MULTI-FACTOR ATTENDANCE AUTHENTICATION SYSTEM

Taking attendance in classes is a cumbersome task which can benefit from smartphone innovation. This study identifies the vulnerabilities of the technology and proposes a technique to identify cheating. Several smartphone features are proposed for collective use to improve the reliability. The first measure is by using Quick Response (QR) code as a unique token; the second measure is by using International Mobile Equipment Identity (IMEI) number as a unique identification; the third measure is by checking timestamp; and the fourth measures is by checking Global Positioning System (GPS) location of the student. Algorithm matches attendee with event using QR, identifies identify using IMEI and verify attendance using timestamp and GPS. Use cases conducted have shown feasibility in practical aspect and user acceptance. This paper evaluates reliability of the approach and inherent issues


INTRODUCTION
Taking attendance is common in many educational institutions to instil discipline.Some institutions impose strict rules to ensure attainment of good student attendance.This include punitive approach such as barring students from the final examination.For international students studying in some countries, the governments require universities to systemize tracking of attendance.The Malaysian Immigration Department for instances, requires a good record as a pre-requisite for renewal of international student visas.
As an alternative, technologies such as biometrics, Radio Frequency Identification (RFID), Quick Response (QR) have been proposed and tested.Besides taking attendance, the common features include detection of cheating and generation of report.
However, these solutions require special hardware to be purchased and installed in venues, which make the implementation more costly but less flexible.Furthermore, users need to queue up thus making the process less efficient.
The goal of this study is to propose a cost-efficient and flexible alternative that would improve attendance-taking through ubiquitous technologies such as the smart phone.The focus of the study is to improve accuracy of attendance-taking by detecting and eliminating fake attendance.The proposed solution uses software strategy that exploits existing and common smart phone features.

LITERATURE REVIEW
There are some existing studies to improve attendance-taking using technology.Saraswat & Kumar (2010) proposed biometric attendance system that uses fingerprint verification.Xiao & Yang (2009) also use biometric as the technology to authenticate and validate the attendance of students.They developed a real-time authentication that made use of facial recognition technology.A non-biometric device can be seen in the work (Čisar et al., 2016).The authors proposed the use of mobile application that can register attendance to an Arduino device using Bluetooth connection.Biometric approach requires special hardware and thus cumbersome.
More recently, attendance system has also incorporated sensors.(Chew et al., 2015) has proposed NFC-based attendance system to minimize human involvement and errors in attendance-taking.The paper has also evaluated the technology against RFID and concluded both can increase the efficiency.However, there is a concern over setup cost and infrastructure.NFC is more cost-efficient than RFID.The use of mobile phone sensor is a promising cost-effective alternative to dedicated sensor devices and infrastructure.However, NFC is not a permanent feature available in most phones, unlike the camera.
QR code takes advantage of the phone camera.Baban (2014) described implementation of a basic attendance-taking system that uses QR code scanning via students' smart phones.The system generated attendance reports.The design is generic for reimplementation but did not address issues of cheating in attendance.Deugo (2015) proposed a system wherein, students are to generate their unique QR codes and bring them into class for their lecturers to scan them through a special application.However, using the system may not offer time efficiency as it is the lecturers that need to scan the student QR codes.Cleveland (2012) proposed a simpler QR-based attendance in which the lecturer generates the QR code for the students to scan and confirm attendance.The QR code is generated using a web form (e.g.Google Docs) link.Then, the QR code is scanned by attendees during attendance taking.This will trigger the link to a new attendance form for the attendees to fill up.The idea is by placing the link to the form in a third party QR code generator website.Attendees then scan the QR code using smart phones to confirm attendance on the retrieved form.
The use of QR code has advantage over biometrics due to ease of implementation.QR code can be generated easily and scanned using smartphones, which reduces the need for special hardware.However, QR code is less safe compared to biometrics approach when dealing with cheating.QR code can be shared and identity can be tampered.The use of QR code is still insufficient in deterring attendance cheating.Survey conducted with 125 students from 3 different lectures/tutorials reveal a high percentage (39%) being aware of the work-around.Masalha & Hirzallah (2014) proposed the design of an attendance system that uses QR code with multiple security factors to eliminate false registration.The additional factors are biometrics on a selfie photo and analysis of GPS location.GPS seemed to be a popular non-biometric approach apart of QR code.M. Y. Khan, Ram, & others (2015) proposed system that tracks employee through GPS by keeping an active login session on the smart phone.The approach requires registration of the phone's IMSI number with user identity.The solution requires continuous tracking by the server.
Literature review has shown preference for QR compared to biometrics because of economic and scalability reasons.QR code is not cheat-proof, therefore additional checks are conducted using IMEI and GPS features of the smart phone.None of the work, to the best of our knowledge, investigates and explains how the information is processed to detect potential cheating within the system.This work investigates measures that can be used to cheat-proof QR code.
With regard to cheat prevent technology, (Noguchi, Niibori, Zhou, & Kamada, 2015) has implemented an Android personal scanner that allows students to scan their ID cards using their own phone.To prevent cheating, the researchers employed a Bluetooth Low Energy (BLE) beacon device to transmit a secret code that enables proper registration of attendance but only within the range of the beacon.Preliminary investigation is conducted in phase 1.The goal is to understand the problem and what have been done so far to curb the problem.Phase 1 activities include literature review and fieldworks.

