Paper 2017/158

Passphone: Outsourcing Phone-based Web Authentication while Protecting User Privacy

Martin Potthast, Christian Forler, Eik List, and Stefan Lucks

Abstract

This work introduces PassPhone, a new smartphone-based authentication scheme that outsources user verification to a trusted third party without sacrificing privacy: neither can the trusted third party learn the relation between users and service providers, nor can service providers learn those of their users to others. When employed as a second factor in conjunction with, for instance, passwords as a first factor, our scheme maximizes the deployability of two-factor authentication for service providers while maintaining user privacy. We conduct a twofold formal analysis of our scheme, the first regarding its general security, and the second regarding anonymity and unlinkability of its users. Moreover, we provide an automatic analysis using AVISPA, a comparative evaluation to existing schemes under Bonneau et al.'s framework, and an evaluation of a prototypical implementation.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. Major revision. NordSec2016
DOI
10.1007/978-3-319-47560-8
Keywords
two-factor authenticationunlinkability
Contact author(s)
eik list @ uni-weimar de
History
2017-02-22: received
Short URL
https://ia.cr/2017/158
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2017/158,
      author = {Martin Potthast and Christian Forler and Eik List and Stefan Lucks},
      title = {Passphone: Outsourcing Phone-based Web Authentication while Protecting User Privacy},
      howpublished = {Cryptology ePrint Archive, Paper 2017/158},
      year = {2017},
      doi = {10.1007/978-3-319-47560-8},
      note = {\url{https://eprint.iacr.org/2017/158}},
      url = {https://eprint.iacr.org/2017/158}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.