Abstract
This work introduces Passphone, a new smartphone-based authentication scheme that outsources user verification to a trusted third party without sacrificing privacy: the trusted third party cannot learn the relation between users and service providers, and service providers cannot learn their users' relations to other service providers. When employed as a second factor in conjunction with, for instance, passwords as a first factor, our scheme maximizes the deployability of two-factor authentication for service providers while maintaining user privacy. We conduct a twofold formal analysis of our scheme, the first regarding its general security, and the second regarding anonymity and unlinkability of its users. Moreover, we provide an automatic analysis using AVISPA, a comparative evaluation against existing schemes under Bonneau et al.’s framework, and an evaluation of a prototypical implementation.
Notes
- 1. In practice, \(\tau \ge 128\) is fixed a-priori by the protocol (version).
- 2. https://developer.android.com/about/dashboards, State of Aug 1, 2016.
References
Aloul, F.A., Zahidi, S., El-Hajj, W.: Two factor authentication using mobile phones. In: IEEE AICCSA, pp. 641–644 (2009)
Altman, J., Williams, N., Zhu, L.: Channel bindings for TLS. RFC 5929 (2010)
Apple. Two-factor authentication for Apple ID (2016). https://support.apple.com/en-us/HT204915
Armando, A., et al.: The AVISPA tool for the automated validation of internet security protocols and applications. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 281–285. Springer, Heidelberg (2005). doi:10.1007/11513988_27
Armando, A., Compagna, L., Ganty, P.: SAT-based model-checking of security protocols using planning graph analysis. In: Araki, K., Gnesi, S., Mandrioli, D. (eds.) FME 2003. LNCS, vol. 2805, pp. 875–893. Springer, Heidelberg (2003). doi:10.1007/978-3-540-45236-2_47
Balfanz, D., Hamilton, R.: Transport layer security (TLS) channel IDs, 8 Nov 2013. IETF Internet Draft v01, expired 12 May 2013
Basin, D., Mödersheim, S., Viganò, L.: An on-the-fly model-checker for security protocol analysis. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 253–270. Springer, Heidelberg (2003). doi:10.1007/978-3-540-39650-5_15
Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Pironti, A., Strub, P.: Triple handshakes and cookie cutters: breaking and fixing authentication over TLS. In: IEEE S&P, pp. 98–113 (2014)
Bhargavan, K., Delignat-Lavaud, A., Pironti, A.: Verified contributive channel bindings for compound authentication. In: NDSS. The Internet Society (2015)
Boichut, Y., Héam, P.-C., Kouchnarenko, O.: Automatic verification of security protocols using approximations. Technical report INRIA-Lorraine - CASSIS Project (2005)
Bonneau, J., Herley, C., van Oorschot, P.C., Stajano, F.: The quest to replace passwords: a framework for comparative evaluation of web authentication schemes. In: IEEE S&P, pp. 553–567 (2012)
Bonneau, J., Preibusch, S.: The password thicket: technical and market failures in human authentication on the web. In: WEIS (2010)
Chevalier, Y., Compagna, L., Cuellar, J., Hankes Drielsma, P., Mantovani, J., Moedersheim, S., Vigneron, L.: A high level protocol specification language for industrial security-sensitive protocols. In: SAPS, p. 13 (2004)
Clarke, D., Gassend, B., Kotwal, T., Burnside, M., Dijk, M., Devadas, S., Rivest, R.: The Untrusted Computer Problem and Camera-Based Authentication. In: Mattern, F., Naghshineh, M. (eds.) Pervasive 2002. LNCS, vol. 2414, pp. 114–124. Springer, Heidelberg (2002). doi:10.1007/3-540-45866-2_10
Cronto Limited. Cronto. http://www.cronto.com/
Czeskis, A., Dietz, M., Kohno, T., Wallach, D.S., Balfanz, D.: Strengthening user authentication through opportunistic cryptographic identity assertions. In: CCS, pp. 404–414 (2012)
Dey, A., Weis, S.: PseudoID: enhancing privacy in federated login. In: PETS, pp. 95–107 (2010)
Dingledine, R., Mathewson, N., Syverson, P.F.: Tor: the second-generation onion router. In: USENIX, pp. 303–320 (2004)
Dodson, B., Sengupta, D., Boneh, D., Lam, M.S.: Secure, consumer-friendly web authentication and payments with a phone. In: Gris, M., Yang, G. (eds.) MobiCASE 2010. LNICSSITE, vol. 76, pp. 17–38. Springer, Heidelberg (2012). doi:10.1007/978-3-642-29336-8_2
Dodson, B., Sengupta, D., Boneh, D., Lam, M.: Snap2Pass: consumer-friendly challenge-response authentication with a phone (2010). http://prpl.stanford.edu/papers/soups10j.pdf
Gemalto. Findings from the 2014 Breach Level Index. http://breachlevelindex.com/pdf/Breach-Level-Index-Annual-Report-2014.pdf
Google. 2-step Authentication (2013). http://www.google.com/landing/2step/
