Abstract
Passwords are still the most widespread means for authenticating users, even though they have been shown to create huge security problems. This motivated the use of additional authentication mechanisms in so-called multi-factor authentication protocols. In this article, we define a detailed threat model for this kind of protocol: While in classical protocol analysis attackers control the communication network, we take into account that many communications are performed over TLS channels, that computers may be infected by different kinds of malware, that attackers could perform phishing, and that humans may omit some actions. We formalize this model in the applied pi calculus and perform an extensive analysis and comparison of several widely used protocols—variants of Google 2-step and FIDO’s U2F (Yubico’s Security Key token). The analysis is completely automated, systematically generating all combinations of threat scenarios for each of the protocols and using the ProVerif tool for automated protocol analysis. To validate our model and attacks, we demonstrate their feasibility in practice, even though our experiments are run in a laboratory environment. Our analysis highlights weaknesses and strengths of the different protocols. It allows us to suggest several small modifications of the existing protocols that are easy to implement, as well as an extension of Google 2-step that improves security in several threat scenarios.
An Extensive Formal Analysis of Multi-factor Authentication Protocols