Liufu Zhu,Ding Wang

DOI: https://doi.org/10.1109/tifs.2024.3451364

IF: 7.231

2024-09-27

IEEE Transactions on Information Forensics and Security

Abstract:Multi-factor authentication (MFA) is crucial for Wireless Sensor Networks (WSNs) to ensure secure communication in security-critical applications such as smart homes, industrial control, and military defense due to the open nature of WSNs. Considerable efforts have been made to propose various MFA schemes with varied security goals and desirable properties. However, little attention has been given to the property of dynamic password recovery, and it still remains a question of how to construct a robust MFA scheme with the desirable property of dynamic password recovery for WSNs. In this paper, we first review two representative multi-factor authentication schemes proposed by Li-Tian (at IEEE Syst J'22) and Fatima et al. (at ACM TOSN'23) as case studies, and reveal that these two schemes fail to resist some known attacks and pay little attention to password forgetting and leakage issues. Accordingly, we employ the techniques of the honeywords method, fuzzy-verifier technique, and public key cryptosystem to construct a novel MFA scheme. Particularly, we propose the first dynamic password recovery method for MFA to address password forgetting and leakage issues. Key rotation is implemented to ensure the security of the long-term secret key. Our scheme is provably secure under the Random Oracle Model. Comparison results show the superiority of our new scheme.

computer science, theory & methods,engineering, electrical & electronic

Sneha Shukla,Gaurav Varshney,Shreya Singh,Swati Goel

2024-06-13

Abstract:Despite being more secure and strongly promoted, two-factor (2FA) or multi-factor (MFA) schemes either fail to protect against recent phishing threats such as real-time MITM, controls/relay MITM, malicious browser extension-based phishing attacks, and/or need the users to purchase and carry other hardware for additional account protection. Leveraging the unprecedented popularity of NFC and BLE-enabled smartphones, we explore a new horizon for designing an MFA scheme. This paper introduces an advanced authentication method for user verification that utilizes the user's real-time facial biometric identity, which serves as an inherent factor, together with BLE- NFC-enabled mobile devices, which operate as an ownership factor. We have implemented a prototype authentication system on a BLE-NFC-enabled Android device, and initial threat modeling suggests that it is safe against known phishing attacks. The scheme has been compared with other popular schemes using the Bonneau et al. assessment framework in terms of usability, deployability, and security.

Cryptography and Security

,Vijaya Saradhi Nanduri

DOI: https://doi.org/10.55041/ijsrem37063

2024-08-13

INTERANTIONAL JOURNAL OF SCIENTIFIC RESEARCH IN ENGINEERING AND MANAGEMENT

Abstract:Today's digital landscape needs robust security measures to safeguard sensitive information and maintain trust with users. Multi-Factor Authentication (MFA) stands as a critical technology in this journey, by offering an additional layer of defense beyond the traditional single-layer security. This white paper explores what is MFA, MFA Architecture, MFA Methods, Benefits of using MFA, current MFA Market providers and future trends. It outlines how MFA addresses the vulnerabilities of single-factor authentication by requiring users to verify their identity through multiple independent credentials. These factors typically include something the user knows (like a password), something they have (such as a smartphone or hardware token), and something they are (like biometric data). This white paper addresses key aspects of MFA as mentioned below: • Enhanced Security - MFA significantly reduces the risk of unauthorized access, protecting against common threats such as phishing, credential theft, and brute-force attacks. • User Experience - The MFA solution can be designed to streamline user interactions while maintaining security standards. Compliance requirements - Industries mandate the use of MFA to comply with data protection regulations. Implementing MFA ensures adherence to legal requirements.. Key Words: Authentication, Multi-Factor Authentication, security journals

