nach oben

vorheriges Kapitel Collaborative Authentication Using Threshold Cr...

nächstes Kapitel A Risk-Driven Model to Minimize the Effects of ...

Tipp

Weitere Kapitel dieses Buchs durch Wischen aufrufen

2020 | OriginalPaper | Buchkapitel

MuFASA: A Tool for High-level Specification and Analysis of Multi-factor Authentication Protocols

Erstes Kapitel lesen

Autoren: Federico Sinigaglia, Roberto Carbone, Gabriele Costa, Silvio Ranise

Verlag: Springer International Publishing

Erschienen in: Emerging Technologies for Authorization and Authentication

» Jetzt Zugang zum Volltext erhalten

Abstract

In recent years, the usage of online services (e.g., banking) has considerably increased. To protect the sensitive resources managed by these services against attackers, Multi-Factor Authentication (MFA) has been widely adopted. To date, a variety of MFA protocols have been implemented, leveraging different designs and features and providing a non-homogeneous level of security and user experience. Public and private authorities have defined laws and guidelines to guide the design of more secure and usable MFA protocols, but their influence on existing MFA implementations remains unclear.

We present MuFASA, a tool for high-level specification and analysis of MFA protocols, which aims at supporting normal users and security experts (in the design phase of an MFA protocol), providing a high level report regarding possible risks associated to the specified MFA protocol, its resistance to a set of attacker models (defined by NIST), its ease-of-use and its compliance with a set of security requirements derived from European laws.

Bitte loggen Sie sich ein, um Zugang zu diesem Inhalt zu erhalten

Jetzt einloggen Kostenlos registrieren

Sie möchten Zugang zu diesem Inhalt erhalten? Dann informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 69.000 Bücher
über 500 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Umwelt
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Testen Sie jetzt 30 Tage kostenlos.

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 50.000 Bücher
über 380 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Umwelt
Maschinenbau + Werkstoffe

Testen Sie jetzt 30 Tage kostenlos.

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 58.000 Bücher
über 300 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Testen Sie jetzt 30 Tage kostenlos.

Jetzt informieren

Here we provide an example of how the user fills the questionnaire to obtain protocol ( 2). Notice that the sequence of the reported questions only represent a specific path in the interpretation tree.

What is your 1st operation?

I insert some secret credentials (e.g., a password on a website)
I use a device (e.g., a card reader)
I use a software (e.g., an app on my smartphone)
I send/receive something on my mobile phone (e.g., an SMS)
None, I am authenticated
(a) Where are the secret credentials stored?
- On a physical support (e.g., a piece of paper)
- Nowhere, I remember them

What is your 2nd operation?

I insert some secret credentials (e.g., a password on a website)
I use a device (e.g., a card reader)
I use a software (e.g., an app on my smartphone)
I send/receive something on my mobile phone (e.g., an SMS)
None, I am authenticated
(a) Is the device personal? Can you use others’ devices?
- Yes, it is personal
- No, they are all exchangeable
(b) Among the followings, what do you need to use the device?
- I must insert a secret code/pin
- I must scan a part of my body (e.g., my fingerprint)
- Nothing
(c) Is your device connected to something?
- Yes, to my PC (e.g., through a USB cable)
- Yes, to the internet (e.g., through the WiFi)
- No, it is isolated
(d) Does it read some sort of input code?
- Yes, it scans an optic code (e.g., barcode or QR code)
- Yes, I personally digit it (e.g., a code displayed on a website)
- No
(e) Does it recap the ongoing operation and ask for your confirmation?
- Yes (e.g., “Your are paying x$ to y. Confirm?”)
- No
(f) Does it return some code that you have to copy somewhere?
- Yes
- No

What is your 3rd operation?

I insert some secret credentials (e.g., a password on a website)
I use a device (e.g., a card reader)
I use a software (e.g., an app on my smartphone)
I send/receive something on my mobile phone (e.g., an SMS)
None, I am authenticated.

What is your 1st operation?

