Skip to main content
SpringerLink
Log in

On the Usability of Two-Factor Authentication

  • Conference paper
  • First Online:
International Conference on Security and Privacy in Communication Networks (SecureComm 2014)

Abstract

Smart-card-based password authentication, known as two-factor authentication, is one of the most widely used security mechanisms to validate the legitimacy of a remote client, who must hold a valid smart card and the correct password in order to successfully login the server. So far the research on this domain has mainly focused on developing more secure, privacy-preserving and efficient protocols, which has led to numerous efficient proposals with a diversity of security provisions, yet little attention has been directed towards another important aspect, i.e. the usability of a scheme. This paper focuses on the study of two specific security threats on usability in two-factor authentication. Using two representative protocols as case studies, we demonstrate two types of security threats on usability: (1) Password change attack, which may easily render the smart card completely unusable by changing the password to a random value; and (2) De-synchronization attack, which breaks the consistence of the pseudo-identities between the user and the server. These threats, though realistic in practice, have been paid little attention in the literature. In addition to revealing the vulnerabilities, we discuss how to thwart these security threats and secure the protocols.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    http://dazzlepod.com/csdn/.

  2. 2.

    http://www.hardwareheaven.com/news.php?newsid=526.

References

  1. Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: IEEE S&P 2012, pp. 538–552. IEEE Computer Society (2012)

    Google Scholar 

  2. Burr, W., Dodson, D., Perlner, R., Polk, W., Gupta, S., Nabbus, E.: NIST SP800-63-1 - electronic authentication guideline. Technical report, NIST, Reston, VA (2006)

    Google Scholar 

  3. Chen, B.L., Kuo, W.C., Wuu, L.C.: Robust smart-card-based remote user password authentication scheme. Int. J. Commun. Syst. 27(2), 377–389 (2014)

    Article  Google Scholar 

  4. Chen, C., Tang, S., Mitchell, C.J.: Building general-purpose security services on EMV payment cards. In: Keromytis, A.D., Di Pietro, R. (eds.) SecureComm 2012. LNICST, vol. 106, pp. 29–44. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  5. Das, M., Saxena, A., Gulati, V.: A dynamic ID-based remote user authentication scheme. IEEE Trans. Consum. Electron. 50(2), 629–631 (2004)

    Article  Google Scholar 

  6. He, D., Kumar, N., Khan, M.K., Lee, J.H.: Anonymous two-factor authentication for consumer roaming service in global mobility networks. IEEE Trans. Consum. Electron. 59(4), 811–817 (2013)

    Article  Google Scholar 

  7. Huang, X., Chen, X., Li, J., Xiang, Y., Xu, L.: Further observations on smart-card-based password-authenticated key agreement in distributed systems. IEEE Trans. Parallel Distrib. Syst. 25(7), 1767–1775 (2014)

    Article  Google Scholar 

  8. Kumari, S., Khan, M.K.: Cryptanalysis and improvement of a robust smart-card-based remote user password authentication scheme. Int. J. Commun. Syst. (2013). doi:http://dx.doi.org/10.1002/dac.2590

  9. Li, C.T.: A new password authentication and user anonymity scheme based on elliptic curve cryptography and smart card. IET Inform. Secur. 7(1), 3–10 (2013)

    Article  MathSciNet  Google Scholar 

  10. Li, X., Qiu, W., Zheng, D., Chen, K., Li, J.: Anonymity enhancement on robust and efficient password-authenticated key agreement using smart cards. IEEE Trans. Ind. Electron. 57(2), 793–800 (2010)

    Article  Google Scholar 

  11. Madhusudhan, R., Mittal, R.: Dynamic ID-based remote user password authentication schemes using smart cards: a review. J. Netw. Comput. Appl. 35(4), 1235–1248 (2012)

    Article  Google Scholar 

  12. Messerges, T.S., Dabbish, E.A., Sloan, R.H.: Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 51(5), 541–552 (2002)

    Article  MathSciNet  Google Scholar 

  13. Oswald, D., Paar, C.: Breaking mifare DESFire MF3ICD40: power analysis and templates in the real world. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 207–222. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  14. Wang, D., He, D., Wang, P., Chu, C.H.: Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment. IEEE Trans. Depend. Secur. Comput. (2014). doi:http://dx.doi.org/10.1109/TDSC.2014.2355850

  15. Wang, D., Ma, C.G., Wang, P., Chen, Z.: iPass: robust smart card based password authentication scheme against smart card loss problem. J. Comput. Syst. Sci. (in press, 2014). http://eprint.iacr.org/2012/439.pdf

  16. Wen, F., Susilo, W., Yang, G.: A secure and effective anonymous user authentication scheme for roaming service in global mobility networks. Wireless Pers. Commun. 73(3), 993–1004 (2013)

    Article  Google Scholar 

  17. Yang, G., Wong, D., Wang, H., Deng, X.: Two-factor mutual authentication based on smart cards and passwords. J. Comput. Syst. Sci. 74(7), 1160–1172 (2008)

    Article  MathSciNet  MATH  Google Scholar 

Download references

Acknowledgment

This research was partially supported by the National Natural Science Foundation of China (NSFC) under Grant No.61472016.

Author information

Authors and Affiliations

  1. School of EECS, Peking University, Beijing, 100871, China

    Ding Wang

  2. National Engineering Research Center for Software Engineering, Beijing, 100871, China

    Ding Wang & Ping Wang

  3. School of Software and Microelectronics, Peking University, Beijing, 100260, China

    Ping Wang

Authors
  1. Ding Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Ping Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ding Wang .

Editor information

Editors and Affiliations

  1. CAS, Institute of Information Engineering CAS, Beijing, China

    Jing Tian

  2. Institute of Information Engineering, CAS, Beijing, China

    Jiwu Jing

  3. IBM Thomas J. Watson Research Center, New York, New York, USA

    Mudhakar Srivatsa

Rights and permissions

Reprints and permissions

Copyright information

© 2015 Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Wang, D., Wang, P. (2015). On the Usability of Two-Factor Authentication. In: Tian, J., Jing, J., Srivatsa, M. (eds) International Conference on Security and Privacy in Communication Networks. SecureComm 2014. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 152. Springer, Cham. https://doi.org/10.1007/978-3-319-23829-6_11

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-23829-6_11

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-23828-9

  • Online ISBN: 978-3-319-23829-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation