Paper 2018/033

Two-Factor Password-Authenticated Key Exchange with End-to-End Password Security

Stanislaw Jarecki, Mohammed Jubur, Hugo Krawczyk, Maliheh Shirvanian, and Nitesh Saxena


We present a secure two-factor authentication (TFA) scheme based on the possession by the user of a password and a crypto-capable device. Security is ``end-to-end" in the sense that the attacker can attack all parts of the system, including all communication links and any subset of parties (servers, devices, client terminals), can learn users' passwords, and perform active and passive attacks, online and offline. In all cases the scheme provides the highest attainable security bounds given the set of compromised components. Our solution builds a TFA scheme using any Device-Enhanced PAKE, defined by Jarecki et al., and any Short Authenticated String (SAS) Message Authentication, defined by Vaudenay. We show an efficient instantiation of this modular construction which utilizes any password-based client-server authentication method, with or without reliance on public-key infrastructure. The security of the proposed scheme is proven in a formal model that we formulate as an extension of the traditional PAKE model. We also report on a prototype implementation of our schemes, including TLS-based and PKI-free variants, as well as several instantiations of the SAS mechanism, all demonstrating the practicality of our approach. Finally, we present a usability study evaluating the viability of our protocol contrasted with the traditional PIN-based TFA approach in terms of efficiency, potential for errors, user experience and security perception of the underlying manual process.

Note: This revision expands on the PKC 2018 publication by (1) reporting on extensive usability studies of the TFA protocol, including several variants of implementing the human-assisted "checksum verification", a key step in the protocol, and (2) including the details of all security proofs, with all cases of party corruptions considered in our security model.

Available format(s)
Cryptographic protocols
Publication info
A major revision of an IACR publication in PKC 2018
password authenticationtwo-factor authenticationshort authenticated string model
Contact author(s)
stanislawjarecki @ gmail com
2020-08-31: last of 4 revisions
2018-01-08: received
See all versions
Short URL
Creative Commons Attribution


      author = {Stanislaw Jarecki and Mohammed Jubur and Hugo Krawczyk and Maliheh Shirvanian and Nitesh Saxena},
      title = {Two-Factor Password-Authenticated Key Exchange with End-to-End Password Security},
      howpublished = {Cryptology ePrint Archive, Paper 2018/033},
      year = {2018},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.