Device Identity-Based User Authentication on Electronic Payment System for Secure E-Wallet Apps

E-wallets are a modern electronic payment system technology that easily recognizes consumer interest, making our transactions very convenient and efficient. E-wallets are intended to substitute the existing physical wallet, which may tell others something about us as a person. That is why using a physical wallet is a unique, personal experience that cannot be duplicated. A solution would be to replace the physical wallet with an e-wallet on an existing mobile device. The personal nature of the e-wallet is that it should be installed on a unique device. One of the fundamental protections against any illegal access to e-wallet application is through authentication. In particular, the fundamental authentication category used in an existing e-wallet is based on knowledge (i.e., what you know), ownership (i.e., what you have), and biometric (i.e., what you are) authentication, which are sometimes prone to security threats such as account takeover, SIM swapping, app cloning, or know your customer verification attacks. The design of an e-wallet authentication on mobile device solution must take into consideration the intensity of the security. To address this problem, this study proposes a design of e-wallet apps with an extension security element that focuses on the device identity in the existing user authentication mechanism. This study covers four fundamental categories of authentication: password, one time password, fingerprints, and international mobile equipment identifier. Using IMEI limits an e-wallet to one specific device at one time; this brings it into line with the nature of a physical wallet. In addition, it will be ready to handle the threats mentioned above, which will ultimately result in far more reliable use of e-wallet apps. The proposed authentication design has two phases, a registration phase and an authentication phase.
The proposed method has been developed and implemented based on Android Studio, Firebase real-time database management, and PayPal. In addition, the complete design has been evaluated using functional requirement testing to see how closely it meets functionality requirements. The results obtained from functional testing show that the functionalities of the proposed method meet the requirements, and one cannot use the same account on two devices; hence, it is secure from attacks. The result also shows that the proposed method has no errors. Moreover, it has been shown that our proposed method has better security parameters in terms of the existing method.


Introduction
The concept of electronic wallets is not new. In certain countries such as Japan, the e-wallet has been in popular usage as early as 2004 [1,2]. An electronic wallet, sometimes called a "digital wallet" or "e-wallet", is an electronic adaptation of a payment card that is approved for electronic exchanges [3,4,5]. The e-wallet payment system uses sophisticated authentication methods to enhance protection. The identity of the user must be checked, and only authenticated users are allowed to use the system. To secure user data and privacy, the development of trustworthy e-wallet authentication is an extremely important challenge. Authentication is the principal element associated with e-wallet payment. Currently, knowledge-based authentication is commonly used throughout the community, as it is distinctive and operator-friendly [6,7]. is a method that implements more than one factor and is known to be stronger and safer than the KBA. Authentication by two factors such as tokens or cards has proven effective and difficult to exploit [15,36,37,38].
Although ownership usage is strong, malicious assaults such as lost/stolen cards, token expenses, token forgery, and token losses continue to affect them [8,39]. As e-wallet transactions increase, ownership is not sufficient for secure transactions [6,11]. Therefore, a better and secure authentication scheme is required to validate users' authenticity.
Multifactor authentication was regarded as a formula for protecting e-wallet transactions to alleviate the problem of ownership. Authentication through multifactor solutions continues to lead the market by securing the future and reputation of e-wallets through emerging technology. They also deter hackers and crimes from attacking users. Multifactor authentication is an access control method that an entity can effectively perform through multiple stages of authentication [40,41], and it helps make it difficult for any intruder to hijack the identity of the real user [42].
Until now, many methods were available for secure user authentication, including biometric authentication [43]. Biometric means automated detection of people based on their specific behavioral and physical attributes, such as experience, speech, fingerprint, iris, etc. [44]. There are two types of biometrics, namely unimodal biometrics and multimodal biometrics [25]. Biometric systems have many uses. Several biometric-based authentication systems are shown in [9,43,45,46,47]. Additionally, facial biometric authentication [48] plays a crucial part in electronic payment authentication. Built-in video cameras, particularly front-facing digital cameras, are now more common in mobile phones. Facial biometric authentication has become very popular compared to the optical fingerprint recognition component in cell phones, such as in the approach of [49,50]. The works related to e-wallets and their findings are shown in Table 1.

Table 1. Work related to e-wallets.

Authors | Methods and Models | Technical Feature | Finding/Weakness | Evaluation Approach
[9] | Biometric authentication | The prototype tries to ensure the captured fingerprint is consistent and the process is repeatable (usability). | Facial recognition does not work well under poor conditions such as poor lighting | Likert-5, VeriFinger's software development kit (SDK)
[11] | WinAuth/Google Authenticator | This study approach user ID, password, and fingerprint. | In order to continue to grow, the security and the privacy aspects need to be improved | Android Studio
[52] | Biometric authentication (fingerprints) | This study requires an extra device to authentication fingerprint. | Costly and single elements | Public key cryptosystem
[53] | Biometric authentication (iris) | Poor practicality, unable to distinguish iris colors by ethnic features, the issue of financial difficulty is thus high market price, and therefore, the decrease in general utility is difficult to miniaturize. | Requires extra hardware | MATLAB
Electronics 2022, 11, 4

The literature review focuses on the need for device identity-based authentication in electronic payment systems such as e-wallet applications that use over two attributes (what you know, what you have, and what you are). Very few of the online banking or mobile banking studies used IMEI to generate tokens for one time password (OTP) authentication. This technique, however, was not related to e-wallets. In addition, the literature review indicates that there is a possibility of implementing device identity-based user authentication for e-wallets. From the literature study, it is clear that passwords and OTP are not sufficient for secure transactions. Multifactor authentication research has been carried out using many attributes. However, the study does not provide a mixture of attributes that combine specific authentication mechanisms and unique identification of the mobile device to improve the security of e-wallet apps. Many researchers used passwords, OTP, and biometric elements for e-wallet authentication. Most of the work is based on a framework that does not have enough justification for user authentication. Therefore, this research proposes a device identity-based user authentication for e-wallet apps.

The Authentication Conceptual Design
To satisfy the user, every application must apply design. A design is a technique for organizing elements in the most effective way to achieve a particular goal. Registration and authentication phases are the two steps in the authentication design. Before using the Zamwallet, the user must enter their information through a process called registration. A technique known as the authentication step is used to verify the information. In the registration phase, the user has to input their credentials, such as password, fingerprint, and OTP, into the mobile device, from which the information will be moved into the database. The user information will be stored in the Firebase server through real-time databases. The user is required to enter their registered credential information, such as password, fingerprint, and OTP, into the mobile device during the authentication phase, where the server will compare registration and authentication values. During transactions, where the PayPal gateway is connected to the Firebase interface, the same rule will be applied. We will utilize Android Studio in our proposed method. The server and application are linked to Android Studio using a variety of application programming interfaces (APIs), making it simple to construct an e-wallet using sophisticated features and libraries available on the Android platform. For the back-end, we will utilize a real-time Firebase database and PayPal gateway. Once the proposed apps have been completed, the next process is the evaluation process. The proposed method has been used to test the performance of the Zamwallet in the requirement test. The key aim of the requirement testing is to validate how well the functionality works. The proposed conceptual design of authentication is shown in Figure 1.

Authentication Process Flow
The authentication process flow is one of the important elements of the proposed Zamwallet. The primary concern here is to focus on user authentication. The authentication process flow has two phases: registration and authentication. The authentication process flow of the study is given in this section. Table 2 presents the notations used in the proposed method. To use the service, the user will need to perform a one-time registration. In the registration phase, the users' information is gathered. Using the information given and the method used during the login, the server checks if the user is legitimate. The proposed registration procedure is presented in Figure 2. Here, the user has to register their account after giving the relevant details. The registration procedures are as follows:
Step 1: Start initializing the registration process.
Step 2: The user inputs their information, PWDi, IMEI, BFi, on the mobile device.
Step 3: Generate two large prime numbers p and q, and compute N = p × q.
Step 4: Choose integers e and d that satisfy e × d mod ((p − 1) × (q − 1)) = 1.
Step 5: Generate an OTP and send it to the input numbers.
Step 6: Input the OTP.
Step 7: If "OTP Match", go to Step 8; else go to Step 6.
Step 8: Random challenge RC for the Ui, where it generates IDi = PWDi, IMEI, BFi.
Step 9: Store all the Ui information.
Step 10: Stop.
In the registration phase, the information that the user would like to divulge to log into the system will be gathered. In this phase, the user enters their personal identity and can access the system only then.

Authentication Phase
When the customer tries to log in, the authentication server has to authenticate the user. If both values are the same, the authentication is successful. The authentication process flow is composed of two processes: the login process and the authentication process. The user must log in using the approved password, fingerprint, and OTP for authentication. After logging in utilizing this method, the user can see only the account details. To complete a transaction, the user must authenticate themself via fingerprint. The transaction will be completed only after the user has authenticated with the fingerprint details. The authentication process flow is shown in Figure 3. The authentication measures can be explained as follows:
Step 1: Start initializing the authentication process.
Step 2: The user inputs their information, PWDi, IMEI, BFi, on the mobile device.
Step 3: Check for verification, using the encryption function on the concatenated string: ESQ = E(CS).
Step 4: Use the encryption function on the plain private key and concatenated string: PKE = E(PKP, CS).
Step 5: RF is matched with the decryption function: if RF = D(PKE, CS).
Step 6: Generate an OTP and send it to the input numbers.
Step 7: Input the OTP.
Step 8: If "OTP Match", go to Step 9; else go to Step 7.
Step 9: Access granted. Stop.

Figure 3. Authentication process flow.
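
The registration and authentication phases above, as an added Python example that is not the paper's code: the server stores an IDi derived from PWDi, IMEI and BFi, so a login that presents a different device identifier fails before any OTP is issued. Assumptions: PBKDF2 stands in for the paper's RSA encryption steps, BFi is treated as an opaque enrolment token, and the `WalletServer` names, the OTP lifetime and the three-attempt cap are hypothetical (the paper's flow re-prompts for the OTP without a limit).

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120   # assumed lifetime; the paper states none
OTP_MAX_ATTEMPTS = 3    # assumed cap; the paper's flow re-prompts without limit
KDF_ROUNDS = 100_000    # assumed PBKDF2 work factor


def encode_fields(*fields):
    """Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide."""
    out = b""
    for field in fields:
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


class WalletServer:
    """In-memory stand-in for the back end that stores each user's ID_i."""

    def __init__(self, clock=time.time):
        self._users = {}   # user -> {"salt": bytes, "id_i": bytes}
        self._otps = {}    # user -> {"code", "expires", "tries", "pending"}
        self._clock = clock

    def _derive_id(self, salt, pwd, imei, bf):
        # ID_i binds PWD_i, IMEI and BF_i together; only this digest is stored.
        # imei is whatever the app reports: the server cannot verify it alone.
        return hashlib.pbkdf2_hmac("sha256", encode_fields(pwd, imei, bf), salt, KDF_ROUNDS)

    def _issue_otp(self, user, pending=None):
        code = f"{secrets.randbelow(10**6):06d}"
        self._otps[user] = {"code": code, "tries": 0, "pending": pending,
                            "expires": self._clock() + OTP_TTL_SECONDS}
        return code  # returned only so the example runs offline; normally sent by SMS

    def _check_otp(self, user, code):
        entry = self._otps.get(user)
        if entry is None:
            return None
        entry["tries"] += 1
        expired = self._clock() > entry["expires"]
        match = hmac.compare_digest(entry["code"].encode(), code.encode())
        ok = match and not expired
        if ok or expired or entry["tries"] >= OTP_MAX_ATTEMPTS:
            del self._otps[user]  # single use: burn on success, expiry or lockout
        return entry if ok else None

    # Registration phase: collect the factors, confirm the OTP, then store ID_i.
    def start_registration(self, user, pwd, imei, bf):
        if user in self._users:
            raise ValueError("user already registered")
        salt = secrets.token_bytes(16)
        record = {"salt": salt, "id_i": self._derive_id(salt, pwd, imei, bf)}
        return self._issue_otp(user, pending=record)

    def finish_registration(self, user, code):
        entry = self._check_otp(user, code)
        if entry is None or entry["pending"] is None:
            return False
        self._users[user] = entry["pending"]
        return True

    # Authentication phase: recompute ID_i from the presented factors, then OTP.
    def start_login(self, user, pwd, imei, bf):
        record = self._users.get(user)
        salt = record["salt"] if record else bytes(16)  # equal work for unknown users
        candidate = self._derive_id(salt, pwd, imei, bf)
        if record is None or not hmac.compare_digest(candidate, record["id_i"]):
            return None  # wrong password, fingerprint token or device: no OTP is sent
        return self._issue_otp(user)

    def finish_login(self, user, code):
        entry = self._check_otp(user, code)
        return entry is not None and entry["pending"] is None


def demo():
    """Constructed sample values; returns the outcome of each scenario."""
    server = WalletServer()
    otp = server.start_registration("alice", "S3cret!pw", "IMEI-DEVICE-A", "bf-token-1")
    registered = server.finish_registration("alice", otp)
    otp = server.start_login("alice", "S3cret!pw", "IMEI-DEVICE-A", "bf-token-1")
    same_device = server.finish_login("alice", otp)
    other_device = server.start_login("alice", "S3cret!pw", "IMEI-DEVICE-B", "bf-token-1")
    return {"registered": registered, "same_device": same_device,
            "other_device_otp_issued": other_device is not None}


if __name__ == "__main__":
    print(demo())
```

Because the device identifier is supplied by the client, this check is only as strong as the app's ability to report it honestly.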

Detailed Design
The suggested authentication design does not consist of registration and authentication phases alone. It also includes diagrams of components, class, and sequence.

Modules on Zamwallet
Two fundamental modules are available in the proposed Zamwallet application: one is the admin module, and the other is the user module. The admin module is used to enter login details, add/update/delete items, add-on/update/delete details for registered users, and update order status. It is a system management module that provides an interface for dealing with admin and user management. This systems management monitoring aids the admin in connecting things to the database, updating and removing user information, reviewing user orders, collecting transaction summaries, and collecting all instructions received by the registered user. Management admins are frequently in charge of the system. It is also known as the back-end module. The real-time Firebase database, which uses automated user updates, is employed in our proposed method. Firebase also offers machine-learning techniques for application data security via the ML Kit mobile SDK that offers a selection of highly competent and efficient pre-trained models based on deep learning algorithms [54]. Various kinds of attacks can be reduced using machine-learning techniques, such as malware detection and cloud security [54,55].
The front-end Graphical User Interface (GUI) is the user module. The user interface enables users, by registering in the application, to log in, edit profiles, view transactions, top-up money, transfer money, and log out.

Component Diagram
The component diagram explains how this system is divided into many subsystems. There is a multilayer component in Zamwallet such as the Firebase database, Android device, Firebase SDK, PayPal SDK, and framework controller. The Firebase real-time databases are connected to the Firebase management. The application controller includes all the applications that are the middle layer within the Firebase SDK, PayPal SDK, and framework components. The controller (mobile device) is connected to both sides (i.e., the Firebase real-time database and framework). The Firebase is responsible for connecting to the real-time database server. Figure 4 illustrates the component diagram of this application.

Class Diagram
The implementation requirements depend on the analysis of the system. The unified modeling language (UML) is used to draw and visualize the architectural structure of the projects. The UML is a unique, standardized representation. In a system review, a developer may use the case diagram to display all the participants taking part in the project. Figure 5 presents the class diagram of the Zamwallet.

Sequence Diagram
A sequence diagram is an interaction diagram that describes how the exchange of messages is carried out over time. A sequence diagram is a good way to display different runtime scenarios and to validate them. This can help predict how a system is going to behave and recognize roles that a class may have in designing a new system. This subsection describes the sequence diagram of proposed Zamwallet apps for the front-end interface where a customer will register, authenticate, top-up money, and transfer money through a payment gateway.

User Registration Function
The proposed application has two processes: a register activity and a register OTP activity. Creating an account is the first step in using this application. The method of registration is quite simple. Initially, the user must complete all the fields needed in the registration form. The registration form consists of four fundamental categories of authentication: password, device ID, fingerprints, and OTP. Then, users will submit the form by clicking the register button. The backend controller of the registration page will ensure that all fields needed are correct. If not, the program shows the user an error message indicating the precise details of the error, and the user is re-directed to the registration page. In the proposed Zamwallet, the user passwords are encrypted using the Rivest-Shamir-Adleman (RSA) algorithm for security. In the following figure, the hide keyboard function is used to keep the virtual keyboard to prevent autocorrect for spelling mistakes; here, the hide keyboard function is used for security. Encrypted data is the process of encrypting user input data using an RSA string to the public key and finally creating a user account in register activity. After input, an OTP verification code will be sent to the registered phone number of the user. If all the information is correct, the user is automatically directed to the default page to log in as a member. The registration is shown in Figure 6a, while Figure 6b shows the OTP activity.
Step 1.2: The EncrptData function is the process in RsaAlgorithmUtil, which waits for the user input data to process the message.
Step 1.2.1: The user input data is encrypted in RsaUtil.
Step 1.2.1.1: Then, the user input data is encrypted using RSA string to public key in RSAUtil, and a return message is sent from the RsaAlgorithmUtil to RegisterActivity.
Step 1.3: Finally, the register activity sends a message to the UserModel to create an account and waits for the RegisterActivity to respond.
In (b), Step 1.1: The RegisterOtpActivity will hide the keyboard in the CommonUtil and return a message to the RegisterOtpActivity. Step 1.2: The verifyOtp code starts, ends with RegisterOtpActivity, and waits for the response. Step 1.2.1: Once OTP is verified, the onComplete function then waits for the anonymous (where Utils functions are stored) response to process the request. Step

User Login Function
To log into the system, the client needs a password, fingerprints, and OTP verification. The user password is encrypted with an RSA algorithm with a user private key in the RSA unit. When a user submits their account credentials and presses the ask OTP button, the login method will send a verification code to the registered phone number if the provided data match the user's login details stored in the database. If it does not match, an error message will be displayed to the user for the corresponding field. If the data submitted match the credentials in the database, the customer is forwarded with a login profile to the main page. The login function can be divided into two categories: login activity and login OTP activity. Figure 7a describes the sequence diagram of user login activity, and Figure 7b describes the login OTP activity.
Step 1.2: The signing starts and ends with LoginActivity and waits for the response.

User Authenticating Function
Authentication functionality is one of the most important functions in Zamwallet. For top-up and transfer of money, functionality authentication is a single method. Users require a password, fingerprints, and OTP authentication for access to the system. With a private user key, the user password is encrypted into the RSA unit using the RSA algorithm. Authentication of the OTP identification code with user credentials is required when logging into the system. When a user confirms their account credentials and clicks the OTP button, the authentication system will deliver the registered phone number to the success list, to the verification code, where the submitted data should match the user login information. If this does not match, an error message is shown to the client, and it must be validated by the customer with OTP authentication. The user shall be forwarded to the profile if the requested data matches the credentials in the database. The user will see the updating transaction in this process. The user transaction updates the user balance and servers instantaneously. The authenticating function can be divided into three categories: AuthenticateActivity, AuthenticateOtpActivity, and AuthenticateSuccessActivity. Figure 8a describes the sequence diagram of AuthenticateActivity, Figure 8b describes the AuthenticateOtpActivity, and finally, Figure 8c describes the AuthenticateSuccessActivity.

(a) Step 1.2: AuthenticateActivity sends a message to the AuthenticationModel to create an account and waits for AuthenticateActivity to respond.
Step 1.3: Finally, AuthenticationModel creates and sends a response to AuthenticateActivity.
In (b), Step 1.1: The AuthenticateOtpActivity will hide the keyboard in the CommonUtil and return a message to the AuthenticateOtpActivity.
Step 1.1: The UpdateTransactionDb will start and return a message to the AuthenticateSuccessActivity.

Top-Up Money Function
Users can access multiple banks for topping up money after authentication into the system. They need to choose the amount they want to update in this application. Once the user selects their preferred bank account, the payment gateway is sent directly to the user. PayPal is the default payment gateway for transactions. Each registered user can add funds to their PayPal account. The PayPal sandbox account helps users to work conveniently. The user's money is immediately updated in the user balance and database. Figure 9 describes the sequence diagram of user top-up money for the proposed Zamwallet apps.

Transfer Money Function
Users can transfer money from their account to another registered Zamwallet account after the money has been added to the system. In this process, the user has to choose the amount they want to transfer before transferring the money to another Zamwallet account. Users could also use the contact list to get the recipient's profile information.
Once the user has chosen the recipient, they have to authenticate themself using their password, fingerprint, and OTP. The money is sent to the recipient's account after successful authentication. Figure 10 describes the sequence diagram for user money transfer for proposed Zamwallet apps.

Proposed Method Implementation
The proposed Zamwallet has some functional capabilities that need to be implemented. For each functionality, a full procedure is followed. All the functionality has been developed and implemented based on the Android Studio framework and Firebase real-time database management. The prototype is evaluated based on the registration and authentication stages. The simulation is run on the webserver side on a DELL laptop computer with an Intel Core i7 CPU at 3.40 GHz and 6 GB RAM. The operating system is Windows 10 Professional. Android is an open-source operating system built on Linux, and the Android platform makes everyday activities simple and fast, and it has helpful apps for mobile devices. The prototype implementation is discussed as follows:

User Registration
To perform a transaction from Zamwallet to another Zamwallet, the user must be a registered member. A new user signs up on Zamwallet by clicking the register button on the welcome page. If a user clicks on "Register," the user will receive a registration form. The user must complete all the necessary fields in the following four specific categories: knowledge (i.e., password), device ID (i.e., IMEI), biometrics (i.e., fingerprints), and ownership (i.e., OTP). A registered member can access this method only when the registration is complete. A "RegisterSuccessActivity" feature can process and verify all the data entered in the registration form before saving it in the database. After the user details have been completely input into the system, OTP verification is requested for the registration. If the user registers successfully, then a notification message, "successfully registered", appears. The proposed Zamwallet has three activities in the registration: "RegisterActivity", "RegisterOtpActivity", and "RegisterSuccessActivity". A display message will appear to the customer after a successful registration. The details of each step are shown in Figure 11.

User Login
The user has to use their credentials to log into the application for each period of usage. The system first asks the user to authenticate themself with their information. To log in, the user has to provide the registered details, such as password, fingerprint, and OTP. If the user enters details that are not registered, the user will get a notification message. The user cannot log in to the system through system authentication properties. A request is executed, and a login form is delivered to the user when the user clicks on the login table. A user "LoginActivity" feature performs all the logic and procedures required to connect to the database and stay connected to it. The proposed Zamwallet has two activities in the login phase: "LoginActivity" and "LoginOtpActivity". There is a string query to extract the correct login credentials from the database to match the requested data of the user. The user is routed to the application's homepage after active login. The user will view their name and a log out option. A login screen displaying the authentication pages is shown in Figure 12.

Profile Activity and Dashboard
A user profile includes the following functions: update and access profile as a system member, name of the user, user phone number, and user profile image. A feature called "ProfileActivity" protects both logic and procedures for connecting to the server. Meanwhile, the dashboard shows the user's profile image, wallet balance, mobile number, and transaction view. All usable links can be found on the dashboard. A function named "DashboardActivity" will handle all the logic and processes to connect to the application. The activity of this proposed system is shown in Figure 13.

Top-Up Money
After being authenticated by the system, users can access multiple banks to top-up money. Within this option, users need to choose the level of updating they require. The users can choose their favorite bank account. Whenever the users select their preferred bank account, the password, fingerprint, and OTP verification have to be authenticated by the users. The payment gateway is submitted directly to the recipient of the application. "TopupMoneyActivity" is the transaction process developed for this. The execution of the money transfer happens after successful authentication. The details of each step are shown in Figure 14.

Transfer Money
Users can transfer money from their account to another registered Zamwallet account after the money has been added to the system. In this process, the users have to choose the amount to be sent before transferring the money to another Zamwallet account. The users have to authenticate themselves using their password, fingerprint, and OTP. A function named "TransferMoneyActivity" handles all the logic and processes involved. After successful authentication, the money transfer will be successfully executed. The entire money transfer activity testing is shown in Figure 15.

View Transaction
Any registered member can view all the purchase details in this module. After successful login, the user can check transaction history. A function named "ViewTransactionActivity" has been developed to monitor transactions by clicking the view transaction table. All the transactions of the users, such as transfer money and top-up money, can be seen using the view transaction button. The view transaction page is shown in Figure 16.

Prototype Evaluation
To ensure their functionality, it is important to evaluate mobile apps. Evaluation is the main way to comprehend how users communicate with a specific interface when they use the system. For evaluating the entire design, we performed a functionality test. Functionality testing is a type of apps testing that validates the software system against functional requirements. The discussion here focuses on the essential implementing considerations of the functional aspects of the proposed device identity-based Zamwallet. The requirement test is performed to ensure that the system is executing as per expectations with no bugs or errors. This section describes the outcomes of the experiments on the prototype. The objectives of the evaluation are:

• To ensure that the functionality requirement is fulfilled in different Android versions/devices;
• To ensure that Zamwallet registered to a single entity/user cannot run on two devices at a time;
• To ensure that Zamwallet satisfies the conditions of registration, authentication, transfer of money, and top-up of money with the functionality test.

Result and Analysis
The proposed method uses four-authentication techniques in this study to secure Zamwallet e-wallet apps. This paper has demonstrated the system and pointed out its output using different functions. The proposed Zamwallet was installed on different Android devices to measure their performance for functionality. The main functionality and performance results are presented in the following subsections.

Experimental Result of OTP
We have evaluated the Zamwallet using three different mobile phone devices: Redmi, Vivo, and Neffos. The experimental OTP results of the Redmi user are shown in Table 3. Table 4 shows the experimental results on the Vivo device. Additionally, Table 5 shows the results on the Neffos device.

Experiment Result of Top-Up Money
Seven transactions were completed in the top-up functionality involving different times and different amounts of money. The top-up money functionality was successfully completed using the PayPal payment gateway, and all the records were given by a PayPal sandbox account. We also evaluated transactions between the PayPal gateway and Zamwallet. The list of top-up money transactions is presented in Table 6.

Experiment of Transaction Money
Eleven transactions were completed in the transfer functionality test, using the users' registered phone numbers and currencies. The transfer money functionality was successfully completed by transferring money from one Zamwallet user to another Zamwallet user. We hid the users' numbers to conceal their identities. Table 7 shows the overall characteristics of the transfer money functionality. For security purposes, the last 3 digits of each user's number are hidden as ***.

Experiment on Firebase Database
The admin must log in to enter the real-time database. To log into the Firebase console, the user must have a Google account. After successful login to the Firebase console, the user can select the database's features. Only an admin can monitor the system. Moreover, the admin could edit and delete user details from the system. Figure 17 shows each step of the real-time database of the proposed Zamwallet.
As Figure 17a shows, the user device identity (ID) is encoded with Base64. However, Firebase real-time is very secure with support from Google. The user password is encrypted with RSA. The National Institute of Standards and Technology (NIST) has been proposing a minimum of 2048-bit keys for RSA since 2015, an upgrade from the accepted 1024-bit minimum recommendation from at least 2002 onwards [56,57]. RSA 2048 key is the most secure [58,59]. To secure interactions with the webserver, a 2048-bit RSA key and a self-signed SSL certificate are generated to encrypt all the Hypertext Transfer Protocol Secure (HTTPS) communications [60,61,62]. Figure 18 shows the performance for Zamwallet, and Figure 19 shows the real-time database overview. Total activity, total denies, and total errors of the system were operated and checked.
After analyzing Zamwallet, it shows here that there is no error in the database so far.
The functionality test focuses on four areas. First is security management, which confirms that the system can create new users and properly manage their credentials in the registration phase. The second is identification and authentication, to ascertain that the registered details of the user can be authenticated. The third is the session, to confirm that the system can perform different kinds of transactions such as topping up money and transferring money. The fourth test and the main component of the system is a device identity based on user authentication, i.e., apps cannot run on two devices simultaneously. Only one user can use Zamwallet on their device. The user cannot create accounts on the same device using two different numbers. Table 8 shows the functionality test of the proposed method. Hence, results also show that the entire functionality test has passed. This shows that the system is operating as planned with no system bugs or errors.
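
The device-identity rules checked by this test, together with the device-ID storage noted under Figure 17a, can be illustrated as follows. This is an added example, not the Zamwallet code: Base64 is reversible by anyone who can read the record, so the sketch stores a keyed HMAC-SHA256 tag instead and enforces one device per account and one account per device. The class and function names, the server-side key, the account labels and the sample IMEIs are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample values (not from the paper): two Luhn-valid IMEIs
# and one with a wrong check digit.
IMEI_A = "490154203237518"
IMEI_B = "356938035643809"
IMEI_BAD = "490154203237519"


def luhn_valid(imei: str) -> bool:
    """An IMEI is 15 digits; the last one is a Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for pos, ch in enumerate(reversed(imei)):
        d = int(ch)
        if pos % 2 == 1:  # double every second digit, counted from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def base64_roundtrip(imei: str):
    """Base64 is an encoding: the stored value decodes straight back."""
    stored = base64.b64encode(imei.encode()).decode()
    return stored, base64.b64decode(stored).decode()


def device_tag(imei: str, server_key: bytes) -> str:
    """One-way keyed tag. The key is held outside the database; an unkeyed
    hash would not help because the IMEI space is small enough to enumerate."""
    return hmac.new(server_key, imei.encode(), hashlib.sha256).hexdigest()


class DeviceBindingRegistry:
    """Hypothetical server-side store enforcing the two binding rules."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._by_account = {}  # account id -> device tag
        self._by_device = {}   # device tag -> account id

    def register(self, account: str, imei: str) -> str:
        if not luhn_valid(imei):
            return "invalid-imei"
        if account in self._by_account:
            return "account-exists"        # one device per account
        tag = device_tag(imei, self._key)
        if tag in self._by_device:
            return "device-already-bound"  # one account per device
        self._by_account[account] = tag
        self._by_device[tag] = account
        return "registered"

    def device_matches(self, account: str, imei: str) -> bool:
        """Device factor at login; password, fingerprint and OTP are separate."""
        stored = self._by_account.get(account)
        if stored is None:
            return False
        return hmac.compare_digest(stored, device_tag(imei, self._key))


def demo():
    reg = DeviceBindingRegistry(secrets.token_bytes(32))
    return {
        "first": reg.register("user-a", IMEI_A),
        "second_number_same_device": reg.register("user-b", IMEI_A),
        "same_account_second_device": reg.register("user-a", IMEI_B),
        "bad_check_digit": reg.register("user-c", IMEI_BAD),
        "login_registered_device": reg.device_matches("user-a", IMEI_A),
        "login_other_device": reg.device_matches("user-a", IMEI_B),
    }


if __name__ == "__main__":
    print(base64_roundtrip(IMEI_A))
    print(demo())
```

On Android 10 and later, ordinary apps cannot read the IMEI, so the value passed to `device_tag` would have to be whichever device-bound identifier the app can actually obtain.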

Discussion
Authentication is becoming more and more necessary. Even in the modern age, most users rely on systems authentication and permission to add traditional passwords in multifactor operations. While there are still questions about privacy, safety, accessibility, and accuracy, multifactor authentication (MFA) is becoming a system that guarantees modern uses of available security and efficiency for those who need these while accessing sensitive data. Biometrics is without question one of the primary foundations for MFA development. This capability is often seen to be an extension of standard security methods, such as passwords, security tokens, and PINs, and is not a standalone method. Once the user of an e-wallet app is authenticated, two or more authentication methods should be paired for better security.
The discussion here focuses on the key implementation and security aspects of the proposed device identity-based Zamwallet. The application covers four main authentication categories: knowledge (i.e., password), device identification (i.e., IMEI), biometrics (i.e., fingerprint), and ownership (i.e., OTP). Each of these techniques provides good security on their own, but a combination of two systems offers much more security against different attacks and types of social engineering while maintaining functionality and accessibility. This section outlines the research findings on the experiment on the prototype. In addition, the results are also linked to the literature review and research gaps. In the previous methods, various levels of authentication had been identified; as in, the authentication stage they had used was ownership or multifactor. Many of them have a framework-based theory, such as multifactor authentication, which is not applied in reality. The actual performance of these methods is not effective. There is also an opportunity to develop multifactor user authentication techniques. Here, we have used a user device ID and its interaction with individual user credentials covering the user's knowledge, ownership, and biometrics, which can be a good strategy to ensure a proper authentication process. We evaluated our results in Table 9, where we compared the existing authentication scheme and the proposed authentication scheme. The base method has three security features, and the proposed method has four security features.   Table 9 shows that Zamwallet, at four points, has the most active points among authentication categories. The second authentication category, L. Sharma

Conclusions and Future Work
Security is the main element associated with an e-wallet. The proposed system provides users with safe access to authorization through multifactor authentication. The proposed scheme verifies the user utilizing their password, fingerprint, and OTP. This approach improves upon the existing authentication methods. The proposed method improves the security of user authentication systems in e-wallet apps by covering four authentication categories. The implementation and evaluation process checked for stable and consistent functioning of the proposed Zamwallet. Specifically, users without extensive experience of using mobile phones will be comfortable using the apps after the initial glimpse. It ensures that unauthorized users cannot sniff or steal data, as they are being exchanged between the user device and database servers. In addition, the proposed solution has shown that the security performance of authentication and authorization could be dramatically improved relative to the existing systems. In comparison to other authentication schemes, the proposed Zamwallet has low effective cost. This is because, in the proposed Zamwallet, the user does not need an additional device to authenticate their fingerprint and hardware device. In this study, we presented the conceptual design of an authentication method in keeping with the viewpoint of the research of a device identity-based e-wallet. A prototype was designed and implemented to evaluate the proposed security method. Further investigations and enhancements could be considered in the future, as the proposed method is only for Android users. However, there is a possibility of developing the same for the iOS operating system. Mobile reloads, bill payments, blood donation features, etc. can be added as additional features for the proposed apps. Moreover, static and dynamic tools will be used to test the security of the proposed apps. 
The limitation of this study is that the proposed method cannot be used to access two separate devices and is not available for conventional mobile phones that do not support fingerprint recognition.