I insert some secret credentials (e.g., a password on a website)
I use a device (e.g., a card reader)
I use a software (e.g., an app on my smartphone)
I send/receive something on my mobile phone (e.g., an SMS)
None, I am authenticated
(a) Where are the secret credentials stored?
- On a physical support (e.g., a piece of paper)
- Nowhere, I remember them

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figaj_HTML.gif

I insert some secret credentials (e.g., a password on a website)

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figak_HTML.gif

I use a device (e.g., a card reader)

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figal_HTML.gif

I use a software (e.g., an app on my smartphone)

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figam_HTML.gif

I send/receive something on my mobile phone (e.g., an SMS)

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figan_HTML.gif

None, I am authenticated (a) Where are the secret credentials stored?

On a physical support (e.g., a piece of paper)
Nowhere, I remember them

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figao_HTML.gif

On a physical support (e.g., a piece of paper)

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figap_HTML.gif

Nowhere, I remember them What is your 2nd operation?

I insert some secret credentials (e.g., a password on a website)
I use a device (e.g., a card reader)
I use a software (e.g., an app on my smartphone)
I send/receive something on my mobile phone (e.g., an SMS)
None, I am authenticated
(a) Is the device personal? Can you use others’ devices?
- Yes, it is personal
- No, they are all exchangeable
(b) Among the followings, what do you need to use the device?
- I must insert a secret code/pin
- I must scan a part of my body (e.g., my fingerprint)
- Nothing
(c) Is your device connected to something?
- Yes, to my PC (e.g., through a USB cable)
- Yes, to the internet (e.g., through the WiFi)
- No, it is isolated
(d) Does it read some sort of input code?
- Yes, it scans an optic code (e.g., barcode or QR code)
- Yes, I personally digit it (e.g., a code displayed on a website)
- No
(e) Does it recap the ongoing operation and ask for your confirmation?
- Yes (e.g., “Your are paying x$ to y. Confirm?”)
- No
(f) Does it return some code that you have to copy somewhere?
- Yes
- No

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figaq_HTML.gif

I insert some secret credentials (e.g., a password on a website)

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figar_HTML.gif

I use a device (e.g., a card reader)

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figas_HTML.gif

I use a software (e.g., an app on my smartphone)

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figat_HTML.gif

I send/receive something on my mobile phone (e.g., an SMS)

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figau_HTML.gif

None, I am authenticated (a) Is the device personal? Can you use others’ devices?

Yes, it is personal
No, they are all exchangeable

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figav_HTML.gif

Yes, it is personal

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figaw_HTML.gif

No, they are all exchangeable (b) Among the followings, what do you need to use the device?

I must insert a secret code/pin
I must scan a part of my body (e.g., my fingerprint)
Nothing

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figax_HTML.gif

I must insert a secret code/pin

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figay_HTML.gif

I must scan a part of my body (e.g., my fingerprint)

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figaz_HTML.gif

Nothing (c) Is your device connected to something?

Yes, to my PC (e.g., through a USB cable)
Yes, to the internet (e.g., through the WiFi)
No, it is isolated

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figba_HTML.gif

Yes, to my PC (e.g., through a USB cable)

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figbb_HTML.gif

Yes, to the internet (e.g., through the WiFi)

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figbc_HTML.gif

No, it is isolated (d) Does it read some sort of input code?

Yes, it scans an optic code (e.g., barcode or QR code)
Yes, I personally digit it (e.g., a code displayed on a website)
No

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figbd_HTML.gif

Yes, it scans an optic code (e.g., barcode or QR code)

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figbe_HTML.gif

Yes, I personally digit it (e.g., a code displayed on a website)

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figbf_HTML.gif

No (e) Does it recap the ongoing operation and ask for your confirmation?

Yes (e.g., “Your are paying x$ to y. Confirm?”)
No

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figbg_HTML.gif

Yes (e.g., “Your are paying x$ to y. Confirm?”)

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figbh_HTML.gif

No (f) Does it return some code that you have to copy somewhere?

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figbi_HTML.gif

Yes

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figbj_HTML.gif

No What is your 3rd operation?

I insert some secret credentials (e.g., a password on a website)
I use a device (e.g., a card reader)
I use a software (e.g., an app on my smartphone)
I send/receive something on my mobile phone (e.g., an SMS)
None, I am authenticated.