Weizhao Jin,Xiaoyu Ji,Ruiwen He,Zhou Zhuang,Wenyuan Xu,Yuan Tian

DOI: https://doi.org/10.1109/dsn-w52860.2021.00013

2021-01-01

Abstract:With the rapid growth of online services, the number of online accounts proliferates. The security of a single user account no longer depends merely on its own service provider but also the accounts on other service platforms (We refer to this online account environment as Online Account Ecosystem). In this paper, we first uncover the vulnerability of Online Account Ecosystem, which stems from the defective multi-factor authentication (MFA), specifically the ones with SMS-based verification, and dependencies among accounts on different platforms. We propose Chain Reaction Attack that exploits the weakest point in Online Account Ecosystem and can ultimately compromise the most secure platform. Furthermore, we design and implement ActFort, a systematic approach to detect the vulnerability of Online Account Ecosystem by analyzing the authentication credential factors and sensitive personal information as well as evaluating the dependency relationships among online accounts. We evaluate our system on hundreds of representative online services listed in Alexa in diversified fields. Based on the analysis from ActFort, we provide several pragmatic insights into the current Online Account Ecosystem and propose several feasible countermeasures including the online account exposed information protection mechanism and the built-in authentication to fortify the security of Online Account Ecosystem.

Lucas Augusto Meyer,Sergio Romero,Gabriele Bertoli,Tom Burt,Alex Weinert,Juan Lavista Ferres

2023-05-02

Abstract:This study investigates the effectiveness of multifactor authentication (MFA) in protecting commercial accounts from unauthorized access, with an additional focus on accounts with known credential leaks. We employ the benchmark-multiplier method, coupled with manual account review, to evaluate the security performance of various MFA methods in a large dataset of Microsoft Azure Active Directory users exhibiting suspicious activity. Our findings reveal that MFA implementation offers outstanding protection, with over 99.99% of MFA-enabled accounts remaining secure during the investigation period. Moreover, MFA reduces the risk of compromise by 99.22% across the entire population and by 98.56% in cases of leaked credentials. We further demonstrate that dedicated MFA applications, such as Microsoft Authenticator, outperform SMS-based authentication, though both methods provide significantly enhanced security compared to not using MFA. Based on these results, we strongly advocate for the default implementation of MFA in commercial accounts to increase security and mitigate unauthorized access risks.

Cryptography and Security

Ang Kok Wee,Eyasu Getahun Chekole,Jianying Zhou

2024-07-30

Abstract:Nowadays, cyberattacks are growing exponentially, causing havoc to Internet users. In particular, authentication attacks constitute the major attack vector where intruders impersonate legitimate users to maliciously access systems or resources. Traditional single-factor authentication (SFA) protocols are often bypassed by side-channel and other attack techniques, hence they are no longer sufficient to the current authentication requirements. To alleviate this problem, multi-factor authentication (MFA) protocols have been widely adopted recently, which helps to raise the security bar against imposters. Although MFA is generally considered more robust and secure than SFA, it may not always guarantee enhanced security and efficiency. This is because, critical security vulnerabilities and performance problems may still arise due to design or implementation flaws of the protocols. Such vulnerabilities are often left unnoticed until they are exploited by attackers. Therefore, the main objective of this work is identifying such vulnerabilities in existing MFA protocols by systematically analysing their designs and constructions. To this end, we first form a set of security evaluation criteria, encompassing both existing and newly introduced ones, which we believe are very critical for the security of MFA protocols. Then, we thoroughly review several MFA protocols across different domains. Subsequently, we revisit and thoroughly analyze the design and construction of the protocols to identify potential vulnerabilities. Consequently, we manage to identify critical vulnerabilities in ten of the MFA protocols investigated. We thoroughly discuss the identified vulnerabilities in each protocol and devise relevant mitigation strategies. We also consolidate the performance information of those protocols to show the runtime and storage cost when employing varying number of authentication factors.

Cryptography and Security

Sabrina Amft,Sandra Höltervennhoff,Nicolas Huaman,Alexander Krause,Lucy Simko,Yasemin Acar,Sascha Fahl

