research-article

Public Access

Proximity-Proof: Secure and Usable Mobile Two-Factor Authentication

Authors:

Terri HedgpethAuthors Info & Claims

MobiCom '18: Proceedings of the 24th Annual International Conference on Mobile Computing and Networking

Pages 401 - 415

https://doi.org/10.1145/3241539.3241574

Published: 15 October 2018 Publication History

All formats PDF

Abstract

Mobile two-factor authentication (2FA) has become commonplace along with the popularity of mobile devices. Current mobile 2FA solutions all require some form of user effort which may seriously affect the experience of mobile users, especially senior citizens or those with disability such as visually impaired users. In this paper, we propose Proximity-Proof, a secure and usable mobile 2FA system without involving user interactions. Proximity-Proof automatically transmits a user's 2FA response via inaudible OFDM-modulated acoustic signals to the login browser. We propose a novel technique to extract individual speaker and microphone fingerprints of a mobile device to defend against the powerful man-in-the-middle (MiM) attack. In addition, Proximity-Proof explores two-way acoustic ranging to thwart the co-located attack. To the best of our knowledge, Proximity-Proof is the first mobile 2FA scheme resilient to the MiM and co-located attacks. We empirically analyze that Proximity-Proof is at least as secure as existing mobile 2FA solutions while being highly usable. We also prototype Proximity-Proof and confirm its high security, usability, and efficiency through comprehensive user experiments.

References

[1]

https://goo.gl/PRkb95

[2]

https://www.w3schools.com/html/html5_audio.asp

[3]

https://www.authy.com.

[4]

https://www.duosecurity.com/product/methods/duo-mobile

[5]

https://www.encapsecurity.com/

[6]

https://goo.gl/YfmhDF

[7]

https://www.google.com/landing/2step/

[8]

https://goo.gl/gXWqjp

[9]

https://www.yubico.com/

[10]

D. Chen, X. Mao, Z. Qin, W. Wang, X.-Y. Li, and Z. Qin. 2015. WirelessDevice Authentication Using Acoustic Hardware Fingerprints. BigCom. Taiyuan, China. (August 2015).

[11]

D. Chen, N. Zhang, Z. Qin, X. Mao, Z. Qin, X. Shen, and X. Li. 2017.S2M: A Lightweight Acoustic Fingerprints-based Wireless Device AuthenticationProtocol. IEEE Internet of Things Journal 4,1 (2017), 88--100.%%

[12]

A. Czeski, M. Dietz, T. Kohno, D. Wallach, and D. Balfanz. 2012.Strengthening User Authentication through Opportunistic CryptographicIdentity Assertions. ACM CCS. Raleigh, NC. (October 2012).

Digital Library

[13]

A. Das, N. Borisov, and M. Caesar. 2014. Do You Hear What I Hear?: FingerprintingSmart Devices Through Embedded Acoustic Components.ACM CCS. Scottsdale, AZ. (November 2014).

Digital Library

[14]

T. Derham, S. Doughty, K.Woodbridge, and C. Baker. 2007. Design andEvaluation of a Low-Cost Multistatic Netted Radar System. IET Radar,Sonar & Navigation 1,5 (October 2007), 362--368 .

[15]

https://goo.gl/RBGkX3

[16]

https://goo.gl/Vy32JP%

[17]

N. Gunson, D. Marshall, H. Morton, and M. Jack. 2011. User Perceptionsof Security and Usability of Single-Factor and Two-Factor Authenticationin Automated Telephone Banking. Computers & Security 30, 4 (June2011), 208--220.

Digital Library

[18]

N. Karapanos, C. Marforio, C. Soriente, and S. Capkun. 2015. Sound-Proof: Usable Two-Factor Authentication Based on Ambient Sound.USENIX Security. Washington, DC. (November 2014).

Digital Library

[19]

K. Kulpa. 2006. Continuous Wave Radars-Monostatic, Multistatic andNetwork. Advances in Sensing with Security Applications (2006), 215-242.

[20]

T. Li, Y. Chen, J. Sun, X. Jin, and Y. Zhang. 2016. Ilock: Immediate andAutomatic Locking of Mobile Devices Against Data Theft. ACM CCS. Vienna, Austria. (October 2016).

Digital Library

[21]

D. Mackay. 2003. Information Theory, Inference and Learning Algorithms. Cambridge university press.

Digital Library

[22]

W. Mao, J. He, and L. Qiu. 2016. CAT: High-Precision Acoustic MotionTracking. ACM MobiCom. New York, NY, USA. (October 2016).

