This page contains complementary material related to the following paper:
Abstract: Over the last few years, there has been an almost exponential increase in the number of mobile applications that deal with sensitive data, such as applications for e-commerce or health. When dealing with sensitive data, classical authentication solutions based on username-password pairs are not enough, and multi-factor authentication solutions that combine two or more authentication elements of different categories are required. Many different such solutions are available, but they usually cover the scenario of a user accessing web applications on their laptops, whereas in this paper we focus on native mobile applications. This changes the exploitable attack surface and thus requires a specific analysis. In this paper, we present the design, the formal specification and the security analysis of a solution that allows users to access different mobile applications through a multi-factor authentication solution providing a Single Sign-On experience. The formal and automated analysis that we performed validates the security goals of the solution we propose.
- IDOTP App Scenario: description of the use-case scenario and link to download the protocol specification file (idotp.aslan++);
- Security Results: description and results of the security analyses we performed;
- Tools: links to download the SATMC model checker tool and the STIATE plugin used to perform the security assessment.