Abstract
Over the last few years, there has been an almost exponential increase in the number of mobile applications that deal with sensitive data, such as applications for e-commerce or health. When dealing with sensitive data, classical authentication solutions based on username-password pairs are not enough; multi-factor authentication solutions that combine two or more authentication factors of different categories are required instead. Although several solutions are currently in use, their security analyses have been performed informally or semi-formally at best, without a reference model and without a precise definition of the multi-factor authentication property. This makes a comparison among the different solutions both complex and potentially misleading. In this article, we first present the design of two reference models for native applications based on the requirements of two real-world use-case scenarios. Features common to both are the use of one-time password approaches and the support of a single sign-on experience. Then, we provide a formal specification of our threat model and the security goals, and discuss the automated security analysis that we performed. Our formal analysis validates the security goals of the two reference models we propose and provides an important building block for the formal analysis of different multi-factor authentication solutions.
Index Terms
- Formal Analysis of Mobile Multi-Factor Authentication with Single Sign-On Login