Abstract
Secure transactions on the Internet often rely on two-factor authentication (2FA) using mobile phones. In most existing schemes, the separation between the factors is weak and a compromised phone may be enough to break 2FA. In this paper, we identify the basic principles for securing any transaction using mobile-based 2FA. In particular, we argue that the computing system should not only provide isolation between the two factors, but also the integrity of the transaction, while involving the user in confirming the authenticity of the transaction. We show for the first time how these properties can be provided on commodity mobile phones, securing 2FA-protected transactions even when the operating system on the phone is fully compromised. We explore the challenges in the design and implementation of SecurePay, and evaluate the first formally-verified solution that utilizes the ARM TrustZone technology to provide the necessary integrity and authenticity guarantees for mobile-based 2FA. For our evaluation, we integrated SecurePay in ten existing apps, all of which required minimal changes and less than 30 minutes of work. Moreover, if code modifications are not an option, SecurePay can still be used as a secure drop-in replacement for existing (insecure) SMS-based 2FA solutions.
Original language | English |
---|---|
Title of host publication | 2020 IEEE European Symposium on Security and Privacy (EuroS&P) |
Subtitle of host publication | [Proceedings] |
Publisher | Institute of Electrical and Electronics Engineers Inc. |
Pages | 569-586 |
Number of pages | 18 |
ISBN (Electronic) | 9781728150871 |
ISBN (Print) | 9781728150888 |
DOIs | |
Publication status | Published - 2020 |
Event | 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020 - Virtual, Genoa, Italy Duration: 7 Sept 2020 → 11 Sept 2020 |
Conference
Conference | 5th IEEE European Symposium on Security and Privacy, Euro S and P 2020 |
---|---|
Country/Territory | Italy |
City | Virtual, Genoa |
Period | 7/09/20 → 11/09/20 |
Funding
We thank the anonymous reviewers for their valuable comments and input to improve the paper. This research was supported by the MALPAY consortium, consisting of the Dutch national police, ING, ABN AMRO, Rabobank, Fox-IT, and TNO. This paper represents the position of the authors and not that of the aforementioned consortium partners. This work further received funding from European Union’s Horizon 2020 research and innovation program under grant agreements No. 786669 (ReAct), No. 830929 (CyberSec4Europe), the Netherlands Organisation for Scientific Research under grant agreement 016.Veni.192.262, and the RESTART program of the Research Promotion Foundation, under grant agreement ENTERPRISES/0916/0063 (PERSONAS).
Funders | Funder number |
---|---|
Dutch National Police | |
European Union’s Horizon 2020 research and innovation program | 830929 |
Horizon 2020 Framework Programme | 786669 |
Research Promotion Foundation | ENTERPRISES/0916/0063 |
Nederlandse Organisatie voor Wetenschappelijk Onderzoek |
Keywords
- Mobile Security
- Trusted Execution Environment
- Two-Factor Authentication