The administrator’s login page on a web application is very important since it is the entry point to the whole system. Login pages that are not secured greatly endanger the data and information in web applications. Authentication is one of the most important methods for web security. Username and password are the two parameters commonly used for two-factor authentication on the admin’s login page. However, both authentication parameters can be breached, leaving a vulnerability gap that enables malicious activities. For example, attackers can use it to commit crimes such as data modification or theft, or, even more dangerously, to take over the administrator services of a system. Therefore, it is necessary to improve the authentication mechanism on the admin’s login page by adding a factor other than username and password. The login process on the admin’s page consists of three stages, i.e. identification, authentication and authorization. The admin’s login page serves all three stages so that the system can be accessed only by the true admins and not by malicious ones. The identification process checks whether the user’s username has been registered in the user database. Next, the authentication process compares the password entered by the user with the password stored in the database. Finally, the authorization process checks the status of the user’s access
rights to resources. For short, all three stages together are commonly called authentication. In this study, we propose the use of the MAC address as an additional parameter to improve the security of the authentication mechanism. The Address Resolution Protocol (ARP) is used to map the user’s IP address to the MAC address in the validation process. The use of the MAC address as an authentication parameter aims to increase the security of the web application. If the username and password are stolen or otherwise known by unauthorized parties, they cannot use them on the admin’s login page without the true MAC address. The idea is that the MAC address varies on each device, which makes it unique and gives it potential as an authentication factor. To enter a system as an administrator, a user is required to use a device with a registered MAC address. In this case, the use of the MAC address as an access control on the admin’s login page can be implemented on the internal network.
This study used the experimental method, a method commonly used to compare the condition of the subject before and after treatment. The treatment carried out in this study is the implementation of MAC address access control on the administrator login page. The idea of implementing the MAC address in this study is given in Figure 1 with the following explanation. The security of an administrator login page that only uses a username and password can be broken if the password is leaked, so another authentication parameter needs to be added to the login page. In this study, the additional parameter is the MAC address. After the MAC address implementation, a series of tests is carried out on the login page with a simple dictionary attack and a shoulder surfing attack scenario.
The flow of the MAC address implementation for authentication on the login page is given in Figure 2. On the login page, the admin enters a username and password. Then the system checks the MAC address of the admin. If the MAC address does not match, the access request is denied. If the MAC address is appropriate, the system continues by checking the username and password. If the username and password match, access is granted; otherwise access is denied. The attack simulation in this study was done by dictionary attack and shoulder surfing attack, and the flow of the attacks is given in Figure 3. In the dictionary attack, a list of alleged usernames and passwords is submitted to the login form to test whether the security system holds. The dictionary attack was done using the Burp Suite tools [https://portswigger.net/burp]. If the MAC address condition is true, the flow continues to the username and password validation. Then, if the username and password are valid, it continues to the administrator web page. If the condition is not true, the process is repeated from the login page.
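The following is an added example, not code from the paper, that implements the Figure 2 flow as a single login handler: the client's IP address is mapped to a MAC address through the operating system's ARP table, the MAC is checked against the registration for that account first, and only then are the username and password validated. It also counts failed attempts per (username, IP) pair so that the burst of failures produced by a dictionary attack, as in the Figure 3 test, can be flagged. The ARP table text, IP and MAC addresses, account name, salt and password are all constructed sample values; the `/proc/net/arp` layout and the `0x2` "complete" flag are the real Linux format, but everything else (function names, the `ADMINS` store, the threshold) is an assumption of this example. As the paper notes, the MAC is only observable via ARP on the same internal network segment, which is why the handler refuses clients whose IP has no resolved entry.

```python
import hashlib
import hmac

# Constructed sample of a Linux ARP table (same column layout as /proc/net/arp).
# Addresses are made up for this example. Flags 0x2 = ATF_COM (resolved entry);
# the 0x0 row is an incomplete entry with no hardware address yet.
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.10.21    0x1         0x2         AA:BB:CC:DD:EE:01     *        eth0
192.168.10.22    0x1         0x2         aa:bb:cc:dd:ee:02     *        eth0
192.168.10.99    0x1         0x0         00:00:00:00:00:00     *        eth0
"""


def parse_arp_table(text):
    """Return {ip: mac} from /proc/net/arp-style text, skipping unresolved rows."""
    table = {}
    for line in text.splitlines()[1:]:          # first line is the header
        parts = line.split()
        if len(parts) < 4:
            continue
        ip, flags, mac = parts[0], parts[2], parts[3].lower()
        if int(flags, 16) & 0x2 == 0 or mac == "00:00:00:00:00:00":
            continue                             # no resolved hardware address
        table[ip] = mac
    return table


def hash_password(password, salt):
    """Salted PBKDF2 so the stored value is not the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed admin registration: one account bound to one device MAC.
ADMIN_SALT = bytes.fromhex("0011223344556677")
ADMINS = {
    "admin": {
        "salt": ADMIN_SALT,
        "hash": hash_password("correct horse battery staple", ADMIN_SALT),
        "mac": "aa:bb:cc:dd:ee:01",
    }
}
# Dummy record used for unknown usernames so the work done (and its timing)
# is the same whether or not the username exists. Its all-zero MAC can never
# match, because parse_arp_table() drops all-zero entries.
DUMMY = {"salt": ADMIN_SALT, "hash": hash_password("dummy", ADMIN_SALT),
         "mac": "00:00:00:00:00:00"}


def authenticate(username, password, client_ip, arp_table, admins=ADMINS):
    """Figure 2 order: resolve MAC, check MAC, then check username/password.
    Returns (granted, reason)."""
    mac = arp_table.get(client_ip)
    if mac is None:
        return False, "client IP has no resolved MAC (not on local segment)"
    account = admins.get(username, DUMMY)
    # Constant-time comparisons for both checks; both are always computed.
    mac_ok = hmac.compare_digest(mac, account["mac"])
    pw_ok = hmac.compare_digest(hash_password(password, account["salt"]),
                                account["hash"])
    if not mac_ok:
        return False, "MAC address not registered for this account"
    if username not in admins or not pw_ok:
        return False, "invalid username or password"
    return True, "access granted"


class AttemptCounter:
    """Counts consecutive failures per (username, client IP). A run of failures
    from one source is the signature of a dictionary attack on the form."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.failures = {}

    def record(self, username, client_ip, granted):
        """Record an outcome; return True when the threshold is reached."""
        key = (username, client_ip)
        if granted:
            self.failures.pop(key, None)
            return False
        self.failures[key] = self.failures.get(key, 0) + 1
        return self.failures[key] >= self.threshold


def simulate_dictionary_attack(wordlist, client_ip, arp_table, threshold=5):
    """Replay a constructed wordlist against one account from one device and
    report whether any guess was granted and whether the counter flagged it."""
    counter = AttemptCounter(threshold)
    flagged = False
    for guess in wordlist:
        granted, _ = authenticate("admin", guess, client_ip, arp_table)
        if granted:
            return True, flagged
        flagged = counter.record("admin", client_ip, granted) or flagged
    return False, flagged


if __name__ == "__main__":
    arp = parse_arp_table(SAMPLE_ARP_TABLE)
    print(authenticate("admin", "correct horse battery staple", "192.168.10.21", arp))
    print(authenticate("admin", "correct horse battery staple", "192.168.10.22", arp))
```

Run from the registered device (`192.168.10.21`) the correct password is granted; from another device on the segment (`192.168.10.22`) the same username and password are refused at the MAC step, which is the outcome the paper reports for its attack test. A real deployment reads `/proc/net/arp` (or `ip neigh`) on the server rather than the embedded sample and must take the client IP from the socket, not from a request header.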
An access control experiment has been carried out by applying a MAC address and testing the system with simple attack scenarios, a dictionary attack and a shoulder surfing attack. From the results of the design, experiment and tests, it can be concluded that the application of the MAC address as an additional authentication parameter on the administrator’s login page can increase security on the administrator page. In this experiment, it was found that the administrator login page without the application of the MAC address was more resistant to dictionary and shoulder surfing attacks compared to that with the application of the MAC address in the authentication process. In the attack test, the attacker could still obtain the admin’s username and password, but the two authentication parameters were not enough to log in as an administrator because the MAC address used by the attacker differed from the registered MAC address of the admin.