
The Request For Better Measurement: A Comparative Evaluation Of Two-Factor Authentication Schemes

Ding Wang, Qianchen Gu, H. Cheng, P. Wang
Published 2016 · Computer Science

Despite over two decades of continuous effort, how to design a secure and efficient two-factor authentication scheme remains an open issue. Hundreds of new schemes have been proposed, wave upon wave, yet most of them are soon found unable to achieve some important security goals (e.g., truly two-factor security) and desirable properties (e.g., user anonymity), falling into the unsatisfactory "break-fix-break-fix" cycle. In this vicious cycle, protocol designers often advocate the superiority of their improved scheme but do not illustrate (or unconsciously overlook) the aspects on which their scheme performs poorly. In this paper, we first use a series of "improved schemes" over Xu et al.'s 2009 scheme as case studies to highlight that, without improved measurement, more "improved schemes" generally do not mean more advancement. To figure out why the measurement of existing schemes is invariably insufficient, we further investigate the state-of-the-art evaluation criteria set (i.e., Madhusudhan-Mittal's set). Besides reporting its ambiguities and redundancies, we propose viable fixes and refinements. To our knowledge, we show for the first time that there are at least seven different attacking scenarios that may lead to the failure of a scheme in achieving truly two-factor security. Finally, we conduct a large-scale comparative evaluation of 26 representative two-factor schemes, and our results outline the request for better measurement when assessing new schemes.
This paper references
10.1016/j.csi.2010.03.008
Advanced smart card based password authentication protocol
R. Song (2010)
10.1016/j.csi.2008.09.006
An improved smart card based password authentication scheme with provable security
J. Xu (2009)
10.1007/978-3-319-18467-8_32
Chaotic Chebyshev Polynomials Based Remote User Authentication Scheme in Client-Server Environment
T. Truong (2015)
10.6138/JIT.2012.13.3.04
Improvement on a Smart Card Based Password Authentication Scheme
D. He (2012)
10.1016/j.jisa.2015.06.001
Design of a lightweight two-factor authentication scheme with smart card revocation
Dheerendra Mishra (2015)
10.1109/NCC.2010.5430153
An improvement of Wang et al.'s authentication scheme using smart cards
S. Sood (2010)
10.1016/j.jnca.2012.01.007
Dynamic ID-based remote user password authentication schemes using smart cards: A review
R. Madhusudhan (2012)
Automated Reverse Engineering using Lego®
Georg Chalupar (2014)
10.1109/TII.2012.2230639
Novel Anonymous Authentication Scheme Using Smart Cards
Jia-Lun Tsai (2013)
Novel anonymous authentication scheme using smart cards
N.-W. Lo, Wu (2015)
10.1016/S1665-6423(13)71583-9
Security Improvement of Two Dynamic ID-based Authentication Schemes by Sood-Sarje-Singh
Rafael Martínez-Peláez (2013)
10.1002/sec.315
Robust smart-cards-based user authentication scheme with user anonymity
Shuhua Wu (2012)
10.1002/dac.2590
Cryptanalysis and improvement of 'a robust smart-card-based remote user password authentication scheme'
S. Kumari (2014)
10.1002/sec.605
A simple and robust anonymous two-factor authenticated key exchange protocol
Xiaowei Li (2013)
10.1016/j.jss.2010.07.062
Two robust remote user authentication protocols using smart cards
K. Yeh (2010)
Smart card security from a programming language and static analysis perspective, 2013. Available at http://pauillac.inria.fr/~xleroy/talks/language-security-etaps03.pdf
