SecurePay: Strengthening Two-Factor Authentication for Arbitrary Transactions

Radhesh Krishnan Konoth, Bjorn Fischer, Wan Fokkink, Elias Athanasopoulos, Kaveh Razavi, Herbert Bos

Research output: Chapter in Book / Report / Conference proceedingConference contributionAcademicpeer-review

12 Downloads (Pure)


Secure transactions on the Internet often rely on two-factor authentication (2FA) using mobile phones. In most existing schemes, the separation between the factors is weak and a compromised phone may be enough to break 2FA. In this paper, we identify the basic principles for securing any transaction using mobile-based 2FA. In particular, we argue that the computing system should not only provide isolation between the two factors, but also the integrity of the transaction, while involving the user in confirming the authenticity of the transaction. We show for the first time how these properties can be provided on commodity mobile phones, securing 2FA-protected transactions even when the operating system on the phone is fully compromised. We explore the challenges in the design and implementation of SecurePay, and evaluate the first formally-verified solution that utilizes the ARM TrustZone technology to provide the necessary integrity and authenticity guarantees for mobile-based 2FA. For our evaluation, we integrated SecurePay in ten existing apps, all of which required minimal changes and less than 30 minutes of work. Moreover, if code modifications are not an option, SecurePay can still be used as a secure drop-in replacement for existing (insecure) SMS-based 2FA solutions.

Original languageEnglish
Title of host publication2020 IEEE European Symposium on Security and Privacy (EuroS&P)
Subtitle of host publication[Proceedings]
PublisherInstitute of Electrical and Electronics Engineers Inc.
Number of pages18
ISBN (Electronic)9781728150871
ISBN (Print)9781728150888
Publication statusPublished - 2020
Event5th IEEE European Symposium on Security and Privacy, Euro S and P 2020 - Virtual, Genoa, Italy
Duration: 7 Sept 202011 Sept 2020


Conference5th IEEE European Symposium on Security and Privacy, Euro S and P 2020
CityVirtual, Genoa


  • Mobile Security
  • Trusted Execution Environment
  • Two-Factor Authentication


Dive into the research topics of 'SecurePay: Strengthening Two-Factor Authentication for Arbitrary Transactions'. Together they form a unique fingerprint.

Cite this