An Extensive Formal Analysis of Multi-factor Authentication Protocols

Authors: Charlie Jacomme and Steve Kremer
Journal: ACM Transactions on Privacy and Security (TOPS), pages 1-34
Passwords are still the most widespread means for authenticating users, even though they have been shown to create huge security problems. This motivated the use of additional authentication mechanisms in so-called multi-factor authentication protocols. In this article, we define a detailed threat model for this kind of protocol: While in classical protocol analysis attackers control the communication network, we take into account that many communications are performed over TLS channels, that…
1 Citation
Security Analysis and Bypass User Authentication Bound to Device of Windows Hello in the Wild
  • Ejin Kim, Hyoung-Kee Choi
  • Computer Science
  • Secur. Commun. Networks
  • 2021
The results show that, on a hardware-unsupported device, the authentication data for Windows Hello is not properly protected, and this paper proposes a migration attack to compromise Windows Hello’s security.

References
Formal Modeling and Automatic Security Analysis of Two-Factor and Two-Channel Authentication Protocols
A formal model and mechanical security analysis of two protocols for two-factor and two-channel authentication for web applications is provided; the protocols rely on the user’s mobile phone as the second authentication factor and on the GSM/3G communication infrastructure as the second communication channel.
Automated Analysis of Security Protocols with Global State
A process calculus which is a variant of the applied pi calculus with constructs for manipulation of a global state by processes running in parallel is proposed, and it is shown that this language can be translated to MSR rules whilst preserving all security properties expressible in a dedicated first-order logic for security properties.
Formal Analysis of the FIDO 1.x Protocol
This paper presents a formal analysis of FIDO, a protocol that aims to provide either a passwordless experience or an extra security layer for user authentication over the Internet, and shows that ignoring some optional steps of the standard could lead to the implementation of a flawed authentication process.
On the security of public key protocols
  • D. Dolev, A. Yao
  • Computer Science
  • 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981)
  • 1981
Several models are formulated in which the security of protocols can be discussed precisely, and algorithms and characterizations that can be used to determine protocol security in these models are given.
Modeling Human Errors in Security Protocols
It is shown how the Tamarin tool can be used to automatically analyze security protocols involving human errors, which provides a starting point for a fine-grained classification of security protocols from a usable-security perspective.
Modeling and Verifying Security Protocols with the Applied Pi Calculus and ProVerif
  • B. Blanchet
  • Mathematics, Computer Science
  • Found. Trends Priv. Secur.
  • 2016
This survey presents an overview of the research on ProVerif, an automatic symbolic protocol verifier that translates a protocol description into Horn clauses and determines whether the desired security properties hold by resolution on these clauses.
A Complete Characterization of Secure Human-Server Communication
A general communication topology model is introduced to facilitate the analysis of security protocols in this setting; it can serve to guide the design of novel solutions for applications and to quickly exclude proposals that cannot possibly offer secure communication.
The Applied Pi Calculus: Mobile Values, New Names, and Secure Communication
The applied pi calculus is defined: a simple, general extension of the pi calculus in which values can be formed from names via the application of built-in functions, subject to equations, and sent as messages.
The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes
It is concluded that many academic proposals to replace text passwords for general-purpose user authentication on the web have failed to gain traction because researchers rarely consider a sufficiently wide range of real-world constraints.
Mobile values, new names, and secure communication
A simple, general extension of the pi calculus with value passing, primitive functions, and equations among terms is introduced, and semantics and proof techniques for this extended language are developed and applied in reasoning about some security protocols.