AuthGuide: Analyzing Security, Privacy and Usability Trade-Offs in Multi-factor Authentication

  • Conference paper
  • Trust, Privacy and Security in Digital Business (TrustBus 2021)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12927))

Abstract

Multi-factor authentication (MFA) reduces the risk of compromised credentials. However, selecting, configuring and combining different authentication factors is a challenge for both security administrators and end-users, as the configuration space is large and the implications of each choice for security, privacy and usability are not always well understood. This concern is further aggravated when the security administrator grants the end-user some flexibility in the selection of authentication factors, or when the factors are combined in a risk-adaptive manner. In this work, we present AuthGuide, an authentication knowledge and configuration framework that increases awareness of these trade-offs. Additionally, it raises the level of abstraction for configuring MFA on a given identity and access management (IAM) platform: the administrator answers a series of questions, and the responses are mapped onto the IAM’s workflow of authentication steps for registration and login. We implemented AuthGuide, validated it on top of the open source Keycloak IAM, and evaluated the effectiveness of our framework for analyzing the security, privacy and usability trade-offs.


Notes

  1. Google Pixel 4 Face Unlock works if eyes are shut (2019), https://www.bbc.com/news/technology-50085630.
  2. Samsung: Anyone’s thumbprint can unlock Galaxy S10 phone (2019), https://www.bbc.co.uk/news/technology-50080586.
  3. Safeonweb, Use two-factor authentication (2020), https://www.safeonweb.be/en/use-two-factor-authentication.
  4. Have I Been Pwned?, https://haveibeenpwned.com/.
  5. Exodus Privacy: LastPass 4.11.18.6150 has 7 trackers (Mar 2021), https://reports.exodus-privacy.eu.org/en/reports/165465/.
  6. https://www.drools.org.

References

  1. Andriamilanto, N., Allard, T., Guelvouit, G.L.: “Guess Who?” Large-scale data-centric study of the adequacy of browser fingerprints for web authentication. In: Barolli, L., Poniszewska-Maranda, A., Park, H. (eds.) IMIS 2020. AISC, vol. 1195, pp. 161–172. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-50399-4_16
  2. Dasgupta, D., Roy, A., Nag, A.: Toward the design of adaptive selection strategies for multi-factor authentication. Comput. Secur. 63, 85–116 (2016). https://doi.org/10.1016/j.cose.2016.09.004
  3. Dasgupta, D., Roy, A., Nag, A.: Multi-factor authentication. In: Advances in User Authentication. ISFS, pp. 185–233. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-58808-7_5
  4. Eckersley, P.: How unique is your web browser? In: Atallah, M.J., Hopper, N.J. (eds.) PETS 2010. LNCS, vol. 6205, pp. 1–18. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14527-8_1
  5. Grassi, P., et al.: Digital identity guidelines: authentication and lifecycle management [including updates as of 03-02-2020] (01 December 2017). https://doi.org/10.6028/NIST.SP.800-63b
  6. Karegar, F., Pettersson, J.S., Fischer-Hübner, S.: Fingerprint recognition on mobile devices: widely deployed, rarely understood. In: Doerr, S., Fischer, M., Schrittwieser, S., Herrmann, D. (eds.) Proceedings of the 13th International Conference on Availability, Reliability and Security, ARES 2018, Hamburg, Germany, August 27–30, 2018, pp. 39:1–39:9. ACM (2018). https://doi.org/10.1145/3230833.3234514
  7. Klieme, E., Wilke, J., van Dornick, N., Meinel, C.: FIDOnuous: a FIDO2/WebAuthn extension to support continuous web authentication. In: 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 1857–1867 (2020). https://doi.org/10.1109/TrustCom50675.2020.00254
  8. Laperdrix, P., Avoine, G., Baudry, B., Nikiforakis, N.: Morellian analysis for browsers: making web authentication stronger with canvas fingerprinting. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds.) DIMVA 2019. LNCS, vol. 11543, pp. 43–66. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-22038-9_3
  9. Lee, K., Kaiser, B., Mayer, J., Narayanan, A.: An empirical study of wireless carrier authentication for SIM swaps. In: Symposium on Usable Privacy and Security (SOUPS 2020). USENIX Association, Virtual Conference (August 2020). https://www.usenix.org/system/files/soups2020-lee.pdf
  10. Ometov, A., Bezzateev, S., Mäkitalo, N., Andreev, S., Mikkonen, T., Koucheryavy, Y.: Multi-factor authentication: a survey. Cryptography 2(1), 1 (2018). https://doi.org/10.3390/cryptography2010001
  11. Oogami, W., Gomi, H., Yamaguchi, S., Yamanaka, S., Higurashi, T.: Observation study on usability challenges for fingerprint authentication using WebAuthn-enabled Android smartphones. In: Symposium on Usable Privacy and Security (SOUPS 2020). USENIX Association (August 2020)
  12. Spooren, J., Preuveneers, D., Joosen, W.: Mobile device fingerprinting considered harmful for risk-based authentication. In: Proceedings of the Eighth European Workshop on System Security, EuroSec 2015. Association for Computing Machinery, New York (2015). https://doi.org/10.1145/2751323.2751329
  13. Torres, C.F., Jonker, H., Mauw, S.: FP-Block: usable web privacy by controlling browser fingerprinting. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015, Part II. LNCS, vol. 9327, pp. 3–19. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24177-7_1
  14. Wang, D., Zhang, X., Zhang, Z., Wang, P.: Understanding security failures of multi-factor authentication schemes for multi-server environments. Comput. Secur. 88, 101619 (2020). https://doi.org/10.1016/j.cose.2019.101619

Acknowledgments

This research is partially funded by the Research Fund KU Leuven and by the Flemish Government’s Cybersecurity Initiative Flanders. Work for this paper was supported by the European Commission through the H2020 project CyberSec4Europe (https://www.cybersec4europe.eu/) under grant No. 830929.

Author information

Corresponding author: Davy Preuveneers.

Appendix

Fig. 3. Analyzing MFA requirements with a Drools ruleset, illustrating an example ‘SHALL’ and ‘SHOULD’ requirement for passwords from NIST SP 800-63B.
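The figure shows the idea of encoding NIST SP 800-63B requirements as rules and evaluating an MFA configuration against them; the ruleset itself is not reproduced on this page. The following is an added example, written for this page and not AuthGuide’s Drools code, of the same check in plain Python: a password policy is parsed from a Keycloak-style policy string (the "name(arg) and name(arg)" format is assumed for the example), and each rule is marked SHALL or SHOULD so that mandatory violations can be separated from recommendations. The requirement texts are paraphrased from SP 800-63B Sect. 5.1.1.2 (memorized secret verifiers); the rule identifiers and the two sample policies are constructed for the example, and which SHALL/SHOULD pair the paper’s figure uses is not stated on the page.

```python
"""Rule-based check of a password policy against NIST SP 800-63B (Sect. 5.1.1.2).

Added example for this page; not AuthGuide's Drools ruleset.  The policy
string format follows Keycloak's "name(arg) and name(arg)" convention,
which is an assumption made for the example.  Requirement texts are
paraphrased from SP 800-63B; the rule ids are invented labels.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class PasswordPolicy:
    min_length: int = 0                 # minimum length the verifier enforces
    max_length: Optional[int] = None    # None means no upper bound
    composition_rules: List[str] = field(default_factory=list)
    rotation_days: Optional[int] = None # forced periodic change, None = never
    breached_list_check: bool = False   # compared against a blocklist?


# Keycloak policy providers that impose character-class composition rules.
KEYCLOAK_COMPOSITION = {"digits", "lowerCase", "upperCase", "specialChars"}


def parse_keycloak_policy(policy: str) -> PasswordPolicy:
    """Parse e.g. 'length(8) and digits(1) and forceExpiredPasswordChange(90)'."""
    pol = PasswordPolicy()
    for item in (p.strip() for p in policy.split(" and ")):
        if not item:
            continue
        m = re.fullmatch(r"(\w+)(?:\(([^)]*)\))?", item)
        if not m:
            raise ValueError(f"unparseable policy item: {item!r}")
        name, arg = m.group(1), m.group(2)
        if name == "length":
            pol.min_length = int(arg)
        elif name == "maxLength":
            pol.max_length = int(arg)
        elif name in KEYCLOAK_COMPOSITION:
            pol.composition_rules.append(name)
        elif name == "forceExpiredPasswordChange":
            pol.rotation_days = int(arg)
        elif name == "passwordBlacklist":
            pol.breached_list_check = True
        # Other providers (hashIterations, notUsername, ...) do not affect
        # the requirements checked here and are ignored.
    return pol


@dataclass(frozen=True)
class Rule:
    rid: str                                   # invented label for the example
    level: str                                 # "SHALL" or "SHOULD"
    text: str                                  # paraphrase of SP 800-63B
    satisfied: Callable[[PasswordPolicy], bool]


RULES: List[Rule] = [
    Rule("min-length", "SHALL",
         "subscriber-chosen memorized secrets are at least 8 characters",
         lambda p: p.min_length >= 8),
    Rule("allow-64-chars", "SHOULD",
         "verifier permits memorized secrets of at least 64 characters",
         lambda p: p.max_length is None or p.max_length >= 64),
    Rule("breached-list", "SHALL",
         "prospective secrets are compared against a list of commonly used, "
         "expected or compromised values",
         lambda p: p.breached_list_check),
    Rule("no-composition-rules", "SHOULD",
         "no other composition rules (e.g. required character mixes) are imposed",
         lambda p: not p.composition_rules),
    Rule("no-forced-rotation", "SHOULD",
         "memorized secrets are not required to change arbitrarily (periodically)",
         lambda p: p.rotation_days is None),
]


def evaluate(policy: PasswordPolicy) -> Dict[str, List[str]]:
    """Return the ids of violated rules, grouped by requirement level."""
    findings: Dict[str, List[str]] = {"SHALL": [], "SHOULD": []}
    for rule in RULES:
        if not rule.satisfied(policy):
            findings[rule.level].append(rule.rid)
    return findings


def compliant(policy: PasswordPolicy) -> bool:
    """A policy is compliant when no SHALL requirement is violated."""
    return not evaluate(policy)["SHALL"]


# Constructed sample policies: a typical legacy configuration and a
# configuration adjusted to SP 800-63B.
WEAK_POLICY = "length(6) and digits(1) and specialChars(1) and forceExpiredPasswordChange(90)"
HARDENED_POLICY = "length(12) and maxLength(128) and passwordBlacklist(10k_most_common.txt)"

if __name__ == "__main__":
    for label, text in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        pol = parse_keycloak_policy(text)
        print(label, "compliant" if compliant(pol) else "NOT compliant", evaluate(pol))
```

Separating SHALL from SHOULD findings is the point of the exercise: the weak policy fails two mandatory requirements (minimum length, breached-password comparison) and additionally carries two legacy practices (composition rules, forced rotation) that SP 800-63B discourages on usability grounds, which is exactly the kind of security/usability trade-off the paper’s framework is meant to surface.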

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Preuveneers, D., Joos, S., Joosen, W. (2021). AuthGuide: Analyzing Security, Privacy and Usability Trade-Offs in Multi-factor Authentication. In: Fischer-Hübner, S., Lambrinoudakis, C., Kotsis, G., Tjoa, A.M., Khalil, I. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2021. Lecture Notes in Computer Science(), vol 12927. Springer, Cham. https://doi.org/10.1007/978-3-030-86586-3_11

  • DOI: https://doi.org/10.1007/978-3-030-86586-3_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-86585-6

  • Online ISBN: 978-3-030-86586-3
