DOI: 10.1145/3374664.3375727 (ACM conference proceedings, CODASPY)
Research article

The Good, the Bad and the (Not So) Ugly of Out-of-Band Authentication with eID Cards and Push Notifications: Design, Formal and Risk Analysis

Published: 16 March 2020

Abstract

Everyday life is permeated by new technologies that allow people to perform almost any kind of operation from their smart devices. Although this is convenient, it raises several security issues concerning the need to authenticate users properly and securely. Electronic identity cards (also called eID cards) play a very important role in this regard, due to the high level of assurance they provide in identification and authentication processes. However, authentication solutions relying on them are still uncommon and suffer from many usability limitations. In this paper, we therefore present the design and implementation of a novel passwordless, multi-factor authentication protocol based on eID cards. To reduce known usability issues while keeping a high level of security, our protocol leverages push notifications and mobile devices equipped with NFC, which can be used to interact with eID cards. In addition, we evaluate the security of the protocol through a formal security analysis and a risk analysis, whose results indicate that it achieves an acceptable level of security.


Cited By

  • (2024) A Risk Assessment of the Hungarian eID Card. Scientific Bulletin 29(1), 91-102. Online publication date: 7 June 2024. https://doi.org/10.2478/bsaft-2024-0010
  • (2024) An Automated Multi-Layered Methodology to Assist the Secure and Risk-Aware Design of Multi-Factor Authentication Protocols. IEEE Transactions on Dependable and Secure Computing 21(4), 1935-1950. Online publication date: July 2024. https://doi.org/10.1109/TDSC.2023.3296210
  • (2021) Securing Remote Access to Information Systems of Critical Infrastructure Using Two-Factor Authentication. Electronics 10(15), 1819. Online publication date: 29 July 2021. https://doi.org/10.3390/electronics10151819

Published In

CODASPY '20: Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy, March 2020, 392 pages. ISBN: 9781450371070. DOI: 10.1145/3374664

Publisher

Association for Computing Machinery, New York, NY, United States
        Author Tags

        1. eID cards
        2. formal analysis
        3. multi-factor authentication
        4. passwordless
        5. push notifications
        6. risk analysis
        7. security protocols

Conference

CODASPY '20. Overall acceptance rate: 149 of 789 submissions, 19%
