Thesis Context-aware multifactor authentication for the augmented human HUSEYNOV, Emin Abstract Multi-factor authentication is currently one of the de-facto standards for systems requiring strong security. In most of the cases, multi-factor authentication is rather complex and not very user-friendly, as it requires additional steps as far as end-users are concerned: e.g. with two-factor authentication, in addition to entering a username and a password (usually considered as a first factor), users need to manually enter an additional code (second factor) that they either receive by text messages, look up in a previously printed list of passwords or generated by a hardware or software token. An extensive review of potential security risks that multi-factor authentication is capable of mitigating is a significant part of this thesis. The thesis will review phishing as one of the biggest end-user targeted attacks and describe the security risks as well as modern methods of such attacks that can potentially lead to theft of sensitive data, such as user credentials, passwords and/or credit card information. The main purpose of this research is to review existing multi-factor authentication systems, primarily in corporate [...] Reference HUSEYNOV, Emin. Context-aware multifactor authentication for the augmented human. Thèse de doctorat : Univ. Genève, 2020, no. SdS 149 URN : urn:nbn:ch:unige-1358289 DOI : 10.13097/archive-ouverte/unige:135828 Available at: http://archive-ouverte.unige.ch/unige:135828 Disclaimer: layout of this document may differ from the published version. 1 / 1 Context-Aware Multi- factor Authentication for the Augmented Human THÈSE présentée à la Faculté des sciences de la société de l’Université de Genève par Emin Huseynov sous la codirection de Dr. Jean-Marc Seigneur, Prof. Giovanna Di Marzo Serugendo pour l’obtention du grade de Docteur ès sciences de la société mention Systèmes d’information Membres du jury de thèse: Prof. Jean-Henry Morin (Président du jury), CUI, Université de Genève Dr. Jean-Marc Seigneur (Co-directeur de thèse), CUI, Université de Genève Prof. Giovanna Di Marzo Serugendo (Co-directrice de thèse), CUI, Université de Genève Prof. Sviatoslav Voloshynovskiy, CUI, Université de Genève Prof. Alessandro Aldini, Information Science and Technology Institute, University of Urbino Thèse no 149 Genève, 12 05 2020 ii Context-Aware Multi-factor Authentication for the Augmented Human La Faculté des sciences de la société, sur préavis du jury, a autorisé l’impression de la présente thèse, sans entendre, par-là, émettre aucune opinion sur les propositions qui s’y trouvent énoncées et qui n’engagent que la responsabilité de leur auteur. Genève, le 14 05 2020 Le doyen Bernard DEBARBIEUX Impression d'après le manuscrit de l'auteur Résumé iii Table of Contents Résumé .......................................................................................................... viii Abstract ............................................................................................................ xi Acknowledgements ........................................................................................ xiii Acronyms ........................................................................................................ xiv Publications ..................................................................................................... xv Chapter 1. Introduction ............................................................................... 1 1.1 Purpose of this research .......................................................................... 1 1.2 Risks overview ......................................................................................... 1 1.3 Context definitions ................................................................................... 1 1.4 Organization of This Thesis ..................................................................... 2 Chapter 2. Research framework ................................................................ 3 2.1 Research flow model ............................................................................... 6 2.2 Gap analysis ............................................................................................ 6 2.3 Validation framework ............................................................................... 7 2.4 Solutions implementation principles ........................................................ 8 2.5 Potential security risks overview .............................................................. 9 2.5.1 Introduction .......................................................................................... 9 2.5.2 Background .......................................................................................... 9 2.5.2.1 Targeting victims: phishing or spear phishing ................................. 9 2.5.2.2 Phishing email – reaching the victim ............................................. 10 2.5.2.3 Attacks using network equipment .................................................. 10 2.5.2.3.1 Free Wi-Fi networks with Fake captive portals .......................... 10 2.5.2.3.2 Modem and routers exploits ...................................................... 11 2.5.2.4 Phishing page – the final destination ............................................. 11 2.5.3 Anatomy of a phishing page .............................................................. 11 2.5.3.1 The URL ........................................................................................ 12 2.5.3.2 Long subdomains technique .......................................................... 13 2.5.3.3 Homograph attack ......................................................................... 14 2.5.3.4 “Secure” phishing........................................................................... 14 2.5.3.5 Tools for phishing attacks .............................................................. 15 2.5.4 Summary ........................................................................................... 17 Chapter 3. Review of existing MFA systems ............................................ 18 3.1 TOTP algorithm and implementation overview ..................................... 18 3.2 Classic multi-factor authentication systems and solutions .................... 20 3.2.1 Hardware tokens................................................................................ 20 3.2.2 Software tokens ................................................................................. 22 3.2.3 Alternative types of strong authentication ......................................... 24 3.2.3.1 SMS based strong authentication .................................................. 25 3.2.3.2 Paper based MFA systems ........................................................... 25 3.2.3.2.1 PMFA Concept .......................................................................... 27 3.3 Modern multi-factor authentication systems and solutions ................... 30 3.3.1 Programmable tokens: a compromise between software and hardware tokens 30 3.3.1.1 Programmable tokens provisioning guide sample ......................... 33 iv Context-Aware Multi-factor Authentication for the Augmented Human 3.3.1.2 Programmable tokens vs classic tokens – user self-service aspect 37 3.3.2 Solutions based on static or pseudo-dynamic context ...................... 40 3.3.3 Dynamic Context ............................................................................... 42 3.3.4 Bluetooth Low Energy based solutions ............................................. 42 3.3.5 Wi-Fi based solutions ........................................................................ 43 3.3.6 Sound as a context ............................................................................ 43 3.4 Review of existing solutions and gap analysis ...................................... 45 Chapter 4. Our New MFA Solutions ......................................................... 48 4.1 Review of the improvement areas ......................................................... 48 4.2 Beacon AuthPath - Augmented Human Path Authentication ................ 49 4.2.1 Introduction ........................................................................................ 49 4.2.2 Related Work ..................................................................................... 49 4.2.3 Beacon Authpath Model .................................................................... 50 4.2.3.1 “Beacon AuthPath” with standard beacons ................................... 50 4.2.3.2 “Beacon AuthPath” with “smart” beacons ...................................... 51 4.2.4 Beacon Authpath Prototype Implementation and Validation ............. 53 4.2.5 Summary ........................................................................................... 54 4.3 Physical presence verification using TOTP and QR codes ................... 54 4.3.1 Introduction ........................................................................................ 54 4.3.2 Concept ............................................................................................. 54 4.3.3 Implementation .................................................................................. 55 4.3.4 Proof-of-concept device ..................................................................... 55 4.3.5 Summary ........................................................................................... 56 4.4 WifiOTP: Pervasive Two-Factor Authentication Using Wi-Fi SSID Broadcasts ............................................................................................................
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages126 Page
-
File Size-