Digital Library

[23]

R. Nandakumar, V. Iyer, D. Tan, and S. Gollakota. 2016. FingerIO: UsingActive Sonar for Fine-Grained Finger Tracking. ACM CHI. San Jose,CA. (May 2016).

Digital Library

[24]

R. Peeters, J. Hermans, P. Maene, K. Grenman, K. Halunen, and J.Haikio. 2017. n-Auth: Mobile Authentication Done Right. ACSAC. Orlando, FL. (December 2017).

Digital Library

[25]

C. Peng, G. Shen, Y. Zhang, Y. Li, and K. Tan. 2007. BeepBeep: A HighAccuracy Acoustic Ranging System using COTS Mobile Devices. ACM Sensys. Sydney, Australia. (November 2007).

Digital Library

[26]

A. Rosati. 2017. Two Factor Authentication Using Near Field Communications.(March 2017). US Patent 9594896.

[27]

M. Shirvanian, S. Jarecki, N. Saxena, and N. Nathan. 2014. Two-FactorAuthentication Resilient to Server Compromise Using Mix-BandwidthDevices. NDSS. San Diego, CA. (February 2014).

[28]

B. Shrestha, M. Shirvanian, P. Shrestha, and N. Saxena. 2016. TheSounds of the Phones: Dangers of Zero-Effort Second Factor Loginbased on Ambient Audio. ACM CCS. Vienna, Austria. (October2016).

Digital Library

[29]

T. Szabo. 1994. Time Domain Wave Equations for Lossy Media Obeying aFrequency Power Law. The Journal of the Acoustical Society of America96,1 (1994), 492--500.

[30]

Q. Wang, K. Ren, M. Zhou, T. Lei, D. Koutsonikolas, and L. Su. 2016.Messages Behind the Sound: Real-Time Hidden Acoustic Signal Capturewith Smartphones. ACM MobiCom. New York City, NY. (October2016).

Digital Library

[31]

W. Wang and H. Shao. 2013. Performance Prediction of a SynchronizationLink for Distributed Aerospace Wireless Systems. The ScientificWorld Journal (July 2013).

[32]

T. Wei and X. Zhang. 2015. Mtrack: High-Precision Passive TrackingUsing Millimeter Wave Radios. ACM MobiCom. Paris, France.(September 2015).

Digital Library

[33]

C. Weir, G. Douglas, T. Richardson, and M. Jack. 2009. Usable security:User preferences for authentication methods in eBanking and theeffects of experience. Interacting with Computers 22,3 (October 2009),153--164.

Digital Library

[34]

Z. Zhou, W. Diao, X. Liu, and K. Zhang. 2014. Acoustic FingerprintingRevisited: Generate Stable Device ID Stealthy with Inaudible Sound. ACM CCS. Scottsdale, AZ. (November 2014).

Digital Library

Cited By

Jubur MShrestha PSaxena N(2025)An In-Depth Analysis of Password Managers and Two-Factor Authentication ToolsACM Computing Surveys10.1145/371111757:5(1-32)Online publication date: 24-Jan-2025
https://dl.acm.org/doi/10.1145/3711117
Huang LWang C(2025)Biometric Encoding for Replay-Resistant Smartphone User Authentication Using HandgripsIEEE Transactions on Mobile Computing10.1109/TMC.2024.347467324:2(1230-1248)Online publication date: Feb-2025
https://doi.org/10.1109/TMC.2024.3474673
Cao YDhekne AAmmar MKim YKim JKoushanfar FRasmussen K(2024)UWB-Auth: A UWB-based Two Factor Authentication PlatformProceedings of the 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks10.1145/3643833.3656113(185-195)Online publication date: 27-May-2024
https://dl.acm.org/doi/10.1145/3643833.3656113
Show More Cited By

Index Terms

Proximity-Proof: Secure and Usable Mobile Two-Factor Authentication
1. Security and privacy
  1. Security services
    1. Authentication
      1. Multi-factor authentication

Recommendations

User Perceptions of Security and Usability of Mobile-Based Single Password Authentication and Two-Factor Authentication
Data Privacy Management, Cryptocurrencies and Blockchain Technology
Abstract
Two-factor authentication provides a significant improvement over the security of traditional password-based authentication by requiring users to provide an additional authentication factor, e.g., a code generated by a security token. In this ...
The Case for Mobile Two-Factor Authentication

Mobile two-factor authentication systems can provide three security guarantees. First, a compromised PIN won't provide a way to authenticate an attacker or provide any extra information about the corresponding phone. Second, a stolen phone won't provide ...
Advanced security of two-factor authentication system using stego QR code

Many financial institutions are trying to protect their customers by offering improved and more secure technologies for authentication. One of the most common is two-factor authentication (2FA), which presents many vulnerabilities that allow attackers to ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

