Two Birds With One Stone: Two-Factor Authentication With Security Beyond Conventional Bound

Ding Wang, P. Wang
Published 2018 · Computer Science

As the most prevalent two-factor authentication mechanism, smart-card-based password authentication has been a subject of intensive research in the past two decades, and hundreds of schemes of this type have been proposed, wave upon wave. In most of these studies there is no comprehensive and systematic metric by which schemes can be assessed objectively, and the authors present new schemes with assertions of superiority over previous ones while overlooking the dimensions on which their schemes fare poorly. Unsurprisingly, most of them are far from satisfactory: they either fall short of important security goals or lack critical properties, and in particular remain stuck with the security-usability tension. To overcome this issue, in this work we first explicitly define a security model that can accurately capture the practical capabilities of an adversary, and then suggest a broad set of twelve properties framed as a systematic methodology for comparative evaluation, allowing schemes to be rated across a common spectrum. As our main contribution, a new scheme is advanced to resolve the various issues arising from user corruption and server compromise, and it is formally proved secure under the harshest adversary model so far. In particular, by integrating “honeywords”, traditionally the purview of system security, with a “fuzzy-verifier”, our scheme hits “two birds”: it not only eliminates the long-standing security-usability conflict that is considered intractable in the literature, but also achieves security guarantees beyond the conventional optimal security bound.

Some data provided by Semantic Scholar.