Two-Factor Authentication


The Experts below are selected from a list of 38082 Experts worldwide ranked by ideXlab platform

Ariel Pomputius - One of the best experts on this subject based on the ideXlab platform.

Ping Wang - One of the best experts on this subject based on the ideXlab platform.

  • On the Usability of Two-Factor Authentication
    2016
    Co-Authors: Ding Wang, Ping Wang
    Abstract:

    Smart-card-based password authentication, known as two-factor authentication, is one of the most widely used security mechanisms to validate the legitimacy of a remote client, who must hold a valid smart card and the correct password in order to successfully log in to the server. So far the research in this domain has mainly focused on developing more secure, privacy-preserving and efficient protocols, which has led to numerous efficient proposals with a diversity of security provisions, yet little attention has been directed towards another important aspect, i.e. the usability of a scheme. This paper focuses on the study of two specific security threats to usability in two-factor authentication. Using two representative protocols as case studies, we demonstrate two types of security threats to usability: (1) the password change attack, which may easily render the smart card completely unusable by changing the password to a random value; and (2) the de-synchronization attack, which breaks the consistency of the pseudo-identities between the user and the server. These threats, though realistic in practice, have received little attention in the literature. In addition to revealing the vulnerabilities, we discuss how to thwart these security threats and secure the protocols. Keywords: two-factor authentication, usability, user anonymity.

  • SecureComm (1) - On the Usability of Two-Factor Authentication
    Lecture Notes of the Institute for Computer Sciences Social Informatics and Telecommunications Engineering, 2015
    Co-Authors: Ding Wang, Ping Wang
    Abstract:

    Smart-card-based password authentication, known as two-factor authentication, is one of the most widely used security mechanisms to validate the legitimacy of a remote client, who must hold a valid smart card and the correct password in order to successfully log in to the server. So far the research in this domain has mainly focused on developing more secure, privacy-preserving and efficient protocols, which has led to numerous efficient proposals with a diversity of security provisions, yet little attention has been directed towards another important aspect, i.e. the usability of a scheme. This paper focuses on the study of two specific security threats to usability in two-factor authentication. Using two representative protocols as case studies, we demonstrate two types of security threats to usability: (1) the password change attack, which may easily render the smart card completely unusable by changing the password to a random value; and (2) the de-synchronization attack, which breaks the consistency of the pseudo-identities between the user and the server. These threats, though realistic in practice, have received little attention in the literature. In addition to revealing the vulnerabilities, we discuss how to thwart these security threats and secure the protocols.

  • Anonymous Two-Factor Authentication: Certain Goals Are Beyond Attainment
    2015
    Co-Authors: Ding Wang, Ping Wang
    Abstract:

    Despite a decade of intensive research, it still remains a challenge to design a practical dynamic ID-based two-factor authentication scheme, for the designers are confronted with an impressive list of security requirements (e.g., resistance to the smart card loss attack) and desirable attributes (e.g., local and secure password update). Dozens of solutions have been proposed, yet most of them are soon found either unable to satisfy some security requirements or short of important features. To overcome this unsatisfactory situation, researchers often work around it in hopes of a new solution (but no one has succeeded so far), while paying little attention to the question: are there inherent limitations (conflicts) that prevent us from designing an ideal scheme that satisfies all of these goals? In this work, we attempt to provide an answer to this question. We revisit two of the latest (and representative) proposals, i.e. Xie's scheme and Li's scheme, and explore some inherent conflicts and unavoidable trade-offs in designing such schemes. Our results strongly indicate that, under the current widely accepted adversary model, certain goals are beyond attainment. To the best of our knowledge, the present study makes the first step towards understanding the underlying evaluation metric for dynamic ID-based two-factor authentication, which we believe will facilitate better design of two-factor protocols that offer acceptable trade-offs between usability, security and privacy.

  • On the Anonymity of Two-Factor Authentication Schemes for Wireless Sensor Networks
    Computer Networks, 2014
    Co-Authors: Ding Wang, Ping Wang
    Abstract:

    Highlights: We demonstrate privacy breaches in two password authentication schemes for WSNs. Public-key techniques are indispensable to achieve user untraceability. Our principle is applicable to two-factor authentication for universal environments. We discuss viable solutions for the practical realization of user anonymity. Experimental timings of related public-key operations on small devices are reported.

    Anonymity is among the important properties of two-factor authentication schemes for wireless sensor networks (WSNs) to preserve user privacy. Though impressive efforts have been devoted to designing schemes with user anonymity by only using lightweight symmetric-key primitives such as hash functions and block ciphers, to the best of our knowledge none has succeeded so far. In this work, we take an initial step to shed light on the rationale underlying this prominent issue. Firstly, we scrutinize two previously-thought sound schemes, namely Fan et al.'s scheme and Xue et al.'s scheme, and demonstrate the major challenges in designing a scheme with user anonymity. Secondly, using these two foremost schemes as case studies and on the basis of the work of Halevi-Krawczyk (1999) [44] and Impagliazzo-Rudich (1989) [43], we put forward a general principle: public-key techniques are intrinsically indispensable to construct a two-factor authentication scheme that can support user anonymity. Furthermore, we discuss practical solutions to realize user anonymity. Remarkably, our principle can be applied to two-factor schemes for universal environments besides WSNs, such as the Internet, global mobility networks and mobile clouds. We believe that our work contributes to a better understanding of the inherent complexity in achieving user privacy, and will establish a groundwork for developing more secure and efficient privacy-preserving two-factor authentication schemes.

Ding Wang - One of the best experts on this subject based on the ideXlab platform.

