Two-Factor Authentication Resilient to Server Compromise Using Mix-Bandwidth Devices

Maliheh Shirvanian, Stanislaw Jarecki, Nitesh Saxena, Naveen Nathan
2014 Proceedings 2014 Network and Distributed System Security Symposium   unpublished
Two-factor authentication (TFA), enabled by hardware tokens and personal devices, is gaining momentum. The security of TFA schemes relies upon a human-memorable password $p$ drawn from some implicit dictionary $D$ and a $t$-bit device-generated one-time PIN $z$. Compared to password-only authentication, TFA reduces the probability of an adversary's online guessing attack to $1/(|D| \cdot 2^t)$ (and to $1/2^t$ if the password $p$ is leaked). However, known TFA schemes do not improve security in the face of offline dictionary attacks, because an adversary who compromises the service and learns a (salted) password hash can still recover the password with $O(|D|)$ amount of effort. This password might be reused by the user at another site employing password-only authentication. We present a suite of efficient novel TFA protocols which improve upon password-only authentication by a factor of $2^t$ with regard to both the online guessing attack and the offline dictionary attack. To argue the security of the presented protocols, we first provide a formal treatment of TFA schemes in general. The TFA protocols we present enable utilization of devices that are connected to the client over several channel types, formed using manual PIN entry, visual QR code capture, wireless communication (Bluetooth or WiFi), and combinations thereof. Utilizing these various communication settings we design, implement, and evaluate the performance of 13 different TFA mechanisms, and we analyze them with respect to security, usability (manual effort needed beyond typing a password), and deployability (need for additional hardware or software), showing consistent advantages over known TFA schemes.

output $z = s\ F_k(x)$ as its PIN, and the server can verify the (password, PIN) pair $(p, z)$ against the hash $H(p, s)$ by recomputing $s$ as $z\ F_k(x)$. Such a protocol is $1/(|D| \cdot 2^t)$-secure against online guessing even in the presence of lunchtime attacks on the device and man-in-the-middle attacks on the communication channel between the client and the device. As for an offline dictionary attack after a server corruption, the attacker needs $s$ to verify password guesses, making the offline dictionary attack time grow to $O(|D| \cdot 2^t)$.
Note that the above TFA protocol exposes device secret $s$ (and hence reduces the time of the off-line dictionary attack back to $O(|D|)$) to an attacker who corrupts the server after staging a lunch-time attack on the user's device or eavesdropping on the client-device communication. This motivates our public-key version of this scheme, which forces the dictionary attack time to $O(|D| \cdot 2^t)$ steps even in this case. The crucial security parameter $t$ in our protocols is bounded by the bit capacity of the device-to-client (D-to-C) channel, i.e. by the bit-length of the PIN. However, the security properties of our TFA protocols depend also on the (existence and the) capacity of the client-to-device (C-to-D) channel, which is not typically used in existing TFA schemes. This motivates exploring different implementations of the D-to-C and C-to-
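The symmetric-key protocol and the leak described above, as an added example (not code from the paper): the server stores k and H(p, s) but never s, so a stolen record alone forces a search over |D| · 2^t pairs, while one observed (x, z) collapses it to |D|. Assumptions: the combining operator missing from the extracted text is XOR, F is HMAC-SHA256 truncated to t bits, H is SHA-256, x is a per-login challenge, and all function names are hypothetical.

```python
import hashlib, hmac, secrets

T_BITS = 8  # toy PIN length t (constructed value, small so the search below is instant)

def prf(k: bytes, x: bytes) -> int:
    """F_k(x): HMAC-SHA256 truncated to t bits (assumed stand-in for the PRF F)."""
    return int.from_bytes(hmac.new(k, x, hashlib.sha256).digest(), "big") >> (256 - T_BITS)

def pw_hash(p: str, s: int) -> bytes:
    """H(p, s): bare SHA-256 for brevity (assumption); a deployment would use a slow KDF."""
    return hashlib.sha256(s.to_bytes(4, "big") + p.encode()).digest()

def register(p: str):
    """Return (device, server) state. The server keeps k and H(p, s) but never s."""
    k, s = secrets.token_bytes(32), secrets.randbelow(1 << T_BITS)
    return {"k": k, "s": s}, {"k": k, "h": pw_hash(p, s)}

def device_pin(device: dict, x: bytes) -> int:
    """PIN z = s XOR F_k(x); XOR is the assumed operator, x an assumed per-login challenge."""
    return device["s"] ^ prf(device["k"], x)

def server_verify(server: dict, p: str, z: int, x: bytes) -> bool:
    """Recompute s = z XOR F_k(x), then check (p, s) against the stored hash."""
    s = z ^ prf(server["k"], x)
    return hmac.compare_digest(pw_hash(p, s), server["h"])

def offline_work(server: dict, dictionary: list, known_s=None):
    """Count H evaluations needed to confirm a password from a stolen server record."""
    s_space = [known_s] if known_s is not None else range(1 << T_BITS)
    tried = 0
    for p in dictionary:
        for s in s_space:
            tried += 1
            if pw_hash(p, s) == server["h"]:
                return p, tried
    return None, tried

if __name__ == "__main__":
    dictionary = ["123456", "letmein", "correct horse"]  # constructed toy dictionary D
    device, server = register("correct horse")
    x = b"login-0001"  # constructed challenge value
    z = device_pin(device, x)
    print("login ok:", server_verify(server, "correct horse", z, x))
    print("stolen record only:", offline_work(server, dictionary)[1], "hashes")
    leaked_s = z ^ prf(server["k"], x)  # s is exposed once (x, z) was observed on the channel
    print("record + observed PIN:", offline_work(server, dictionary, leaked_s)[1], "hashes")
```
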
doi:10.14722/ndss.2014.23167 fatcat:ag7e4re5obazhegnfeahyxzkcu