UAB - The University of Alabama at Birmingham

Mix Bandwidth TFA

Two-factor authentication (TFA), enabled by hardware tokens and personal devices, is gaining momentum. The security of TFA schemes relies upon a human-memorable password p drawn from some implicit dictionary D and a t-bit device-generated one-time PIN z. Compared to password-only authentication, TFA reduces the success probability of an adversary's online guessing attack to 1/(|D|*2^t) (and to 1/2^t if the password p is leaked). However, known TFA schemes do not improve security in the face of offline dictionary attacks, because an adversary who compromises the service and learns a (salted) password hash can still recover the password with O(|D|) effort. This password might be reused by the user at another site employing password-only authentication.

We present a suite of efficient novel TFA protocols which improve upon password-only authentication by a factor of 2^t with regard to both the online guessing attack and the offline dictionary attack. To argue the security of the presented protocols, we first provide a formal treatment of TFA schemes in general. The TFA protocols we present enable utilization of devices that are connected to the client over several channel types, formed using manual PIN entry, visual QR code capture, wireless communication (Bluetooth or WiFi), and combinations thereof. Utilizing these various communication settings, we design, implement, and evaluate the performance of 13 different TFA mechanisms, and we analyze them with respect to security, usability (manual effort needed beyond typing a password), and deployability (need for additional hardware or software), showing consistent advantages over known TFA schemes.

The idea underlying all our TFA protocols is for the server to store a randomized hash of the password, h = H(p|s), and for the device to store the corresponding random secret s, as shown in the following figure. The authentication protocol then checks whether the user types the correct password p and owns the device that stores s. If a keyed function F_k is computed on a nonce x (e.g., equal to the current time, or chosen as a challenge by the server), the device can output z = s xor F_k(x) as its PIN without exposing s, and the server can verify the (password, PIN) pair (p, z) against the hash H(p|s) by recomputing s as z xor F_k(x). Such a protocol is 1/(|D| * 2^t)-secure against online guessing even in the presence of lunch-time attacks on the device and man-in-the-middle attacks on the communication channel between the client and the device. As for an offline dictionary attack after a server corruption, the attacker needs s to verify password guesses, making the offline dictionary attack time grow to O(|D| * 2^t).
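A minimal sketch of the exchange described above, added here as an illustration and not code from the paper or the project. It assumes SHA-256 for H, HMAC-SHA256 truncated to t bits for F_k, t = 20, and a key k shared by device and server at enrollment; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

T_BITS = 20  # t, the PIN length in bits (assumed value, roughly a 6-digit PIN)

def H(p: str, s: int) -> bytes:
    # h = H(p|s); SHA-256 is a stand-in for H (assumption)
    return hashlib.sha256(p.encode() + b"|" + s.to_bytes(4, "big")).digest()

def F(k: bytes, x: int) -> int:
    # F_k(x); HMAC-SHA256 truncated to t bits is a stand-in for F (assumption)
    mac = hmac.new(k, x.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") >> (256 - T_BITS)

def enroll(p: str):
    s = secrets.randbits(T_BITS)      # random secret, kept only on the device
    k = secrets.token_bytes(32)       # key for F, assumed shared at enrollment
    server = {"h": H(p, s), "k": k}   # the server record never contains s
    device = {"s": s, "k": k}
    return server, device

def device_pin(device: dict, x: int) -> int:
    # z = s xor F_k(x): s is masked, so the PIN does not expose it
    return device["s"] ^ F(device["k"], x)

def server_verify(server: dict, p: str, z: int, x: int) -> bool:
    if not 0 <= z < (1 << T_BITS):    # reject PINs outside the t-bit range
        return False
    s = z ^ F(server["k"], x)         # recompute s from the PIN
    return hmac.compare_digest(H(p, s), server["h"])

if __name__ == "__main__":
    server, device = enroll("correct horse")   # constructed sample password
    x = 1700000000 // 30                       # nonce: a 30 s time step (assumed)
    z = device_pin(device, x)
    print(server_verify(server, "correct horse", z, x))
    print(server_verify(server, "wrong guess", z, x))
```

Because the server record holds h and k but not s, checking a password guess against a stolen h also requires the right t-bit value of s, which is where the extra 2^t factor comes from.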

 

Our LBD-PIN variant, Low-bandwidth TFA mechanism with PIN entry

People

Faculty

Student

External Collaborators:

  • Stanislaw Jarecki (Associate Professor; School of Information and Computer Sciences, University of California at Irvine)
  • Naveen Nathan (Graduate student; School of Information and Computer Sciences, University of California at Irvine)

Publication

  • Two-Factor Authentication Resilient to Server Compromise Using Mix-Bandwidth Devices.
    Maliheh Shirvanian, Stanislaw Jarecki, Nitesh Saxena, Naveen Nathan.
    In the Network and Distributed System Security Symposium (NDSS), February 2014.
    [pdf]