Two-factor Password-authenticated Key Exchange with End-to-end Security-Reference-Cited by-同舟云学术

Two-factor Password-authenticated Key Exchange with End-to-end Security

Published:2021-08-31 Issue:3 Volume:24 Page:1-37
ISSN:2471-2566
Container-title:ACM Transactions on Privacy and Security
language:en
Short-container-title:ACM Trans. Priv. Secur.

Author:

Jarecki Stanislaw¹,Jubur Mohammed²,Krawczyk Hugo³,Saxena Nitesh²,Shirvanian Maliheh⁴

Affiliation:

1. University of California Irvine, Irvine, CA, USA

2. University of Alabama at Birmingham, Birmingham, AL, USA

3. Algorand Foundation, New York, NY, USA

4. Visa Research, Palo Alto, CA, USA

Abstract

We present a secure two-factor authentication (TFA) scheme based on the user’s possession of a password and a crypto-capable device. Security is “end-to-end” in the sense that the attacker can attack all parts of the system, including all communication links and any subset of parties (servers, devices, client terminals), can learn users’ passwords, and perform active and passive attacks, online and offline. In all cases the scheme provides the highest attainable security bounds given the set of compromised components. Our solution builds a TFA scheme using any Device-enhanced Password-authenticated Key Exchange (PAKE), defined by Jarecki et al., and any Short Authenticated String (SAS) Message Authentication, defined by Vaudenay. We show an efficient instantiation of this modular construction, which utilizes any password-based client-server authentication method, with or without reliance on public-key infrastructure. The security of the proposed scheme is proven in a formal model that we formulate as an extension of the traditional PAKE model. We also report on a prototype implementation of our schemes, including TLS-based and PKI-free variants, as well as several instantiations of the SAS mechanism, all demonstrating the practicality of our approach. Finally, we present a usability study evaluating the viability of our protocol contrasted with the traditional PIN-based TFA approach in terms of efficiency, potential for errors, user experience, and security perception of the underlying manual process. 1

Funder

NSF

Jazan University

Publisher

Association for Computing Machinery (ACM)

Subject

Safety, Risk, Reliability and Quality,General Computer Science

Link

https://dl.acm.org/doi/pdf/10.1145/3446807

Reference75 articles.

1. RSA breach leaks data for hacking securid tokens. 2011. http://goo.gl/tcEoS. RSA breach leaks data for hacking securid tokens. 2011. http://goo.gl/tcEoS.

2. LinkedIn Confirms Account Passwords Hacked. 2012. http://goo.gl/AWB5KC. LinkedIn Confirms Account Passwords Hacked. 2012. http://goo.gl/AWB5KC.

3. Google acquires slicklogin the sound-based password alternative.2014. https://goo.gl/V9J8rv. Google acquires slicklogin the sound-based password alternative.2014. https://goo.gl/V9J8rv.

4. Russian Hackers Amass Over a Billion Internet Passwords. 2014. Available at: http://goo.gl/aXzqj8. Russian Hackers Amass Over a Billion Internet Passwords. 2014. Available at: http://goo.gl/aXzqj8.

5. Hack Brief : Yahoo Breach Hits Half a Billion Users . 2016 . https://goo.gl/nz4uJG. Hack Brief: Yahoo Breach Hits Half a Billion Users. 2016. https://goo.gl/nz4uJG.

Cited by 4 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. A privacy preserving four-factor authentication protocol for internet of medical things;Computers & Security;2024-02

2. Energy Efficient ECC Authenticated Key Exchange Protocol for Star Topology Wireless Sensor Networks;Journal of Telecommunications and Information Technology;2024-01-18

3. Online Banking User Authentication Methods: A Systematic Literature Review;IEEE Access;2024

4. Biometric-Based Two-Factor Authentication Scheme Under Database Leakage;2023