Practical Threshold Multi-Factor Authentication

—Multi-factor authentication (MFA) has been widely used to safeguard high-value assets. Unlike single-factor authentication (e.g., password-only login), t -factor authentication ( t FA) requires a user always to carry and present t speciﬁed factors so as to strengthen the security of login. Nevertheless, this may restrict user experience in limiting the ﬂexibility of factor usage, e.g., the user may prefer to choose any factors at hand for login authentication. To bring back usability and ﬂexibility without loss of security, we introduce a new notion of authentication, called ( t,n ) threshold MFA , that allows a user to actively choose t factors out of n based on preference. We further deﬁne the “most-rigorous” multi-factor security model for the new notion, allowing attackers to control public channels, launch active/passive attacks, and compromise/corrupt any subset of parties as well as factors. We state that the model can capture the most practical security needs in the literature. We design a threshold MFA key exchange (T-MFAKE) protocol built on the top of a threshold oblivious pseudorandom function and an authenticated key exchange protocol. Our protocol achieves the “highest-attainable” security against all attacking attempts in the context of parties/factors being compromised/corrupted. As for efﬁciency, our design only requires 4+ t exponentiations, 2 multi-exponentiations and 2 communication rounds. Compared with existing t FA schemes, even the degenerated ( t,t ) version of our protocol achieves the strongest security (stronger than most schemes) and higher efﬁciency on computational and communication. We instantiate our design on real-world platform to highlight its practicability and efﬁciency.


INTRODUCTION
M ULTI-FACTOR authentication (MFA) has been deployed in real-world applications to safeguard highvalue assets, e.g., online banking. A user is required to make use of t factors, at the same time, to execute secure authentication. This t-factor authentication (tFA) naturally brings more challenges, than single-factor authentication, to attackers since there are t factors that need to be compromised for an impersonation. For instance, EMV [1], [2], a widely adopted payment method, allows one to present his smart card and the password/PIN to pay a bill on a POS terminal. Attackers cannot steal the money by only being given the smart card or the password.
Motivation. The current tFA schemes require users to present t fixed factors for authentication. This "static"-factor authentication mode could not provide flexibility for authentication because users may not be able to always present the t factors anywhere and anytime, for example, one of the factors may be left at home and even be lost. Furthermore, this mode also limits the preference of factor usage -which factors should users choose to take. Users, in practice, prefer to leverage those factors which are at hand. To this end, the usage of factors should be more dynamic. Besides, the number t becomes a bottleneck between the security and usability in tFAs. It is clear that a higher security level requires a larger t (e.g., t = 5) but this brings lower usability for users.  We propose the notion of (t, n) threshold MFA (T-MFA) to address the issues. As shown in Fig. 1, T-MFA allows a user to register n factors and adaptively choose arbitrary t out of n for authentication, in which t and n can be flexibly set by the user based on its preference (note that (t, n) T-MFA is naturally degenerated to tFA, when n = t). Compared with tFA, (t, n) T-MFA significantly improves usability with the same security level (attackers need to compromise t factors to impersonate users). More importantly, T-MFA allows a user to autonomously increase t to achieve higher security according to the number of always-at-hand factors. Since the usage of multiple personal electronic devices at home and workplace has become common [3], the user may hold several devices, e.g., a smartphone, a smartwatch, and a tablet, as multiple factors along with its password (or other types of factor) and later, it just uses a subgroup of factors (≥ t) in verification. T-MFA also allows the user to leverage fixed-location (non-portable) devices as factors, e.g., a smart speaker at home, or an intranet server in the workplace. The user may now set a larger t without compromising usability, e.g., t = 4: using the password, smartphone and smartwatch as portable factors, and either smart speaker or server as the unportable one. Besides, if a device is lost, the authentication can still be successfully executed with another one. Naturally, the user can also use more devices, e.g., an old smartphone as a factor, for backup. Design Challenges. The concept of T-MFA seems natural, but, to our best knowledge, none of the existing studies has paid attention to it. We state that this is because of the significant challenges in designing a T-MFA scheme and further analyzing its security. Note that we here mainly focus on remote authentication rather than local authentication, since the design for the former is more challenging and usually can apply to the latter.
One may think that a trivial way to implement T-MFA can be captured as follows. A user may send any t (may be in challenge-response mode) out of n registered factors to a server, so that the server can verify them one by one. This design is quite similar to the multiple login authentication. For instance, the user can log in to WeChat via either option (1): phone number + password, or option (2): phone number + SMS. But this requires the server to store factors in a file for (possessing knowledge of) verification, leading to potential vulnerabilities against server compromise. Via compromising the server, the attacker can access the file storing those factors, which yields the possibility of factor recovery. A classic example could be that the attacker attempts to recover the password (which is one of the factors) via offline password guessing. Once the factors are retrieved, the attacker can impersonate the valid user. It is also probable that all the accounts that used the same revealed factors will be controlled by the attacker. Beyond impersonation, the server compromise may bring even worse consequences -harming user long-term privacy -if the storage file includes personal biometrics (e.g., gait [4], electroencephalogram [5]).
Another potential approach is to leverage threshold cryptography. For multiple devices, a trivial T-MFA design can request each device to share the user's secret for authentication via a threshold secret share scheme. This idea is used in some server-side authentication scenarios, e.g., [6], [7], [8], requesting multiple servers to store cryptographic keys. However, this mechanism still cannot be perfectly compatible with some types of factors, e.g., passwords and biometrics, which are not natural cryptographic keys, and require non-server-side storage.
One may also try to extend the current MFA schemes to yield a T-MFA. However, even for MFA, it is difficult to capture the "highest attainable security" with a precise and well-defined security model and further satisfy the security by a well-designed protocol. It is not trivial to handle all different parties and their factors along with all the combinations over compromise. A single MFA scheme will perform different security levels according to the various compromise cases. This brings a great challenge for researchers to precisely capture the security of MFA, which also applies to T-MFA. Due to the lack of a precise security model, most MFA schemes fail to achieve "sound and practical security". The industrial MFA schemes (e.g., [9], [10]) cannot resist server compromise, and most of the academic ones (e.g., [11], [12]) fail to provide forward security, key-compromise impersonation (KCI) security, or suffer from other security issues. To the best of our knowledge, only Jarecki et al. [13] 2FA protocol achieves the highest attainable security. But their protocol requires expensive cost in communication (10 rounds) so it is not practical for real-world applications. Note the detailed analysis for the existing MFA schemes will be given in Section 2. Therefore, no current MFA design with both the highest attainable security and efficiency can be used to construct T-MFA. And again, the existing MFA schemes suffer from the "pre-set" limit: the number and the type of factors are fixed in the very beginning, e.g., the passwordand-device based 2FAs [9], [10], [13], [14], and biometricsbased 3FAs [11], [12]. They cannot be trivially extended to offer the dynamic and flexible usage of factors to T-MFA. Our contribution. We here briefly describe the contribution.
Real-world Security. We introduce a game-based model to precisely capture the security for (t, n) T-MFA key exchange (T-MFAKE). Our model allows attackers to control communication on public channels and to compromise any parties and factors, and considers the use of different types of factors, including passwords, devices, and biometrics. For each combination of party or factor compromise, we give special security bound (i.e., advantage) to capture the highest attainable security by only allowing inevitable attacks. Specifically, our novel security notion considers the inevitable attacks against password via: 1) if t − 1 factors (excluding password) are compromised, online password guessing attack is inevitable and allowed; 2) if t − 1 factors (excluding password) are compromised and server is compromised or corrupted, offline password guessing attack is also inevitable and allowed; 3) if t factors are compromised, user impersonation is trivially inevitable; 4) if server is compromised or corrupted, impersonating server is trivially inevitable; 5) otherwise, no other inevitable attacks are allowed. Note we consider the similar inevitable guessing attacks for a biometric factor. If a protocol is secure in our model, it can achieve practical real-world security (i.e. resisting all the attacks except the "inevitable ones").
Practical Design. We propose a fast and secure (t, n) T-MFAKE protocol. We allow a user to leverage a password, multiple devices, and biometrics (optional) as authentication factors. Because of the advantages of passwords on usability and deployability [15], we require the user to always type his password for authentication (cannot use another factor instead it) in order to provide the last defense for the worst case where the other factors are all compromised. Our construction is built on the top of a threshold oblivious pseudorandom function (TOPRF) and an authenticated key exchange (AKE) protocol. The core idea is to enhance the password to a cryptographic key with any other t−1 factors (via TOPRF) and further use the key for authentication (via AKE). Each factor except the password corresponds to a secret key in TOPRF: for a device factor, the key is stored in the device locally; for a biometric factor, the key is converted by fuzzy extractor [16], which prevents the biometrics from leaking even if the storage file is compromised. By TOPRF, our protocol provides factor invisibility, i.e., the server cannot see which factors are registered and used for authentication. This means that even if the server is compromised, the factors can stay safe. Besides, using the refreshment mechanism of threshold schemes, our protocol can remotely revoke the lost (or misfunctioned) devices. As for efficiency, our protocol is extremely light-weight w.r.t. computation and communication cost, requiring 4 + t exponentiations, 2 multi-exponentiations and only 2 rounds communication (by parallel running TOPRF and AKE).
Security Analysis. We further analyze the security of our T-MFAKE protocol. Our protocol holds against all practical and real-world attacks (except the inevitable ones), and thus achieves the highest attainable security w.r.t. arbitrary combination of party or factor compromise. The degenerated (2, 2) version of our protocol holds the same security as the stateof-the-art 2FAKE, OpTFA [13], while (t, t) version achieves higher security as compared to other existing tFA schemes.
Efficient Implementation. We implement the (2, 2) version of our protocol on a real-world system with a smartphone, a PC, and a remote server, and further evaluate its runtime performance. The experimental results show that the new version is 138.25% and 148.49% faster than OpTFA on communication and computation, respectively (note that OpTFA costs 12 exponentiations, 2 multi-exponentiations, and 10-round communication).
To summarize, our main contributions are as follows: 1) The notion of (t, n) threshold multi-factor authentication (T-MFA), for the first time in the literature, is proposed to allow users to freely and actively choose t factors out of n for authentication. 2) A security model is defined to capture the real-world highest attainable security for T-MFA key exchange (T-MFAKE) protocol. 3) An efficient T-MFAKE protocol is proposed, only requiring 4 + t exponentiations, 2 multi-exponentiations and only 2-round communication. 4) A formal security analysis for our protocol is given, presenting that the protocol achieves the highest attainable security. 5) An efficient implementation and the performance evaluation are demonstrated to highlight the efficiency of our design in the real-world platform.

