Auth4App: Streamlining authentication for integrated cyber–physical environments

Abstract

The growing integration of mobile applications for user authentication has revolutionized user interactions with digital platforms, offering novel possibilities in user experience (UX). However, this paradigm shift poses significant security challenges. Leveraging smartphones for authentication purposes provides convenient and swift access to services, streamlining user interactions with various platforms through simple taps. Several institutions adopt static QR Codes generated from primary, unchanging user data (e.g., individual citizen national identification numbers) for physical authentication procedures like access turnstiles. However, relying on static data introduces critical security vulnerabilities as this data is susceptible to compromise. Implementing an One-Time Authentication Code (OTAC) approach appears promising in addressing these issues. Nevertheless, the absence of an integrated solution for developing a physical authentication process using OTAC leads to suboptimal API user experiences (UX APIs) and subsequent security vulnerabilities. In response to this challenge, we introduce Auth4App, a protocol set designed for identification and authentication using mobile applications. Auth4App comprises two core protocols: one dedicated to linking user credentials to mobile devices (i.e., identification), and the other for generating OTAC. We showcase the adaptability and practicality of Auth4App through three distinct case studies: a mobile-only scenario, integration of mobile devices with a turnstile, and integration of Auth4App with FIDO2. To ensure the robustness of the security protocols, Auth4App is evaluated using automated verification tools and argument proofs, solidifying the system’s reliability.