X. Leroy (2013)
10.1007/978-3-642-37682-5_34
An Enhanced Anonymous Authentication and Key Exchange Scheme Using Smartcard
Kyung-kug Kim (2012)
10.1002/dac.2793
Design and analysis of an improved smartcard-based remote user password authentication scheme
S. H. Islam (2016)
10.1109/SP.2014.50
A Study of Probabilistic Password Models
Jerry Ma (2014)
Amazon elastic compute cloud (Amazon EC2), 2015. https://aws.amazon.com/ec2/pricing
(2015)
Smart cards; UICC-terminal interface; physical and logical characteristics
ETSI TS 102 (Feb 2010)
10.1016/j.jnca.2013.02.034
An enhanced smart card based remote user password authentication scheme
X. Li (2013)
10.14722/NDSS.2016.23240
Who Are You? A Statistical Approach to Measuring User Authenticity
D. Freeman (2016)
10.1002/sec.1299
An enhanced privacy preserving remote user authentication scheme with provable security
Shehzad Ashraf Chaudhry (2015)
10.1007/978-3-642-31284-7_1
Security Analysis of a Multi-factor Authenticated Key Exchange Protocol
Feng Hao (2012)
10.1007/s10916-011-9658-5
A More Secure Authentication Scheme for Telecare Medicine Information Systems
He Debiao (2012)
Secure and Efficient Smart Card Based Remote User Password Authentication Scheme
Jianghong Wei (2016)
10.1049/ip-e.1992.0053
Remote password authentication with smart cards
C.-C. Chang (2004)
10.1002/dac.2468
Security flaws in two improved remote user authentication schemes using smart cards
C. Ma (2014)
10.1109/TIFS.2015.2439964
A Secure Biometrics-Based Multi-Server Authentication Protocol Using Smart Cards
Vanga Odelu (2015)
10.1109/TDSC.2013.2297110
Robust Multi-Factor Authentication for Fragile Communications
Xinyi Huang (2014)
10.1109/SP.2015.41
Security of the J-PAKE Password-Authenticated Key Exchange Protocol
M. Abdalla (2015)
FIPS 201: Personal identity verification of federal employees and contractors
E. Morse (2013)
10.1145/2414456.2414490
Security implications in Kerberos by the introduction of smart cards
Nikos Mavrogiannopoulos (2012)
10.1007/3-540-45539-6_11
Authenticated Key Exchange Secure against Dictionary Attacks
M. Bellare (2000)
10.1007/s11277-015-2721-7
An Effective and Robust Secure Remote User Authenticated Key Agreement Scheme Using Smart Cards in Wireless Communication Systems
Vanga Odelu (2015)
10.1016/j.jcss.2005.10.001
A password authentication scheme over insecure networks
I. Liao (2006)
10.1109/TPDS.2013.230
Further Observations on Smart-Card-Based Password-Authenticated Key Agreement in Distributed Systems
Xinyi Huang (2014)
10.1016/j.jcss.2008.04.002
Two-factor mutual authentication based on smart cards and passwords
G. Yang (2008)
10.1002/dac.2552
Untraceable dynamic-identity-based remote user authentication scheme with verifiable password update
Y. Chang (2014)
10.1007/978-3-319-17503-4_1
On Limitations of Designing Usable Leakage-Resilient Password Systems: Attacks, Principles and Usability
Qiang Yan (2012)
10.1145/2714576.2714614
TrustLogin: Securing Password-Login on Commodity Operating Systems
F. Zhang (2015)
10.1109/SP.2012.49
The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords
J. Bonneau (2012)
10.1002/sec.967
Cryptanalysis and security enhancement of Zhu's authentication scheme for Telecare medicine information system
F. B. Muhaya (2015)
10.1109/TIE.2009.2028351
Anonymity Enhancement on Robust and Efficient Password-Authenticated Key Agreement Using Smart Cards
Xiangxue Li (2010)
10.1007/978-3-319-24174-6_24
Small Tweaks Do Not Help: Differential Power Analysis of MILENAGE Implementations in 3G/4G USIM Cards
J. Liu (2015)