RELATED WORKS
We here briefly review some typical MFA protocols.

MFA Schemes in Industry
In industry, many 2FA schemes are widely implemented in the web-based authentication, including Google Authenticator [9], FIDO U2F [17], and Duo 2FA [10]. All these schemes authenticate the factors separately. For example, in password-and-device authentication mode, the user is requested to send a password to the server via a serverauthenticated secure channel and meanwhile, the server also needs a PIN generated from the smartphone. But the verification of the password and PIN is separate, meaning that these two factors are not "tightly" bound together as one verification. This may bring several limits: 1) The server can access the password in plaintext, which may be leaked accidentally or on purpose, for example, Github recorded plaintext passwords in secure internal logs because of some bug [18]. Similar issues have also happened to Google, Twitter and Facebook [19].
2) The server stores the hash values of passwords (or other verification values), increasing the leak risk. In practice, billions of passwords have been leaked from hundreds of websites [20]. With hash values, an attacker can efficiently and offline recover the plaintext by exploiting password guessing algorithms (e.g., [21], [22]). Since users usually reuse passwords on different accounts [21], the attacker probably compromises multiple accounts with the same password.

3) The authentication requires a Public Key Infrastructure
(PKI) to establish the server-authenticated secure channel. This may not scale well and will leak password or other factors if PKI is infiltrated.

Academic Studies on MFA
Many studies, e.g., [11], [12], [13], [14], focus on the security analysis along with new designs for MFA. We first review the methods of security analysis they use and then make discussions over their constructions. Security analysis methods. Some of the analyses are based on heuristic attacks, BAN logic or automatic tools [23], [24], [25], [26], which cannot provide a sound and solid analysis. Others (e.g., [11], [12], [27]) are in game-based security model (usually BPR or ROR model [28], [29]) to provide a provable security analysis. However, most of the game-based analyses (except for [13], [14]) fail to model the highest attainable security of MFA. This is so because they cannot precisely define the security requirements for various combinations of party or factor compromise. Taking an ideally secure 2FA (password-and-device mode) as an example. 1) if the attacker does not compromise the device (case I), she cannot impersonate the user except a negligible probability; 2) if the attacker compromises the device (case II), she inevitably can carry out online password guessing attacks to impersonate the user with a non-negligible probability. The security requirements for the above cases should be specified respectively. But the current security models just define an upper-bound attacking advantage to define the security requirements w.r.t. all the compromise cases. This bound only captures the security in the worst case (referring to the case where all factors except for password are compromised), and thus cannot precisely model the security for other cases (e.g., the device is not compromised). Take a further example, if a 2FA protocol suffers from online password guessing attacks in case I, it satisfies the security requirement of the current models but is clearly insecure in practice. Thus we state the limitation of the security models incurs that a concrete protocol -proved secure by current research works -cannot satisfy the highest security requirements in all practical cases. In other words, what has been proved secure is not always secure in practice.
To tackle the issue, Shirvanian et al. [14] first defined different requirements for 2FA w.r.t. a few cases of compromise combination, and provided specified security bound for each of the cases. But their model does not consider the case of server corruption. Later, Jarecki et al. [13] proposed an improved model by taking more other cases into account, capturing the highest attainable security for 2FA. Our security notion is inspired by theirs but also provides the highest attainable security for MFA and even T-MFA. More academic MFA schemes. Due to the limitation of the security models, current MFA schemes may suffer from unexpected real-world attacks which are not considered Industrial schemes [9], [10], [17] TLS + Separate factor authentication Deployability. Suffer from PKI failures and server compromise. Shirvanian et al. [14] Salt reconstruction Resist server compromise. Suffer from server corruption.
Jarecki et al. [ and covered in the models, meaning they are insecure in practical use. Here, we briefly present some examples. 3FA schemes. Zhang et al. [11] proposed a 3FA scheme combining a password, a device, and biometrics. Although proved secure in the BRP model (with one security bound), the scheme still suffers from key-compromise impersonation (KCI) attacks. Expressly, if all factors (α, β, γ) of a user are compromised, attackers can impersonate the server to interact with the user (by leveraging Z = H (α+β+γ) ). Similarly, we find Wazid et al.'s scheme [12] which is proved in the ROR model but still suffers from KCI attacks and ephemeral secret leakage (ESL) attacks. Besides, this scheme cannot hold against offline password guessing, if device and biometrics are compromised.
2FA schemes. Shirvanian et al. [14] proposed a 2FA scheme twisting password and device, based on industrial 2FA design. The scheme is strengthened to resist server compromise (i.e., the leakage of server's data). However, it heavily relies on PKI and cannot prevent server from accessing plaintext passwords, which leads to the aforementioned vulnerabilities identified from the industrial schemes. Jarecki et al. [13] later proposed an improved 2FA, OpTFA, to address all the aforementioned vulnerabilities. However, OpTFA is too complex and inefficient. It requires 12 exponentiations, 2 multi-exponentiations on computation cost and 10 rounds on communication. Besides, it is designed for 2FA context only and thus is difficult to be extended to an MFA variant.

