Abstract: Multifactor authentication is used in addition to login and password authentication to enhance security in accessing resources like applications. Conventional approaches fail to focus on context-based multifactor authentication systems. The present disclosure provides a method which extracts contextual parameters of the user device and compares them with the user's historical contextual parameters. If the acquired contextual parameters are normal, access is permitted based on a first OTP. If the contextual parameters are anomalous and the user is a knowledgeable user who denies them and shares corrected details, a second OTP is generated based on the updated contextual information. If the contextual parameters are abnormal and the user accepts them, a third OTP is generated by the server machine and displayed on the user's mobile device. The third OTP includes a special character. The same special character is displayed on the application's input screen, and it helps the user to validate the input screen. [To be published with FIG. 3]
FORM 2
THE PATENTS ACT, 1970
(39 of 1970)
&
THE PATENT RULES, 2003
COMPLETE SPECIFICATION (See Section 10 and Rule 13)
Title of invention: CONTEXT-BASED MULTIFACTOR AUTHENTICATION FOR SECURED
ACCESSING OF RESOURCES
Applicant
Tata Consultancy Services Limited A company Incorporated in India under the Companies Act, 1956
Having address:
Nirmal Building, 9th floor,
Nariman Point, Mumbai 400021,
Maharashtra, India
Preamble to the description:
The following specification particularly describes the invention and the manner in which it is to be performed.
TECHNICAL FIELD
[001] The disclosure herein generally relates to the field of cyber security and, more particularly, to a method and system for context-based multifactor authentication for secured accessing of resources.
BACKGROUND
[002] Enterprise applications use a variety of authentication methods to protect their resources from attackers. Generally, multifactor authentication is used in addition to login and password authentication to enhance security. Most applications use One-Time Passwords (OTP) as a multi-factor authentication method. However, attackers can still gain access to the application if the OTP is entered on a fake/phishing website. For example, the legitimate user may click a link to the fake site and enter their username and password there, followed by the OTP. In such a scenario, the attacker obtains the username, password and the OTP too, and can replay them against the genuine application. Hence, while using an OTP based multifactor authentication system, applications should be safeguarded against attackers gaining OTPs via phishing websites.
[003] In one conventional approach, the OTP is combined with a secure key and then passed through the RSA algorithm to generate a transaction password. In another approach, the user retrieves the OTP via SMS or via an alternate email address; after receiving the OTP, the web server creates an encrypted token for the user's computer/device for authentication. The encrypted token is used for identification, and any time the user wishes to access the website he/she must request a new password. Another conventional method receives user credentials and provides an initial text for modification, then generates first and second hash values based on a hash function of the initial and modified texts; the hash values are compared and stored along with the user data. Another conventional approach presents a mobile authentication protocol named Mobile-ID which prevents Man-In-The-Middle attacks without relying on a human in the loop. With Mobile-ID, the message signed by the secure element on the mobile device incorporates the context information of the connected service provider, so upon receiving the signed message the Mobile-ID server can identify an on-going attack and notify the genuine service provider. Even though the said conventional methods generate the OTP in a more secure way, the OTP can still be captured by an attacker through a phishing website. Further, hashes and similar protections can still be attacked by an attacker who captures them. Thus, conventional OTP based authentication has technical limitations that need to be addressed for a more secure approach.
SUMMARY
[004] Embodiments of the present disclosure present technological improvements as solutions to one or more of the above-mentioned technical problems recognized by the inventors in conventional systems. For example, in one embodiment, a method for context-based multifactor authentication for secured accessing of resources is provided. The method includes receiving, by one or more hardware processors of a server machine, an access request from a user for accessing an application via a user device, wherein the access request is initiated by the user using a plurality of credentials. Further, the method includes extracting, by the one or more hardware processors of the server machine, a plurality of contextual parameters from the user device used for generating the access request using a pattern matching technique. Furthermore, the method includes generating, by the one or more hardware processors of the server machine, a first One-Time Password (OTP) using an OTP generation technique only if each of the plurality of contextual parameters matches with a plurality of historical contextual parameters pertaining to the user, wherein the first OTP is transmitted to a mobile device associated with the user, and wherein the user is allowed to access the application after first OTP verification. Furthermore, the method includes identifying, by the one or more hardware processors of the server machine, a plurality of abnormal contextual parameters from among the plurality of contextual parameters based on a comparison between the plurality of contextual parameters and the plurality of historical contextual parameters pertaining to the user, if at least one of the plurality of contextual parameters does not match the plurality of historical contextual parameters pertaining to the user. Furthermore, the method includes generating, by the one or more hardware processors of the server machine, an updated plurality of contextual parameters by validating the plurality of abnormal parameters with the user via the mobile device associated with the user, wherein the user performs one of a) accepting the plurality of abnormal parameters and b) denying the plurality of abnormal parameters and sharing the updated plurality of contextual parameters. Furthermore, the method includes generating, by the one or more hardware processors of the server machine, a second OTP based on the updated plurality of contextual parameters using a context based OTP generation technique if the user denies the plurality of abnormal parameters and shares the updated plurality of contextual parameters, wherein the second OTP is generated based on at least one contextual parameter from among the plurality of updated contextual parameters, wherein the second OTP is transmitted to the mobile device associated with the user and the access request is permitted based on the second OTP verification. Furthermore, the method includes generating, by the one or more hardware processors of the server machine, a third OTP comprising at least one dynamic special character from among a plurality of special characters if the user accepts the plurality of abnormal parameters, wherein the at least one dynamic special character is displayed on the input screen of the application to be accessed, and wherein the third OTP is transmitted to the mobile device associated with the user. Furthermore, the method includes performing, by the one or more hardware processors of the server machine, a user verification by intimating the user to check whether the at least one dynamic special character displayed on the input screen of the application and the at least one dynamic special character associated with the third OTP received via the mobile device are the same. Finally, the method includes permitting, by the one or more hardware processors of the server machine, the access request based on the third OTP verification, wherein the user is allowed to enter the third OTP on the input screen of the application only after the user verification succeeds.
[005] In another aspect, a system for context-based multifactor authentication for secured accessing of resources is provided. The system includes a user device connected to a server machine and a user's mobile device, wherein the server machine comprises at least one memory storing programmed instructions; one or more Input/Output (I/O) interfaces; and one or more hardware processors operatively coupled to the at least one memory, wherein the one or more hardware processors are configured by the programmed instructions to receive an access request from a user for accessing an application via the user device, wherein the access request is initiated by the user using a plurality of credentials. Further, the one or more hardware processors are configured by the programmed instructions to extract a plurality of contextual parameters from the user device used for generating the access request using a pattern matching technique. Furthermore, the one or more hardware processors are configured by the programmed instructions to generate a first One-Time Password (OTP) using an OTP generation technique only if each of the plurality of contextual parameters matches with a plurality of historical contextual parameters pertaining to the user, wherein the first OTP is transmitted to a mobile device associated with the user, and wherein the user is allowed to access the application after first OTP verification. Furthermore, the one or more hardware processors are configured by the programmed instructions to identify a plurality of abnormal contextual parameters from among the plurality of contextual parameters based on a comparison between the plurality of contextual parameters and the plurality of historical contextual parameters pertaining to the user, if at least one of the plurality of contextual parameters does not match the plurality of historical contextual parameters pertaining to the user. Furthermore, the one or more hardware processors are configured by the programmed instructions to generate an updated plurality of contextual parameters by validating the plurality of abnormal parameters with the user via the mobile device associated with the user, wherein the user performs one of a) accepting the plurality of abnormal parameters and b) denying the plurality of abnormal parameters and sharing the updated plurality of contextual parameters. Furthermore, the one or more hardware processors are configured by the programmed instructions to generate a second OTP based on the updated plurality of contextual parameters using a context based OTP generation technique if the user denies the plurality of abnormal parameters and shares the updated plurality of contextual parameters, wherein the second OTP is generated based on at least one contextual parameter from among the plurality of updated contextual parameters, wherein the second OTP is transmitted to the mobile device associated with the user and the access request is permitted based on the second OTP verification. Furthermore, the one or more hardware processors are configured by the programmed instructions to generate a third OTP comprising at least one dynamic special character from among a plurality of special characters if the user accepts the plurality of abnormal parameters, wherein the at least one dynamic special character is displayed on the input screen of the application to be accessed, and wherein the third OTP is transmitted to the mobile device associated with the user. Furthermore, the one or more hardware processors are configured by the programmed instructions to perform a user verification by intimating the user to check whether the at least one dynamic special character displayed on the input screen of the application and the at least one dynamic special character associated with the third OTP received via the mobile device are the same. Finally, the one or more hardware processors are configured by the programmed instructions to permit the access request based on the third OTP verification, wherein the user is allowed to enter the third OTP on the input screen of the application only after the user verification succeeds.
[006] In yet another aspect, a computer program product including a non-transitory computer-readable medium having embodied therein a computer program for context-based multifactor authentication for secured accessing of resources is provided. The computer readable program, when executed on a computing device, causes the computing device to receive an access request from a user for accessing an application via a user device, wherein the access request is initiated by the user using a plurality of credentials. Further, the computer readable program, when executed on a computing device, causes the computing device to extract a plurality of contextual parameters from the user device used for generating the access request using a pattern matching technique. Furthermore, the computer readable program, when executed on a computing device, causes the computing device to generate a first One-Time Password (OTP) using an OTP generation technique only if each of the plurality of contextual parameters matches with a plurality of historical contextual parameters pertaining to the user, wherein the first OTP is transmitted to a mobile device associated with the user, and wherein the user is allowed to access the application after first OTP verification. Furthermore, the computer readable program, when executed on a computing device, causes the computing device to identify a plurality of abnormal contextual parameters from among the plurality of contextual parameters based on a comparison between the plurality of contextual parameters and the plurality of historical contextual parameters pertaining to the user, if at least one of the plurality of contextual parameters does not match the plurality of historical contextual parameters pertaining to the user. Furthermore, the computer readable program, when executed on a computing device, causes the computing device to generate an updated plurality of contextual parameters by validating the plurality of abnormal parameters with the user via the mobile device associated with the user, wherein the user performs one of a) accepting the plurality of abnormal parameters and b) denying the plurality of abnormal parameters and sharing the updated plurality of contextual parameters. Furthermore, the computer readable program, when executed on a computing device, causes the computing device to generate a second OTP based on the updated plurality of contextual parameters using a context based OTP generation technique if the user denies the plurality of abnormal parameters and shares the updated plurality of contextual parameters, wherein the second OTP is generated based on at least one contextual parameter from among the plurality of updated contextual parameters, wherein the second OTP is transmitted to the mobile device associated with the user and the access request is permitted based on the second OTP verification. Furthermore, the computer readable program, when executed on a computing device, causes the computing device to generate a third OTP comprising at least one dynamic special character from among a plurality of special characters if the user accepts the plurality of abnormal parameters, wherein the at least one dynamic special character is displayed on the input screen of the application to be accessed, and wherein the third OTP is transmitted to the mobile device associated with the user. Furthermore, the computer readable program, when executed on a computing device, causes the computing device to perform a user verification by intimating the user to check whether the at least one dynamic special character displayed on the input screen of the application and the at least one dynamic special character associated with the third OTP received via the mobile device are the same. Finally, the computer readable program, when executed on a computing device, causes the computing device to permit the access request based on the third OTP verification, wherein the user is allowed to enter the third OTP on the input screen of the application only after the user verification succeeds.
[007] It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
BRIEF DESCRIPTION OF THE DRAWINGS
[008] The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate exemplary embodiments and, together with the description, serve to explain the disclosed principles:
[009] FIG. 1 is an overall architecture of a system for context-based multifactor authentication for secured accessing of resources, in accordance with some embodiments of the present disclosure.
[0010] FIG. 2 is a functional block diagram of the server (FIG. 1) of the system for context-based multifactor authentication for secured accessing of resources, in accordance with some embodiments of the present disclosure.
[0011] FIG. 3 illustrates a functional architecture of the server machine of FIG. 1, for context-based multifactor authentication for secured accessing of resources, in accordance with some embodiments of the present disclosure.
[0012] FIG. 4 (FIG. 4A and FIG. 4B) is an exemplary flow diagram illustrating a processor implemented method for context-based multifactor authentication for secured accessing of resources implemented by the system of FIG. 1 according to some embodiments of the present disclosure.
DETAILED DESCRIPTION OF EMBODIMENTS
[0013] Exemplary embodiments are described with reference to the accompanying drawings. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. Wherever convenient, the same reference numbers are used throughout the drawings to refer to the same or like parts. While examples and features of disclosed principles are described herein, modifications, adaptations, and other implementations are possible without departing from the spirit and scope of the disclosed embodiments.
[0014] Generally, multifactor authentication is used in addition to login and password authentication to enhance security. Most applications use One-Time Passwords (OTP) as a multi-factor authentication method. However, attackers can still gain access to the application if the OTP is entered on a fake/phishing website. For example, the legitimate user may click a link to the fake site and enter their username and password there, followed by the OTP. In such a scenario, the attacker obtains the username, password and the OTP too. Hence, while using an OTP based multifactor authentication system, applications should be safeguarded against attackers gaining OTPs via phishing websites.
[0015] In one conventional approach, the OTP is combined with a secure key. In another approach, the user retrieves the OTP via SMS or via an alternate email address; after receiving the OTP, the web server creates an encrypted token for the user's computer/device for authentication. The encrypted token is used for identification, and any time the user wishes to access the website he/she must request a new password. Another conventional method receives user credentials and generates first and second hash values based on a hash function of an initial text and a user-modified text; the hash values are compared and stored along with the user data. Another conventional approach presents a mobile authentication protocol named Mobile-ID which prevents Man-In-The-Middle attacks without relying on a human in the loop. Even though the said conventional methods generate the OTP in a more secure way, the OTP can still be captured by an attacker through a phishing website. Further, hashes and similar protections can still be attacked by an attacker who captures them. Further, no prior art teaches context-based multifactor authentication systems.
[0016] To overcome the challenges of the conventional approaches, embodiments herein provide a method and system for context-based multifactor authentication for secured accessing of resources. The method extracts contextual parameters of the user device and compares the extracted contextual parameters with the user's historical contextual parameters. If the acquired contextual parameters are normal, access is permitted based on a first OTP. If the contextual parameters are anomalous and the user is a knowledgeable user, the anomalous contextual parameters are shared with the user's mobile device, where the user must confirm or correct them; in some cases the server also requests additional details related to the user's device through the mobile application before generating a second OTP. It also records the user's mobile location and uses it to authenticate the user's identity. The second OTP is generated based on the updated contextual information. If the contextual parameters are abnormal and the user is an ignorant user who simply accepts the contextual parameters, a third OTP is generated by the server machine and displayed on the user's mobile device. The third OTP includes a special character along with the other characters. The same special character is displayed on the application's input screen, which helps the user validate that the input screen is genuine. The user enters the third OTP in the input screen of the application only if the special character included in the received third OTP is the same as the special character displayed in the input screen of the application.
[0017] Referring now to the drawings, and more particularly to FIGS. 1 through 4, where similar reference characters denote corresponding features consistently throughout the figures, there are shown preferred embodiments and these embodiments are described in the context of the following exemplary system and/or method.
[0018] FIG. 1 is an overall architecture of a system 100 for context-based multifactor authentication for secured accessing of resources, in accordance with some embodiments of the present disclosure. The architecture 100 includes a user device 102, a server machine 104 and a user's mobile device 106. The user's mobile device 106 can be any portable mobile computing device such as a mobile phone, a gadget, and the like. The user device 102 (for example, any computing device like a desktop, a laptop and the like) and the server machine 104 are connected via a network connection 108A. Similarly, the server machine 104 and the user's mobile device 106 are connected via a network connection 108B. In an embodiment, the network connections 108A and 108B are either a wired communication network or a wireless communication network.
[0019] FIG. 2 is a functional block diagram 200 of the server 104 of FIG. 1 for context-based multifactor authentication for secured accessing of resources, in accordance with some embodiments of the present disclosure. The system 200 includes or is otherwise in communication with hardware processors 202, at least one memory such as a memory 204, and an I/O interface 212. The hardware processors 202, memory 204, and the Input/Output (I/O) interface 212 may be coupled by a system bus such as a system bus 208 or a similar mechanism. In an embodiment, the hardware processors 202 can be one or more hardware processors.
[0020] The I/O interface 212 may include a variety of software and hardware interfaces, for example, a web interface, a graphical user interface, and interfaces for peripheral device(s) such as a keyboard, a mouse, an external memory, a printer and the like. Further, the I/O interface 212 may enable the system 200 to communicate with other devices, such as web servers and external databases.
[0021] The I/O interface 212 can facilitate multiple communications within a wide variety of networks and protocol types, including wired networks, for example, local area network (LAN), cable, etc., and wireless networks, such as Wireless LAN (WLAN), cellular, or satellite. For this purpose, the I/O interface 212 may include one or more ports for connecting several computing systems or devices with one another or to another server.
[0022] The one or more hardware processors 202 may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, node machines, logic circuitries, and/or any devices that manipulate signals based on operational instructions. Among other capabilities, the one or more hardware processors 202 is configured to fetch and execute computer-readable instructions stored in the memory 204.
[0023] The memory 204 may include any computer-readable medium known in the art including, for example, volatile memory, such as static random access memory (SRAM) and dynamic random access memory (DRAM), and/or non-volatile memory, such as read only memory (ROM), erasable programmable ROM, flash memories, hard disks, optical disks, and magnetic tapes. In an embodiment, the memory 204 includes a plurality of modules 206. The memory 204 also includes a data repository (or repository) 210 for storing data processed, received, and generated by the plurality of modules 206.
[0024] The plurality of modules 206 include programs or coded instructions that supplement applications or functions performed by the system 200 for context-based multifactor authentication for secured accessing of resources. The plurality of modules 206, amongst other things, can include routines, programs, objects, components, and data structures, which perform particular tasks or implement particular abstract data types. The plurality of modules 206 may also be implemented as signal processor(s), node machine(s), logic circuitries, and/or any other device or component that manipulates signals based on operational instructions. Further, the plurality of modules 206 can be implemented by hardware, by computer-readable instructions executed by the one or more hardware processors 202, or by a combination thereof. The plurality of modules 206 can include various sub-modules (not shown). In an embodiment, the modules 206 include a contextual parameters extraction module 302 (shown in FIG. 3), a first OTP generation module 304 (shown in FIG. 3), an abnormal contextual parameters identification module 306 (shown in FIG. 3), an updated contextual parameters generation module 308 (shown in FIG. 3), a second OTP generation module 310 (shown in FIG. 3), a third OTP generation module 312 (shown in FIG. 3), a user verification module 314 (shown in FIG. 3) and a third OTP verification module 316 (shown in FIG. 3). FIG. 3 illustrates this functional architecture of the system of FIG. 2, for context-based multifactor authentication for secured accessing of resources, in accordance with some embodiments of the present disclosure.
[0025] The data repository (or repository) 210 may include a plurality of abstracted pieces of code for refinement and data that is processed, received, or generated as a result of the execution of the plurality of modules in the module(s) 206.
[0026] Although the data repository 210 is shown internal to the system 200, it will be noted that, in alternate embodiments, the data repository 210 can also be implemented external to the system 200, where the data repository 210 may be stored within a database (repository 210) communicatively coupled to the system 200. The data contained within such an external database may be periodically updated. For example, new data may be added into the database (not shown in FIG. 2) and/or existing data may be modified and/or non-useful data may be deleted from the database. In one example, the data may be stored in an external system, such as a Lightweight Directory Access Protocol (LDAP) directory and a Relational Database Management System (RDBMS).
[0027] FIG. 4 is an exemplary flow diagram illustrating a method 400 for context-based multifactor authentication for secured accessing of resources implemented by the system of FIG. 1 according to some embodiments of the present disclosure. In an embodiment, the system 200 includes one or more data storage devices or the memory 204 operatively coupled to the one or more hardware processor(s) 202 and is configured to store instructions for execution of steps of the method 400 by the one or more hardware processors 202. The steps of the method 400 of the present disclosure will now be explained with reference to the components or blocks of the system 200 as depicted in FIG. 2 and the steps of flow diagram as depicted in FIG. 4. The method 400 may be described in the general context of computer executable instructions. Generally, computer executable instructions can include routines, programs, objects, components, data structures, procedures, modules, functions, etc., that perform particular functions or implement particular abstract data types. The method 400 may also be practiced in a distributed computing environment where functions are performed by remote processing devices that are linked through a communication network. The order in which the method 400 is described is not intended to be construed as a limitation, and any number of the described method blocks can be combined in any order to implement the method 400, or an alternative method. Furthermore, the method 400 can be implemented in any suitable hardware, software, firmware, or combination thereof.
[0028] At step 402 of the method 400, the one or more hardware processors 202 of the server machine 104 are configured by the programmed instructions to receive an access request from a user for accessing an application via the user device 102, wherein the access request is initiated by the user using a plurality of credentials like username and password.
[0029] At step 404 of the method 400, the contextual parameters extraction module 302 executed by the one or more hardware processors 202 of the server machine 104 is configured by the programmed instructions to extract a plurality of contextual parameters from the user device used for generating the access request using a pattern matching technique. For example, the plurality of contextual parameters includes a device ID, a device type, an Internet Protocol (IP) address, location details, browser details, timing details and an Operating System (OS) version. The device ID is an identification number for each device. The device type includes mobile device, laptop and the like; a mobile device is represented by the number '1', a laptop by '2', and so on. The location details include latitude and longitude. The browser details include the browser type; for example, the browsers are numbered by the starting character of their names in alphabetical order: Chrome→1, Firefox→2 and Internet Explorer→3. The timing details are represented as time slots; for example, the time slot between 9 AM and 6 PM is slot 1 and the time slot between 6 PM and 9 AM is slot 2. Similarly, the OS details are represented as '1' for Windows, '2' for Linux, '3' for Mac and the like.
[0030] At step 406 of the method 400, the first OTP generation module 304 executed by the one or more hardware processors 202 of the server machine 104 is configured by the programmed instructions to generate a first One-Time Password (OTP) using an OTP generation technique only if each of the plurality of contextual parameters matches with a plurality of historical contextual parameters pertaining to the user, wherein the first OTP is transmitted to a mobile device associated with the user, wherein the user is allowed to access the application after first OTP verification.
[0031] At step 408 of the method 400, the abnormal contextual parameters identification module 306 executed by the one or more hardware processors 202 of the server machine 104 is configured by the programmed instructions to identify a plurality of abnormal contextual parameters from among the plurality of contextual parameters based on a comparison between the plurality of contextual parameters and the plurality of historical contextual parameters pertaining to the user, if each of the plurality of contextual parameters does not match with the plurality of historical contextual parameters pertaining to the user.
[0032] At step 410 of the method 400, the updated contextual parameters generation module 308 executed by the one or more hardware processors 202 of the server machine 104 is configured by the programmed instructions to generate an updated plurality of contextual parameters by validating the plurality of abnormal parameters with the user via the mobile device associated with the user. The user performs one of a) accepting the plurality of abnormal parameters b) denying the plurality of abnormal parameters and sharing the updated plurality of contextual parameters.
[0033] At step 412 of the method 400, the second OTP generation module 310 executed by the one or more hardware processors 202 of the server machine 104 is configured by the programmed instructions to generate, using a context based OTP generation technique, a second OTP based on the updated plurality of contextual parameters if the user denies the plurality of abnormal parameters and shares the updated plurality of contextual parameters. The second one-time password includes at least one contextual parameter from among the plurality of updated contextual parameters, wherein the second OTP is transmitted to the mobile device associated with the user and the access request is permitted to the user based on the second OTP verification.
[0034] For example, OTP verification is performed as follows. If the OTP “178918” is received, the system compares it with the stored template (178918, I789B8). If they match, it fetches the IP address and browser details from the device and generates a single-digit value for each of the IP address and the browser details. If these values equal the tagged digits, it allows access.
[0035] The method of generating the second OTP by the context based OTP generation technique is as follows. In one embodiment, the knowledgeable user updates only the IP address and the browser details, and the IP address and browser details are included in the OTP generation as explained below. Initially, the IP address is converted into its individual numbers, which are kept in ascending order; for example, 172.25.148.59→172,148,59,25. Further, the individual numbers are grouped into sets of two numbers and subtracted, for example, (172,148) and (59,25) → (172-148) & (59-25) → (24,34). One set is generated after subtraction. Further, one more subtraction is performed by keeping the set in ascending order, for example, (34-24) = 10. If a two-digit number is generated, its digits are added or subtracted to generate a one-digit number (1+0=1). A 6-digit random OTP is generated using an OTP generation technique, for example “378958”. The single-digit value obtained from the IP address (‘1’ in this case) replaces the nearest value in the generated random OTP. In the above example OTP, 3 is nearest to the value 1, so ‘3’ is replaced with ‘1’ and the final OTP is “178958”.
[0036] Further, the browser details are included in the OTP generation as explained below. Initially, each browser is labelled with a single-digit browser ID based on its name. For example, Chrome with version number 112.0.5615.121 is labelled ‘2’. Further, each component of the version number is converted into a single digit, for example, 2.(112.0.5615.121) → (1+1+2).(0).(5+6+1+5).(1+2+1) → 4.0.17.4 → (4).(0).(1+7).(4) → 4.0.8.4. Further, the obtained numbers are sorted in ascending order and pairwise subtraction is performed, for example, 8,4,4,0 → (8-4) and (4-0) → 4,4. The obtained numbers are further added, for example, 4+4→8 (the version value should not be zero). The browser ID and the resultant value obtained from the above computation are combined, for example, 2.8 (2 is the browser ID and 8 is the browser version value). The two numbers are added, for example, 2+8→10→1+0=1. Hence the browser value is 1. The nearest value to the browser value is then obtained from the OTP already tagged with the IP address (the position already replaced by the IP address value is not considered), for example, in 178958, 5 is the nearest value to the browser value 1. Hence ‘5’ is replaced with ‘1’ and the OTP value is “178918” (one-time password with IP address and browser details). In an embodiment, I789B8 is maintained in a temporary database for revalidating at the time of verification. Here, ‘I’ indicates the IP address and ‘B’ indicates the browser details.
[0037] In one embodiment, the knowledgeable user updates only the IP address in the mobile application without updating other context details. Then the system needs to consider only the IP address details for tagging the device with the OTP. In that scenario, the system generates a two-digit code for the IP address instead of a one-digit code, since with a one-digit code the probability of a chance match is very high. For example, considering the IP address “192.168.29.247”, the elements of the IP address are sorted in ascending order (247,192,168,29). Two pairs are further obtained from the sorted elements of the IP address, for example, (247,192) & (168,29). The elements of the sets are subtracted, for example, (247-192) & (168-29)→(55,139). A 2-digit number is generated by addition, subtraction or averaging, for example, (139-55)→84. A 6-digit random OTP is generated using a conventional OTP generation technique, for example, “378958”. Finally, the nearest matching value “89” is replaced with “84”, for example, 378958→(378458). The OTP is stored in the temporary database as “37II458”. Here, the OTP is “378458”.
[0038] In another embodiment, the attacker accesses from the same location from which the user previously accessed. If the attacker's location is the same as the user's, the system generates a 4-digit code for the IP address, because a matching network ID is possible when the location is the same. An IP address consists of a network ID and a host ID, and by considering both, the application generates a 4-digit code for the IP address. For example, 192.168.29.247→192.168.29 (network ID) and 247 (host ID). A 2-digit unique number is assigned to the network ID and stored in the database. The digits of the host ID are added to get a two-digit number, for example, 247→(2+4+7)→(13).
[0039] In another embodiment, the knowledgeable user updates only the browser type without changing the IP address and browser version; the application then assigns a browser code to the browser type without considering the version. For example, each browser is assigned a unique code based on its browser name: Chrome→1, Explorer→2 and Firefox→3, etc. If the user updates only the browser type, the browser code replaces the nearest matching digit in the one-time password.
[0040] In another embodiment, the system captures location details based on latitude and longitude. The application maintains users’ past location details using location name, latitude, and longitude details. If the attacker's location does not match the user's past locations, it identifies the location name in the mobile application using the received latitude and longitude values. It displays the city name based on the location's latitude and longitude.
[0041] In another embodiment, each combination of device type and operating system is assigned a two-digit code, which is used in the one-time password. For example, System, Windows→11, System, Unix→12, etc. If the user's device is a desktop with the Windows operating system, the system generates a 6-digit random one-time password, for example 378958, and the nearest digits are replaced with the code: (378958)→(118958). The one-time password then works only for the selected device.
[0042] Based on the updated contextual parameters, the system tags the OTP to the device using the contextual parameters. The system generates a 1- to 4-digit code for the IP address based on the input type. Tagging context details in the second OTP restricts phishing attacks even when the OTP itself is captured.
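The context tagging of paragraphs [0035] to [0037] and [0041], together with the verification of [0034], as an added example that is not part of the patent. It reproduces the page's worked numbers and generalises the nearest-digit replacement to a nearest-window rule so the same routine handles the one-digit IP and browser codes, the two-digit IP code and the two-digit device/OS code; the browser code table, the leftmost-wins tie rule and the treatment of odd-length version strings are assumptions.

```python
"""Context-tagged second OTP, as an added example (not the patent's own code).

Follows the page's worked numbers: 172.25.148.59 -> 1, Chrome 112.0.5615.121 -> 1,
192.168.29.247 -> 84 (two-digit embodiment) and desktop/Windows -> 11. The browser
code table, the leftmost-wins tie rule and odd-length version handling are assumptions.
"""
import secrets

# Assumed browser-name codes; the page's browser example labels Chrome as 2.
BROWSER_CODES = {"chrome": 2, "firefox": 3, "explorer": 1}


def fold(n: int, max_digits: int) -> int:
    """Sum the digits of n repeatedly until it fits in max_digits (10 -> 1, 5615 -> 8)."""
    while n >= 10 ** max_digits:
        n = sum(int(d) for d in str(n))
    return n


def pair_diffs(values: list[int]) -> list[int]:
    """Sort descending, as the page's examples do, and subtract neighbouring pairs."""
    v = sorted(values, reverse=True)
    return [v[i] - v[i + 1] for i in range(0, len(v) - 1, 2)]


def ip_code(ip: str, digits: int = 1) -> str:
    """One-digit (default) or two-digit code derived from an IPv4 address."""
    a, b = pair_diffs([int(o) for o in ip.split(".")])  # 172.25.148.59 -> 24, 34
    value = fold(max(a, b) - min(a, b), digits)         # 10 -> 1; 192.168.29.247 -> 84
    return str(value).zfill(digits)


def browser_code(name: str, version: str) -> str:
    """Single digit combining the browser id with its folded version number."""
    parts = [fold(int(p), 1) for p in version.split(".")]  # 112.0.5615.121 -> 4,0,8,4
    version_value = fold(sum(pair_diffs(parts)), 1) or 1   # 8,4,4,0 -> 4,4 -> 8; never 0
    return str(fold(BROWSER_CODES[name.lower()] + version_value, 1))  # 2+8 -> 10 -> 1


def tag_nearest(otp: str, code: str, template: str, marker: str) -> tuple[str, str]:
    """Overwrite the untagged window of len(code) digits whose value is nearest to code.

    The returned template records the tagged positions (e.g. I789B8) for verification.
    """
    n, best = len(code), None
    for i in range(len(otp) - n + 1):
        if not template[i:i + n].isdigit():
            continue  # window overlaps a position tagged earlier
        dist = abs(int(otp[i:i + n]) - int(code))
        if best is None or dist < best[0]:
            best = (dist, i)  # strict '<' keeps the leftmost window on ties
    _, i = best
    return otp[:i] + code + otp[i + n:], template[:i] + marker * n + template[i + n:]


def build_second_otp(random_otp: str, ip: str, browser: str, version: str) -> tuple[str, str]:
    """Tag a random 6-digit OTP with the IP digit (marker I) and browser digit (marker B)."""
    otp, tmpl = tag_nearest(random_otp, ip_code(ip), random_otp, "I")
    return tag_nearest(otp, browser_code(browser, version), tmpl, "B")


def verify_second_otp(entered: str, template: str, ip: str, browser: str, version: str) -> bool:
    """Untagged digits must equal the template; tagged digits must equal the codes
    recomputed from the *requesting* device, so an OTP relayed from elsewhere fails."""
    if len(entered) != len(template) or not entered.isdigit():
        return False
    ip_digits = template.count("I")
    expected = {"I": ip_code(ip, ip_digits) if ip_digits else "",
                "B": browser_code(browser, version) if "B" in template else ""}
    if any(not t.isdigit() and t not in expected for t in template):
        return False  # template carries a context tag this verifier cannot recompute
    for marker, code in expected.items():
        positions = [i for i, t in enumerate(template) if t == marker]
        if "".join(entered[i] for i in positions) != code:
            return False
    return all(e == t for e, t in zip(entered, template) if t.isdigit())


if __name__ == "__main__":
    legit = ("172.25.148.59", "Chrome", "112.0.5615.121")  # constructed device context
    random_otp = "".join(str(secrets.randbelow(10)) for _ in range(6))
    otp, tmpl = build_second_otp(random_otp, *legit)
    print(f"random {random_otp} -> tagged {otp}, stored template {tmpl}")
    print("legit device :", verify_second_otp(otp, tmpl, *legit))
    print("relayed OTP  :", verify_second_otp(otp, tmpl, "10.0.0.5", "Firefox", "115.0"))
```

The template stores only the positions that carry context, so the server never needs the user's IP address or browser string at rest; it recomputes the codes from whichever device presents the OTP.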
[0043] At step 414 of the method 400, the third OTP generation module 312 executed by the one or more hardware processors 202 of the server machine 104 is configured by the programmed instructions to generate a third OTP comprising at least one dynamic special character from among a plurality of special characters if the user accepts the plurality of abnormal parameters, wherein the at least one dynamic special character is displayed on the input screen of the application to be accessed and wherein the third OTP is transmitted to the mobile device associated with the user. An example third OTP is “378$58”.
[0044] At step 416 of the method 400, the user verification module 314 executed by the one or more hardware processors 202 of the server machine 104 is configured by the programmed instructions to perform a user verification by intimating the user to check whether the at least one dynamic special character displayed on the input screen of the application and the at least one dynamic special character associated with the third OTP received via the mobile device are the same.
[0045] At step 418 of the method 400, the third OTP verification module 316 executed by the one or more hardware processors 202 of the server machine 104 is configured by the programmed instructions to permit the access request based on the third OTP verification, wherein the user is allowed to enter the third OTP on the input screen of the application based on the user verification: the user is allowed to access the application only if the at least one dynamic special character displayed on the input screen of the application and the at least one dynamic special character associated with the third OTP received via the mobile device are the same, and is otherwise denied from entering the third OTP on the input screen of the application.
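Steps 414 to 418 as an added example that is not part of the patent: the server generates the third OTP with a special character in the middle, shows that character on the genuine input screen of the login session, and the user enters the OTP only where the screen shows the matching character. The character pool, the session class and the choice of any interior position as "the middle" are assumptions.

```python
"""Third OTP with a dynamic special character, as an added example (not the patent's code).

The server embeds one special character in the middle of the OTP it sends to the mobile
device and renders the same character on the genuine input screen of that login session.
The character pool and 'middle' meaning any interior position are assumptions.
"""
import secrets

SPECIAL_CHARS = "!@#$%&*"  # assumed pool; the page's example OTP is 378$58
OTP_LENGTH = 6


def embed_special(digits: str, pos: int, special: str) -> str:
    """Replace the digit at interior position pos with the special character."""
    if not 0 < pos < len(digits) - 1:
        raise ValueError("special character must sit in the middle of the OTP")
    return digits[:pos] + special + digits[pos + 1:]


def special_of(otp: str) -> str:
    """The single non-digit character carried by a third OTP ('' if none)."""
    return next((c for c in otp if not c.isdigit()), "")


class LoginSession:
    """Server-side state for one access request on which the user accepted the
    abnormal parameters and therefore receives a third OTP (assumed structure)."""

    def __init__(self) -> None:
        rng = secrets.SystemRandom()
        digits = "".join(str(rng.randrange(10)) for _ in range(OTP_LENGTH))
        self.special = rng.choice(SPECIAL_CHARS)
        self.otp = embed_special(digits, rng.randrange(1, OTP_LENGTH - 1), self.special)

    def input_screen_hint(self) -> str:
        """What the genuine application shows beside the OTP field for this session."""
        return self.special

    def verify(self, entered: str) -> bool:
        """Constant-time check of the OTP typed on the input screen."""
        return entered.isascii() and secrets.compare_digest(entered, self.otp)


def user_should_enter(shown_on_screen: str, otp_on_mobile: str) -> bool:
    """The step the user performs: enter the OTP only if the screen shows the same
    special character that arrived inside the OTP; a page that cannot show it is not
    the genuine input screen."""
    return bool(shown_on_screen) and shown_on_screen == special_of(otp_on_mobile)


if __name__ == "__main__":
    session = LoginSession()
    print("sent to mobile:", session.otp, "| genuine screen shows:", session.input_screen_hint())
    print("enter on genuine screen:", user_should_enter(session.input_screen_hint(), session.otp))
    print("enter on a page showing nothing:", user_should_enter("", session.otp))
```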
Use cases:
[0046] In an embodiment, if the attacker sends fake links to legitimate users through email or SMS to capture user credentials and OTP, the legitimate user opens the link, treats it as the original site and enters his/her username and password on the fake site. After capturing the username and password from the fake site, the attacker uses them on the original site. When the attacker uses the username and password on the original site, the application captures the contextual parameters and evaluates whether the parameters are normal or abnormal based on past context data using a machine learning algorithm. It displays the abnormal device parameters on the user’s mobile application, and the legitimate user receives the device details on his or her mobile application. If the legitimate user is knowledgeable, the user may deny or update the device details in the mobile application. If the legitimate user denies them, the first OTP is not generated and application access is denied. If the legitimate user updates his or her device details displayed on the mobile application, the application generates the second OTP using the updated contextual parameters. When an attacker captures the second OTP from the legitimate user and enters that OTP, the application fetches the updated contextual parameters from the second OTP and compares them with the device contextual parameters. If they do not match, the system denies access to the attacker.
[0047] If the legitimate user is ignorant, the user may confirm without checking the displayed context details on the mobile application. If the user confirms, the application generates the third OTP and adds a special character in the middle of the third OTP. It also displays the same special character on the input screen of the application. It requests the user to check the special character displayed on the input screen before entering the third OTP. It helps the user validate the input screen for entering the one-time password.
[0048] The written description describes the subject matter herein to enable any person skilled in the art to make and use the embodiments. The scope of the subject matter embodiments is defined by the claims and may include other modifications that occur to those skilled in the art. Such other modifications are intended to be within the scope of the claims if they have similar elements that do not differ from the literal language of the claims or if they include equivalent elements with insubstantial differences from the literal language of the claims.
[0049] The embodiments of the present disclosure herein address the unresolved problem of context-based multifactor authentication for secured accessing of resources. The present disclosure generates OTPs which carry device contextual parameters, so that the application is protected from attackers. Further, the present disclosure restricts the attacker’s ability to capture an OTP through fake links.
[0050] It is to be understood that the scope of the protection is extended to such a program and in addition to a computer-readable means having a message therein; such computer-readable storage means contain program-code means for implementation of one or more steps of the method when the program runs on a server or mobile device or any suitable programmable device. The hardware device can be any kind of device which can be programmed including e.g. any kind of computer like a server or a personal computer, or the like, or any combination thereof. The device may also include means which could be e.g. hardware means like e.g. an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a combination of hardware and software means, e.g. an ASIC and an FPGA, or at least one microprocessor and at least one memory with software modules located therein. Thus, the means can include both hardware means and software means. The method embodiments described herein could be implemented in hardware and software. The device may also include software means. Alternatively, the embodiments may be implemented on different hardware devices, e.g. using a plurality of CPUs, GPUs and edge computing devices.
[0051] The embodiments herein can comprise hardware and software elements. The embodiments that are implemented in software include but are not limited to, firmware, resident software, microcode, etc. The functions performed by various modules described herein may be implemented in other modules or combinations of other modules. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that can comprise, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. The illustrated steps are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope and spirit of the disclosed embodiments. Also, the words “comprising,” “having,” “containing,” and “including,” and other similar forms are intended to be equivalent in meaning and be open ended in that an item or items following any one of these words is not meant to be an exhaustive listing of such item or items, or meant to be limited to only the listed item or items. It must also be noted that as used herein and in the appended claims, the singular forms “a,” “an,” and “the” include plural references unless the context clearly dictates otherwise. Furthermore, one or more computer-readable storage media may be utilized in implementing embodiments consistent with the present disclosure. A computer-readable storage medium refers to any type of physical memory on which information or data readable by a processor may be stored. Thus, a computer-readable storage medium may store instructions for execution by one or more processors, including instructions for causing the processor(s) to perform steps or stages consistent with the embodiments described herein. The term “computer-readable medium” should be understood to include tangible items and exclude carrier waves and transient signals, i.e. non-transitory. Examples include random access memory (RAM), read-only memory (ROM), volatile memory, nonvolatile memory, hard drives, CD ROMs, DVDs, flash drives, disks, and any other known physical storage media.
[0052] It is intended that the disclosure and examples be considered as exemplary only, with a true scope of disclosed embodiments being indicated by the following claims.
WE CLAIM:
1. A processor implemented method (400), the method comprising:
receiving (402), by one or more hardware processors of a server machine, an access request from a user for accessing an application via a user device, wherein the access request is initiated by the user using a plurality of credentials;
extracting (404), by the one or more hardware processors of the server machine, a plurality of contextual parameters from the user device used for generating the access request using a pattern matching technique;
generating (406), by the one or more hardware processors of the server machine, a first One-Time Password (OTP) using an OTP generation technique only if each of the plurality of contextual parameters matches with a plurality of historical contextual parameters pertaining to the user, wherein the first OTP is transmitted to a mobile device associated with the user, wherein the user is allowed to access the application after first OTP verification;
identifying (408), by the one or more hardware processors of the server machine, a plurality of abnormal contextual parameters from among the plurality of contextual parameters based on a comparison between the plurality of contextual parameters and the plurality of historical contextual parameters pertaining to the user if each of the plurality of contextual parameters does not match with a plurality of historical contextual parameters pertaining to the user;
generating (410), by the one or more hardware processors of the server machine, an updated plurality of contextual parameters by validating the plurality of abnormal parameters with the user via the mobile device associated with the user, wherein the user performs one of a) accepting the plurality of abnormal parameters and b) denying the plurality of abnormal parameters and sharing the updated plurality of contextual parameters;
generating (412), by the one or more hardware processors of the server machine, a second OTP based on the updated plurality of contextual parameters if the user denies the plurality of abnormal parameters and shares the updated plurality of contextual parameters using a context based OTP generation technique, wherein the second one-time password is generated based on at least one contextual parameter from among the plurality of updated contextual parameters, wherein the second OTP is transmitted to the mobile device associated with the user and the access request is permitted to the user based on the second OTP verification;
generating (414), by the one or more hardware processors of the server machine, a third OTP comprising at least one dynamic special character from among a plurality of special characters if the user accepts the plurality of abnormal parameters, wherein the at least one dynamic special character is displayed on the input screen of the application to be accessed and, wherein the third OTP is transmitted to the mobile device associated with the user;
performing (416), by the one or more hardware processors of the server machine, a user verification by intimating the user to check whether the at least one dynamic special character displayed on the input screen of the application and the at least one dynamic special character associated with the third OTP received via the mobile device are the same; and
permitting (418), by the one or more hardware processors of the server machine, the access request based on the third OTP verification, wherein the user is allowed to enter the third OTP on the input screen of the application based on the user verification.
2. The method as claimed in claim 1, wherein the plurality of contextual parameters comprises a device ID, a device type, an Internet Protocol (IP) address, location details, browser details, timing details and Operating System (OS) version.
3. The method as claimed in claim 1, wherein the third OTP comprises at least one special character and a plurality of characters.
4. The method as claimed in claim 1, wherein the application is accessed via the user device.
5. The method as claimed in claim 1, wherein the user verification is performed by checking whether the at least one dynamic special character displayed on the input screen of the application and the at least one dynamic special character associated with the third OTP received via the mobile device are the same.
6. A system (100) comprising:
a user device (102) connected to a server machine (104) and a user’s mobile device (106), wherein the server machine (104) comprises at least one memory (204) storing programmed instructions; one or more Input/Output (I/O) interfaces (212); and one or more hardware processors (202) operatively coupled to the at least one memory (204), wherein the one or more hardware processors (202) are configured by the programmed instructions to:
receive an access request from a user for accessing an application via a user device, wherein the access request is initiated by the user using a plurality of credentials;
extract a plurality of contextual parameters from the user device used for generating the access request using a pattern matching technique;
generate a first One-Time Password (OTP) using an OTP generation technique only if each of the plurality of contextual parameters matches with a plurality of historical contextual parameters pertaining to the user, wherein the first OTP is transmitted to a mobile device associated with the user, wherein the user is allowed to access the application after first OTP verification;
identify a plurality of abnormal contextual parameters from among the plurality of contextual parameters based on a comparison between the plurality of contextual parameters and the plurality of historical contextual parameters pertaining to the user if each of the plurality of contextual parameters does not match with a plurality of historical contextual parameters pertaining to the user;
generate an updated plurality of contextual parameters by validating the plurality of abnormal parameters with the user via the mobile device associated with the user, wherein the user performs one of a) accepting the plurality of abnormal parameters and b) denying the plurality of abnormal parameters and sharing the updated plurality of contextual parameters;
generate a second OTP based on the updated plurality of contextual parameters if the user denies the plurality of abnormal parameters and shares the updated plurality of contextual parameters using a context based OTP generation technique, wherein the second one-time password is generated based on at least one contextual parameter from among the plurality of updated contextual parameters, wherein the second OTP is transmitted to the mobile device associated with the user and the access request is permitted to the user based on the second OTP verification;
generate a third OTP comprising at least one dynamic special character from among a plurality of special characters if the user accepts the plurality of abnormal parameters, wherein the at least one dynamic special character is displayed on the input screen of the application to be accessed and, wherein the third OTP is transmitted to the mobile device associated with the user;
perform a user verification by intimating the user to check whether the at least one dynamic special character displayed on the input screen of the application and the at least one dynamic special character associated with the third OTP received via the mobile device are the same; and
permit the access request based on the third OTP verification, wherein the user is allowed to enter the third OTP on the input screen of the application based on the user verification.
7. The system of claim 6, wherein the plurality of contextual parameters comprises a device ID, a device type, an Internet Protocol (IP) address, location details, browser details, timing details and Operating System (OS) version.
8. The system of claim 6, wherein the third OTP comprises at least one special character and a plurality of characters.
9. The system of claim 6, wherein the application is accessed via the user device.
10. The system of claim 6, wherein the user verification is performed by checking whether the at least one dynamic special character displayed on the input screen of the application and the at least one dynamic special character associated with the third OTP received via the mobile device are the same.
| # | Name | Date |
|---|---|---|
| 1 | 202321058299-STATEMENT OF UNDERTAKING (FORM 3) [30-08-2023(online)].pdf | 2023-08-30 |
| 2 | 202321058299-REQUEST FOR EXAMINATION (FORM-18) [30-08-2023(online)].pdf | 2023-08-30 |
| 3 | 202321058299-FORM 18 [30-08-2023(online)].pdf | 2023-08-30 |
| 4 | 202321058299-FORM 1 [30-08-2023(online)].pdf | 2023-08-30 |
| 5 | 202321058299-FIGURE OF ABSTRACT [30-08-2023(online)].pdf | 2023-08-30 |
| 6 | 202321058299-DRAWINGS [30-08-2023(online)].pdf | 2023-08-30 |
| 7 | 202321058299-DECLARATION OF INVENTORSHIP (FORM 5) [30-08-2023(online)].pdf | 2023-08-30 |
| 8 | 202321058299-COMPLETE SPECIFICATION [30-08-2023(online)].pdf | 2023-08-30 |
| 9 | 202321058299-FORM-26 [29-09-2023(online)].pdf | 2023-09-29 |
| 10 | Abstract.1.jpg | 2024-01-18 |
| 11 | 202321058299-FORM-26 [07-11-2025(online)].pdf | 2025-11-07 |