
MuFASA: A Tool for High-level Specification and Analysis of Multi-factor Authentication Protocols

Conference paper. Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11967)

Abstract

In recent years, the usage of online services (e.g., banking) has increased considerably. To protect the sensitive resources managed by these services against attackers, Multi-Factor Authentication (MFA) has been widely adopted. To date, a variety of MFA protocols have been implemented, leveraging different designs and features and providing uneven levels of security and user experience. Public and private authorities have issued laws and guidelines to drive the design of more secure and usable MFA protocols, but their influence on existing MFA implementations remains unclear.

We present MuFASA, a tool for the high-level specification and analysis of MFA protocols. It aims to support both ordinary users and security experts (in the design phase of an MFA protocol) by providing a high-level report on the risks associated with the specified MFA protocol, its resistance to a set of attacker models (defined by NIST), its ease of use and its compliance with a set of security requirements derived from European laws.

This work has been partially supported by the EU Horizon 2020 projects FINSEC (grant agreement No 786727) and SPARTA (grant agreement No 830892), by the IMT PAI (Programma di Attività Integrata) project VeriOSS, and by the activity 19183 Teîchos of the action line Digital Finance of the AT Digital.


Notes

  1. https://www.nordea.se/.

  2. https://www.nordea.se/Images/154-21252/quickguide-cardreader.PDF.

  3. https://www.nordea.se/Images/154-300029/Broschyr_skaffa_Mobilt_BankID.pdf.

  4. We use “;” to separate the elements of the sequence.


Corresponding author: Federico Sinigaglia

A Example Input

Here we provide an example of how the user fills in the questionnaire to obtain protocol (2). Notice that the sequence of questions reported here represents only one specific path in the interpretation tree.

  1. What is your 1st operation?

     • I insert some secret credentials (e.g., a password on a website)
     • I use a device (e.g., a card reader)
     • I use some software (e.g., an app on my smartphone)
     • I send/receive something on my mobile phone (e.g., an SMS)
     • None, I am authenticated

     (a) Where are the secret credentials stored?
         • On a physical support (e.g., a piece of paper)
         • Nowhere, I remember them

  2. What is your 2nd operation?

     • I insert some secret credentials (e.g., a password on a website)
     • I use a device (e.g., a card reader)
     • I use some software (e.g., an app on my smartphone)
     • I send/receive something on my mobile phone (e.g., an SMS)
     • None, I am authenticated

     (a) Is the device personal, or can you use others’ devices?
         • Yes, it is personal
         • No, they are all interchangeable

     (b) Among the following, what do you need in order to use the device?
         • I must insert a secret code/PIN
         • I must scan a part of my body (e.g., my fingerprint)
         • Nothing

     (c) Is your device connected to something?
         • Yes, to my PC (e.g., through a USB cable)
         • Yes, to the Internet (e.g., through Wi-Fi)
         • No, it is isolated

     (d) Does it read some sort of input code?
         • Yes, it scans an optical code (e.g., a barcode or QR code)
         • Yes, I type it in myself (e.g., a code displayed on a website)
         • No

     (e) Does it recap the ongoing operation and ask for your confirmation?
         • Yes (e.g., “You are paying x$ to y. Confirm?”)
         • No

     (f) Does it return some code that you have to copy somewhere?
         • Yes
         • No

  3. What is your 3rd operation?

     • I insert some secret credentials (e.g., a password on a website)
     • I use a device (e.g., a card reader)
     • I use some software (e.g., an app on my smartphone)
     • I send/receive something on my mobile phone (e.g., an SMS)
     • None, I am authenticated.
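The questionnaire above turns an MFA protocol into a sequence of operations, each carrying the attributes the follow-up questions collect. The Python sketch below is an added illustration, not the MuFASA tool's own code or rules: it encodes such a sequence as data and derives a few report-style properties from it, namely the factor categories exercised (knowledge, possession, inherence), whether at least two distinct categories are present (the core of the PSD2 RTS Article 4 notion of strong customer authentication), whether some step shows the user the operation and asks for confirmation (the questionnaire's proxy for the Article 5 dynamic-linking requirement), and how many codes the user must transcribe by hand. The `Operation` record, the mapping from answers to factor categories and all three sample protocols are assumptions made for this example; the card-reader sample is one plausible set of answers along the path shown above, not a claim about the paper's protocol (2).

```python
# Added illustration: a small model of the questionnaire in the appendix.
# Not the MuFASA tool's code; the Operation fields, the answer-to-factor
# mapping and the sample protocols are assumptions made for this example.
from dataclasses import dataclass
from typing import FrozenSet, List

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


@dataclass(frozen=True)
class Operation:
    """One step of the protocol, i.e. one answered block of the questionnaire."""
    kind: str                        # "credentials" | "device" | "software" | "mobile"
    stored_on_paper: bool = False    # 1(a): secret kept on a physical support
    personal: bool = True            # 2(a): device is personal, not interchangeable
    unlock: str = "nothing"          # 2(b): "pin" | "biometric" | "nothing"
    connection: str = "isolated"     # 2(c): "pc" | "internet" | "isolated"
    reads_code: str = "no"           # 2(d): "optical" | "typed" | "no"
    recap_and_confirm: bool = False  # 2(e): shows the operation, asks to confirm
    returns_code: bool = False       # 2(f): emits a code the user copies elsewhere


def factor_categories(op: Operation) -> FrozenSet[str]:
    """Factor categories one operation exercises (assumed mapping, not the paper's):
    a remembered secret is knowledge; a secret written on paper counts as possession
    of that paper; a personal device, app or phone line is possession; a PIN that
    unlocks the device adds knowledge, a biometric adds inherence."""
    cats = set()
    if op.kind == "credentials":
        cats.add(POSSESSION if op.stored_on_paper else KNOWLEDGE)
    elif op.kind in ("device", "software", "mobile"):
        if op.personal:
            cats.add(POSSESSION)
        if op.unlock == "pin":
            cats.add(KNOWLEDGE)
        elif op.unlock == "biometric":
            cats.add(INHERENCE)
    return frozenset(cats)


def protocol_categories(protocol: List[Operation]) -> FrozenSet[str]:
    """Union of the categories exercised by all operations of the protocol."""
    return frozenset().union(*(factor_categories(op) for op in protocol))


def is_multi_factor(protocol: List[Operation]) -> bool:
    """At least two distinct categories, the core of PSD2 RTS Art. 4 strong customer
    authentication. Independence of the factors (Art. 9) is not modelled here."""
    return len(protocol_categories(protocol)) >= 2


def has_dynamic_linking(protocol: List[Operation]) -> bool:
    """PSD2 RTS Art. 5: the payer is shown amount and payee before confirming.
    Question 2(e) is the questionnaire's proxy; whether the code is actually
    bound to that data is not visible from the answers and is assumed here."""
    return any(op.recap_and_confirm for op in protocol)


def codes_to_transcribe(protocol: List[Operation]) -> int:
    """Codes the user copies by hand (2(d) typed input plus 2(f) returned output):
    a usability cost, and each one is a value the user can be induced to type
    into a phishing page instead of the genuine site."""
    return sum(int(op.reads_code == "typed") + int(op.returns_code) for op in protocol)


def report(protocol: List[Operation]) -> dict:
    """High-level summary of the specified protocol."""
    return {
        "factors": sorted(protocol_categories(protocol)),
        "multi_factor": is_multi_factor(protocol),
        "dynamic_linking": has_dynamic_linking(protocol),
        "codes_to_transcribe": codes_to_transcribe(protocol),
    }


# Constructed sample 1: a remembered password, then a personal, PIN-protected,
# isolated card reader into which the user types a challenge shown by the website
# and which returns a response to copy back; 3rd operation "None, I am authenticated".
CARD_READER_LOGIN = [
    Operation(kind="credentials"),
    Operation(kind="device", unlock="pin", connection="isolated",
              reads_code="typed", returns_code=True),
]

# Constructed sample 2: a remembered password, then a personal app unlocked by
# fingerprint that shows "You are paying x$ to y. Confirm?" and sends the answer itself.
APP_CONFIRM = [
    Operation(kind="credentials"),
    Operation(kind="software", unlock="biometric", connection="internet",
              recap_and_confirm=True),
]

# Constructed sample 3: a single remembered password.
PASSWORD_ONLY = [Operation(kind="credentials")]

if __name__ == "__main__":
    for name, proto in [("card reader", CARD_READER_LOGIN),
                        ("app", APP_CONFIRM), ("password", PASSWORD_ONLY)]:
        print(name, report(proto))
```

The interesting cases are the ones the questionnaire makes easy to express but a naive "count the steps" analysis gets wrong: a code list on paper followed by an SMS is two operations but only one category (possession) under the assumed mapping, and the card-reader path is multi-factor yet has no dynamic linking and asks the user to transcribe two codes, which is where usability and phishing resistance both suffer.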


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Sinigaglia, F., Carbone, R., Costa, G., Ranise, S. (2020). MuFASA: A Tool for High-level Specification and Analysis of Multi-factor Authentication Protocols. In: Saracino, A., Mori, P. (eds) Emerging Technologies for Authorization and Authentication. ETAA 2019. Lecture Notes in Computer Science, vol 11967. Springer, Cham. https://doi.org/10.1007/978-3-030-39749-4_9

  • DOI: https://doi.org/10.1007/978-3-030-39749-4_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-39748-7

  • Online ISBN: 978-3-030-39749-4