10.1109/TWC.2008.080128
Two-factor user authentication in wireless sensor networks
M. Das (2009)
10.1002/dac.2644
Improvement of robust smart-card-based password authentication scheme
Qi Jiang (2015)
10.1002/dac.2858
Cryptanalysis and security enhancement of a robust two-factor authentication and key agreement protocol
Q. Xie (2016)
10.1109/TDSC.2014.2355850
Anonymous Two-Factor Authentication in Distributed Systems: Certain Goals Are Beyond Attainment
Ding Wang (2015)
10.1002/sec.1229
Privacy preserving smartcard-based authentication system with provable security
Jin Wook Byun (2015)
10.1109/DSN.2016.60
fuzzyPSM: A New Password Strength Meter Using Fuzzy Probabilistic Context-Free Grammars
Ding Wang (2016)
10.1002/sec.1305
A new authenticated key agreement scheme based on smart cards providing user anonymity with formal proof
F. Wu (2015)
10.1007/978-3-540-46588-1_29
Forward Secrecy and Its Application to Future Mobile Communications Security
DongGook Park (2000)
10.1007/978-3-642-30436-1_40
Password Protected Smart Card and Memory Stick Authentication Against Off-line Dictionary Attacks
Y. Wang (2012)
10.1109/TIE.2009.2016508
Improvements of Juang's Password-Authenticated Key Agreement Scheme Using Smart Cards
Da-Zhi Sun (2009)
10.1002/SEC.1419
Robust anonymous two-factor authenticated key exchange scheme for mobile client-server environment
Y. Lu (2016)
10.1109/TIE.2008.921677
Robust and Efficient Password-Authenticated Key Agreement Using Smart Cards
W. Juang (2008)
10.1007/s10916-012-9835-1
An Improved Authentication Scheme for Telecare Medicine Information Systems
Jianghong Wei (2012)
10.1007/s10916-013-9933-8
A Secure Smart-Card Based Authentication and Key Agreement Scheme for Telecare Medicine Information Systems
Tian-Fu Lee (2013)
10.1016/j.comcom.2010.04.005
Robust authentication and key agreement scheme preserving the privacy of secret key
Ren-Chiun Wang (2011)
10.1002/dac.2368
Robust smart-card-based remote user password authentication scheme
Bae-Ling Chen (2014)
10.1016/j.compeleceng.2014.05.007
An improved remote user authentication scheme with key agreement
S. Kumari (2014)
10.1016/j.comcom.2010.02.011
Cryptanalysis and security enhancement of a 'more efficient & secure dynamic ID-based remote user authentication scheme'
M. Khan (2011)
10.1145/1754288.1754303
An improvement of Xu et al.'s authentication scheme using smart cards
S. Sood (2010)
10.1007/s10916-012-9856-9
An Efficient Authentication Scheme for Telecare Medicine Information Systems
Zhian Zhu (2012)
10.1007/978-3-642-39884-1_20
On the Need of Physical Security for Small Embedded Devices: A Case Study with COMP128-1 Implementations in SIM Cards
Yuanyuan Zhou (2013)
10.1007/978-3-319-27659-5_16
Offline Dictionary Attack on Password Authentication Schemes Using Smart Cards
Ding Wang (2013)
This paper is referenced by
10.1109/ICOIN.2018.8343155
Cryptanalysis of a chaotic chebyshev polynomials based remote user authentication scheme
Chunyi Quan (2018)
10.1016/j.infsof.2017.11.004
Kontun: A Framework for recommendation of authentication schemes and methods
I. Velásquez (2018)
10.1007/978-3-319-68542-7_16
A Chaotic Map-Based Authentication and Key Agreement Scheme with User Anonymity for Cloud Computing
F. Wu (2017)
10.1002/dac.3701
A secure and enhanced elliptic curve cryptography-based dynamic authentication scheme using smart card
R. Madhusudhan (2018)
10.1007/978-3-030-01950-1_50
Revisiting Anonymous Two-Factor Authentication Schemes for Multi-server Environment
P. Wang (2018)
10.1007/978-3-030-38991-8_35
