The Good, the Bad and the (Not So) Ugly of Out-of-Band Authentication with eID Cards and Push Notifications: Design, Formal and Risk Analysis

Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy Pub Date : 2020-03-16 DOI:10.1145/3374664.3375727

Marco Pernpruner, R. Carbone, Silvio Ranise, Giada Sciarretta

{"title":"The Good, the Bad and the (Not So) Ugly of Out-of-Band Authentication with eID Cards and Push Notifications: Design, Formal and Risk Analysis","authors":"Marco Pernpruner, R. Carbone, Silvio Ranise, Giada Sciarretta","doi":"10.1145/3374664.3375727","DOIUrl":null,"url":null,"abstract":"Everyday life is permeated by new technologies allowing people to perform almost any kind of operation from their smart devices. Although this is amazing from a convenience perspective, it may result in several security issues concerning the need for authenticating users in a proper and secure way. Electronic identity cards (also called eID cards) play a very important role in this regard, due to the high level of assurance they provide in identification and authentication processes. However, authentication solutions relying on them are still uncommon and suffer from many usability limitations. In this paper, we thus present the design and implementation of a novel passwordless, multi-factor authentication protocol based on eID cards. To reduce known usability issues while keeping a high level of security, our protocol leverages push notifications and mobile devices equipped with NFC, which can be used to interact with eID cards. In addition, we evaluate the security of the protocol through a formal security analysis and a risk analysis, whose results emphasize the acceptable level of security.","PeriodicalId":171521,"journal":{"name":"Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy","volume":"45 17 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-03-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3374664.3375727","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 2

Abstract

Everyday life is permeated by new technologies allowing people to perform almost any kind of operation from their smart devices. Although this is amazing from a convenience perspective, it may result in several security issues concerning the need for authenticating users in a proper and secure way. Electronic identity cards (also called eID cards) play a very important role in this regard, due to the high level of assurance they provide in identification and authentication processes. However, authentication solutions relying on them are still uncommon and suffer from many usability limitations. In this paper, we thus present the design and implementation of a novel passwordless, multi-factor authentication protocol based on eID cards. To reduce known usability issues while keeping a high level of security, our protocol leverages push notifications and mobile devices equipped with NFC, which can be used to interact with eID cards. In addition, we evaluate the security of the protocol through a formal security analysis and a risk analysis, whose results emphasize the acceptable level of security.

查看原文本刊更多论文

使用eID卡和推送通知的带外认证的好、坏和(不那么)丑陋:设计、正式和风险分析

日常生活中充斥着新技术，人们可以通过智能设备进行几乎任何类型的操作。虽然从方便的角度来看，这是令人惊讶的，但它可能会导致一些安全问题，涉及到需要以适当和安全的方式对用户进行身份验证。电子身份证(又称eID卡)在这方面扮演非常重要的角色，因为它们在身份识别和认证过程中提供了高度的保证。但是，依赖于它们的身份验证解决方案仍然不常见，并且存在许多可用性限制。因此，本文提出了一种基于eID卡的新型无密码多因素认证协议的设计与实现。为了减少已知的可用性问题，同时保持高度的安全性，我们的协议利用推送通知和配备NFC的移动设备，可用于与eID卡交互。此外，我们通过正式的安全分析和风险分析来评估协议的安全性，其结果强调可接受的安全级别。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy

自引率

0.00%

发文量