Paper 2022/1682

Interactive Authentication

Deepak Maram, Cornell University, Mysten Labs
Mahimna Kelkar, Cornell University
Ittay Eyal, Technion – Israel Institute of Technology
Abstract

Authentication is the first, crucial step in securing digital assets like cryptocurrencies and online services like banking. It relies on principals maintaining exclusive access to credentials like cryptographic signing keys, passwords, and physical devices. But both individuals and organizations struggle to manage their credentials, resulting in loss of assets and identity theft. In this work, we study mechanisms with back-and-forth interaction with the principals. For example, a user receives an email notification about sending money from her bank account and is given a period of time to abort. We define the authentication problem, where a mechanism interacts with a user and an attacker. A mechanism's success depends on the scenario, namely, which credentials each principal knows. The profile of a mechanism is the set of scenarios in which it succeeds. The subset relation on profiles defines a partial order on mechanisms. We bound the profile size and discover three types of novel mechanisms that are maximally secure. We show the efficacy of our model by analyzing existing mechanisms and make concrete improvement proposals: Using sticky messages for security notifications, prioritizing credentials when accessing one's bank account, and using one of our maximal mechanisms to improve a popular cryptocurrency wallet. We demonstrate the practicality of our mechanisms by implementing the latter.
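The following is an added illustration of the profile-and-partial-order idea from the abstract; it is not code or notation from the paper. It assumes a toy model: a scenario assigns each credential to the user only, the attacker only, both, or neither; a mechanism "succeeds" in a scenario when the user authenticates and the attacker does not; and the interactive notify-and-abort mechanism is modelled as "the request passes if the requester has the password and the opposing party cannot abort via the email credential". The credential names and all three mechanisms are constructed for the example.

```python
from itertools import product
from typing import Callable, FrozenSet, Tuple

# Who knows a credential in a scenario (constructed encoding, not the paper's notation).
USER, ATTACKER, BOTH, NEITHER = "U", "A", "B", "N"
WHO = (USER, ATTACKER, BOTH, NEITHER)

# Constructed example credentials; a scenario is one entry per credential, in this order.
CREDENTIALS = ("password", "email", "phone")
Scenario = Tuple[str, ...]

# A mechanism decides whether a request passes, given the requester's credentials
# and the opposing party's credentials (the latter matters only for interactive ones).
Mechanism = Callable[[FrozenSet[str], FrozenSet[str]], bool]


def held_by(scenario: Scenario, party: str) -> FrozenSet[str]:
    """Credentials that `party` ('user' or 'attacker') knows in `scenario`."""
    wanted = {USER, BOTH} if party == "user" else {ATTACKER, BOTH}
    return frozenset(c for c, who in zip(CREDENTIALS, scenario) if who in wanted)


def all_scenarios():
    return list(product(WHO, repeat=len(CREDENTIALS)))


def profile(mech: Mechanism) -> FrozenSet[Scenario]:
    """Scenarios in which the user gets in and the attacker does not (assumed success condition)."""
    return frozenset(
        s for s in all_scenarios()
        if mech(held_by(s, "user"), held_by(s, "attacker"))
        and not mech(held_by(s, "attacker"), held_by(s, "user"))
    )


def profile_size(mech: Mechanism) -> int:
    return len(profile(mech))


def compare(m1: Mechanism, m2: Mechanism) -> str:
    """Order m1 against m2 by profile inclusion; most pairs turn out incomparable."""
    p1, p2 = profile(m1), profile(m2)
    if p1 == p2:
        return "equal"
    if p1 < p2:
        return "weaker"
    if p1 > p2:
        return "stronger"
    return "incomparable"


# Non-interactive: present the password; the opponent plays no role.
def password_only(mine: FrozenSet[str], theirs: FrozenSet[str]) -> bool:
    return "password" in mine


# Non-interactive threshold: any two of the three credentials.
def two_of_three(mine: FrozenSet[str], theirs: FrozenSet[str]) -> bool:
    return len(mine) >= 2


# Interactive (assumed semantics): a password login triggers a notification to the
# email credential; an opponent who holds that credential aborts within the window.
def password_with_email_abort(mine: FrozenSet[str], theirs: FrozenSet[str]) -> bool:
    return "password" in mine and "email" not in theirs


# Degenerate mechanism that never authenticates anyone: the bottom of the order.
def never(mine: FrozenSet[str], theirs: FrozenSet[str]) -> bool:
    return False


if __name__ == "__main__":
    for name, m in [("password_only", password_only), ("two_of_three", two_of_three),
                    ("password_with_email_abort", password_with_email_abort)]:
        print(f"{name}: profile size {profile_size(m)} of {len(all_scenarios())}")
    print("password_only vs email-abort:", compare(password_only, password_with_email_abort))
    print("password_only vs two_of_three:", compare(password_only, two_of_three))
    print("never vs password_only:", compare(never, password_only))
```

Two scenarios show why the order is only partial under these assumptions: with the password shared by both parties but the email under the user's control (`("B","U","N")`), the abort mechanism succeeds and password-only fails; with the password held by the user alone but the email compromised (`("U","A","N")`), the attacker can veto the legitimate login, so the abort mechanism fails where password-only succeeds. Neither profile contains the other.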

Note: Extended version of the CCS paper

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Published elsewhere. ACM CCS 2024
DOI
10.1145/3658644.3670378
Keywords
key management, authentication, formal security models, multi-factor auth
Contact author(s)
sm2686 @ cornell edu
mahimna @ cs cornell edu
ittay @ technion ac il
History
2024-07-22: last of 5 revisions
2022-12-03: received
Short URL
https://ia.cr/2022/1682
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2022/1682,
      author = {Deepak Maram and Mahimna Kelkar and Ittay Eyal},
      title = {Interactive Authentication},
      howpublished = {Cryptology {ePrint} Archive, Paper 2022/1682},
      year = {2022},
      doi = {10.1145/3658644.3670378},
      url = {https://eprint.iacr.org/2022/1682}
}