MobiCom '18: Proceedings of the 24th Annual International Conference on Mobile Computing and Networking

October 2018

884 pages

ISBN:9781450359030

DOI:10.1145/3241539

General Chairs:
Rajeev Shorey
TCS Innovation Labs, India
,
Rohan Murty
Soroco, USA/India
,
Program Chairs:
Yingying (Jennifer) Chen
WINLAB, Rutgers University, USA
,
Kyle Jamieson
Princeton University, USA

Copyright © 2018 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGMOBILE: ACM Special Interest Group on Mobility of Systems, Users, Data and Computing

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 15 October 2018

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Conference

MobiCom '18

Sponsor:

SIGMOBILE

MobiCom '18: The 24th Annual International Conference on Mobile Computing and Networking

October 29 - November 2, 2018

New Delhi, India

Acceptance Rates

MobiCom '18 Paper Acceptance Rate 42 of 187 submissions, 22%;

Overall Acceptance Rate 440 of 2,972 submissions, 15%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

35
Total Citations
View Citations
1,763
Total Downloads

Downloads (Last 12 months)265
Downloads (Last 6 weeks)27

Reflects downloads up to 01 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Jubur MShrestha PSaxena N(2025)An In-Depth Analysis of Password Managers and Two-Factor Authentication ToolsACM Computing Surveys10.1145/371111757:5(1-32)Online publication date: 24-Jan-2025
https://dl.acm.org/doi/10.1145/3711117
Huang LWang C(2025)Biometric Encoding for Replay-Resistant Smartphone User Authentication Using HandgripsIEEE Transactions on Mobile Computing10.1109/TMC.2024.347467324:2(1230-1248)Online publication date: Feb-2025
https://doi.org/10.1109/TMC.2024.3474673
Cao YDhekne AAmmar MKim YKim JKoushanfar FRasmussen K(2024)UWB-Auth: A UWB-based Two Factor Authentication PlatformProceedings of the 17th ACM Conference on Security and Privacy in Wireless and Mobile Networks10.1145/3643833.3656113(185-195)Online publication date: 27-May-2024
https://dl.acm.org/doi/10.1145/3643833.3656113
Shrestha PMahdad ASaxena N(2024)Sound-based Two-factor Authentication: Vulnerabilities and RedesignACM Transactions on Privacy and Security10.1145/363217527:1(1-27)Online publication date: 10-Jan-2024
https://dl.acm.org/doi/10.1145/3632175
Ren YYang TXia ZLiu HYu JLiu BLi H(2024)Robust Mobile Two-Factor Authentication Leveraging Acoustic FingerprintingIEEE Transactions on Mobile Computing10.1109/TMC.2024.339118423:12(11105-11120)Online publication date: Dec-2024
https://doi.org/10.1109/TMC.2024.3391184
Zhou MZhou YSu SWang QLi QHu SYu CLi Z(2024)FingerPattern: Securing Pattern Lock via Fingerprint-Dependent Friction SoundIEEE Transactions on Mobile Computing10.1109/TMC.2023.333814823:6(7210-7224)Online publication date: Jun-2024
https://doi.org/10.1109/TMC.2023.3338148
Ghose NGupta KLazos LLi MXu ZLi J(2024)ZITA: Zero-Interaction Two-Factor Authentication using Contact Traces and In-band Proximity VerificationIEEE Transactions on Mobile Computing10.1109/TMC.2023.3321514(1-16)Online publication date: 2024
https://doi.org/10.1109/TMC.2023.3321514
Guo ZYan HCao JYang JNiu BLi ALi H(2024)ADEAS: Authentication Using Doppler Effect of Acoustic Signals Caused by Hands MovingIEEE Internet of Things Journal10.1109/JIOT.2024.345069211:24(40009-40025)Online publication date: 15-Dec-2024
https://doi.org/10.1109/JIOT.2024.3450692
Park SSeo CWang XLee YSeo S(2024)Exclusively in-store: Acoustic location authentication for stationary business devicesJournal of Network and Computer Applications10.1016/j.jnca.2024.104028(104028)Online publication date: Sep-2024
https://doi.org/10.1016/j.jnca.2024.104028
Jakubeit PPeter Avan Steen M(2024)SPAWN: Seamless Proximity-Based Authentication by Utilizing the Existent WiFi EnvironmentInformation Security Theory and Practice10.1007/978-3-031-60391-4_1(1-16)Online publication date: 18-Jun-2024
https://doi.org/10.1007/978-3-031-60391-4_1
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

EPUB

View this article in ePub.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Figures

Tables

Media

View Table of Conten