Abstract:A Two-Factor Authentication (2FA) scheme can authenticate a client if the client is able to provide the possession factor (like biometric feature, smart card) and the knowledge factor (like password, secret key) simultaneously. With only one factor, it is hard for an adversary to impersonate the client to pass the authentication, and thus 2FA provides better security than single-factor authentication schemes. However, as far as we know, all existing 2FA schemes do not consider the leakage of server's database, and their authenticity may fail when the database is also compromised (in addition to one factor). Considering numerous reports of database leakage in the real world, it seems imminent to study and design 2FA schemes resilient to database leakage. In this paper, we formalize security models for 2FA schemes by taking database leakage into account. Our security models consider malicious adversaries who can obtain both the client's one authentication factor and the server's database, and have two requirements, authenticity and zero-knowledge . Authenticity ensures that such malicious adversaries cannot impersonate the client to pass the authentication, while zero-knowledge guarantees that such malicious adversaries obtain no information about the client's the other factor. Zero-knowledge is especially important for biometric features (like faces, fingerprints), which are inherent to human beings and can hardly be changed. Then we propose a biometric-based 2FA scheme with biometric feature and secret key serving as the two authentication factors. Our 2FA scheme has three rounds, and we prove its authenticity and zero-knowledge under database leakage in the random oracle model. Notably, our construction makes a novel use of a recent technical advance called robust property-preserving hashing (Boyle et al., ITCS 2019) together with fully homomorphic encryption, to recognize or discern clients by their biometric samplings in a homomorphic and secure way.

Biometric-based two-factor authentication scheme under database leakage

A PRIVACY-PRESERVING AUTHENTICATION SCHEME USING BIOMETRICS FOR PERVASIVE COMPUTING ENVIRONMENTS

Authentication Scheme Based on Biometric Encryption

Authentication scheme based on biometric encryption for pervasive computing environments

Design and Analysis of a Secure Three Factor User Authentication Scheme Using Biometric and Smart Card

An Enhanced Biometric-Based Three Factors User Authentication Scheme for Multi-Server Environments

A Secure Two-factor Authentication Key Exchange Scheme

Security Analysis and Enhancements of a Multi-Factor Biometric Authentication Scheme

Cryptanalysis of a biometric-based remote user authentication scheme

A Novel and Provably Secure Biometrics-Based Three-Factor Remote Authentication Scheme for Mobile Client-Server Networks

An Enhanced Biometrics-Based User Authentication Scheme for Multi-Server Environments in Critical Systems

Understanding Security Failures of Multi-Factor Authentication Schemes for Multi-Server Environments

Two-Factor Authenticated Key Exchange from Biometrics with Low Entropy Rates

Two-Factor Mutual Authentication Based on Smart Cards and Passwords

Cryptanalysis of Anonymous Three Factor-Based Authentication Schemes for Multi-server Environment

Provably Secure Anonymous Three-Factor Authentication Scheme for Multi-Server Environments

Cryptanalysis and Improvement of a Biometrics-Based Authentication and Key Agreement Scheme for Multi-Server Environments

Two Birds with One Stone: Two-Factor Authentication with Security Beyond Conventional Bound.

Cryptanalysis of Multi Factor Authentication Scheme Using Smart Card

Revisiting Anonymous Two-Factor Authentication Schemes for Multi-server Environment

Cryptanalysis And Improvement Of A Biometric-Based Multi-Server Authentication And Key Agreement Scheme