Security & Trust

Design, Formal Specification and Analysis of Multi-Factor Authentication Solutions with a Single Sign-On Experience

This page contains complementary material related to the following paper:
  • Title: Design, Formal Specification and Analysis of Multi-Factor Authentication Solutions with a Single Sign-On Experience
  • Authors: Giada Sciarretta, Roberto Carbone, Silvio Ranise, Luca Viganò
  • DOI: 10.1007/978-3-319-89722-6_8
  • Acceptance News: Link

Abstract

Over the last few years, there has been an almost exponential increase of the number of mobile applications that deal with sensitive data, such as applications for e-commerce or health. When dealing with sensitive data, classical authentication solutions based on username-password pairs are not enough, and multi-factor authentication solutions that combine two or more authentication elements of different categories are required. Many different such solutions are available, but they usually cover the scenario of a user accessing web applications on their laptops, whereas in this paper we focus on native mobile applications. This changes the exploitable attack surface and thus requires a specific analysis. In this paper, we present the design, the formal specification and the security analysis of a solution that allows users to access different mobile applications through a multi-factor authentication solution providing a Single Sign-On experience. The formal and automated analysis that we performed validates the security goals of the solution we propose.

Complementary Material

Structure

  • IDOTP App Scenario: description of the use-case scenario and link to download the protocol specification file (idotp.aslan++);
  • Security Results: description and results of the security analyses we performed;
  • Tools: links to download the SATMC model checker tool and the STIATE plugin used to perform the security assessment.

Involved People

Giada Sciarretta

Luca Viganò

Roberto Carbone

Silvio Ranise