Development of a multifactor authentication result checker system through GSM

This work is an implementation of a multifactor authentication SMS based result checking system. The objectives of this work were to improve on the available authentication methods and apply it on examination result checking system. The work takes care of only course codes with their grades, the current GPA and the overall CGPA. It employs the Pull SMS service, built on an independent service and a modem. Examination results consist of sensitive information, hence the need to further enhance the ones already in place so as to ensure further privacy and integrity, In the course of this project, the following assumptions were made: That a system that does the computation of students’ result, calculate of GPA and CGPA is already in place. The implemented system was connected to the database of the existing system. A database that contains the bio-data of each student admitted exists. That SMTP (Simple Mail Transport Protocol) modem exists and should have been used but to reduce cost, a modem that can act like a SIM browser is used with a standard SIM card inserted in it and connected via cable to the application server. The system showed that further security and privacy could be achieved when multifactor authentication is employed. For further work, the system could be developed and built as a dependent service which involves having the application server connected to the service provider’s SMS Center (SMSC). KEYWORDS Multifactor Authentication, GSM, Telecommunication, Communication, Internet.

💡 Research Summary

The paper presents the design, implementation, and evaluation of a multifactor authentication (MFA) system for checking university examination results via GSM‑based Short Message Service (SMS). Recognizing that many institutions rely on web portals or simple SMS services that suffer from limited internet access, high server load, and weak security (often only phone‑number registration or a single PIN), the authors set out to create a more secure, cost‑effective solution. Their approach combines two key ideas: (1) a two‑step authentication process that uses knowledge‑based questions stored in the student’s bio‑data, and (2) an independent “Pull‑SMS” architecture that employs a standard mobile phone or modem with a regular SIM card connected directly to an application server, thereby avoiding the need for contracts with SMSC providers and reducing upfront costs.

The system architecture follows a two‑tier model. The business‑logic tier, written in C# on the .NET Framework 4.0, handles incoming SMS requests, parses them, retrieves the appropriate security questions, validates answers, and finally composes the result message. The data tier uses Microsoft SQL Server 2005 accessed via ODBC and contains tables for student personal information, course codes, grades, GPA/CGPA, as well as message and audit logs. The application assumes that an existing academic management system already computes GPA and CGPA; the new module simply reads those values from the shared database.

Operational flow: a student sends an SMS in the format “G <matric‑no> ” to request grades or “C <matric‑no> ” for GPA/CGPA. The server replies with one or more knowledge‑based questions (e.g., date of birth, department, admission year). The student must answer correctly; only then does the server return the requested academic data. Because the questions are pre‑populated from the admission records, no additional user interaction is required beyond the SMS exchange.

Implementation details include the use of a conventional mobile phone (e.g., Sony Ericsson) acting as a modem, connected via a serial cable to the server. This “independent service” model eliminates the need for an SMSC gateway, meaning that only standard SMS tariffs apply. All interactions are logged for audit purposes, enabling post‑incident analysis.

Testing demonstrated that the system delivers results faster than web‑portal queries, especially in environments with poor internet connectivity. The MFA mechanism effectively blocks unauthorized access: even if a phone is stolen, an attacker cannot retrieve grades without correctly answering the knowledge‑based questions. However, the hardware‑centric design introduces vulnerabilities such as power or cable failures, modem malfunctions, and limited scalability under high concurrent load.

The authors compare their solution with several existing SMS‑based result services (NTU eXpress, MUET, Orissa Board). Those systems rely solely on registered phone numbers or simple PINs, offering minimal protection against impersonation. In contrast, the proposed system removes reliance on phone numbers and static PINs, substituting dynamic, student‑specific questions that raise the security bar considerably.

Future work outlined includes migrating from the independent modem to a “Dependent Service” architecture where the application server connects directly to a mobile operator’s SMS Center (SMSC) over the internet. This would eliminate the physical modem, improve reliability, and allow the use of short codes and premium billing models. The authors also suggest enriching the MFA scheme with one‑time passwords (OTP), QR‑code verification, or biometric factors, and encrypting the question‑answer database to mitigate the risk of question leakage.

In conclusion, the study validates that a GSM‑based, MFA‑enhanced SMS result checking system can provide a more secure, user‑friendly, and low‑cost alternative to traditional web portals or single‑factor SMS services. By integrating with existing academic databases and employing a simple two‑step verification, the prototype achieves meaningful improvements in privacy and integrity of student records, while highlighting practical considerations for scaling and hardening the solution in real‑world deployments.