METHODOLOGY
The goal of literature survey is to identify the issues in attendance taking and the state of the art.Existing techniques were investigated by reviewing literature recently published in Google Scholar, IEEE, ACM and commercial websites.75% of the studied systems are not more than 3 years ago.Inclusion criteria are "attendance cheating", "attendance logging", "mobile application", "QR code application", "attendance-taking technology" and "authentication".Search results are prioritized according to articles that fulfil most of the inclusion criteria.
The goal of fieldworks is to investigate the current methods of attendance taking at the university.Formal and informal interviews as well as observation were conducted throughout a period of a year involving 20 lecturers and 100 over students for feedbacks on their thoughts about attendance taking, the issues of the current attendance mechanism in their classes and the effectiveness of the current attendance mechanism.Attendance cheating is an issue with the current attendance mechanism thus information on the methods of cheating and suggestions on prevention were obtained.
Data are collected through questionnaire survey and semi-structured interviews.Student feedbacks are collected through online form during the use of the proposed application.Interviews with lecturers are done in semi-structure format.a. Questionnaire -Survey questionnaire collects students' opinions and knowledge about attendance taking, the significance, the method used and safety issues.Questions also polls for student's history of attempted cheating.The surveys were done two times.The second questionnaire survey was dispensed after students were given opportunity to use the developed smart app.The objective is to collect the usability opinions.b.Interview -Interviews were done with lecturers.Interview contains two parts.The first part of the interview is structured by giving questions which require objective answers.These questions are mainly about the techniques that have been used to collect attendance and measures to detect cheating.The second part of the interview is open-ended.Questions allow space for interview to elaborate on concerns and ideas.
In Phase 2, findings from literature review and fieldworks are combined and analysed.The state of the art mentioned in literature is matched with requirements and existing approach in fieldworks.Different techniques have different strengths and weaknesses.The analysis of this study focuses on curbing attendance cheating using ubiquitous technologies to minimize cost and to increase flexibility of implementation.This affects the design and development of the idea which will be elaborated in the following sections.Analysis using Unified Modelling Language (UML) diagrams help with analysis of structure and behaviour of the design.The resulting prototype is developed using rapid prototyping approach in order to gain quick feedbacks from endusers and to identify hidden issues.
Phase 3 is about testing activities to ensure the proposed technique is working and users can accept and perceive if the proposal is both useful and user-friendly.The techniques apply multiple measures to capture data essential for authentication of an attendance.It is important that the techniques work collectively and smoothly.
Tests was conducted on multiple lecture and lab cohorts of various sizes.A total of 18 different locations inside and outside of the premises were tested using the smart app that implements the proposal.A student familiar with the attendees was implanted to simulate cheating.Several scenarios involving attempted cheating were re-enacted during actual lecture or laboratory to see if the proposed technique could cheat-proof those attempts.The results captured by the software were compared with manual attendance.

