Cryptology ePrint Archive: Report 2017/158
Passphone: Outsourcing Phone-based Web Authentication while Protecting User Privacy
Martin Potthast and Christian Forler and Eik List and Stefan Lucks
Abstract: This work introduces PassPhone, a new smartphone-based authentication scheme that outsources user verification to a trusted third party without sacrificing privacy: neither can the trusted third party learn the relation between users and service providers, nor can service providers learn those of their users to others. When employed as a second factor in conjunction with, for instance, passwords as a first factor, our scheme maximizes the deployability of two-factor authentication for service providers while maintaining user privacy.
We conduct a twofold formal analysis of our scheme, the first regarding its general security, and the second regarding anonymity and unlinkability of its users. Moreover, we provide an automatic analysis using AVISPA, a comparative evaluation to existing schemes under Bonneau et al.'s framework, and an evaluation of a prototypical implementation.
Category / Keywords: cryptographic protocols / two-factor authentication, unlinkability
Original Publication (with major differences): NordSec2016
Date: received 17 Feb 2017
Contact author: eik list at uni-weimar de
Available format(s): PDF | BibTeX Citation
Version: 20170222:154407 (All versions of this report)
Short URL: ia.cr/2017/158
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]