Author:
Kreutz Diego, Fernandes Rafael, Paz Giulliano, Jenuario Tadeu, Mansilha Rodrigo, Immich Roger, Miers Charles C.
Abstract
The increasing adoption of mobile applications as a means of user authentication is revealing new security challenges and opportunities. In order to modernize their physical identification and authorization procedures (e.g., access turnstiles), some institutions have adopted static QR Codes generated using simple and static user data, such as some type of individual citizen national identification number. This procedure is easy to implement and verify, but it represents a critical security vulnerability. To address this issue, we propose Auth4App, a set of protocols for identification and authentication using mobile applications. Auth4App has two main protocols, one for binding user credentials to the mobile device (i.e., identification) and another one for generating one-time authentication codes (OTACs). Both protocols were formally verified using Scyther, an automated verification tool. Based on the automated analysis, our results show that the Auth4App protocols are robust enough and meet the relevant security criteria. Our prototype simulates access control using electronic turnstiles and was developed to present how our solution works and its deployment feasibility. The results show that Auth4App enables accurate user authentication with a low computational cost.
Publisher
Sociedade Brasileira de Computação - SBC
Cited by
2 articles.