Hallsteinsen, S., Jorstad, I., Thanh, D.: Using the mobile phone as a security token for unified authentication. In: ICSNC, p. 68 (2007)
Hardt, D.: The OAuth 2.0 authorization framework. RFC 6749 (2012)
Karapanos, N., Capkun, S.: On the effective prevention of TLS man-in-the-middle attacks in web applications. In: USENIX, pp. 671–686 (2014)
Karapanos, N., Marforio, C., Soriente, C., Capkun, S.: Sound-proof: usable two-factor authentication based on ambient sound. In: USENIX, pp. 483–498 (2015)
Lord, B.: Keeping our users secure (2013). https://blog.twitter.com/2013/keeping-our-users-secure
Lystad, T.: Leaked password lists and dictionaries - the password project (2013). http://thepasswordproject.com/leaked_password_lists_and_dictionaries
Mannan, M., Oorschot, P.C.: Using a personal device to strengthen password authentication from an untrusted computer. In: Dietrich, S., Dhamija, R. (eds.) FC 2007. LNCS, vol. 4886, pp. 88–103. Springer, Heidelberg (2007). doi:10.1007/978-3-540-77366-5_11
Mannan, M., van Oorschot, P.: Leveraging personal devices for stronger password authentication from untrusted computers. J. Comput. Secur. 19(4), 703–750 (2011)
Meisner, J.: Microsoft account gets more secure (2013). https://blogs.technet.microsoft.com/microsoft_blog/2013/04/17/microsoft-account-gets-more-secure/
Nuñez, D., Agudo, I.: BlindIdM: a privacy-preserving approach for identity management as a service. Int. J. Inf. Secur. 13(2), 199–215 (2014)
Nuñez, D., Agudo, I., Lopez, J.: Integrating OpenID with proxy re-encryption to enhance privacy in cloud-based identity services. In: CloudCom, pp. 241–248 (2012)
U.S NIST. Validated FIPS 140–1 and FIPS 140–2 cryptographic modules (2013). http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
Parno, B., Kuo, C., Perrig, A.: Phoolproof phishing prevention. In: Crescenzo, G., Rubin, A. (eds.) FC 2006. LNCS, vol. 4107, pp. 1–19. Springer, Heidelberg (2006). doi:10.1007/11889663_1
Potthast, M., Forler, C., List, E., Lucks, S.: Passphone: outsourcing phone-based web authentication while protecting user privacy. In: Cryptology ePrint Archive (2016, to appear)
Recordon, D., Reed, D.: OpenID 2.0: a platform for user-centric identity management. In: Digital Identity Management, pp. 11–16 (2006)
Riesch, P.J., Du, X.: Audit based privacy preservation for the OpenID authentication protocol. In: IEEE HST, pp. 348–352 (2012)
Shirvanian, M., Jarecki, S., Saxena, N., Nathan, N.: Two-factor authentication resilient to server compromise using mix-bandwidth devices. In: NDSS. The Internet Society (2014)
Song, A.: Introducing login approvals (2011). www.facebook.com/notes/facebook-engineering/introducing-login-approvals/10150172618258920/
Starnberger, G., Froihofer, L., Göschka, K.M.: QR-TAN: secure mobile transaction authentication. In: IEEE ARES, pp. 578–583 (2009)
Tsudik, G., Xu, S.: A flexible framework for secret handshakes. In: Danezis, G., Golle, P. (eds.) PET 2006. LNCS, vol. 4258, pp. 295–315. Springer, Heidelberg (2006). doi:10.1007/11957454_17
Turuani, M.: The CL-Atse protocol analyser. In: Pfenning, F. (ed.) RTA 2006. LNCS, vol. 4098, pp. 277–286. Springer, Heidelberg (2006). doi:10.1007/11805618_21
Urueña, M., Muñoz, A., Larrabeiti, D.: Analysis of privacy vulnerabilities in single sign-on mechanisms for multimedia websites. Multimedia Tools Appl. 68(1), 159–176 (2014)
Van Rijswijk, R., Van Dijk, J.: Tiqr: a novel take on two-factor authentication. In: LISA (2011)
Wu, M., Garfinkel, S., Miller, R.: Secure web authentication with mobile phones. In: DIMACS Workshop on Usable Privacy and Security Software (2004)
Acknowledgments
The authors thank Anne Barsuhn, Thomas Dressel, Paul Christoph Götze, André Karge, Tom Kohlberg, Kevin Lang, Christopher Lübbemeier, Kai Gerrit Lünsdorf, Nicolai Ruckel, Sascha Schmidt, and Clement Welsch for implementing the first prototype within student projects. Our special thanks go to Thomas Dressel and André Karge for their pursuing work, and to Benno Stein and the anonymous reviewers for valuable comments and suggestions.
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Potthast, M., Forler, C., List, E., Lucks, S. (2016). Passphone: Outsourcing Phone-Based Web Authentication While Protecting User Privacy. In: Brumley, B., Röning, J. (eds) Secure IT Systems. NordSec 2016. Lecture Notes in Computer Science, vol 10014. Springer, Cham. https://doi.org/10.1007/978-3-319-47560-8_15
DOI: https://doi.org/10.1007/978-3-319-47560-8_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-47559-2
Online ISBN: 978-3-319-47560-8
eBook Packages: Computer Science, Computer Science (R0)