SecurePay: Strengthening Two-Factor Authentication for Arbitrary Transactions

Radhesh Krishnan Konoth; Bjorn Fischer; Wan Fokkink; Elias Athanasopoulos; Kaveh Razavi; Herbert Bos

doi:10.1109/EuroSP48549.2020.00043

SecurePay: Strengthening Two-Factor Authentication for Arbitrary Transactions

Radhesh Krishnan Konoth, Bjorn Fischer, Wan Fokkink, Elias Athanasopoulos, Kaveh Razavi, Herbert Bos

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

12 Downloads (Pure)

Abstract

Secure transactions on the Internet often rely on two-factor authentication (2FA) using mobile phones. In most existing schemes, the separation between the factors is weak and a compromised phone may be enough to break 2FA. In this paper, we identify the basic principles for securing any transaction using mobile-based 2FA. In particular, we argue that the computing system should not only provide isolation between the two factors, but also the integrity of the transaction, while involving the user in confirming the authenticity of the transaction. We show for the first time how these properties can be provided on commodity mobile phones, securing 2FA-protected transactions even when the operating system on the phone is fully compromised. We explore the challenges in the design and implementation of SecurePay, and evaluate the first formally-verified solution that utilizes the ARM TrustZone technology to provide the necessary integrity and authenticity guarantees for mobile-based 2FA. For our evaluation, we integrated SecurePay in ten existing apps, all of which required minimal changes and less than 30 minutes of work. Moreover, if code modifications are not an option, SecurePay can still be used as a secure drop-in replacement for existing (insecure) SMS-based 2FA solutions.

Original language	English
Title of host publication	2020 IEEE European Symposium on Security and Privacy (EuroS&P)
Subtitle of host publication	[Proceedings]
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	569-586
Number of pages	18
ISBN (Electronic)	9781728150871
ISBN (Print)	9781728150888
DOIs	https://doi.org/10.1109/EuroSP48549.2020.00043
Publication status	Published - 2020
Event	5th IEEE European Symposium on Security and Privacy, Euro S and P 2020 - Virtual, Genoa, Italy Duration: 7 Sept 2020 → 11 Sept 2020

Conference

Conference	5th IEEE European Symposium on Security and Privacy, Euro S and P 2020
Country/Territory	Italy
City	Virtual, Genoa
Period	7/09/20 → 11/09/20

Keywords

Mobile Security
Trusted Execution Environment
Two-Factor Authentication

Access to Document

10.1109/EuroSP48549.2020.00043

SecurePayAccepted author manuscript, 4.31 MBLicence: Article 25fa Dutch Copyright Act

Handle.net

Persistent link

Cite this

Konoth, R. K., Fischer, B., Fokkink, W., Athanasopoulos, E., Razavi, K., & Bos, H. (2020). SecurePay: Strengthening Two-Factor Authentication for Arbitrary Transactions. In 2020 IEEE European Symposium on Security and Privacy (EuroS&P): [Proceedings] (pp. 569-586). Article 9230396 Institute of Electrical and Electronics Engineers Inc.. Advance online publication. https://doi.org/10.1109/EuroSP48549.2020.00043

@inproceedings{b7186a43c9b2406b9e9aaf5532210ac2,

title = "SecurePay: Strengthening Two-Factor Authentication for Arbitrary Transactions",

abstract = "Secure transactions on the Internet often rely on two-factor authentication (2FA) using mobile phones. In most existing schemes, the separation between the factors is weak and a compromised phone may be enough to break 2FA. In this paper, we identify the basic principles for securing any transaction using mobile-based 2FA. In particular, we argue that the computing system should not only provide isolation between the two factors, but also the integrity of the transaction, while involving the user in confirming the authenticity of the transaction. We show for the first time how these properties can be provided on commodity mobile phones, securing 2FA-protected transactions even when the operating system on the phone is fully compromised. We explore the challenges in the design and implementation of SecurePay, and evaluate the first formally-verified solution that utilizes the ARM TrustZone technology to provide the necessary integrity and authenticity guarantees for mobile-based 2FA. For our evaluation, we integrated SecurePay in ten existing apps, all of which required minimal changes and less than 30 minutes of work. Moreover, if code modifications are not an option, SecurePay can still be used as a secure drop-in replacement for existing (insecure) SMS-based 2FA solutions.",

keywords = "Mobile Security, Trusted Execution Environment, Two-Factor Authentication",

author = "Konoth, {Radhesh Krishnan} and Bjorn Fischer and Wan Fokkink and Elias Athanasopoulos and Kaveh Razavi and Herbert Bos",

year = "2020",

doi = "10.1109/EuroSP48549.2020.00043",

language = "English",

isbn = "9781728150888",

pages = "569--586",

booktitle = "2020 IEEE European Symposium on Security and Privacy (EuroS&P)",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

address = "United States",

note = "5th IEEE European Symposium on Security and Privacy, Euro S and P 2020 ; Conference date: 07-09-2020 Through 11-09-2020",