MANUAL ATTENDANCE TAKING -A UNIVERSITY CASE STUDY
Various methods may have been used to take attendance in Malaysian universities.This case study is based on a Malaysian private university.Various approaches have been used, from manual attendance to phone-based attendance.
A common manual approach will have an attendance form passed around and students put their initials on the form.Some lecturers prefer use a single attendance form for the whole semester, and some on session basis.Cheating occurs when students put initials on the days that they had not attended; or signing for others.Detecting this cheating is cumbersome and finding the proof is even more burdensome.Manual approach is prone to cheating.
Manual approach is also less efficient for both collecting initials and analysing the attendance.Paper-based attendance has another drawback: M. B. Khan et al (2017) mentioned that attendance forms can be lost easily which leads to loss of data.
To address the limitation of paper-based attendance, the University has also attempted phone-based technology.Any generic QR code scanner can be installed on student's phone.During class, attendance is taken by requiring student to scan a unique QR code displayed by the lecturer.The QR code provides a link to a Microsoft Form.Students open the link, fill and submit the attendance form.The advantage is instant report generation.However, it does not address attendance cheating.User survey has revealed that the approach does not eliminate cheating as the QR code can be captured as an image and sent to another phone for QR scanning.The web server provides GSM connection to clients that are logged into the system.One-time device registration is needed with the server for mapping user identity with device (smart phone) unique 15-digit IMEI.The server-side system is using 3-tier architecture.

MULTI-FACTOR AUTHENTICATION ATTENDANCE SYSTEM
The front-tier provides access to the system through client's smartphone application to end-user and through web forms for administrator and course creator.The design focuses on minimalist and intuitive use.Data required for authentication and validation are captured through user input and detecting client system's unique identification.
The second tier contains the essential business functions: -registration, QR code generator, reporting and multi-factor attendance analytics sub-functions.The analytics sub-functions will be elaborated in the following sections.
The third-tier of the server is data tier.It is implemented in MySQL Relational Database Management System and designed through MySQL Workbench.It contains multiple relational tables which are designed for ease of scalability and flexibility.A user can create or sign into a course/event.A participant needs only to register once to sign attendance for any events.An event can have multiple sessions, each with its attendance list.

Framework Using Multi-Factor Attendance Cheat-Proofing Analytics
The Multi-Factor Attendance Authentication System adopts a framework that uses a combination of deterrent and detection approach.The two approaches provide two level of attendance checking are the deterrent approach and the detection approach.The deterrent approach makes logging a fake attendance difficult.Detection approach helps administrator to identify potential fake attendance using analytics of the logging data statistics.Figure 3 shows the multi-factor conceptual framework.

Figure 3 Multi-factor Conceptual Framework
In deterrent approach, tokens are introduced as a measure to authenticate a genuine attendance.The use of tokens makes forging identity more difficult.There are two-sided tokens used in this work: server-side and client-side token.The server-side token uses unique QR code generated by server for each lecture/laboratory or session.The clientside token uses a unique 15-digit International Mobile Equipment Identifier (IMEI) code of each phone is mapped to the identity of the user during first-time registration.The use of two unique tokens create a unique attendance identifier in the database to be used for authentication.
It is still possible to identify the unique digits of the QR code and IMEI thus, a second level of security to curb forged attendance.This second level acts as detection stage by validating that the student's actual location when the attendance is taken.The detection stage uses time range and space parameters for validation.Time range parameter indicates that attendance logging should occur within the start and end time of the event.Space parameter.Space parameter indicates that attendance logging should occur at the venue of the event within the time range parameter.

Factor 1 -QR Code
The use of the QR code is to provide student the access to a lecture session.A lecturer registers the event in the system by entering the name and running time.The server attaches a unique QR code.This code is displayed on screen as a small window during the lecture session.A unique number based on name and time of event is encoded.Figure 4 shows the activity diagram for the lecturer to generate the QR code for the lecture session.Figure 5 shows the activity diagram for students to record their attendance.Before the class begins, the lecturer will display the QR code via a projector.The students need to download the Multi-factor attendance authentication mobile application and access the mobile application.For a first-time user, the student needs to register their details.Once logged in, the student can scan a QR code each time for attendance record.When student downloads and installs the smart app, they are prompted for personal details.The phone number is mapped to the registered name.Apart of phone number, the smart app will also register the unique IMEI number of the smartphone device.This information is stored in the database.The database contains five entities: Students, lecturers, courses, sessions and attendance.One of the attributes in Students class is the IMEI number which indicates that a mobile phone is attached to one student only.The QR code is generated based on the Session class.When the students record their attendance using the QR code, the QR unique identifier, scan time and attendee geo-location are sent to server for cheat-proofing analysis.The data will be analysed by comparing the data using some assumptions against known information in the database.