PRELIMINARIES
In this section, we review the building blocks we are going to use in our design, including a threshold oblivious pseudorandom function (TOPRF) and an authenticated key exchange (AKE) protocol, a password-based authenticated key exchange (PAKE) protocol and the fuzzy extractor.

Threshold Oblivious Pseudorandom Function
Threshold oblivious pseudorandom function (TOPRF) is introduced by Jarecki et al. [8]. It is a threshold variant of the client-server oblivious pseudorandom function (OPRF). The client-server OPRF consists of a PRF F and a clientserver protocol. In the protocol, the server holds a secret key s, and the client inputs x to get F s (x) without knowing s. Meanwhile, the server knows nothing about the input x. This is an appropriate method to enhance the low-entropy password pw to a cryptographic key F s (pw). TOPRF leverages multiple servers to collectively control the key to resist server compromise. For a (t, n) TOPRF, the client needs to run the TOPRF protocol with t servers. If no more than t servers are compromised or corrupted, the attacker cannot offline calculate F and has to interact with some servers. The formal security of TOPRF is defined in Universally Composable (UC) Framework [30]. Specifically, the executions of a real TOPRF protocol Π and the ideal TOPRF function F TOPRF are indistinguishable.
We will use a TOPRF scheme, 2HashTDH [8], in our protocol. 2HashTDH is a threshold variant of 2HashDH [31], an OPRF scheme. We detail 2HashTDH in Fig. 2. In 2HashTDH, the secret key s is shared by Shamir's secret sharing scheme. During the execution of 2HashTDH, s is used to calculate the PRF but not reconstructed on any party, which can avoid the leakage of s (unless t servers are compromised). In addition, the randomness of r guarantees the servers (and attackers) cannot get any information about x. Formally, 2HashTDH is secure under the One-More Diffie-Hellman assumption and in the random-oracle model.
Shamir's secret sharing used in TOPRF is a typical threshold method. In (t, n) Shamir's secret sharing, a (randomly-generated) secret key s is divided into n shares {s} n i=1 . Arbitrary t shares {s Di } i∈I (where I is the index set of the t shares) can reconstruct s. This construction is leveraged by a polynomial of degree t, where a 0 = s, a 1 , a 2 , . . . , a t are randomly generated. The i- where λ i is the Lagrange interpolation coefficient for i in I, Note that we made a slight modification on the original 2HashTDH [8]. In the original version, S i calculates λ i ; in our version (Fig. 2), C does the calculation. In our way, C does not need to send I to S i , which saves communication costs (note the length of I is proportional to t).

Authenticated Key Exchange
Authenticated key exchange (AKE) has been studied for decades and there are many protocols have been proposed, e.g., [32], [33]. In contrast to 2FAKE and MFAKE, AKE requires each party to hold a long-lived cryptographic key. Two parties can establish a temporary session key with the long-lived keys and encrypting further communications Parameter • G is a cyclic group with a generator g and prime order m. • H, H are two hash functions with ranges {0, 1} l and G, respectively. The PRF F s (x) is defined as

Initialization
• n servers initialize a (t, n) Shamir's secret sharing to generate each secret share using the session key without the long-lived keys. The security definition [32] for AKE protocols is similar to that for MFAKE (see Section 4), which is also defined by distinguishing the real session key and a random one. We use Adv ake Π (A) to denote the advantage of the attacker A against an AKE protocol Π. We do not detail the security game for AKE protocols, and readers can refer to [32], [33].
To construct our protocol, we require the AKE protocol to be secure as defined in [32] and additionally resist KCI attacks. This means if the long-lived key of a party P is compromised, the attacker cannot impersonate another party Q to interact with P by P 's key. To capture the security, the security game defined in [32] should be modified by including more fresh instances whose internal states and its partner's states are not compromised.
HMQV [33] is a well-known protocol with KCI resistance. We will use it in our protocol, due to its security and efficiency. Fig. 3 details HMQV (with implicit authentication). It only needs one exponentiation and one multiexponentiation for each party and two communication rounds. Its message flows are similar to those of Diffie-Hellman key exchange, but it additionally uses public key cryptography (k A , K A for participant A) for authentication. Although HMQV does not provide explicit authentication, it is trivial to achieve explicit authentication by adding one round as in [28]. Krawczyk proves the AKE security of HMQV as well as KCI security/resistance. Formally, in the aforementioned (modified) game with KCI security, the advantage Adv ake HMQV is negligible under Computational Diffie-Hellman assumption in the random-oracle model.

Password-based Authenticated Key Exchange
Password-based Authenticated Key Exchange (PAKE) also has been studied for decades. Some important studies are [34], [35], [36]. In symmetric PAKE, two parties share a longlived password with low entropy for authentication and key exchange. In asymmetric PAKE, one party (the user) holds Parameter • G is a cyclic group with a generator g and prime order m. • H, H are two hash functions with ranges Z m and {0, 1} l . l is the length of the session key. Note that these parameters may not be the same as those in Fig. 2.