}

Konoth, RK, Fischer, B, Fokkink, W, Athanasopoulos, E, Razavi, K & Bos, H 2020, SecurePay: Strengthening Two-Factor Authentication for Arbitrary Transactions. in 2020 IEEE European Symposium on Security and Privacy (EuroS&P): [Proceedings]., 9230396, Institute of Electrical and Electronics Engineers Inc., pp. 569-586, 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020, Virtual, Genoa, Italy, 7/09/20. https://doi.org/10.1109/EuroSP48549.2020.00043

SecurePay: Strengthening Two-Factor Authentication for Arbitrary Transactions. / Konoth, Radhesh Krishnan; Fischer, Bjorn; Fokkink, Wan et al.
2020 IEEE European Symposium on Security and Privacy (EuroS&P): [Proceedings]. Institute of Electrical and Electronics Engineers Inc., 2020. p. 569-586 9230396.

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - SecurePay: Strengthening Two-Factor Authentication for Arbitrary Transactions

AU - Konoth, Radhesh Krishnan

AU - Fischer, Bjorn

AU - Fokkink, Wan

AU - Athanasopoulos, Elias

AU - Razavi, Kaveh

AU - Bos, Herbert

PY - 2020

Y1 - 2020

N2 - Secure transactions on the Internet often rely on two-factor authentication (2FA) using mobile phones. In most existing schemes, the separation between the factors is weak and a compromised phone may be enough to break 2FA. In this paper, we identify the basic principles for securing any transaction using mobile-based 2FA. In particular, we argue that the computing system should not only provide isolation between the two factors, but also the integrity of the transaction, while involving the user in confirming the authenticity of the transaction. We show for the first time how these properties can be provided on commodity mobile phones, securing 2FA-protected transactions even when the operating system on the phone is fully compromised. We explore the challenges in the design and implementation of SecurePay, and evaluate the first formally-verified solution that utilizes the ARM TrustZone technology to provide the necessary integrity and authenticity guarantees for mobile-based 2FA. For our evaluation, we integrated SecurePay in ten existing apps, all of which required minimal changes and less than 30 minutes of work. Moreover, if code modifications are not an option, SecurePay can still be used as a secure drop-in replacement for existing (insecure) SMS-based 2FA solutions.

AB - Secure transactions on the Internet often rely on two-factor authentication (2FA) using mobile phones. In most existing schemes, the separation between the factors is weak and a compromised phone may be enough to break 2FA. In this paper, we identify the basic principles for securing any transaction using mobile-based 2FA. In particular, we argue that the computing system should not only provide isolation between the two factors, but also the integrity of the transaction, while involving the user in confirming the authenticity of the transaction. We show for the first time how these properties can be provided on commodity mobile phones, securing 2FA-protected transactions even when the operating system on the phone is fully compromised. We explore the challenges in the design and implementation of SecurePay, and evaluate the first formally-verified solution that utilizes the ARM TrustZone technology to provide the necessary integrity and authenticity guarantees for mobile-based 2FA. For our evaluation, we integrated SecurePay in ten existing apps, all of which required minimal changes and less than 30 minutes of work. Moreover, if code modifications are not an option, SecurePay can still be used as a secure drop-in replacement for existing (insecure) SMS-based 2FA solutions.

KW - Mobile Security

KW - Trusted Execution Environment

KW - Two-Factor Authentication

UR - http://www.scopus.com/inward/record.url?scp=85096598681&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85096598681&partnerID=8YFLogxK

U2 - 10.1109/EuroSP48549.2020.00043

DO - 10.1109/EuroSP48549.2020.00043

M3 - Conference contribution

AN - SCOPUS:85096598681

SN - 9781728150888

SP - 569

EP - 586

BT - 2020 IEEE European Symposium on Security and Privacy (EuroS&P)

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020

Y2 - 7 September 2020 through 11 September 2020

ER -

SecurePay: Strengthening Two-Factor Authentication for Arbitrary Transactions

Abstract

Conference

Keywords

Access to Document

Handle.net

Other files and links

Fingerprint

Cite this