Formal Analysis of Mobile Multi-Factor Authentication with Single Sign-On Login

Published: 06 June 2020

    Abstract

    Over the last few years, there has been an almost exponential increase in the number of mobile applications that deal with sensitive data, such as applications for e-commerce or health. When dealing with sensitive data, classical authentication solutions based on username-password pairs are not enough, and multi-factor authentication solutions that combine two or more authentication factors of different categories are required instead. Even if several solutions are currently used, their security analyses have been performed informally or semiformally at best, and without a reference model and a precise definition of the multi-factor authentication property. This makes a comparison among the different solutions both complex and potentially misleading. In this article, we first present the design of two reference models for native applications based on the requirements of two real-world use-case scenarios. Common features between them are the use of one-time password approaches and the support of a single sign-on experience. Then, we provide a formal specification of our threat model and the security goals, and discuss the automated security analysis that we performed. Our formal analysis validates the security goals of the two reference models we propose and provides an important building block for the formal analysis of different multi-factor authentication solutions.



    Published In

    ACM Transactions on Privacy and Security  Volume 23, Issue 3
    August 2020
    158 pages
    ISSN:2471-2566
    EISSN:2471-2574
    DOI:10.1145/3403643
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 06 June 2020
    Online AM: 07 May 2020
    Accepted: 01 March 2020
    Revised: 01 December 2019
    Received: 01 August 2019
    Published in TOPS Volume 23, Issue 3


    Author Tags

    1. OAuth
    2. OpenID Connect
    3. SATMC
    4. eID card

    Qualifiers

    • Research-article
    • Research
    • Refereed
