Abstract
Hardware tokens are increasingly used to support second-factor and passwordless authentication schemes. While these devices improve security over weaker factors like passwords, they suffer from a number of security and practical issues. We present the design and implementation of Symbolon, a system that allows users to authenticate to an online service in a secure and flexible manner by using multiple personal devices (e.g., their smartphone and smart watch) together, in place of a password. The core idea behind Symbolon is to let users authenticate only if they carry a sufficient number of their personal devices and give explicit consent. We use threshold cryptography at the client side to protect against strong adversaries while overcoming the limitations of multi-factor authentication in terms of flexibility. Symbolon is compatible with FIDO servers, but improves the client-side experience compared to FIDO in terms of security, privacy, and user control. We design Symbolon such that the user can (i) authenticate using a flexible selection of devices, which we call 'authenticators'; (ii) define fine-grained threshold policies that enforce user consent without involving or modifying online services; and (iii) add or revoke authenticators without needing to generate new cryptographic keys or manually (un)register them with online services. Finally, we present a detailed design and analyse the security, privacy and practical properties of Symbolon; this includes a formal proof using ProVerif to show the required security properties are satisfied.
Original language | English |
---|---|
Title of host publication | 2022 IEEE Conference on Dependable and Secure Computing (DSC) |
Publisher | Institute of Electrical and Electronics Engineers (IEEE) |
Number of pages | 12 |
ISBN (Electronic) | 9781665421416 |
ISBN (Print) | 9781665421423 (PoD) |
Publication status | Published - 26 Sept 2022 |
Event | 5th IEEE Conference on Dependable and Secure Computing, DSC 2022 - Edinburgh, United Kingdom; Duration: 22 Jun 2022 → 24 Jun 2022 |
Publication series
Name | IEEE Conference on Dependable and Secure Computing |
---|---|
Publisher | IEEE |
Conference
Conference | 5th IEEE Conference on Dependable and Secure Computing, DSC 2022 |
---|---|
Country/Territory | United Kingdom |
City | Edinburgh |
Period | 22/06/22 → 24/06/22 |
Bibliographical note
Funding Information: Mark Ryan gratefully acknowledges his appointment as HP Research Chair generously supported by HP Labs. We also gratefully acknowledge financial support from EPSRC under grants EP/V000454/1 (CAP-TEE: Capability Architectures for Trusted Execution); EP/S030867/1 (SIPP - Secure IoT Processor Platform with Remote Attestation); and EP/R012598/1 (User-controlled hardware security anchors: evaluation and designs).
Publisher Copyright: © 2022 IEEE.
Keywords
- authentication
- FIDO
- proverif
- signatures
- threshold cryptography
ASJC Scopus subject areas
- Computer Networks and Communications
- Information Systems and Management
- Safety, Risk, Reliability and Quality