Paper 2022/1685

CoRA: Collaborative Risk-Aware Authentication

Mastooreh Salajegheh
Shashank Agrawal
Maliheh Shirvanian
Mihai Christodorescu,
Payman Mohassel

Today, authentication faces the trade-off of security versus usability. Two factor authentication, for example, is one way to improve security at the cost of requiring user interaction for every round of authentication. Most 2FA methods are bound to user's phone and fail if the phone is not available. We propose CoRA, a Collaborative Risk-aware Authentication method that takes advantage of any and many devices that the user owns. CoRA increases security, and preserves usability and privacy by using threshold MACs and by tapping into the knowledge of the devices instead of requiring user knowledge or interaction. Using CoRA, authentication tokens are generated collaboratively by multiple devices owned by the user, and the token is accompanied by a risk factor that indicates the reliability of the token to the authentication server. CoRA relies on a device-centric trust assessment to determine the relative risk factor and on threshold cryptography to ensure no single point of failure. CoRA does not assume any secure element or physical security for the devices. In this paper, we present the architecture and security analysis of CoRA. In an associated user study we discover that 78% of users have at least three devices with them at most times, and 93% have at least two, suggesting that deploying CoRA multi-factor authentication is practical today.

Available format(s)
Publication info
Authentication MFA Threshold MFA
Contact author(s)
salajegheh @ gmail com
sagrawal @ pm me
maliheh21 @ gmail com
mihaic @ gmail com
2022-12-05: approved
2022-12-04: received
See all versions
Short URL
Creative Commons Attribution-NonCommercial


      author = {Mastooreh Salajegheh and Shashank Agrawal and Maliheh Shirvanian and Mihai Christodorescu, and Payman Mohassel},
      title = {CoRA: Collaborative Risk-Aware Authentication},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1685},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.