Initialization
• Each participant A generates the private and public We assume that each participant securely gets the others' public key (in our MFAKE, the public key is sent on a secure channel in initialization phase).
Authentication Adding one round as in [28] can achieve explicit authentication (i.e., adding the message H (SK, 1) and H (SK, 2) to the last two rounds respectively, where H is a hash function with the range {0, 1} l ). Informally, a 2FAKE protocol can be seen as a PAKE protocol if the device is corrupted. So the former may leverage the latter as a component, e.g., OpTFA [13], to protect the password for the case of device corruption. However, this usually leads to complexity and inefficiency. Instead, we are inspired by the design of a PAKE protocol, OPAQUE [35], and further use it for our T-MFAKE.
As shown in Fig. 4, OPAQUE leverages an OPRF, an AKE and an encryption scheme. Its core roadmap is as follows: 1) The client enhances the password pw to a cryptographic key rw (also called random password) by running OPRF with the server. 2) The secret keys (k U , K U ) of the user in AKE is en-Parameter • All parameters in 2HashDH (i.e., (1, 1) 2HashTDH) and HMQV. To distinguish these parameters, we add the subscript 1 and 2 to parameters in 2HashTDH and HMQV, respectively, if necessary. • An encryption scheme (Enc, Dec). Initialization • C generates the secret key s of S in the 2HashDH and sends s to D; calculates rw ← H 1 (pw, H 1 (pw) s ) (note running 2HashDH with S and input pw will get rw). s can be generated by S. If so, rw is got by C running 2HashDH. • C generates the private and public keys (k U , K U ) by k U ←$ Z m2 and K U ← g k U 2 for HMQV; gets S's public key K S and encrypts (k U , K S ) to c with the key rw (c ← Enc rw (k U , K s )); sends K U to S and sends c to D. • S generates the private and public keys (k S , K S ) by k S ←$ Z m2 and K S ← g k S 2 for HMQV; sends K S to C; stores K U and the share s S for 2HashDH.
) x+H 2 (X,K S )k U ) and outputs it. crypted by rw and the ciphertext is stored on the server. 3) During the authentication phase, the client reconstructs rw by running OPRF with the server, gets the keys in AKE by decrying c, and then runs AKE to establish the session key. Note that c is sent to the client by the server along with the messages of OPRF and AKE.
The details of OPAQUE are given in Fig. 5. Jarecki et al. [35] prove the security of OPAQUE in the Universally Composable (UC) Framework. This means that the execution of OPAQUE is indistinguishable from that of the ideal functionality F SaPAKE , i.e., the distinguishing advantage Adv dis HMQV,FSaPAKE is negligible. F SaPAKE only allows two inevitable attacks: 1) the online password guessing attack; 2) the offline password guessing attack in the case of server compromise. Therefore in the game G PAKE for PAKE, we have: where q is the number of online password guessing attacks.
2) Otherwise, where q is the number of offline password guessing attacks.
The security of OPAQUE requires the security of OPRF and AKE (with KCI resistance) as well as a random-key robust and equivocable authenticated encryption scheme. We briefly explain the properties required for the encryption: 1) Authentication. Authenticated encryption provides security against chosen ciphertext attacks as well as message integrity and confidentiality. It can be constructed on the top of an encryption scheme and a message authentication code (MAC). 2) Random-key robustness. This property means that it is difficult to construct a ciphertext c for two randomlygenerated keys k 1 , k 2 such that decrypting c using both k 1 , k 2 will not fail. Formally, for an arbitrary PPT attacker A, Pr is negligible. 3) Equivocability. This property means that the encryption of a message can be simulated by 1) first creating the ciphertext without knowing the plaintext and 2) then creating the key for the given plaintext. Formally, an arbitrary attacker A, there exists a simulator S such that the following two games are indistinguishable: a) The real game: A gives a message m, generates (k, m) by k ←$ {0, 1} l and c ← Enc k (m). b) The simulated game: A gives a message m, generates (k, m) by c ← S(|m|) and k ← S(m).

Fuzzy Extractor
To generate cryptographic key from biometric characteristic with information protection, several methods have been proposed, e.g., fuzzy vault [37], fuzzy extractor [16]. We choose the latter for our scheme since it provides stronger security. Fuzzy extractor generates a uniformly random key R and transforms the key to a helper string P based on a biometric input w as (R, P ) ← Gen(w) at initialization. A biometric input w which is close to w can extract the key R from P . Formally, if dis(w , w) ≤ t (t is a parameter), then Rep(w , P ) = R.
Fuzzy extractor guarantees that the helper string P does not leak information of the random key R as well as the biometric input w, maintaining data security and user privacy. In our scenario, the initialization and extraction can be done on the smartphone equipped with the biometric recognition sensor and storing the helper string P . In this paper, we do not review specific constructions of the fuzzy extractor, and the reader can refer to [16] for more details.

SECURITY MODEL FOR THRESHOLD MFAKE
Inspired by the CK-adversary model for AKE [38], [39], [40] and Jarecki et al.'s security model [13] for 2FA with a password and an auxiliary device, we propose a model for threshold MFAKE (T-MFAKE) supporting various types and various numbers of factors.
Protocol participants. There are several participants in T-MFAKE: a user U , a client C, one or multiple device(s) {D i } i∈I (where I is the index set), and a server S. The user U leverages a password pw, and the device(s) {D i } i∈I (maybe with biometrics) as factors for authentication.
Protocol execution and communication model. In the registration phase of a (t, n) T-MFAKE protocol Π, the user U registers the combination of the n authentication factors on the server S. This registration is assumed to be securely done. Take opening a bank account as an example, the registration can be done physically in the bank, which is regarded as secure execution. Note the user U does not register the client C, which means U does not leverage a fixed client and further may use different clients (e.g., public computers in libraries) in the authentication phase. This brings advantages to usability.
In the authentication phase of Π, the user U leverages t factors (usually containing the password and device(s) {D i } i∈I , where |I | = t − 1) to run Π with the server S. The communication between C and S is via a public channel. After successful authentication, both the server S and the client C accept each other, and meanwhile, a session key SK is securely established between them (note SK is unknown to the device(s) and the attacker). This session key usually is further used to build a secure channel between C and S. For this authentication, the server S and the device(s) D i (i ∈ I) need to generate and store long-lived secrets on themselves during the registration phase. But the client C is not allowed to store any long-lived secrets, since the user is allowed to leverage arbitrary clients for login (which may be different from the one used in the registration).
Besides, we assume there is an authenticated and secure channel between the client C and the device D i . For a smartphone as the device, the channel can be established by Bluetooth or other means (e.g., QR + Wi-Fi) proposed in [14]. Unlike our model, Jarecki et al. assume the communication between C and D is on a public channel but require a tbit Short Authenticated String (SAS) channel from C to D, where the message transmitted cannot be tampered by the attacker. This t-bit SAS channel assumption is suitable for some special devices embedded with a small LCD screen (e.g., RSA SecurID). But for smart devices (e.g., smartphones and smartwatches), we can directly assume an authenticated and secure channel between C and D i .
Our model enables the parties to parallel run different instances (also called sessions) of the protocol Π. This is important to capture the security of Π in the context of parallel running. We use P i to denote the i-th instance of a party P . Partnering instances. We use the session id (SID) to define the partnering of the instances. More specifically, each instance of C or S outputs a SID sid, a partner id (PID) pid with the session key SK when it accepts.
Definition 1 (Partnering). C i and S j are partners, if both of them accept with SID sid, sid and PID pid, pid , respectively and the following requirements hold: 1) C i and S j output the same SID sid = sid . This means their interaction transcripts are matching and the attacker does not launch active attacks.
2) C i outputs the PID pid = S and S j outputs the SID pid = C. This means they accept each other after a successful authentication.
Attacker ability. Since the channel between the client and the server is public, the attacker is allowed to fully control it. This means that the attacker can overhear, intercept, and synthesize any message on this channel (as being characterized in Dolev-Yao model).
Besides, the attacker is also allowed to corrupt any participants (except the user) of the protocol and fully control the participants. We here consider the strong corruption, i.e., when corrupting a participant, the attacker gets its longlived secrets and internal states (e.g., the random numbers if they are not be erased at the moment). Some studies only consider the weak corruption, where the attacker can only get the long-lived secrets without the internal states. We, in this paper, also cover this corruption. To distinguish these two types of corruptions, we use "Corrupt" to denote the strong corruption operator and "Compromise" for the weak one.
For the authentication factors, we also allow the attacker to compromise them. This modeling is to capture the cases where the attacker steals the factors, e.g., getting the password via shoulder surfing attacks. Security definition. Our security model is game-based, defining the security by a game within the attacker. The attacker's ability is formally modeled by means of queries and responses. The attacker tries to win the game by these queries, where the winning is defined to break the protocol. The protocol is (defined to be) secure, if arbitrary attackers cannot win the game with an advantage (or a probability) larger than a given bound.
For a T-MFAKE protocol Π, the attacker's goal is to compromise the established session keys, more specifically, obtaining any partial information about the session keys. Therefore, our game requires the attacker to distinguish the (real) session key and a random number (of the same length). If failing to tell the difference, then she knows nothing about the real session key, and otherwise, we say that she breaks Π.
In the following, we formally describe the game with the attacker's queries for the T-MFAKE protocol Π. In the game, the registration process of Π is executed first, then the attacker can make the queries: 1) Send(P, i, Q, M ): Execute Π as the instance P i of the party P getting the message M from Q, and respond the response message of P i to the attacker. Note that M can be a special message Init with Q =⊥. If M = Init, initialize P i and respond the first message(s) of P i to the attacker. 2) Reveal(P, i): If P i has accepted, then respond its session key. Otherwise, respond ⊥. Note that as mentioned before, the internal states and the long-lived secrets are given to the attacker. 5) Compromise(P, U ) (where P = S, D i , PW or Bio): Allow the attacker to get the long-lived secrets on P about U or directly steal U 's factors. 6) Test(P, i): If P i has accepted, flip a coin b. a) If b = 1, respond the (real) session key of P i ; b) If b = 0, randomly generate a number with the same length of the session key and respond the number. This query does not capture the attacker's ability. Instead, it is used to challenge the attacker to know the partial information about the real session key. Note that this Test(·, ·) query can only be made once. At the end of the game, the attacker A needs to output a guess b for the coin b. If and only if b = b, the attacker wins the game. The advantage of A is defined as Adv t-mfake Π (A) = |2 Pr[b = b] − 1|, and max advantage is denoted as Note that the attacker can trivially get the session keys of some instances, e.g., by making Reveal or Corrupt queries to the instances. Therefore, we only allow the attacker to Test a fresh instance, which is expected to be secure in our model. The freshness is formally defined as follows.

