Developing a multi-factor authentication prototype for improved security of enterprise resource planning systems for Kenyan universities

Abstract

Automated systems are crucial for organizations to maintain records and transactions effectively. Universities have increasingly adopted Enterprise Resource Planning (ERP) systems, a software that provides integrated management of processes and transactions in real-time. ERP systems contain lots of information and are accessed by multiple users, commonly through usernames and password authentication mechanisms. However, there have been security and privacy concerns about ERP systems’ security, where only the traditional authentication method of a username and password is commonly used. Passwords have weaknesses that can be easily compromised. Thus, this research aimed at establishing authentication methods used for ERPs in chartered Kenyan Universities and their vulnerabilities. The study further aimed at developing and validating a multi-factor authentication prototype to improve ERP systems security. Multi-factor authentication which combines several authentication factors such as something the user has, knows, or is, is a new state-of-the-art technology that is being adopted to strengthen systems’ authentication security. This research used an exploratory sequential design and a survey for chartered Kenyan Universities. Data collection was done through document analysis, issuing questionnaires online to the universities’ system administrators to establish ERP authentication methods and vulnerabilities. The questionnaires were validated by carrying out a pre-study that assessed whether the required data was captured and helped identify areas of improvement. The data collected was analyzed using descriptive statistics, correlation and regression, whose outcome was used as input for the development of a multi-factor authentication prototype. The key vulnerabilities established from the survey were password guessing, password reuse and social engineering hence the proposed multifactor authentication prototype to counter them. The independent variable factors found to have a positive significant relationship with ERP systems security according to the correlation were; attack tolerance, level of user training and ICT Security policy. The regression analysis model revealed that user training was the most significant variable on improved ERP systems security. This research hence proposed and developed a multifactor authentication prototype factoring in these variables, to contribute towards the improvement of security of ERP systems for universities in Kenya. The final outcome of the research was a multi-factor authentication prototype combining passwords and biometric authentication, that requires to be coupled with effective user training and enforcement of ICT security policies, to improve ERP systems security for Kenyan universities. As a recommendation for further research, alternative biometric authentication methods, integration of authentication applications and addressing other systems security issues can be explored to further improve ERP systems security.