2023-09-19

Abstract:Multi-Factor Authentication is intended to strengthen the security of password-based authentication by adding another factor, such as hardware tokens or one-time passwords using mobile apps. However, this increased authentication security comes with potential drawbacks that can lead to account and asset loss. If users lose access to their additional authentication factors for any reason, they will be locked out of their accounts. Consequently, services that provide Multi-Factor Authentication should deploy procedures to allow their users to recover from losing access to their additional factor that are both secure and easy-to-use. In this work, we investigate the security and user experience of Multi-Factor Authentication recovery procedures, and compare their deployment to descriptions on help and support pages. We first evaluate the official help and support pages of 1,303 websites that provide Multi-Factor Authentication and collect documented information about their recovery procedures. Second, we select a subset of 71 websites, create accounts, set up Multi-Factor Authentication, and perform an in-depth investigation of their recovery procedure security and user experience. We find that many websites deploy insecure Multi-Factor Authentication recovery procedures and allowed us to circumvent and disable Multi-Factor Authentication when having access to the accounts' associated email addresses. Furthermore, we commonly observed discrepancies between our in-depth analysis and the official help and support pages, implying that information meant to aid users is often either incorrect or outdated. Based on our findings, we provide recommendations for best practices regarding Multi-Factor Authentication recovery.

Cryptography and Security

Nader Abdel Karim,Hasan Kanaker,Waleed K. Abdulraheem,Majdi Ali Ghaith,Essam Alhroob,Abdulla Mousa Falah Alali

DOI: https://doi.org/10.5267/j.ijdns.2023.10.003

2024-01-01

International Journal of Data and Network Science

Abstract:A robust authentication method is needed to protect online user accounts and data from cyber-attacks. Using only passwords is insufficient because they can be easily stolen or cracked. Multi-factor authentication (MFA) increases security by requiring two or more verification factors from the user before granting access to a resource such as an online account or an application. MFA is essential to a strong identity and access management (IAM) policy. This study evaluates and contrasts several MFA methods for online systems, including Microsoft Authenticator, FIDO2 security keys, SMS, voice calls, and biometrics. We assess these methods based on four criteria: security, usability, cost, and compatibility. We discover that only some MFA methods excel across the board. The best MFA method will depend on the organization's and users' specific needs and preferences. Each MFA method has benefits and drawbacks on its own. Based on our analysis, we do, however, make some general observations and recommendations, such as preferring FIDO2 security keys and certificate-based authentication for high-security scenarios, choosing Microsoft Authenticator and biometrics for high-usability scenarios, and avoiding SMS and voice calls for low-security and low-usability scenarios.

Amin Mahnamfar,Kemal Bicakci,Yusuf Uzunay

DOI: https://doi.org/10.1016/j.cose.2024.103739

IF: 5.105

2024-01-26

Computers & Security

Abstract:The challenge of achieving passwordless user authentication is real given the prevalence of web applications that keep asking passwords. Complicating this issue further, in an enterprise environment, a single sign-on (SSO) service is often maintained but not all applications can be integrated with it. We envision a passwordless future which provides a frictionless and trustworthy online experience for users by integrating credential management and federated identity systems. In this regard, our implementation ROSTAM offers a dashboard that presents all applications the user can access with a single click after a passwordless SSO. The security of web passwords on the credential manager is ensured with a Master Key, rather than a Master Password, so that encrypted passwords can remain secure even if stolen from the server. We propose and implement novel techniques for synchronization (pairing) and recovery of this Master Key. We compare our solution to previous work using different evaluation frameworks, demonstrating that our hybrid solution combines the benefits of credential management and federated identity systems.

computer science, information systems

Muath Obaidat,Joseph Brown,Suhaib Obeidat,Majdi Rawashdeh

DOI: https://doi.org/10.3390/s20154212

2020-07-29

Abstract:A significant percentage of security research that is conducted suffers from common issues that prevent wide-scale adoption. Common snags of such proposed methods tend to include (i) introduction of additional nodes within the communication architecture, breaking the simplicity of the typical client-server model, or fundamental restructuring of the Internet ecosystem; (ii) significant inflation of responsibilities or duties for the user and/or server operator; and (iii) adding increased risks surrounding sensitive data during the authentication process. Many schemes seek to prevent brute-forcing attacks; they often ignore either partially or holistically the dangers of other cyber-attacks such as MiTM or replay attacks. Therefore, there is no incentive to implement such proposals, and it has become the norm instead to inflate current username/password authentication systems. These have remained standard within client-server authentication paradigms, despite insecurities stemming from poor user and server operator practices, and vulnerabilities to interception and masquerades. Besides these vulnerabilities, systems which revolve around secure authentication typically present exploits of two categories; either pitfalls which allow MiTM or replay attacks due to transmitting data for authentication constantly, or the storage of sensitive information leading to highly specific methods of data storage or facilitation, increasing chances of human error. This paper proposes a more secure method of authentication that retains the current structure of accepted paradigms, but minimizes vulnerabilities which result from the process, and does not inflate responsibilities for users or server operators. The proposed scheme uses a hybrid, layered encryption technique alongside a two-part verification process, and provides dynamic protection against interception-based cyber-attacks such as replay or MiTM attacks, without creating additional vulnerabilities for other attacks such as bruteforcing. Results show the proposed mechanism outperforms not only standardized methods, but also other schemes in terms of deployability, exploit resilience, and speed.

