Abstract
Multi-factor authentication (MFA) reduces the risk of compromised credentials. However, selecting, configuring and combining different authentication factors is a challenge for both security administrators and end-users, as the configuration possibilities are large and the implications of choices on security, privacy and usability are not always well understood. This concern is further aggravated when the security administrator grants the end-user some flexibility for the selection of authentication factors, or when the latter are combined in a risk-adaptive manner. In this work, we present AuthGuide, an authentication knowledge and configuration framework that increases the awareness about these trade-offs. Additionally, it raises the level of abstraction to configure MFA for a given identity and access management (IAM) platform through a series of questions by mapping the responses onto the IAM’s workflow of authentication steps for registration and login. We implemented AuthGuide, validated it on top of the open source Keycloak IAM, and evaluated the effectiveness of our framework to analyze the security, privacy and usability trade-offs.
Notes
1. Google Pixel 4 Face Unlock works if eyes are shut (2019), https://www.bbc.com/news/technology-50085630.
2. Samsung: Anyone’s thumbprint can unlock Galaxy S10 phone (2019), https://www.bbc.co.uk/news/technology-50080586.
3. Safeonweb, Use two-factor authentication (2020), https://www.safeonweb.be/en/use-two-factor-authentication.
4. Have I Been Pwned?, https://haveibeenpwned.com/.
5. Exodus Privacy: LastPass 4.11.18.6150 has 7 trackers (Mar 2021), https://reports.exodus-privacy.eu.org/en/reports/165465/.
Acknowledgments
This research is partially funded by the Research Fund KU Leuven and by the Flemish Government’s Cybersecurity Initiative Flanders. Work for this paper was supported by the European Commission through the H2020 project CyberSec4Europe (https://www.cybersec4europe.eu/) under grant No. 830929.
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Preuveneers, D., Joos, S., Joosen, W. (2021). AuthGuide: Analyzing Security, Privacy and Usability Trade-Offs in Multi-factor Authentication. In: Fischer-Hübner, S., Lambrinoudakis, C., Kotsis, G., Tjoa, A.M., Khalil, I. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2021. Lecture Notes in Computer Science(), vol 12927. Springer, Cham. https://doi.org/10.1007/978-3-030-86586-3_11
DOI: https://doi.org/10.1007/978-3-030-86586-3_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-86585-6
Online ISBN: 978-3-030-86586-3
eBook Packages: Computer Science (R0)