Definition 2 (Freshness). An instance P i is fresh, if
Reveal(P, i) and Reveal(Q, j) were not made, where Q j is the partner instance of P i (if it exists), and one of the following conditions holds: 1) None of the queries Corrupt(C), Corrupt(S), Compromise(S, U ) was made, and meanwhile at least one factor of the user is honest (not corrupted and not compromised).
2) The internal states of P i and Q j (if exists) are not compromised, and no rogue Send(P, i, Q, ·) queries were made.
The attacker can passively deliver the messages among the instances by the Send queries. She also can actively intercept and synthesize the messages. We say the Send queries in the second case are rogue.

Definition 3 (T-MFAKE). A (t, n) T-MFAKE Π is secure, if
for a uniform password distribution on a dictionary of size n, an arbitrary probabilistic polynomial time (PPT) attacker A, and the security parameter κ, the advantage of A is bounded as follows: 1) If t − 1 factors without the password are compromised (or corrupted): a) If S is not compromised, where, q C (resp. q S ) denotes the number of rogue Send(C, ·, S, ·) (resp. Send(D, ·, C, ·)) queries that the attacker made, negl(κ) denotes a negligible amount in κ. b) If S is compromised or corrupted, Here q S denotes the number of (offline) operators that the attacker made on S's long-lived secrets.
In the definition, we assume the password follows the uniform distribution for simplification. This can be naturally extended to an arbitrary password distribution. For a distribution with the cumulative probability function f , the terms 1 n (q C + q S ) and 1 n q S in the bounds should be f (q C + q S ) and f (q S ), respectively. Explanations of the bounds. In Case 2, a secure T-MFAKE protocol achieves the same security as a secure AKE protocol. Therefore, the bound is negligible as AKE security. In Case 1, the T-MFAKE protocol achieves the same security as a secure PAKE protocol. Specially, in Case 1a, the attacker can carry out an unavoidable online password guessing attack. If the attacker successfully guesses the password, then she gets the session key (to win the game). For each guess, the attacker needs to make a rough Send queries and has 1 n probability to guess the right password, which defines the security bound. In Case 1b, the attacker can launch an unavoidable offline password guessing attack. Similarly, for each offline guess, the attacker should do the corresponding offline operators, which gives the bound. 2FA security. To facilitate understanding the definition of T-MFAKE security, we here present the 2FAKE security degenerated from Definition 3. Note that in 2FAKE, there only exists one device denoted as D.
Definition 4 (2FA security). A 2FAKE protocol Π is secure, if for a uniform password distribution on a dictionary of size n, an arbitrary probabilistic polynomial time (PPT) attacker A, and the security parameter κ, the advantage of A is bounded as follows: 3) If only D and S are corrupted (or compromised), Here, q C , q S , q S are the same as in Definition 3.
This definition for 2FA security is similar to that given in [13]. If the attacker does not compromise D, then she cannot impersonate the user or the server except a negligible probability; otherwise, she inevitably can carry out online password guessing attacks (only one time per session) to perform impersonation with a non-negligible probability. Further, if D and S are compromised at the same time, the attacker inevitably can launch offline password guessing (as many times as she prefers to) to obtain the password plaintext with a non-negligible probability, so that she can impersonate the user with the password and D's long-term secret. Note she is also able to impersonate the server via the S's long-term secret. Support for fuzzy factors. In the above T-MFA security, we require each factor except the password can provide to a high-entropy cryptographic key, e.g., a smartphone (storing a cryptographic key). However, this does not work for fuzzy factors. The factors, in practice, may not have sufficient entropy and can be easily cracked like a simple password. More importantly, their readings may have some noise, which leads to false acceptances and false rejections (also called false positives and false negatives) with a small probability. Therefore, the security definition (more specifically, the security bound) must be revised to adapt fuzzy factors. Here we only consider one fuzzy factor. If there are multiple fuzzy factors, we will combine them into one factor with a smaller probability of false acceptances and false rejections (e.g., by multimodal machine learning for biometrics [41], [42]), instead of using them separately.

Definition 5 (T-MFAKE with a fuzzy factor)
. This definition is the same as Definition 3, except the modified security bounds. For a uniform password distribution on a dictionary of size n, a fuzzy factor with the min-entropy H min and the probability p false of false acceptances, an arbitrary PPT attacker A, and the security parameter κ, the advantage of A is bounded as follows: Here, q C , q S , q S are the same as in Definition 3, and p c is defined as follows: 1) If t − 2 factors without the password and the fuzzy factor are compromised (or corrupted): 2) If t − 1 factors without the password or the fuzzy factor or both are compromised (or corrupted): a) If the password is compromised but not the fuzzy factor: p c = 1 2 Hmin + p false . b) If the fuzzy factor is compromised but not the password: c) If none of the fuzzy factor and the password are compromised: Note that the fuzzy factor can be guessed as the password. We use the min-entropy H min to bound the probability of one guess for the fuzzy factor. Recall that the minentropy H min (X) of a random variable X is defined as , for x ∈ Range(X). For the fuzzy factor, the probability that a guess is correct is not more than 1 2 H min . Besides, there is a small probability p false of false acceptances. Therefore, the cracked probability of each guess is not more than 1 2 H min + p false . If compromising sufficient factors, the attacker can make online guessing for the password or the fuzzy factor or both to compromise the session keys. If the server is also corrupted, offline guessing becomes possible. We use p c to denote the cracked probability of one guess (for the password, the fuzzy factor or both if necessary). For guessing the password and the fuzzy factor, For guessing the password, For guessing the fuzzy factor, p c = 1 2 Hmin + p false . For guessing the password or fuzzy factor (since the attacker can choose one of them for guessing), If there are not enough factors that are compromised, the guessing attack cannot be carried out. In this case, we let With the above definition of p c , we complete all the security bounds for T-MFAKE with a fuzzy factor.