Mengjun Xie,Yanyan Li,Kenji Yoshigoe,Remzi Seker,Jiang Bian

DOI: https://doi.org/10.1109/hase.2015.41

2015-01-01

Abstract:Frequent outbreak of password database leaks and server breaches in recent years manifests the aggravated security problems of web authentication using only password. Two-factor authentication, despite being more secure and strongly promoted, has not been widely applied to web authentication. Leveraging the unprecedented popularity of both personal mobile devices (e.g., Smartphones) and barcode scans through camera, we explore a new horizon in the design space of two-factor authentication. In this paper, we present CamAuth, a web authentication scheme that exploits pervasive mobile devices and digital cameras to counter various password attacks including man-in-the-middle and phishing attacks. In CamAuth, a mobile device is used as the second authentication factor to vouch for the identity of a use who is performing a web login from a PC. The device communicates directly with the PC through the secure visible light communication channels, which incurs no cellular cost and is immune to radio frequency attacks. CamAuth employs public-key cryptography to ensure the security of authentication process. We implemented a prototype system of CamAuth that consists of an Android application, a Chrome browser extension, and a Java-based web server. Our evaluation results indicate that CamAuth is a viable scheme for enhancing the security of web authentication.

Markus Jakobsson

DOI: https://doi.org/10.48550/arXiv.2001.06075

2020-01-16

Cryptography and Security

Abstract:Attackers increasingly, and with high success rates, use social engineering techniques to circumvent second factor authentication (2FA) technologies, compromise user accounts and sidestep fraud detection technologies. We introduce a social engineering resistant approach that we term device-aware 2FA, to replace the use of traditional security codes.

Zhi Wang,Xin Yang,Du Chen,Han Gao,Meiqi Tian,Yan Jia,Wanpeng Li

2024-11-18

Abstract:To protect users from data breaches and phishing attacks, service providers typically implement two-factor authentication (2FA) to add an extra layer of security against suspicious login attempts. However, since 2FA can sometimes hinder user experience by introducing additional steps, many websites aim to reduce inconvenience by minimizing the frequency of 2FA prompts. One approach to achieve this is by storing the user's ``Remember the Device'' preference in a cookie. As a result, users are only prompted for 2FA when this cookie expires or if they log in from a new device. To understand and improve the security of 2FA systems in real-world settings, we propose SE2FA, a vulnerability evaluation framework designed to detect vulnerabilities in 2FA systems. This framework enables us to analyze the security of 407 2FA systems across popular websites from the Tranco Top 10,000 list. Our analysis and evaluation found three zero-day vulnerabilities on three service providers that could allow an attacker to access a victim's account without possessing the victim's second authentication factor, thereby bypassing 2FA protections entirely. A further investigation found that these vulnerabilities stem from design choices aimed at simplifying 2FA for users but that unintentionally reduce its security effectiveness. We have disclosed these findings to the affected websites and assisted them in mitigating the risks. Based on the insights from this research, we provide practical recommendations for countermeasures to strengthen 2FA security and address these newly identified threats.

