Modifying OTP Authentication Security Using the HMAC-SHA256 Algorithm in the Information System of PT Indonesia Gadai Oke

Authors

  • Alvin Lie, Universitas Muhammadiyah Sumatera Utara
  • Martiano Martiano, Universitas Muhammadiyah Sumatera Utara

DOI:

https://doi.org/10.70340/jirsi.v5i2.346

Keywords:

Two-Factor Authentication; HMAC-SHA256

Abstract

The security of user data in web-based information systems is frequently undermined by conventional authentication mechanisms that rely solely on static passwords. Credential theft and brute-force attacks against the internal information system of PT Indonesia Gadai Oke call for an additional layer of security to protect sensitive customer data and financial transactions. This research designs and implements a Two-Factor Authentication (2FA) system based on the HMAC-SHA256 (Hash-based Message Authentication Code with Secure Hash Algorithm 256-bit) algorithm, integrated with a Trusted Device feature and Web Push notifications. The method applied is Time-based One-Time Password (TOTP) with a 30-second time step. A unique code is generated on the server side by 32-bit dynamic truncation of the HMAC-SHA256 digest, computed with the secret key over the current timestamp. Web Push notification was chosen as the distribution channel to eliminate SMS operating costs and minimize delivery latency. The system was tested using Black Box Testing and Security Testing, with each scenario repeated 10 times. The results show a 100% functional success rate in validating authorized users. In terms of security, the system rejected SQL Injection, Cross-Site Scripting (XSS), and Replay Attack attempts with a 100% success rate, the last of these through a single-use token validation mechanism. The implementation reduced the risk of account hijacking and improved the efficiency of the authentication process at PT Indonesia Gadai Oke.
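The server-side TOTP generation and single-use validation the abstract describes, written here as an added Python example (not the paper's own code): the 30-second step, HMAC-SHA256 and dynamic truncation are taken from the abstract, while the 6-digit code length, the one-step clock tolerance and the per-user set of consumed counters are assumptions.

```python
import hmac
import hashlib
import struct

TIME_STEP = 30  # seconds, the interval stated in the abstract
DIGITS = 6      # assumed code length


def totp_code(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP with HMAC-SHA256: the counter is floor(T / step) as 8 big-endian bytes."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    # RFC 4226 dynamic truncation: the low nibble of the last byte picks a 4-byte window
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # 31-bit value
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server-side check: correct code, within +/-window steps, and never accepted before."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window          # assumed clock tolerance in time steps
        self.used = {}                # username -> set of counters already spent

    def verify(self, user: str, code: str, now: int) -> bool:
        if not (code.isdigit() and len(code) == DIGITS):
            return False
        base = now // TIME_STEP
        for counter in range(base - self.window, base + self.window + 1):
            expected = totp_code(self.secret, counter * TIME_STEP)
            # constant-time comparison avoids leaking which digits matched
            if hmac.compare_digest(expected, code):
                consumed = self.used.setdefault(user, set())
                if counter in consumed:
                    return False  # replay: this token was already used once
                consumed.add(counter)
                return True
        return False
```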




Published

2026-05-31