OUR THRESHOLD MFAKE PROTOCOL
In this section, we first propose an efficient T-MFAKE protocol and formally prove its security in our model.

A Variant of TOPRF
The main component of our T-MFAKE protocol is the TOPRF. We do not perform a direct use of the TOPRF but require its specific variant. Specifically, in the variant with n parties, running PRF needs a fixed party and arbitrary t − 1 parties from the rest (not arbitrary t parties).
This variant can be achieved by leveraging access structure schemes [43]. Access structure is generalized from the notion of threshold secret sharing. In the access structure, the party combinations for secret reconstruction can be freely specified. The only requirement is monotonicity, i.e., if a combination A can construct the secret, then any combination B including A can construct the secret. With an access structure scheme (e.g., [43]), setting our required party combinations can naturally construct a variant of TOPRF we need. However, this construction usually is inefficient. Instead, we use another method to achieve the required TOPRF variant. Informally, the fixed party holds half of the secret and each of the rest holds 1 t−1 of the other half secret. From this, we can use a (2, 2) secret sharing and a (t − 1, n − 1) secret sharing to construct the variant. Specifically, the secret key s of OPRF is divided to s 1 , s 2 by a (2, 2) secret sharing, and further s 2 is divided to {s 2i } n−1 i=1 by a (t−1, n−1) secret sharing; the fixed party holds s 1 , and each of the rest holds s 2i . To construct s for running PRF, s 1 is needed along with t − 1 shares in {s 2i } n−1 i=1 . Therefore, the constructed variant of TOPRF satisfies our requirement.

Our T-MFAKE
As shown in Fig. 6, our T-MFAKE protocol is built on the top of TOPRF and AKE. It works as follows.
1) The user/client first leverages the above variant of TOPRF to enhance the password pw to a cryptographic key rw (also called random password), with the server (as the fixed party) and arbitrary t − 1 devices. Note that the commutation between the client and the device is on a mutual-authenticated and secure channel. Fig. 6: Schematic diagram of our threshold MFAKE protocol 2) The user uses rw to decrypt the ciphertext c to get the keys k U , K S for AKE, where the ciphertext is stored on the devices and sent to the client.
3) The user runs AKE with the keys k U , K S with the server and outputs the session key of AKE, where k U is the private key of the user and K S is the public key of the server.
We use the 2HashTDH and HMQV to instantiate the TOPRF and AKE components. The details of our protocol are given in Fig. 7. With the instantiation, our T-MFAKE protocol only needs two commutation rounds by parallel running the TOPRF and AKE protocols. To make this point clear, we give the communication flows in Fig. 8.
Discussions on our design. The main challenge to achieve T-MFAKE security is to prohibit the password guessing attack as much as possible. A natural and potential way to achieve security is to leverage the technique of well-studied PAKEs (e.g., [34], [35], [36], [44]). In many PAKE protocols, we find the construction of OPAQUE [35], i.e., OPRF+AKE, is easily extended to T-MFAKE. In OPAQUE, the password is enhanced to a cryptographic key rw (in the OPRF part) and used for further authentication (in the AKE part). In our T-MFAKE protocol, we can further extend this enhancement by leveraging multiple devices to provide stronger security.
Informally, if less than t − 1 devices are corrupted or compromised, the cryptographic key rw cannot be reconstructed even with the password, and therefore the attacker cannot do further authentication. In this case, our T-MFAKE protocol is secure as the AKE protocol. If t − 1 devices are corrupted or compromised, our T-MFAKE protocol downgrades to OPAQUE (not precisely but closely). Therefore, in this case, our T-MFAKE protocol is secure as OPAQUE. More specifically, our T-MFAKE protocol only suffers from: 1) inevitable online password guessing attacks in the case where t−1 devices are corrupted or compromised; 2) offline password guessing attacks in the case where t − 1 devices are corrupted or compromised and meanwhile the server is corrupted or compromised.
Note that if we use original TORPF instead of our variant, then the attacker compromising t devices can offline run the PRF without the help of the server, and further can carry out offline password guessing. In contrast, using our TOPRF variant prohibits offline password guessing except the server is also corrupted or compromised. Parameter • All parameters in 2HashTDH (our variant) and HMQV. To distinguish these parameters, we add the subscript 1 and 2 to parameters in 2HashTDH and HMQV, respectively, if necessary. • An encryption scheme (Enc, Dec). Initialization • C generates the secret key s for 2HashTDH, generates the two shares s D , s S of s (s = s D + s S ), send s S to S; then generates shares s Di of s D by the (t−1, n−1) Shamir's secret sharing, and sends s Di to D i , respectively; calculates rw ← H 1 (pw, H 1 (pw) s ). • C generates the private and public keys (k U , K U ) by k U ←$ Z m2 and K U ← g k U 2 for HMQV; gets S's public key K S and encrypts (k U , K S ) to c with the key rw (c ← Enc rw (k U , K s )); sends K U to S and sends c to D i (1 ≤ i ≤ n − 1). • D i stores c and the share s Di for 2HashTDH. • S generates the private and public keys (k S , K S ) by k S ←$ Z m2 and K S ← g k S 2 for HMQV; sends K S to C; stores K U and the share s S for 2HashTDH.

Authentication
• C picks r ←$ Z m1 and calculates α ← H 1 (pw) r ; picks t − 1 devices with index set I; picks x ←$ Z m2 and calculates X ← g x 2 ; sends (U, X, α) to S and sends (U, S, α) to D i (i ∈ I).
• Getting (U, S, α) from C, D i calculates β Di ← α s D i and sends (β Di , c) to C. • Getting (U, X, α) from C, S picks y ←$ Z m2 and calculates Y ← g y 2 , β S ← α s S , SK ← H 2 ((XK Here, λ i is the Lagrange interpolation coefficient for i in I. Fig. 7: Our threshold MFAKE protocol.

Support for fuzzy factors.
Our T-MFAKE in Fig. 7 requires the password and n − 1 devices as the n authentication factors. It is not suitable for users who only have smartphones without other devices. A practical way to provide strong security is to leverage biometric characteristics as authentication factors.
To support fuzzy factors (including biometric factors), we leverage fuzzy extractor to convert the fuzzy factor to a cryptographic key R, and use R as one share in TOPRF. Therefore, the fuzzy factor can replace one device in the authentication phase.
Note that the reconstruction of R needs the helper string P and fuzzy input. Therefore, P should be stored on the devices. If one device is corrupted or compromised, the attacker can get the helper string, and try to reconstruct the key by guessing fuzzy input. Excepts that, our T-MFAKE with a fuzzy factor achieves the same security as the original version.