Cryptography and Security

Yuan Zhang,Chunxiang Xu,Hongwei Li,Kan Yang,Nan Cheng,Xuemin Shen

DOI: https://doi.org/10.1109/tmc.2020.2975792

IF: 6.075

2021-06-01

IEEE Transactions on Mobile Computing

Abstract:Password-based single-sign-on authentication has been widely applied in mobile environments. It enables an identity server to issue authentication tokens to mobile users holding correct passwords. With an authentication token, one can request mobile services from related service providers without multiple registrations. However, if an adversary compromises the identity server, he can retrieve users' passwords by performing dictionary guessing attacks (DGA) and can overissue authentication tokens to break the security. In this paper, we propose a password-based threshold single-sign-on authentication scheme dubbed PROTECT that thwarts adversaries who can compromise identity server(s), where multiple identity servers are introduced to authenticate mobile users and issue authentication tokens in a threshold way. PROTECT supports key renewal that periodically updates the secret on each identity server to resist perpetual leakage of the secret. Furthermore, PROTECT is secure against off-line DGA: a credential used to authenticate a user is computed from the password and a server-side key. PROTECT is also resistant to online DGA and password testing attacks in an efficient way. We conduct a comprehensive performance evaluation of PROTECT, which demonstrates the high efficiency on the user side in terms of computation and communication and proves that it can be easily deployed on mobile devices.

computer science, information systems,telecommunications

Ding Wang,Ping Wang

DOI: https://doi.org/10.1007/978-3-319-23829-6_11

2015-01-01

Abstract:Smart-card-based password authentication, known as two-factor authentication, is one of the most widely used security mechanisms to validate the legitimacy of a remote client, who must hold a valid smart card and the correct password in order to successfully login the server. So far the research on this domain has mainly focused on developing more secure, privacy-preserving and efficient protocols, which has led to numerous efficient proposals with a diversity of security provisions, yet little attention has been directed towards another important aspect, i.e. the usability of a scheme. This paper focuses on the study of two specific security threats on usability in two-factor authentication. Using two representative protocols as case studies, we demonstrate two types of security threats on usability: (1) Password change attack, which may easily render the smart card completely unusable by changing the password to a random value; and (2) De-synchronization attack, which breaks the consistence of the pseudo-identities between the user and the server. These threats, though realistic in practice, have been paid little attention in the literature. In addition to revealing the vulnerabilities, we discuss how to thwart these security threats and secure the protocols.

Lalitha Sravanti Dasu,Mannav Dhamija,Gurram Dishitha,Ajith Vivekanandan,V. Sarasvathi

DOI: https://doi.org/10.2478/cait-2023-0016

2023-06-01

Cybernetics and Information Technologies

Abstract:Abstract Defending against identity-based threats, which have predominantly increased in the era of remote access and working, requires non-conventional, dynamic, intelligent, and strategic means of authenticating and authorizing. This paper aims at devising detailed risk-scoring algorithms for five real-time use cases to make identity security adaptive and risk-based. Zero-trust principles are incorporated by collecting sign-in logs and analyzing them continually to check for any anomalies, making it a dynamic approach. Users are categorized as risky and non-risky based on the calculated risk scores. While many adaptive security mechanisms have been proposed, they confine identities only to users. This paper also considers devices as having an identity and categorizes them as safe or unsafe devices. Further, results are displayed on a dashboard, making it easy for security administrators to analyze and make wise decisions like multifactor authentication, mitigation, or any other access control decisions as such.

Suyun Borjigin

2024-05-31

Abstract:Credential theft and remote attacks are the most serious threats to user authentication mechanisms. The crux of these problems is that we cannot control such behaviors. However, if a password does not contain user secrets, stealing it is useless. If unauthorized inputs are invalidated, remote attacks can be disabled. Thus, credential secrets and account input fields can be controlled. Rather than encrypting passwords, we design a dual-password login-authentication mechanism, where a user-selected secret-free login password is converted into an untypable authentication password. Subsequently, the authenticatable functionality of the login password and the typable functionality of the authentication password can be disabled or invalidated to prevent credential theft and remote attacks. Thus, the usability-security tradeoff and password reuse issues are resolved; local authentication password storage is no longer necessary. More importantly, the password converter acts as an open hashing algorithm, meaning that its intermediate elements can be used to define a truly unique identity for the login process to implement a novel dual-identity authentication scheme. In particular, the system-managed elements are concealed, inaccessible, and independent of any personal information and therefore can be used to define a perfect unforgeable process identifier to identify unauthorized inputs.

