Convenient One-, Two- and Three-factor Authentication for Mobile Devices

Authentication methods used today on mobile devices are both inconvenient and insecure.

Ordinary passwords are difficult to type on small touch-screen displays that require switching keyboards for entering digits or punctuation. They provide even less security on mobile devices than on desktops or laptops. Due to the difficulty of typing on mobile keyboards, each character is prominently displayed after it is typed, circumventing the security provided by password input boxes that displays dots in lieu of characters. And users are motivated to choose shorter and simpler passwords, which have less entropy.

One-time passwords are often used on mobile devices due to the lack of security of ordinary passwords. Authenticating with a one-time password requires entering a PIN, obtaining the one-time password from a hard token, a soft token, a text message, or an email message, and entering the one-time password. This is a very cumbersome procedure. A one-time password is a two-factor authentication method, and is thus more secure than an ordinary password. But they have limited entropy, and they can be replayed within a time-window of several minutes. An attacker who observes or intercepts a one-time password has several minutes during which he or she can use it to log in as the legitimate user.

Social login avoids some of the inconvenience of ordinary and one-time passwords by outsourcing authentication to a social network. If the user is already logged in to the social network, he or she does not have to enter a password again. Current standards for social login are a mess, as I said in the previous post, and as confirmed by the recent resignation of the editor of the OAuth protocol. In the previous post I linked to a white paper where we propose a better social login protocol, SAAAM, well suited for mobile devices.

But while social login is useful in some cases, it is not always appropriate. There is no reason why applications should always rely on social networks to authenticate their users, or why a user should have to surrender his or her privacy to a social network in order to authenticate to an unrelated application. Also, social login does not completely solve the authentication problem, since the user still has to authenticate to the social network.

So there is a need for good authentication methods on mobile devices that do not rely on a third party. We have just written a white paper proposing one-, two- and three-factor authentication methods for mobile devices that provide strong security and are more convenient to use than ordinary or one-time passwords. They are particularly well suited for enterprise use, but are suitable for consumer use as well.

The proposed authentication methods are based on public key cryptography, but they are easy to implement and deploy. They are easy to implement because all cryptography is encapsulated in black boxes, so that developers do not have to program any cryptographic operations. They are easy to deploy because they avoid the use of certificates and do not require a public-key infrastructure.

In our one-factor authentication method the user does not have to provide any input. The device authenticates by demonstrating knowledge of a private key. A hash of the associated public key is stored in a device record, which is linked to a user record in an enterprise directory or user database.

In our two-factor authentication method, the user provides a PIN, which is used to regenerate the key pair. Because any PIN results in a well-formed key pair, the user’s PIN is not exposed to an exhaustive offline guessing attack by an attacker who steals the mobile device, opens it, and reads its persistent memory.

In our three-factor authentication method, the user provides a PIN and a biometric such as an iris scan. No biometric template is stored in the mobile device. Instead, the device contains an auxiliary string that is used in conjunction with the biometric to provide a biometric key. The biometric key is used to regenerate the key pair. The auxiliary string is encrypted by the PIN for additional security.

8 thoughts on “Convenient One-, Two- and Three-factor Authentication for Mobile Devices”

  1. 2-Factor Authentication wins every day. I feel suspicious when I am not asked to telesign into my account by way of 2FA, it just feels as if they are not offering me enough protection. Just the fact that we are still living in a password world is annoying. Almost everything is still only password protected. But ultimately the fact is passwords (strong or not) do not replace the need for other effective security control.

  2. Great insights Francisco….still the most popular way is password, the world is moving towards Oauth and openid with social logins. Article really provided some good food for thought..

      1. Ankur, social login does not solve the password problem. Today, social networks require a password to log in. So, after being redirected to the social network, you still have to log in with a password if you are not logged in already. And asking for a password after a redirection increases the risk of phishing attacks. The method we are proposing in this blog post uses public key cryptography instead of a password for authentication. (A PIN or password can be used as an additional authentication factor.) The method could actually be used by social networks to improve the security of social login on a mobile device.

        1. Francisco, I got your idea but don’t you think that users are already reluctant with the registration process will prefer an additional step here. But it will be of great help where the security is of importance and your method can really be helpful for social media companies for sure.

          1. Ankur, I’m afraid I don’t understand your comment. Some word seems to be missing in the first sentence. And it’s not clear what additional step you are referring to. Can you clarify?

          2. Francisco what I was refer to is the growing acceptance of Open ID, Oauth and social login because the users are not willing to register to all the websites and keep track of their IDs. But i really liked your idea of authentication and really feel that it should be included atleast by all social id providers in their authentication process :)…Hope this clarifies and apologies for creating confusion

  3. More options have seen the light of day since this article was created. OTP codes sent by SMS messages are considered the weakest option. The next strongest method is using an authentication app or hardware token, and alternatively FIDO keys may be used (U2F or FIDO2 keys).

Leave a Reply to Ankur Sharma Cancel reply

Your email address will not be published.