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figbk_HTML.gif

I insert some secret credentials (e.g., a password on a website)

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figbl_HTML.gif

I use a device (e.g., a card reader)

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figbm_HTML.gif

I use a software (e.g., an app on my smartphone)

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figbn_HTML.gif

I send/receive something on my mobile phone (e.g., an SMS)

https://static-content.springer.com/image/chp%3A10.1007%2F978-3-030-39749-4_9/MediaObjects/491623_1_En_9_Figbo_HTML.gif

None, I am authenticated.

https://www.nordea.se/.

https://www.nordea.se/Images/154-21252/quickguide-cardreader.PDF.

https://www.nordea.se/Images/154-300029/Broschyr_skaffa_Mobilt_BankID.pdf.

We use “;” to separate the elements of the sequence.

Armando, A., Carbone, R., Zanetti, L.: Formal modeling and automatic security analysis of two-factor and two-channel authentication protocols. In: Lopez, J., Huang, X., Sandhu, R. (eds.) NSS 2013. LNCS, vol. 7873, pp. 728–734. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38631-2_63 CrossRef

Cristofaro, E.D., Du, H., Freudiger, J., Norcie, G.: Two-Factor or not Two-Factor? A Comparative Usability Study of Two-Factor Authentication. CoRR abs/1309.5344. University College London (2013)

DeFigueiredo, D.: The case for mobile two-factor authentication. IEEE Secur. Priv. 9, 81–85 (2011) CrossRef

European Banking Authority: Recommendations for the Security of Internet Payments (2013). https://www.ecb.europa.eu/pub/pdf/other/recommendationssecurityinternetpaymentsoutcomeofpcfinalversionafterpc201301en.pdf

European Banking Authority: Recommendations for the Security of Mobile Payments - DRAFT (2013). https://www.ecb.europa.eu/paym/cons/pdf/131120/recommendationsforthesecurityofmobilepaymentsdraftpc201311en.pdf

European Banking Authority: Directive 2015/2366 of the European Parliament and of the Council on payment services in the internal market (PSD2) (2015). https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:32015L2366

European Banking Authority: Regulatory Technical Standards on Strong Customer Authentication and common and secure communication under Article 98 of PSD2 (2017). https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018R0389&from=EN

Furst, K., Lang, W.W., Nolle, D.E.: Internet banking: Developments and prospects. Economic and Policy Analysis Working Paper No. 2000-9, Office of the Comptroller of the Currency (2000)

Hao, F., Clarke, D.: Security analysis of a multi-factor authenticated key exchange protocol. In: Bao, F., Samarati, P., Zhou, J. (eds.) ACNS 2012. LNCS, vol. 7341, pp. 1–11. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31284-7_1 CrossRef

10.

Kennedy, E., Millard, C.: Data security and multi-factor authentication: analysis of requirements under EU law and in selected EU Member States. Comput. Law Secur. Rev. 32, 91–110 (2016) CrossRef

11.

Krol, K., Philippou, E., Cristofaro, E.D., Sasse, M.A.: “They brought in the horrible key ring thing!” Analysing the Usability of Two-Factor Authentication in UK Online Banking. CoRR abs/1501.04434. University College London (2015)

12.

NIST: Special Publication - Digital Identity Guidelines (2017). https://pages.nist.gov/800-63-3/

13.

Sciarretta, G., Carbone, R., Ranise, S., Viganò, L.: Design, formal specification and analysis of multi-factor authentication solutions with a single sign-on experience. In: Bauer, L., Küsters, R. (eds.) POST 2018. LNCS, vol. 10804, pp. 188–213. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-89722-6_8 CrossRef

14.

Weir, C.S., Douglas, G., Richardson, T., Jack, M.: Usable security: user preferences for authentication methods in eBanking and the effects of experience. Interact. Comput. 22(3), 153–164 (2010) CrossRef

Titel

MuFASA: A Tool for High-level Specification and Analysis of Multi-factor Authentication Protocols

Buch

Emerging Technologies for Authorization and Authentication

Print ISBN: 978-3-030-39748-7

Electronic ISBN: 978-3-030-39749-4

https://doi.org/10.1007/978-3-030-39749-4

DOI

https://doi.org/10.1007/978-3-030-39749-4_9

Autoren:

Federico Sinigaglia
Roberto Carbone
Gabriele Costa
Silvio Ranise

Verlag

Springer International Publishing

Sequenznummer

Premium Partner

Bildnachweise