The Security of Our T-MFAKE Protocol
Since the security requirements of T-MFAKE are relatively complex, we will analyze the security step by step. Recall that 2FAKE and MFAKE are the special cases of T-MFAKE. Based on this, we first prove the security of our 2FAKE ((2, 2) T-MFAKE) protocol, then extend it for MFAKE and finally T-MFAKE.
Theorem 1. Our 2FAKE ((2, 2) T-MFAKE) protocol (with a password pw and a device D as factors) is secure as in Definition 3. Specifically: Proof. In the analysis, our 2FAKE protocol achieves different security bounds. We present the bound for each case, as we need to construct different games and reductions. Case I (D is not corrupted). As discussed above, if D is not corrupted, the attacker does not know extra information about the key in the AKE protocol. Following this intuition, we reduce the security of our 2FAKE to the security of the AKE protocol. The main process of proof is to 1) slightly modify the real attack game G 0 (for 2FAKE) to G 1 , and 2) reduce the game G AKE for AKE to G 1 .
Let G 1 simulate the messages of 2HashTDH without executing it. Specifically, G 1 is the same as G 0 except the following: 1) When C i is initializing (getting Send(C, i, ⊥, Init)), pick α ←$ G and send it to the attacker as aimed at S. Meanwhile run HMQV. 2) When getting Send(C, i, S, β), check if β = α s S . If not, abort C i , otherwise, run HMQV. G 0 and G 1 are indistinguishable except β = α s S but C i does not abort. This only happens in G 0 when (the incorrect) β yields to the correct rw (a hash collision) or a successful decryption of c (breaking the authentication). Therefore, . Then we extend the game G AKE for AKE to G 1 by simulating 2HashTDH (as above) and do the reduction to the AKE security. Leveraging the attacker A for G 1 , we can naturally construct an attacker A for G AKE . A is the same as A except the 2HashTDH part: 1) If A makes Send(C, i, S, (U, X, α)) query, then A makes Send(C, i, S, (U, X)) query.
2) If A makes Send(S, j, C, (Y, β S )) query, then A makes Send(S, j, C, (U, Y )) query. If A wins in G 1 , then A will win in G AKE . Therefore,

Adv t-mfake
Our2FAKE (A) ≤ Adv ake HMQV + q C ( 1 2 κ + Adv auth Enc ). Case II (D is corrupted). If D is corrupted, our 2FAKE protocol is downgraded to OPAQUE. Based on this idea, we reduce the security of our 2FAKE to the security of the PAKE protocol. The main process of proof is to 1) modify the real attack game G 0 (for 2FAKE) to G 1 , and 2) slightly reduce the game G PAKE for PAKE to G 1 . The process is similar to that of the first case, but the constructed game G 1 and the reduction are totally different.
We modify G 0 to G 1 by slightly changing the query to H. G 0 and G 1 are the same except: 1) If (x, y) is queried for H (by A or participants), return H(x, y/H (x) s D ). Since both H and H are random oracles, G 0 and G 1 are totally indistinguishable. Therefore, Then we extend the game G PAKE for PAKE to G 1 and do the reduction to the PAKE security. Specifically, G PAKE is extended to G 1 by simulating the interaction of C and D as follows: 1) If (U, X, α) aimed at S is responded to the attacker in G PAKE , then respond the same message as well as (U, S, α) aimed at D in G 1 . Leveraging the attacker A for G 1 , we construct an attacker A for G PAKE which is the same as A except the following case: 1) If A makes Send(S, j, C, (Y, β S )) query and sends (β D , c) to C as the corrupted D, then A makes Send(S, j, C, (Y, β S β D /α s D , c)) query. Note that C i does the same calculation in G 0 with A as in G PAKE with A . More specifically, Adv t-mfake Our2FAKE (A) ≤ Adv pake OPAQUE . Due to the PAKE security of OPAQUE, Adv pake OPAQUE is bounded as explained in Section 3.3 (in the cases where S is corrupted or not). This gives the corresponding bounds for our 2FAKE protocol in these two cases. Note that for an online password guess, the attacker needs to make a rough Send(C, ·, S, ·) or Send(D, ·, C, ·) query, therefore, q ≤ q C + q S ; for an offline password guess, the attacker needs to make an offline operator on S's long-lived key as well as an operator on D's key, therefore, q ≤ min{q C , q S }. Theorem 2. Our MFAKE ((n, n) T-MFAKE) protocol (without fuzzy factors) is secure as in Definition 3.
Our MFAKE protocol is the same as our 2FAKE variant, except a single device is expanded to multiple. If at least one device in MFAKE is honest, then the attacker cannot carry out effective attacks. Informally, the corruption of the device in 2FAKE corresponds to the corruption of all devices here. The proof for Theorem 2 can easily make use of the analysis result from Theorem 1, we thus omit it. Theorem 3. Our MFAKE ((n, n) T-MFAKE) protocol (with a fuzzy factor) is secure as in Definition 5.
Proof. Due to the security of the fuzzy extractor, the cryptographic key can only be reproduced from the fuzzy input. Therefore, without the (right or close) fuzzy input, the attacker cannot get the random password and fail to distinguish the real session key with a random number. Besides, the attacker only has as most 1 2 H min + p false probability to reproduce the key ( 1 2 H min for guessing the correct input, p false for the false acceptance). Consequently, we can achieve the corresponding bound in Definition 3.
In the following, we give a formal analysis. In the cases where one device factor is not compromised or corrupted, the proof is trivial. In the cases where the biometric factor is compromised or corrupted, the proof is similar to that for Theorem 2. We only consider other cases.
Let G 0 be the real attack game. G 1 is the same as G 0 except that the helper string P generated by a randomlygenerated key R (not the right one R used in TOPRF) is given to the attacker instead of the real helper string P . Therefore, G 0 and G 1 are indistinguishable, except the attacker reproduces the right key R, reconstructs rw and further uses rw to decrypt c. If the password is compromised, then the probability of reconstruction is not more than p c = 1 2 Hmin + p false for each guess. Otherwise, the attacker has to guess the password as well as the fuzzy input, therefore the probability of reconstruction is not more than p c = 1 n ( 1 2 Hmin + p false ) for each guess.
In the case where S is not corrupted, each guess requires at least one (usually several) Send(C, ·, S, ·) or Send(C, ·, S, ·) query. Therefore, we have In the case where S is corrupted, each guess requires at least one (usually several) offline operation on S's and on D's long-lived secrets. Similar to the above reasoning, we have Adv t-mfake OurMFAKE2 (A) ≤ p c q S + negl(κ). Therefore, our MFAKE is secure as in Definition 5.

Theorem 4.
Our T-MFAKE without (or with) a fuzzy factor meets the requirements in Definition 3 (or 5).
The analysis for our (t, n) T-MFAKE is also similar to that for our (t, t) T-MFAKE (with or without a fuzzy factor). We omit it here.

