Formal Analysis of Mobile Multi-Factor Authentication with Single Sign-On Login

Published: 06 June 2020

Abstract

Over the last few years, there has been an almost exponential increase in the number of mobile applications that deal with sensitive data, such as applications for e-commerce or health. When dealing with sensitive data, classical authentication solutions based on username-password pairs are not enough; multi-factor authentication solutions that combine two or more authentication factors of different categories are required instead. Although several solutions are currently in use, their security analyses have been performed informally or semi-formally at best, without a reference model and without a precise definition of the multi-factor authentication property. This makes a comparison among the different solutions both complex and potentially misleading. In this article, we first present the design of two reference models for native applications based on the requirements of two real-world use-case scenarios. Features common to both are the use of one-time password approaches and the support of a single sign-on experience. Then, we provide a formal specification of our threat model and security goals, and discuss the automated security analysis that we performed. Our formal analysis validates the security goals of the two reference models we propose and provides an important building block for the formal analysis of different multi-factor authentication solutions.



• Published in

ACM Transactions on Privacy and Security, Volume 23, Issue 3
August 2020
158 pages
ISSN: 2471-2566
EISSN: 2471-2574
DOI: 10.1145/3403643

Copyright © 2020 ACM

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 6 June 2020
• Online AM: 7 May 2020
• Accepted: 1 March 2020
• Revised: 1 December 2019
• Received: 1 August 2019


Qualifiers

• research-article
• Research
• Refereed
