Online citations, reference lists, and bibliographies.

Design, Formal Specification And Analysis Of Multi-Factor Authentication Solutions With A Single Sign-On Experience

Giada Sciarretta, Roberto Carbone, Silvio Ranise, Luca Viganò
Published 2018 · Computer Science
Cite This
Download PDF
Analyze on Scholarcy
Share
Over the last few years, there has been an almost exponential increase of the number of mobile applications that deal with sensitive data, such as applications for e-commerce or health. When dealing with sensitive data, classical authentication solutions based on username-password pairs are not enough, and multi-factor authentication solutions that combine two or more authentication elements of different categories are required. Many different such solutions are available, but they usually cover the scenario of a user accessing web applications on their laptops, whereas in this paper we focus on native mobile applications. This changes the exploitable attack surface and thus requires a specific analysis. In this paper, we present the design, the formal specification and the security analysis of a solution that allows users to access different mobile applications through a multi-factor authentication solution providing a Single Sign-On experience. The formal and automated analysis that we performed validates the security goals of the solution we propose.
This paper references
10.1007/s10009-015-0385-y
SATMC: a SAT-based model checker for security protocols, business processes, and security APIs
Alessandro Armando (2015)
10.1109/CSNT.2011.141
Formal Verification of OAuth 2.0 Using Alloy Framework
Suhas A. Pai (2011)
10.1145/2382196.2382238
The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems
San-Tsai Sun (2012)
10.1145/2660267.2660323
OAuth Demystified for Mobile Application Developers
Eric Y. Chen (2014)
10.1007/978-3-642-04444-1_21
Secure Pseudonymous Channels
Sebastian Mödersheim (2009)
10.1109/ICECCS.2015.20
Formal Analysis of a Single Sign-On Protocol Implementation for Android
Quanqi Ye (2015)
10.1109/SP.2012.30
Signing Me onto Your Accounts through Facebook and Google: A Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services
Rui Wang (2012)
10.1109/MobServ.2014.15
Towards Enhancing the Security of OAuth Implementations in Smart Phones
Mohamed Shehab (2014)
10.1109/SP.2014.49
An Expressive Model for the Web Infrastructure: Definition and Application to the Browser ID SSO System
Daniel Fett (2014)
10.1145/2976749.2978385
A Comprehensive Formal Security Analysis of OAuth 2.0
Daniel Fett (2016)
10.1109/HASE.2015.20
Verification for OAuth Using ASLan++
Haixing Yan (2015)
10.1109/CSF.2017.20
The Web SSO Standard OpenID Connect: In-depth Formal Security Analysis and Security Guidelines
Daniel Fett (2017)
10.1109/TIT.1983.1056650
On the security of public key protocols
D. Dolev (1981)
10.1109/CSF.2012.27
Discovering Concrete Attacks on Website Authorization by Formal Analysis
Chetan Bansal (2012)
10.1145/358790.358797
Password authentication with insecure communication
L. Lamport (1981)
10.1007/978-3-642-28756-5_19
The AVANTSSAR Platform for the Automated Validation of Trust and Security of Service-Oriented Architectures
Alessandro Armando (2012)
10.1016/j.cose.2017.04.011
Anatomy of the Facebook solution for mobile single sign-on: Security assessment and improvements
Giada Sciarretta (2017)
10.1145/1456396.1456397
Formal analysis of SAML 2.0 web browser single sign-on: breaking the SAML-based single sign-on for google apps
A. Armando (2008)
10.14722/NDSS.2016.23286
Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications
Avinash Sudhodanan (2016)
10.1007/978-3-642-38631-2_63
Formal Modeling and Automatic Security Analysis of Two-Factor and Two-Channel Authentication Protocols
Alessandro Armando (2013)
10.5220/0005969001470158
Security of Mobile Single Sign-On: A Rational Reconstruction of Facebook Login Solution
Giada Sciarretta (2016)
10.1109/CSFW.1997.596782
A hierarchy of authentication specifications
G. Lowe (1997)
Distributed Systems: Concepts and Design (4th Edition) (International Computer Science)
Coulouris (2005)



This paper is referenced by
Semantic Scholar Logo Some data provided by SemanticScholar