Cryptography and Security,Emerging Technologies,Systems and Control

Marc Saideh,Jean-Paul Jamont,Laurent Vercouter

DOI: https://doi.org/10.3390/s24144621

2024-07-18

Abstract:Communication between connected objects in the Internet of Things (IoT) often requires secure and reliable authentication mechanisms to verify identities of entities and prevent unauthorized access to sensitive data and resources. Unlike other domains, IoT offers several advantages and opportunities, such as the ability to collect real-time data through numerous sensors. These data contains valuable information about the environment and other objects that, if used, can significantly enhance authentication processes. In this paper, we propose a novel idea to building opportunistic sensor-based authentication factors by leveraging existing IoT sensors in a system of systems approach. The objective is to highlight the promising prospects of opportunistic authentication factors in enhancing IoT security. We claim that sensors can be utilized to create additional authentication factors, thereby reinforcing existing object-to-object authentication mechanisms. By integrating these opportunistic sensor-based authentication factors into multi-factor authentication schemes, IoT security can be substantially improved. We demonstrate the feasibility and effectivenness of our idea through illustrative experiments in a parking entry scenario, involving both mobile robots and cars, achieving high identification accuracy. We highlight the potential of this novel method to improve IoT security and suggest future research directions for formalizing and comparing our approach with existing techniques.

Cryptography and Security

Suyun Borjigin

2024-09-25

Abstract:The existing authentication system has two entry points (i.e., username and password fields) to interact with the outside, but neither of them has a gatekeeper, making the system vulnerable to cyberattacks. In order to ensure the authentication security, the system sets a third entry point and use an external MFA service to guard it. The crux of the problem is that the system has no internal mechanism to guard its own entry points as no identifiers can be defined for the username and password without using any personal information. To solve this problem, we open the hash algorithm of a dual-password login-authentication system to three login credentials. Therefore, the intermediate elements of the algorithm can be used to define an identifier to verify the user identity at each entry point of the system. As a result of the above setup, a triple-identity authentication is established, the key of which is that the readily available user's login name and password are randomly converted into a matrix of meaningless hash elements which are concealed, incommunicable, inaccessible, and independent of personal information. So the identifiers defined using such elements can be used by the system to verify the identities of the user at all the entry points of the system, thereby ensuring the authentication security without relying on MFA services.

Cryptography and Security,Emerging Technologies,Human-Computer Interaction,Networking and Internet Architecture,Systems and Control

Zengpeng Li,Zheng Yang,Pawel Szalachowski,Jianying Zhou

DOI: https://doi.org/10.1109/jiot.2020.3008773

IF: 10.6

2021-01-15

IEEE Internet of Things Journal

Abstract:Industrial Internet of Things (IIoT) brings together computers, devices, advanced analytics, and people in industries such as transportation, oil plant and power grid, that leads to major efficiency and productivity gains for almost any industrial procedures. Due to the interconnection of devices in IIoT, communication security has become a critical issue to address in many emerging industry standards which require the authentication and key exchange procedure to be done to guarantee the authorized machine access (e.g., from users) and secure the data transmission between machines. To overcome the shortcoming (i.e., low entropy) of the memorable password in user authentication, it is rightfully recommended by industry standards (such as IEC-62443 family) to use multi-factor authentication for higher security levels. Notably, latency is one of the main sources of inefficiency when a device is communicating with other machines on IIoT. To mitigate latency, smooth projective hash function (SPHF) built from wellstudied standard assumptions is used to achieve low-interactivity multi-factor authenticated key exchange protocol (MFAKE), because SPHF allows each party to prove to the others that he knows the right authentication factor(s). In this paper, we are therefore motivated to build a new MFAKE named "secure remote multifactor (SRMF)" to achieve the human involved "machine-to-machine" secure communication in IIoT. That is, SRMF leverages multiple user-centric authentication factors (such as password, biometric fingerprints, and PIN), and it can synergistically support multi-factor registration (MFR), multi-factor authentication (MFA) and multifactor key exchange (MFKE). Further, to prevent authentication factors stored at the server exposing to attackers, the password-harden service (i.e., Pythia-PRF, USENIX'15) inspires us to develop a multifactor hardening service (MFHS) -tilizing an oblivious pseudorandom function (OPRF). The balanced security of the proposed protocol is proved under the model of Bellare-Pointcheval-Rogaway (EUROCRYPTO' 00) along with theoretical and experimental evaluations.

computer science, information systems,telecommunications,engineering, electrical & electronic