A Formal Analysis of the FIDO UAF Protocol

Feng, Haonan; Li, Hui; Pan, Xuesong; Zhao, Ziming

doi:10.14722/ndss.2021.24363

Cited by 24 publications

(20 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Fast IDentity Online (FIDO) FIDO is a piece of authentication technology that improves original hardware-based solutions by using the mathematics of public-key cryptography. It supports multi-factor authentication and public key cryptography, where universal second-factor authentication (U2F), the universal authentication framework (UAF), and the client-to-authenticator protocol (CTAP) protocols are developed [61,62].…”

Section: Biometric Fingerprintmentioning

confidence: 99%

“…It offers convenience, scalability, universality, persistence and uniqueness, and it improves user experience and performance. FIDO also provides a uniform user login experience; mitigates phishing attacks, sniffing attacks, replay attacks, and MITM attacks; and creates a secure communication channel between the application server and the users using public-key cryptography [62,[68][69][70][71].…”

Section: Biometric Fingerprintmentioning

confidence: 99%

“…Provides secure and efficient authentication: The proposed multi-factor authentication algorithm uses a PIN, OTP, and biometric fingerprint. The security of the PIN and OTP are ensured by SHA-256 and the biometric fingerprint by FIDO, which provides secure and robust authentication [14,17,46,62,63,65,[68][69][70][71]. Besides, using a mobile money agent's secure QR code in authorizing money withdrawal guarantees authenticity [81,83].…”

Section: Security Analysismentioning

confidence: 99%

“…The generated public key is encrypted and sent to the online FIDO database associated with the user's mobile money account and saved in a Keystore. The private key and biometric templates are encrypted and stored in the smartphone's cryptographic Keystore and smartphone [20,62,[68][69][70][71]. Moreover, integrating a secure QR code in mobile money agent authorization helps prevent phishing attacks [77].…”

Section: Security Analysismentioning

confidence: 99%

See 3 more Smart Citations

A Secure and Efficient Multi-Factor Authentication Algorithm for Mobile Money Applications

2021

View full text Add to dashboard Cite

With the expansion of smartphone and financial technologies (FinTech), mobile money emerged to improve financial inclusion in many developing nations. The majority of the mobile money schemes used in these nations implement two-factor authentication (2FA) as the only means of verifying mobile money users. These 2FA schemes are vulnerable to numerous security attacks because they only use a personal identification number (PIN) and subscriber identity module (SIM). This study aims to develop a secure and efficient multi-factor authentication algorithm for mobile money applications. It uses a novel approach combining PIN, a one-time password (OTP), and a biometric fingerprint to enforce extra security during mobile money authentication. It also uses a biometric fingerprint and quick response (QR) code to confirm mobile money withdrawal. The security of the PIN and OTP is enforced by using secure hashing algorithm-256 (SHA-256), a biometric fingerprint by Fast IDentity Online (FIDO) that uses a standard public key cryptography technique (RSA), and Fernet encryption to secure a QR code and the records in the databases. The evolutionary prototyping model was adopted when developing the native mobile money application prototypes to prove that the algorithm is feasible and provides a higher degree of security. The developed applications were tested, and a detailed security analysis was conducted. The results show that the proposed algorithm is secure, efficient, and highly effective against the various threat models. It also offers secure and efficient authentication and ensures data confidentiality, integrity, non-repudiation, user anonymity, and privacy. The performance analysis indicates that it achieves better overall performance compared with the existing mobile money systems.

show abstract

Section: Biometric Fingerprintmentioning

confidence: 99%

Section: Biometric Fingerprintmentioning

confidence: 99%

Section: Security Analysismentioning

confidence: 99%

Section: Security Analysismentioning

confidence: 99%

See 2 more Smart Citations

A Secure and Efficient Multi-Factor Authentication Algorithm for Mobile Money Applications

2021

View full text Add to dashboard Cite

show abstract

“…is study points out that the feasibility of the rebinding attack is due to the lack of proper authentication between the FIDO authenticator and the FIDO server. Feng [39] formalized the security model and protocol for various scenarios and then developed an automated verifier which performs security analysis and identifies design flaws according to the security assumptions and goals. Unlike the present paper, that work does not focus on how authentication data is managed on authenticators.…”

Section: Related Workmentioning

confidence: 99%

Security Analysis and Bypass User Authentication Bound to Device of Windows Hello in the Wild

Kim

Choi

2021

Security and Communication Networks

View full text Add to dashboard Cite

Windows Hello is a Fast IDentity Online- (FIDO-) based new login system for Windows 10, which provides a single sign-on (SSO) service to diverse online applications. Hardware protection is essential for Window Hello’s security. This paper aims to examine the security of Windows Hello on a device where hardware protection is unavailable. We present the first detailed analysis of Windows Hello’s security. The results show that, on a hardware-unsupported device, the authentication data for Windows Hello is not properly protected. We propose a migration attack to compromise Windows Hello’s security. In the proposed attack, an attacker extracts authentication data from a device to impersonate a victim in his or her Microsoft online account. We consider the possibility of such an attack to be serious and harmful to our society and demand immediate attention for remediation.

show abstract

Formal Verification of Security Protocols: ProVerif and Extensions

Yao

et al. 2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

A Formal Analysis of the FIDO UAF Protocol

Cited by 24 publications

References 21 publications

A Secure and Efficient Multi-Factor Authentication Algorithm for Mobile Money Applications

A Secure and Efficient Multi-Factor Authentication Algorithm for Mobile Money Applications

Security Analysis and Bypass User Authentication Bound to Device of Windows Hello in the Wild

Formal Verification of Security Protocols: ProVerif and Extensions

Contact Info

Product

Resources

About