  • Co-author of the four publications listed under Ping Wang above (On the Usability of Two-Factor Authentication, 2015 and 2016; Anonymous Two-Factor Authentication: Certain Goals Are Beyond Attainment, 2015; On the Anonymity of Two-Factor Authentication Schemes for Wireless Sensor Networks, 2014).

Srdjan Capkun - One of the best experts on this subject based on the ideXlab platform.

  • USENIX Security Symposium - Sound-proof: usable Two-Factor Authentication based on ambient sound
    2015
    Co-Authors: Nikolaos Karapanos, Claudio Marforio, Claudio Soriente, Srdjan Capkun
    Abstract:

    Two-factor authentication protects online accounts even if passwords are leaked. Most users, however, prefer password-only authentication. One reason why two-factor authentication is so unpopular is the extra steps that the user must complete in order to log in. Currently deployed two-factor authentication mechanisms require the user to interact with his phone to, for example, copy a verification code to the browser. Two-factor authentication schemes that eliminate user-phone interaction exist, but require additional software to be deployed. In this paper we propose Sound-Proof, a usable and deployable two-factor authentication mechanism. Sound-Proof does not require interaction between the user and his phone. In Sound-Proof the second authentication factor is the proximity of the user's phone to the device being used to log in. The proximity of the two devices is verified by comparing the ambient noise recorded by their microphones. Audio recording and comparison are transparent to the user, so that the user experience is similar to that of password-only authentication. Sound-Proof can be easily deployed as it works with current phones and major browsers without plugins. We build a prototype for both Android and iOS. We provide empirical evidence that ambient noise is a robust discriminant to determine the proximity of two devices both indoors and outdoors, and even if the phone is in a pocket or purse. We conduct a user study designed to compare the perceived usability of Sound-Proof with Google 2-Step Verification. Participants ranked Sound-Proof as more usable and the majority would be willing to use Sound-Proof even for scenarios in which two-factor authentication is optional.

  • Sound-proof: usable Two-Factor Authentication based on ambient sound
    Proceedings of the 24th USENIX Conference on Security Symposium (SEC '15), 2015
    Co-Authors: Nikolaos Karapanos, Claudio Marforio, Claudio Soriente, Srdjan Capkun
    Abstract:

    Two-factor authentication protects online accounts even if passwords are leaked. Most users, however, prefer password-only authentication. One reason why two-factor authentication is so unpopular is the extra steps that the user must complete in order to log in. Currently deployed two-factor authentication mechanisms require the user to interact with his phone to, for example, copy a verification code to the browser. Two-factor authentication schemes that eliminate user-phone interaction exist, but require additional software to be deployed. In this paper we propose Sound-Proof, a usable and deployable two-factor authentication mechanism. Sound-Proof does not require interaction between the user and his phone. In Sound-Proof the second authentication factor is the proximity of the user's phone to the device being used to log in. The proximity of the two devices is verified by comparing the ambient noise recorded by their microphones. Audio recording and comparison are transparent to the user, so that the user experience is similar to that of password-only authentication. Sound-Proof can be easily deployed as it works with current phones and major browsers without plugins. We build a prototype for both Android and iOS. We provide empirical evidence that ambient noise is a robust discriminant to determine the proximity of two devices both indoors and outdoors, and even if the phone is in a pocket or purse. We conduct a user study designed to compare the perceived usability of Sound-Proof with Google 2-Step Verification. Participants ranked Sound-Proof as more usable and the majority would be willing to use Sound-Proof even for scenarios in which two-factor authentication is optional.

Xiaotie Deng - One of the best experts on this subject based on the ideXlab platform.

  • ICICS - Formal analysis and systematic construction of Two-Factor Authentication scheme (short paper)
    Information and Communications Security, 2006
    Co-Authors: Guomin Yang, Duncan S. Wong, Huaxiong Wang, Xiaotie Deng
    Abstract:

    One of the most commonly used two-factor authentication mechanisms is based on a smart card and the user's password. Over the years, many schemes have been proposed, but most of them have already been found flawed due to the lack of formal security analysis. On the cryptanalysis of schemes of this type, in this paper we further review two recently proposed schemes and show that their security claims are invalid. To address the current issue, we propose a new and simplified property set and a formal adversarial model for analyzing the security of schemes of this type. We believe that the property set and the adversarial model themselves are of independent interest. We then propose a new scheme and a generic construction framework. In particular, we show that a secure password-based key exchange protocol can be transformed efficiently into a smart-card- and password-based two-factor authentication scheme, provided that pseudorandom functions and collision-resistant hash functions exist.

  • Formal analysis and systematic construction of Two-Factor Authentication scheme (short paper)
    Lecture Notes in Computer Science, 2006
    Co-Authors: Guomin Yang, Duncan S. Wong, Huaxiong Wang, Xiaotie Deng
    Abstract:

    One of the most commonly used two-factor authentication mechanisms is based on a smart card and the user's password. Over the years, many schemes have been proposed, but most of them have already been found flawed due to the lack of formal security analysis. On the cryptanalysis of schemes of this type, in this paper we further review two recently proposed schemes and show that their security claims are invalid. To address the current issue, we propose a new and simplified property set and a formal adversarial model for analyzing the security of schemes of this type. We believe that the property set and the adversarial model themselves are of independent interest. We then propose a new scheme and a generic construction framework. In particular, we show that a secure password-based key exchange protocol can be transformed efficiently into a smart-card- and password-based two-factor authentication scheme, provided that pseudorandom functions and collision-resistant hash functions exist.