Paper 2015/1131

On the Usability of Two-Factor Authentication

Ding Wang and Ping Wang

Abstract

Smart-card-based password authentication, known as two-factor authentication, is one of the most widely used security mechanisms to validate the legitimacy of a remote client, who must hold a valid smart card and the correct password in order to successfully login the server. So far the research on this domain has mainly focused on developing more secure, privacy-preserving and efficient protocols, which has led to numerous efficient proposals with a diversity of security provisions, yet little attention has been directed towards another important aspect, i.e. the usability of a scheme. This paper focuses on the study of two specific security threats on usability in two-factor authentication. Using two representative protocols as case studies, we demonstrate two types of security threats on usability: (1) Password change attack, which may easily render the smart card completely unusable by changing the password to a random value; and (2) De-synchronization attack, which breaks the consistence of the pseudo-identities between the user and the server. These threats, though realistic in practice, have been paid little attention in the literature. In addition to revealing the vulnerabilities, we discuss how to thwart these security threats and secure the protocols.

Note: This is a full version of the paper presented at SecureComm 2014.

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Minor revision. Proceedings of 10th International Conference on Security and Privacy in Communication Networks (SecureComm 2014)
DOI
10.1007/978-3-319-23829-6 11
Contact author(s)
wangdingg @ yeah net
History
2015-11-26: received
Short URL
https://ia.cr/2015/1131
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2015/1131,
      author = {Ding Wang and Ping Wang},
      title = {On the Usability of Two-Factor Authentication},
      howpublished = {Cryptology ePrint Archive, Paper 2015/1131},
      year = {2015},
      doi = {10.1007/978-3-319-23829-6 11},
      note = {\url{https://eprint.iacr.org/2015/1131}},
      url = {https://eprint.iacr.org/2015/1131}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.