Symbolon: Enabling Flexible Multi-device-based User Authentication

Thalia Laing, Eduard Marin*, Mark D. Ryan, Joshua Schiffman, Gaetan Wattiau

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Hardware tokens are increasingly used to support second-factor and passwordless authentication schemes. While these devices improve security over weaker factors like passwords, they suffer from a number of security and practical issues. We present the design and implementation of Symbolon, a system that allows users to authenticate to an online service in a secure and flexible manner by using multiple personal devices (e.g., their smartphone and smart watch) together, in place of a password. The core idea behind Symbolon is to let users authenticate only if they carry a sufficient number of their personal devices and give explicit consent. We use threshold cryptography at the client side to protect against strong adversaries while overcoming the limitations of multi-factor authentication in terms of flexibility. Symbolon is compatible with FIDO servers, but improves the client-side experience compared to FIDO in terms of security, privacy, and user control. We design Symbolon such that the user can (i) authenticate using a flexible selection of devices, which we call 'authenticators'; (ii) define fine-grained threshold policies that enforce user consent without involving or modifying online services; and (iii) add or revoke authenticators without needing to generate new cryptographic keys or manually (un)register them with online services. Finally, we present a detailed design and analyse the security, privacy and practical properties of Symbolon; this includes a formal proof using ProVerif to show the required security properties are satisfied.

Original languageEnglish
Title of host publication2022 IEEE Conference on Dependable and Secure Computing (DSC)
PublisherInstitute of Electrical and Electronics Engineers (IEEE)
Number of pages12
ISBN (Electronic)9781665421416
ISBN (Print)9781665421423 (PoD)
DOIs
Publication statusPublished - 26 Sept 2022
Event5th IEEE Conference on Dependable and Secure Computing, DSC 2022 - Edinburgh, United Kingdom
Duration: 22 Jun 202224 Jun 2022

Publication series

NameIEEE Conference on Dependable and Secure Computing
PublisherIEEE

Conference

Conference5th IEEE Conference on Dependable and Secure Computing, DSC 2022
Country/TerritoryUnited Kingdom
CityEdinburgh
Period22/06/2224/06/22

Bibliographical note

Funding Information:
Mark Ryan gratefully acknowledges his appointment as HP Research Chair generously supported by HP Labs. We also gratefully acknowledge financial support from EPSRC under grants EP/V000454/1 (CAP-TEE: Capability Architectures for Trusted Execution); EP/S030867/1 (SIPP - Secure IoT Processor Platform with Remote Attestation); and EP/R012598/1 (User-controlled hardware security anchors: evaluation and designs).

Publisher Copyright:
© 2022 IEEE.

Keywords

  • authentication
  • FIDO
  • proverif
  • signatures
  • threshold cryptography

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Information Systems and Management
  • Safety, Risk, Reliability and Quality

Fingerprint

Dive into the research topics of 'Symbolon: Enabling Flexible Multi-device-based User Authentication'. Together they form a unique fingerprint.

Cite this