**Multi-Party, Multi-Factor Authentication Lock**
- Shelby Doty (sdoty4)
- Noah Hill (noah5)
- Akshay Sundaram (akshay5)
Governments and government agencies, banks, hospitals, or companies may have rooms, safes, or vaults requiring controlled access to protect their contents. These areas and their contents are prone to physical security attacks such as severance of critical cables, theft of communication equipment, or theft of data servers. Existing methods to protect physical systems from malicious insiders include auditing, job rotation, and separation of duties. Auditing access to a restricted area is reactive and does not prevent unauthorized access from occurring. Job rotation and separation of duties only limit prolonged access to certain areas or physical systems.
Multi-factor authentication (MFA) is an electronic authentication method used to grant an individual access to an application or place only after successfully presenting multiple factors for verification purposes. Multi-party authorization (MPA) requires multiple individuals to authorize access to an application or place. An example of multi-party authorization usage occurs in banks when one accesses a lockbox. This requires both a bank official and the lockbox owner to act together to open the lockbox.
This project is the implementation of an electronic lock mechanism that provides a proactive approach to physical access control by employing both MFA and MPA methods. Access is granted only when a configurable number of individuals (multi-party) successfully authenticate with an inherence factor and a one-time token received via SMS text (multi-factor). The inherence authentication factor is a fingerprint. The mechanism is applicable to, for example, a lockbox in a bank. A bank lockbox already requires multiple parties to be present to gain access; however, the inherence authentication factor, the fingerprint, is not easily lost or misplaced as lockbox keys are.
- The mechanism unlocks only when connected to WiFi
- SMS texts are sent to all enrolled users when the authentication process is initiated
- SMS texts are sent to all enrolled users when the system loses then regains power
- The number of enrolled users and parties required to successfully authenticate (thus, disengaging the lock) are configurable
**Functionality upon initial boot and configuration**
Upon receiving power, the system connects to WiFi and prompts for the following parameters to be configured:
- Number of users to be enrolled
- Number of successful user authentications required to disengage the lock
One by one, each user is prompted to scan a fingerprint and enter their phone number.
**Control unit / authentication verification:**
When a user attempts to authenticate with a fingerprint, the fingerprint module will attempt to verify the user's identity and provide the ESP32 with the user's identity if successful, or inform the ESP32 that an unsuccessful authentication attempt was made.
The ESP32 uses Wi-Fi connectivity to provide the TCP client with the identity of the user that successfully authenticated via fingerprint or to notify it of a failed authentication attempt.
In case of successful biometric authentication, the ESP32 then awaits a one-time token, sent via SMS to the user, to be input on the tactile keypad. Access is granted or denied depending on whether the user inputs the correct token generated by the TCP client.
The ESP32 will control the LCD display and the servo motor for locking/unlocking.
This subsystem consists of the fingerprint sensor module for gathering biometric data and an LCD screen to display warnings and instructions.
- AS608 Optical Fingerprint Sensor Module for storage of biometric data, fingerprint scanning and digital signal processing
- LCD2004 Character-Type Liquid Crystal Display for user feedback regarding system status, authentication success/failure messages, remaining successful authentications before unlock, etc.
- D72 Tactile Keypad for user to enter one-time token received via SMS
**Mechanical relay & lock status indicator:**
This system will be responsible for the following: indicating to the user when the lockbox is locked and unlocked via LED indicators and a speaker beeping noise, and opening and closing the locking mechanism using a servo. Additionally, there will be a magnetic contact switch that, when triggered, sends a signal to relock the lockbox. Servo for lock mechanism:
- Red and green LEDs (from ECE lab kit)
- Speaker (from ECE lab kit)
- SG90 9g Micro Servo
- Magnetic contact switch (NTE Electronics, Inc 54-637)
- Connect to the ESP32 microcontroller as a TCP client to send and receive signals and data. Additionally, store logs of authentication attempts with timestamps on the server. The MicroPython network module can be used in Python by connecting to a Python socket.
- Initial setup will include connecting devices to the Wi-Fi network and storing initial configuration data. The web app can then authenticate data read after initial setup to send a lock or unlock signal to the controller. The application will also send SMS messages to the correct parties after fingerprint data has been authenticated.
- The application then sends the correct pincode to the ESP32 and the signal to wait for pincode authentication.
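The quorum and one-time-token flow described in the control unit and application sections can be sketched on the application side as follows. This is an added example, not the project's own code; the class and method names, the six-digit token, its lifetime and the attempt limit are assumptions, and the minimum of two parties is taken from the success criteria.

```python
import hmac
import secrets
import time

class QuorumLock:
    """k-of-n lock state: each party needs a fingerprint match plus an SMS token."""
    def __init__(self, enrolled, required, token_ttl=120, max_tries=3):
        if not 2 <= required <= len(set(enrolled)):
            raise ValueError("required must be between 2 and the number enrolled")
        self.enrolled = set(enrolled)
        self.required = required
        self.token_ttl, self.max_tries = token_ttl, max_tries  # assumed policy values
        self.pending = {}      # user -> [token, expiry, tries_left]
        self.verified = set()  # distinct users who passed both factors
        self.log = []          # (timestamp, user, event) audit trail

    def fingerprint_ok(self, user, now=None):
        """Factor 1 passed on the sensor: issue a token for SMS delivery."""
        now = time.time() if now is None else now
        if user not in self.enrolled or user in self.verified:
            self.log.append((now, user, "fingerprint_rejected"))
            return None        # unknown user, or a party trying to count twice
        token = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.random()
        self.pending[user] = [token, now + self.token_ttl, self.max_tries]
        self.log.append((now, user, "token_issued"))
        return token           # goes to the SMS gateway only, never to the LCD

    def submit_token(self, user, entered, now=None):
        """Factor 2 from the keypad. True means the quorum is complete."""
        now = time.time() if now is None else now
        entry = self.pending.get(user)
        if entry is None or now > entry[1]:
            self.pending.pop(user, None)
            self.log.append((now, user, "token_missing_or_expired"))
            return False
        if not hmac.compare_digest(entry[0].encode(), str(entered).encode()):
            entry[2] -= 1
            if entry[2] == 0:
                del self.pending[user]   # force a fresh fingerprint scan
            self.log.append((now, user, "token_wrong"))
            return False
        del self.pending[user]           # tokens are single use
        self.verified.add(user)
        self.log.append((now, user, "verified"))
        return len(self.verified) >= self.required

    def relock(self):  # magnetic contact switch triggered: discard all progress
        self.pending.clear()
        self.verified.clear()
```

The audit list mirrors the timestamped log of authentication attempts the server is meant to keep; the failure events are the ones that would trigger the SMS notification of a failed verification.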
**Criterion For Success**
- Lock and unlock after all parties (at least 2) have been verified
- Data written and stored is accurate
- Works plugged into an outlet and/or with battery back-up power
- Easy to use and straightforward web application / web server
- Sends message to parties when verification has failed