280 research outputs found

    Account Recovery Methods for Two-Factor Authentication (2FA): An Exploratory Study

    System administrators have started to adopt two-factor authentication (2FA) to increase user account resistance to cyber-attacks. Systems with 2FA require users to verify their identity using a password and a second-factor authentication device to gain account access. This research found that 60% of users only enroll one second-factor device to their account. If a user’s second factor becomes unavailable, systems are using different procedures to ensure its authorized owner recovers the account. Account recovery is essentially a bypass of the system’s main security protocols and needs to be handled as an alternative authentication process (Loveless, 2018). The current research aimed to evaluate users’ perceived security for four 2FA account recovery methods. Using Renaud’s (2007) opportunistic equation, the present study determined that a fallback phone number recovery method provides user accounts with the most cyber-attack resistance, followed by system-generated recovery codes, a color grid pattern, and a graphical passcode. This study surveyed 103 participants about authentication knowledge, general risk perception aptitude, ability to correctly rank the recovery methods in terms of their attack resistance, and recovery method perceptions. Other survey inquiries related to previous 2FA, account recovery, and cybersecurity training experiences. Participants generally performed poorly when asked to rank the recovery methods by security strength. Results suggested that neither risk numeracy, authentication knowledge, nor cybersecurity familiarity impacted users’ ability to rank recovery methods by security strength. However, the majority of participants ranked either generated recovery codes, 39%, or a fallback phone number, 25%, as being most secure. The majority of participants, 45%, preferred the fallback phone number for account recovery, 38% expect it will be the easiest to use, and 46% expect it to be the most memorable. However, users’ annotative descriptions of their recovery method preferences revealed that users are likely to disregard the setup instructions and use their own phone number instead of an emergency contact number. Overall, this exploratory study offers information that researchers and designers can deploy to improve users’ 2FA and 2FA account recovery experiences.

    Securing Heterogeneous Wireless Sensor Networks: Breaking and Fixing a Three-Factor Authentication Protocol

    Heterogeneous wireless sensor networks (HWSNs) are employed in many real-time applications, such as the Internet of sensors (IoS), the Internet of vehicles (IoV), healthcare monitoring, and so on. As wireless sensor nodes have constrained computing, storage and communication capabilities, designing energy-efficient authentication protocols is a very important issue in wireless sensor network security. Recently, Amin et al. presented an untraceable and anonymous three-factor authentication (3FA) scheme for HWSNs and argued that their protocol is efficient and can withstand the common security threats in this sort of network. In this article, we show how their protocol is not immune to user impersonation, de-synchronization and traceability attacks. In addition, an adversary can disclose the session key under the typical assumption that sensors are not tamper-resistant. To overcome these drawbacks, we improve Amin et al.'s protocol. First, we informally show that our improved scheme is secure against the most common attacks in HWSNs, including the attacks that succeed against Amin et al.'s protocol. Moreover, we formally verify our proposed protocol using the BAN logic. Compared with Amin et al.'s scheme, the proposed protocol is both more efficient and more secure, which renders the proposal suitable for HWSNs.

    This work was partially supported by the MINECO grant TIN2016-79095-C2-2-R (SMOG-DEV—Security mechanisms for fog computing: advanced security for devices); and by the CAM grant S2013/ICE-3095 (CIBERDINE: Cybersecurity, Data, and Risks).

    Password-less two-factor authentication using scannable barcodes on a mobile device

    Currently, passwords are the default method used to authenticate users. As hardware continues to advance in speed, breaking these passwords becomes easier. The traditional solution to this problem is ever-increasing password complexity and two-factor authentication. However, users become strained under overly complex login systems and often circumvent them. Two-factor authentication also adds to this complexity, and many forms of two-factor authentication are inherently insecure. In answer to these problems, this project proposes a password-less multi-factor authentication system which leverages tried-and-proven existing technologies: asymmetric cryptography, digital signatures, and biometric authentication. Simulated user testing shows promising results, suggesting that registration can be completed in just over thirty seconds, and authentication in just over two seconds. An analysis of this project’s possible attack vectors, the preventative steps taken, and their solutions in potential future research are also discussed.

    Modeling of the user’s identification security system of on the 2FA base

    The article describes methods of user identification using authentication based on a second factor. Known algorithms and protocols for two-factor authentication are considered. An algorithm is proposed that uses mobile devices as identifiers and generates a temporary password based on the hash functions of encryption standards. For an automated control system, a two-factor authentication model and a sequential algorithm for generating a temporary password using these functions have been developed. The implementation of the system is based on the Node.js software platform using the JavaScript programming language, as well as frameworks and connected system libraries. MongoDB, an open-source database management system, was used for information storage and processing.

    Two-factor Authentication in Smartphones: Implementations and Attacks

    Two-factor authentication is the method of combining two so-called authentication factors in order to enhance the security of user authentication. An authentication factor is defined as “something the user knows, has or is”. Something the user knows is often the traditional username and password, something the user has is something that the user is in physical possession of, and something the user is is a physical trait of the user, such as a biometric. Two-factor authentication greatly enhances security attributes compared to traditional password-only methods. With the advent of the smartphone, new convenient authentication methods have been developed in order to take advantage of the versatility such devices provide. However, older two-factor authentication methods such as sending codes via SMS are still widely popular and, in the case of the smartphone, open up new attack vectors for criminals to exploit by creating malware that is able to gain control over SMS functionality. This thesis explores, discusses and compares three distinct two-factor authentication methods used in smartphones today in terms of security and usability. These are mTAN (mobile Transaction Authentication Number), TOTP (Time-based One-Time Password algorithm) and PKI (Public Key Infrastructure). Both practical and theoretical attacks against these methods are reviewed with a focus on malicious software, and the advantages and disadvantages of each method are presented. An in-depth analysis of an Android smartphone SMS-stealing trojan is done in order to gain a deeper understanding of how smartphone malware operates.

    0E2FA: Zero Effort Two-Factor Authentication

    Smart devices (mobile devices, laptops, tablets, etc.) can receive signals from different radio frequency devices that are within range. As these devices move between networks (e.g., Wi-Fi hotspots, cellphone towers, etc.), they receive broadcast messages from access points, some of which can be used to collect useful information. This information can be utilized in a variety of ways, such as to establish a connection, to share information, to locate devices, and to identify users, which is central to this dissertation. The principal benefit of a broadcast message is that smart devices can read and process the embedded information without first being connected to the corresponding network. Moreover, broadcast messages can be received only within the range of the wireless access point that sends the broadcast, thus inherently limiting access to only those devices in close physical proximity, which may facilitate many applications that are dependent on proximity. In our research, we utilize data contained in these broadcast messages to implement a two-factor authentication (2FA) system that, unlike existing methods, does not require any extra effort on the part of the users of the system. By determining if two devices are in the same physical location and sufficiently close to each other, we can ensure that they belong to the same user. This system depends on something that a user knows, something that a user owns, and—a significant contribution of this work—something that is in the user’s environment.