Factor 2: IMEI Code
The second deterrent factor is the IMEI code.IMEI code is a unique 15-digit code that uniquely identifies a valid mobile phone.An IMEI code is attached to a user.When a student registers first time, the system stores the IMEI code of the phone used for registration into the database.This maps student identity with IMEI.However, a limitation is that the student needs to update the registration in case he or she plans to use a different phone.During authentication, IMEI of the attendee will be checked against the stored IMEI number.Figure 6 presents the algorithm to check whether the student uses a registered phone when recording the attendance.

Factor 3: Time and Space Parameters
The third factor is about the validation of the user's time of attendance and location.Students needs to be at the right date, time and location to considered as present.Multi-Factor Attendance Authentication System checks for both time and location parameters.The time parameter is based on server time of when a new attendance record is created in the database.This is compared with the registered time of the event.In case the attendance time was not within the event's expected time window, the attendance would not be recorded.Next, the system identify determines location of attendee.Attendance logging should take place inside the premise.For this purpose, latitudes and longitudes coordinates of a student smart phone will be captured automatically when the student snaps the QR code.The longitudes and latitudes become the coordinates of each authenticated attendees.Each event will have a list of recorded attendees, each row represents an attendee.The assumption is that majority of the attendees are genuine and there may be a small minority of forged attendance if any. Figure 7 shows the pseudocode to identify forged attendance by processing the geo-location of the user.In the report, the coordinates are sorted in ascending order.All coordinates are expected to be very close.In our observation, all the digits up to thousandths decimal place is typically similar in both latitude and longitude coordinates.Using the sample in Table 1 below, note that attendees have similar digits up to thousandth decimal places for latitude 4.381 and longitude 100.968 respectively with reasonable distances among one another (especially with the session creator).Thus, the mod value can be determined from the thousandth decimal precision.Any record falling out of the mod (outlier) is a potential defaulter.Figure 8 shows the pseudocode to identify the outliers: Figure 8 Pseudocode for Geolocation Outlier Analysis.
The algorithm carries out analysis automatically by using the following logical expression on the coordinates for each row of the list:

IF ((latitude_row(?) <> latitude_mod) OR (longitude_row(?) <> longitude_mod)) THEN OUTCOME(?) = "Outside" ELSE OUTCOME(?) = "Inside", WHERE ? is ROW END IF
As a prerequisite, the algorithm needs to know the mode of the longitude and latitude.The assumption is attendees flock together, thus the values of longitude and latitude are very similar.Based on our study, within an average lecture hall, the longitude and latitude values are similar up to the 3 rd decimal place.Thus, the mode can be determined by checking for similar values up to 3 rd decimal places.
Algorithm to determine cheating is implemented as finding the row of data with attribute that is distant from the mode value.The above algorithm compares every longitude and latitude in records with the mode longitude and mode latitude.Difference after the 3 rd decimal place is negligible.Any other dissimilarity before the 3 rd decimal indicates possibility of the device being in a different location.
Both algorithms above are of O(n) complexity, where n is the number of records.Since n is reasonably small, the complexity is negligible.

Mobile Application User Interface
The user interface of Multi-Factor Attendance Authentication System consists of a client smart phone application and server web application user interface.Figure 9 shows the user interface for the Multi-factor attendance authentication mobile application.The mobile application requires one-time registration of new user to map user identity with IMEI.Then, attendance checking is done by having the device scanning a QR code.
The client mobile application does not analyse authentication.The role is as a sensor to capture values needed for multi-factor authentication analysis on the server side.The values captured are summarized in Table 2: Figure 10 shows the user interface for the lecturer to manage courses.This user interface includes all created courses with their details by lecturer and reports button on the left.Moreover, the page includes actions such as adding new course, creating session and editing or deleting the course itself.A lecturer can create more than one courses.For each course, the lecturer can create the sessions.The reporting features of Multi-Factor Attendance Authentication System provides documentation to the lecturers and the university.Users can select the courses that they want to view or download the report.Figure 12 shows user interface for users to download the attendance report.The downloaded report will be in CSV file format.