Tiger Tally: Cross-Domain Scheme for Different Authentication Mechanism
Guishan Dong (2019)
10.1109/TII.2018.2834351
Measuring Two-Factor Authentication Schemes for Real-Time Data Access in Industrial Wireless Sensor Networks
Ding Wang (2018)
10.1155/2019/2516963
Revisiting Anonymous Two-Factor Authentication Schemes for IoT-Enabled Devices in Cloud Computing Environments
P. Wang (2019)
10.1145/3173574.3174030
“It's not actually that horrible”: Exploring Adoption of Two-Factor Authentication at a University
Jessica Colnago (2018)
10.1155/2018/3284324
A Secure Three-Factor Multiserver Authentication Protocol against the Honest-But-Curious Servers
H. Guo (2018)
Security Improvements of EPS-AKA Protocol
Mourad Abdeljebbar (2018)
10.1007/S12046-019-1163-4
Unified and integrated authentication and key agreement scheme for e-governance system without verification table
Darpan Anand (2019)
10.1002/sat.1385
An enhanced dynamic authentication scheme for mobile satellite communication systems
Yulei Chen (2020)
10.1016/j.cose.2019.101619
Understanding security failures of multi-factor authentication schemes for multi-server environments
Ding Wang (2020)
10.1109/ACCESS.2017.2764913
On the Design of Provably Secure Lightweight Remote User Authentication Scheme for Mobile Cloud Computing Services
S. Roy (2017)
10.1016/J.JKSUCI.2019.01.015
Using a systematic framework to critically analyze proposed smart card based two factor authentication schemes
K. Hussain (2019)
10.1007/S11036-018-1061-8
Secure Remote User Mutual Authentication Scheme with Key Agreement for Cloud Environment
M. Karuppiah (2019)
10.3390/s18103520
Efficient Privacy-Preserving Access Control Scheme in Electronic Health Records System
Y. Ming (2018)
Identifying Comparison and Selection Criteria for Authentication Schemes and Methods
I. Velásquez (2017)
10.1016/J.IMU.2018.02.003
An efficient and secure remote user mutual authentication scheme using smart cards for Telecare medical information systems
N. Radhakrishnan (2018)
10.1371/journal.pone.0193366
An improved anonymous authentication scheme for roaming in ubiquitous networks
Hakjun Lee (2018)
10.1016/J.PMCJ.2019.101050
Vulnerabilities on Hyperledger Fabric
Nitish Andola (2019)
10.1007/s11235-019-00612-5
Authentication schemes for smart mobile devices: threat models, countermeasures, and open research issues
M. Ferrag (2020)
10.1109/TDSC.2016.2605087
Two Birds with One Stone: Two-Factor Authentication with Security Beyond Conventional Bound
Ding Wang (2018)
10.1016/j.jisa.2020.102494
A three-factor anonymous user authentication scheme for Internet of Things environments
Hakjun Lee (2020)
Observation Study on Usability Challenges for Fingerprint Authentication Using WebAuthn-enabled Android Smartphones
Wataru Oogami (2020)
10.1109/JSYST.2016.2585681
On the Challenges in Designing Identity-Based Privacy-Preserving Authentication Schemes for Mobile Devices
Ding Wang (2018)
A Level Dependent Authentication for IoT Paradigm
C. Patel (2020)
10.1109/BigDataSecurity.2017.34
Breaking Two Remote User Authentication Systems for Mobile Devices
W. Li (2017)
10.1145/3325130
Efficient Multi-Factor User Authentication Protocol with Forward Secrecy for Real-Time Data Access in WSNs
Ding Wang (2020)
10.1007/978-3-030-01150-5_6
Connecting Things to Things in Physical-World: Security and Privacy Issues in Mobile Sensor Networks
S. Zhong (2019)
10.1007/978-3-030-16946-6_36
Cryptanalysis of Anonymous Three Factor-Based Authentication Schemes for Multi-server Environment
Jiaqing Mo (2018)
Some data provided by Semantic Scholar