Passwords are still the most widespread means for authenticating users, even though they have been shown to create huge security problems. This motivated the use of additional authentication mechanisms in so-called multi-factor authentication protocols. In this article, we define a detailed threat model for this kind of protocol: While in classical protocol analysis attackers control the communication network, we take into account that many communications are performed over TLS channels, that computers may be infected by different kinds of malware, that attackers could perform phishing, and that humans may omit some actions. We formalize this model in the applied pi calculus and perform an extensive analysis and comparison of several widely used protocols—variants of Google 2-step and FIDO’s U2F (Yubico’s Security Key token). The analysis is completely automated, generating systematically all combinations of threat scenarios for each of the protocols and using the P ROVERIF tool for automated protocol analysis. To validate our model and attacks, we demonstrate their feasibility in practice, even though our experiments are run in a laboratory environment. Our analysis highlights weaknesses and strengths of the different protocols. It allows us to suggest several small modifications of the existing protocols that are easy to implement, as well as an extension of Google 2-step that improves security in several threat scenarios.

中文翻译：

---

多因素身份验证协议的广泛形式分析

密码仍然是验证用户身份的最普遍手段，尽管它们已被证明会产生巨大的安全问题。这促使在所谓的多因素身份验证协议中使用额外的身份验证机制。在本文中，我们为这种协议定义了一个详细的威胁模型：虽然在经典协议分析中攻击者控制通信网络，但我们考虑到许多通信是通过 TLS 通道执行的，计算机可能会被不同类型的恶意软件感染，攻击者可以执行网络钓鱼，并且人类可能会忽略某些操作。我们在应用 pi 演算中形式化了这个模型，并对几种广泛使用的协议进行了广泛的分析和比较——谷歌两步和FIDO的U2F（Yubico 的安全密钥令牌）。分析是完全自动化的，系统地为每个协议生成威胁场景的所有组合，并使用 P罗威夫用于自动协议分析的工具。为了验证我们的模型和攻击，我们在实践中证明了它们的可行性，即使我们的实验是在实验室环境中运行的。我们的分析突出了不同协议的弱点和优势。它允许我们建议对现有协议进行一些易于实现的小修改，以及扩展谷歌两步这提高了几个威胁场景中的安全性。