android App

Fig 5.5: Sign up page after scanning


Fig 5.6: Homepage

Fig 5.7: Login using Username


Fig 5.8: Uploaded files

Chapter 6

Conclusion and Future Scope

It is possible to improve the current process of identification and authentication, and to reduce the
burden on the user of remembering different passwords for different website accounts, by implementing
QR codes for authentication, as this makes logging in and signing up as simple as scanning
a QR code generated on the website with his/her smartphone.
Even though the Password-less Authentication System using QR code has been implemented for
websites, it still has potential to be developed for offline computer applications. Further, the app on
the user's smartphone can be developed to scan the generated QR code even when the phone is not connected
to the internet.

Acknowledgement

We would like to express our gratitude to all those who helped us reach our goal; it would not have
been possible without the kind support and help of many individuals and organizations. We would
like to extend our sincere thanks to all of them.
We are also thankful to Dr. S. K. Narayankhedkar, Principal, Mahatma Gandhi Mission’s
College of Engineering and Technology, Navi Mumbai, for his encouragement and for providing
an outstanding academic environment.
We are also thankful to Dr. K. Sankar, H.O.D, Computer Department, Mahatma Gandhi Mission’s
College of Engineering and Technology, Navi Mumbai, for his guidance, encouragement and
support during our project. We would like to thank all the staff members for their valuable
co-operation and for permitting us to work in the computer labs.
We are using this opportunity to express our gratitude to everyone who supported us throughout
the process of this B.E project. We are highly indebted to Mrs. Rajashree Sonawale for the
guidance and constant supervision as well as for providing necessary information regarding the
project and also for her support in completing the project. We are thankful for her aspiring guidance,
invaluable constructive criticism and friendly advice during the project. We are sincerely grateful
to her for sharing truthful and illuminating views on the number of issues related to this project.
Special thanks to our colleagues and friends for providing us useful comments and continuous
encouragement. Finally, we would like to thank our family, our parents for supporting us spiritually
throughout our career and for their support and endurance during this work.

Mr. Sahil Khatate, UID (114CP1202A)
Mr. Soham Karnik, UID (114IT1365A)
Mr. Nikhil Kamthe, UID (114CP1322A)
