Published May 17, 2021 | Version v1
Journal article Open

Practical Threshold Multi-Factor Authentication

  • 1. TU Delft

Description

Multi-factor authentication (MFA) has been widely used to safeguard high-value assets. Unlike single-factor authentication (e.g., password-only login), t-factor authentication ( tFA) requires a user always to carry and present t specified factors so as to strengthen the security of login. Nevertheless, this may restrict user experience in limiting the flexibility of factor usage, e.g., the user may prefer to choose any factors at hand for login authentication. To bring back usability and flexibility without loss of security, we introduce a new notion of authentication, called (t,n) threshold MFA, that allows a user to actively choose t factors out of n based on preference. We further define the “most-rigorous” multi-factor security model for the new notion, allowing attackers to control public channels, launch active/passive attacks, and compromise/corrupt any subset of parties as well as factors. We state that the model can capture the most practical security needs in the literature. We design a threshold MFA key exchange (T-MFAKE) protocol built on the top of a threshold oblivious pseudorandom function and an authenticated key exchange protocol. Our protocol achieves the “highest-attainable” security against all attacking attempts in the context of parties/factors being compromised/corrupted. As for efficiency, our design only requires 4+t exponentiations, 2 multi-exponentiations and 2 communication rounds. Compared with existing tFA schemes, even the degenerated (t,t) version of our protocol achieves the strongest security (stronger than most schemes) and higher efficiency on computational and communication. We instantiate our design on real-world platform to highlight its practicability and efficiency.

Files

Practical_Threshold_Multi-Factor_Authentication.pdf

Files (2.7 MB)

Additional details

Funding

ASSURED – Future Proofing of ICT Trust Chains: Sustainable Operational Assurance and Verification Remote Guards for Systems-of-Systems Security and Privacy 952697
European Commission