Extensions for Refreshment and Anonymity
Refreshment. Besides the advantages of usability, our T-MFAKE also brings benefits to security by the refreshment. Refreshment is a mechanism that periodically refreshes the shares in the threshold context to avoid massive (t) shares being compromised over time. If the attacker does not compromise t shares in the current period, then it needs to re-compromise them in the next period.
In our T-MFAKE, we refresh the secret keys in TOPRF without the password and updates the ciphertext c without changing the private key k U . Specifically, the refreshment is designed as follows: 1) The client C generates a new secret key s in TOPRF and each shares s i of s , sends the shares to the corresponding parties; calculates rw ← H 1 (pw, H 1 (pw) s ), and encrypts k U , K S with rw to c ; sends c to the device(s).
2) The server S updates its share with the new one s n .
3) The device D i updates its share and the ciphertext with the new ones s i and c . As well as to resist (factor) compromise by periodic executions, this refreshment can be used to revoke lost devices by active executions. The user only needs to refresh the keys without the lost devices like the above process.
Note that we do not require the user to change the password, which will bring an extra burden on memory and cannot achieve expected security (for instance, a new password is just slightly modified from the old one [21]). Anonymity. In some scenarios (e.g., secret ballot), parties may choose to hide their usernames to protect privacy. We should provide user anonymity so that: 1) the attacker cannot identify the user ID in a session.
2) the attacker cannot tell if two sessions correspond to the same user. Our 2FAKE and MFAKE do not provide anonymity like OpTFA [13], since our protocols directly send the username on the public channel. A trivial way to achieve user anonymity is to establish a server-authenticated secure channel first and then run our protocol on the channel. This requires a public key of the server to establish this channel, which can be stored on the device(s). However, this method requires two extra communication rounds.
For our design, there is a faster and simpler way to achieve anonymity -encrypting the username by a probability public encryption scheme (e.g., ElGamal). With the encryption, the username is only known by the server and two ciphertexts of the same username are different. Therefore, the attacker cannot extract any information about the username from that. Besides, the attacker cannot extract any information about or linked to the username from the other transmitted messages (as they are all random numbers). This method will only slightly require the encryption and decryption operations of the public encryption scheme without an extra round for communication.

Discussions on Security
Since our T-MFAKE protocol is secure as in Definition 3 or 5, it can resist ephemeral secret leakage, replay, man-in-themiddle, impersonation and privileged-insider attacks. Here we briefly present some discussions on these attacks and our design.  Ephemeral secret leakage attacks. The main component of our design, HMQV [33], can resist the attacks, and the protocol benefits from this security feature. More specifically, for the session key ) x+H 2 (X,K S )k U ) (calculated by the client) in HMQV, if the attacker gets the ephemeral secret x, she cannot calculate SK without the private key k U . So the session key SK is safe. Even if capturing both x and SK, the attacker cannot calculate the private key k U except breaking the hash function and solving the discrete logarithm problem. Thus, the keys of other sessions are kept safe. Further, if the attacker compromises the longterm secret k U , these sessions without leaking the ephemeral secrets are still safe. Replay attacks. For each session, the client is able to randomly choose an ephemeral exponent as well as the server, so that the attacks cannot be carried. Impersonation attacks. As we proved previously, our protocol can resist impersonation attacks in arbitrary cases except the two trivial ones: 1) impersonating the user by compromising the user's t − 1 factor and the password (where the password may be captured by online/offline guessing attacks); and 2) impersonating the server by compromising the server's long-term secret. In normal (but not exceptional) cases, without at least t − 1 factor and the password, the attacker cannot impersonate the user to run TOPRF and therefore cannot execute SaPAKE to calculate the session key. Similarly, without compromising the server's long-term secret, the attacker also cannot obtain the session key by executing SaPAKE (as the server does). Man-in-the-middle attacks. Based on our analysis on the impersonation attacks, the attacker can only launch man-inthe-middle attacks by compromising the credentials of both the user and the server. Privileged-insider attacks. In the registration phrase, the user generates the shares of TOPRF and the private key on the client, but the server does not know the devices' shares of TOPRF and the user's private key. Thus, our protocol can resist privileged-insider attacks.

Automated Security Analysis with AVISPA
We leverage an automated validation tool, AVISPA (Automated Validation of Internet Security Protocols and Applications), to evaluate the security of our protocol. AVISPA can automatically check if a given protocol achieves the target security goals via running the protocol. It also can investigate potential security risks and further provide the attacking paths to help improve the protocol. Due to the advantages, it has been widely used in the study on authentication protocols [45], [46], [47].
We first describe our protocol and the security goals in High Level Protocol Specification Language (HLPSL), and then run AVISPA with two back-ends, namely CL-AtSe and OFMC. The analysis results, shown in Fig. 9, confirm that our protocol meets the security requirements.

IMPLEMENTATION AND PERFORMANCE
We implement our protocol and evaluate its performance on computation and communication. Here, we only implement a (2, 2) variant of our protocol. We note the (t, n) protocol only requires extra computation and communication cost (among extra devices), but does not increase the total running time of the protocol due to the parallel running.

Implementation Details
Participant. We need the following three parties in the implementation.
1) The server S in a Docker container running on a remote server in Alibaba Cloud. The Docker container is assigned with 2 CPUs (Intel Core i5-7300HQ CPU @ 2.50Hz 2.50Hz) and 2.0GB memory. In the container,   2 The communication on the two channels is run parallel in our protocol, but not in OpTFA. 3 The client stores nothing, but the user needs to memorize the password.
Computation. The client, server, and device leverage SJCL, OpenSSL 1.1.1g, and javax.crypto to support the cryptography algorithms, respectively. To instantiate cryptography algorithms, we use SHA-256 for the hash operator, HMAC-SHA256 for HMAC, AES for symmetric encryption, Encrypt-then-MAC with AES and HMAC-SHA256 for authentication encryption, and NIST P-256 for exponentiation. Storage. The user needs to remember the password, while the client does not store anything. Each device stores its shares of TOPRF and the ciphertext (of the user's private key and the server's public key). The server stores the shares of TOPRF, its private key and the user's public key. Note that we use the compressed form to represent an ECC point without the first 8 bits (0x04) indicating the compressed form [48]. User operations. A user first enters the username and the password on a PC -more specifically, on the web page of the server shown in the browser. Then he clicks the login button on the page, and gets a notice from the smartphone. After approving the login via a click on the APP installed on the smartphone, the user can log in the server.

Performance Evaluation
To present a fair and comprehensive performance evaluation, we run our protocol 1,000 times along with OpTFA for comparison (although there are some other MFA protocols, none of them achieve the strong security defined in this paper). Note that we here directly simulating the computation cost and ignore the cost a user spends in information entering and button clicking. Fig. 10 shows the time cost for each experiment while Table 2 gives us a general picture of the average values. The experimental results show that our protocol achieves a significant improvement in efficiency as compared to OpTFA -138.25% and 148.49% faster on communication and computation, respectively. Besides, our storage cost is quite close to that of OpTFA -512 bits less cost on the server, and just 128 bits more on the device. From the experimental results, we conclude that our protocol is efficient and practical enough for real-world applications.

CONCLUSION
We propose a new notion of (t, n) threshold multiple-factor authentication (T-MFA), allowing users to autonomously choose t at-hand factors out of n for authentication. It brings advantages to usability and security. We also construct a T-MFA key exchange protocol and prove that it achieves the highest attainable security. Our protocol only requires 4 + t exponentiations, 2 multi-exponentiations and 2 communication rounds. Via the implementations and experiments, we show that our design is fast, secure and practical in the real-world applications.