SYSTEM TESTING
The system has successfully detected QR and IMEI code in most situations.First-time installation and usage of the system's smart app has shown to be taking a longer time than usual due to participant's lack of familiarity with the procedure.The experiment was deliberately done in a candid manner to see how attendees could use the system with zero or minimal instruction.
It is also noted that scanning QR code is straightforward and easy.However, if the room is large, the screen may become warped for students who sat on the edges.They found the scanner to be less effective in detecting the screen.
Table 3 presents a sample record from the experiment conducted for geolocation analysis.The actual location of the subject is already known, as depicted by column "Expected outcome" in Table 3 below.The system will generate values recorded under "Actual test outcome".Conclusion is consistent if both expected value and actual value are similar.
Majority recorded coordinates are similar.The MOD coordinates are determined by counting similar coordinates up to thousandth place.In the example, the MOD latitude and MOD longitude are 4.381 and 100.968 respectively.
However, highlighted rows have different coordinates from the MODs and thus requires further validation.It could be seen that for Max, the difference is in the longitude coordinate.For both John and Conor, the difference is in the latitude coordinate.As for Jeff, difference is found in both latitude and longitude.

Table 3 Sample Attendance Record
Figure 13 illustrates number of detected attendance cheatings against attempted cheatings using two methods of attendance taking.The blue line represents the proposed attendance system whereas orange dashed line represents manual attendance-taking.

Figure 13 Detection of Attendance Cheating
Several repeated tests of the system have produced consistent and positive outcomes.On the other hand, manual attendance does not reliably detect all cheating attempts.With a bigger number of attendees and more cheating attempts, manual approach does not effectively catch up.

USER ACCEPTANCE TESTING
User acceptance testing has been conducted with a total of hundred undergraduate students spanning over three lectures and two labs.These students were familiar with manual attendance as well as QR code scanning.A facilitator guided them to install, register identity, scan QR code to register the attendance and to fill up the feedbacks.
The general perception (90% of respondents) is in favor of the technology for effective record-keeping.The proposed technique introduces a new hassle which is requiring registration for a new event and scanning of QR code for every session of the event.Respondents, however, did not see this as being more of a hassle compared to manual attendance taking.On the Likert Scale of 1 to 10, where higher number indicates higher perceived hassle, the average hassle score for manual attendance and the proposed multi-factor approach are 9 and 2 respectively.
Respondents were unable to distinct the difference between the conventional QR code application and the proposed QR code with multiple-factor authentication.This is unsurprising because the multi-factor authentication is a server-side processing.The mobile phone is only used for collecting contextual information about the user, which is location and time.A few users are aware that Location feature of the phone is being used when the application prompted them to turn on the feature.
Survey has also been conducted with a few lecturers.Two of them tested the technique with students in real lecture and lab settings.The rest of the lecturers are interviewed after being shown the system's interface and demonstration.Feedbacks indicate good acceptance because all the lecturers are familiar with attendance-taking using QR code.All agreed that QR code itself does not prevent cheating in a way better than manual attendance.In fact, manual attendance provides an advantage when the student's signature can be analyzed.
The lecturers agreed however QR code used with other prevention factors introduced in this work can effectively help to authenticate an attendance and possibly make cheating very inconvenient.One advantage of the system is the real-time recording of attendance, time-stamp and GPS location.A lecturer can access the dashboard to track the attendance, identify the suspicious IMEI device using GPS location that is not similar to the mode values statistically, and use the mapped phone number to call the student.

Significance
The significance of this study is the implementation of multi-factor attendance authentication which requires no special hardware setup but providing reliable detection.It is naïve to say that it is totally cheat-proof, but the algorithm makes cheating less appealing: - Factor 1are you at the right event? Factor 2do you have the unique token? Factor 3are you there within the event time range? Factor 4are you (your token) there physically?

Figure 1
Figure 1 shows the methodology of the project.It contains three major phases: Phase 1 Preliminary Investigation, Phase 2 System Development and Phase 3 User Acceptance.

Figure 2
Figure2depicts the multi-factor authentication attendance system architecture.The system architecture uses client-server architecture.The client is a thin Android application, an Android Package Kit (APK) file downloadable from Google Play Store.It contains simple user interface for one time registration of user and phone; and a function to scan QR code each time the user intends to sign for an attendance.

Figure 2
Figure 2 System architecture

Figure 4
Figure 4 Activity Diagram: Lecturer Generates QR Code.

Figure 5
Figure 5 Activity Diagram: Students Record their Attendance

Figure 6
Figure 6 Pseudocode for IMEI Number Check.

Figure 9
Figure 9 Student User Interface: Mobile Application

Figure 10
Figure 10 Lecturer User Interface: Manage Courses

Figure 11
Figure 11 Lecturer User Interface: Creating New Session.

Figure 12
Figure 12 Lecturer User Interface: Report Download.

Table 1
Sample Student Attendance Records

Table 2
Factors for attendance authentication.