
Design, Formal Specification and Analysis of Multi-Factor Authentication Solutions with a Single Sign-On Experience

Giada Sciarretta, R. Carbone, Silvio Ranise, L. Viganò
Published 2018 · Computer Science

Over the last few years, there has been an almost exponential increase in the number of mobile applications that deal with sensitive data, such as applications for e-commerce or health. When dealing with sensitive data, classical authentication solutions based on username-password pairs are not enough, and multi-factor authentication solutions that combine two or more authentication elements of different categories are required. Many such solutions are available, but they usually cover the scenario of a user accessing web applications from a laptop, whereas in this paper we focus on native mobile applications. This changes the exploitable attack surface and thus requires a specific analysis. In this paper, we present the design, the formal specification and the security analysis of a solution that allows users to access different mobile applications through a multi-factor authentication solution providing a Single Sign-On experience. The formal and automated analysis that we performed validates the security goals of the solution we propose.
This paper references
L. Lamport (1981). Password authentication with insecure communication
D. Dolev (1983). On the security of public key protocols
G. Lowe (1997). A hierarchy of authentication specifications
Coulouris (2005). Distributed Systems: Concepts and Design (4th Edition) (International Computer Science)
A. Armando (2008). Formal analysis of SAML 2.0 web browser single sign-on: breaking the SAML-based single sign-on for Google Apps
S. Mödersheim (2009). Secure Pseudonymous Channels
S. Pai (2011). Formal Verification of OAuth 2.0 Using Alloy Framework
A. Armando (2012). The AVANTSSAR Platform for the Automated Validation of Trust and Security of Service-Oriented Architectures
Chetan Bansal (2012). Discovering Concrete Attacks on Website Authorization by Formal Analysis
R. Wang (2012). Signing Me onto Your Accounts through Facebook and Google: A Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services
San-Tsai Sun (2012). The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems
A. Armando (2013). Formal Modeling and Automatic Security Analysis of Two-Factor and Two-Channel Authentication Protocols
M. Shehab (2014). Towards Enhancing the Security of OAuth Implementations in Smart Phones
Daniel Fett (2014). An Expressive Model for the Web Infrastructure: Definition and Application to the BrowserID SSO System
E. Y. Chen (2014). OAuth Demystified for Mobile Application Developers
Quanqi Ye (2015). Formal Analysis of a Single Sign-On Protocol Implementation for Android
Haixing Yan (2015). Verification for OAuth Using ASLan++
A. Armando (2016). SATMC: a SAT-based model checker for security protocols, business processes, and security APIs
Avinash Sudhodanan (2016). Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications
Giada Sciarretta (2016). Security of Mobile Single Sign-On: A Rational Reconstruction of Facebook Login Solution
Daniel Fett (2016). A Comprehensive Formal Security Analysis of OAuth 2.0
Giada Sciarretta (2017). Anatomy of the Facebook solution for mobile single sign-on: Security assessment and improvements
Daniel Fett (2017). The Web SSO Standard OpenID Connect: In-depth Formal Security Analysis and Security Guidelines
