A survey on multi-factor authentication for online banking in the wild

Sinigaglia, Federico; Carbone, Roberto; Costa, Gabriele; Zannone, Nicola

doi:10.1016/j.cose.2020.101745

Cited by 47 publications

(28 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The three most used criteria categories that could be observed are those of security, usability, and costs. The application context was observed to be of importance as well, since most publications either directly considered it as a criterion [1] or were oriented to a specific application context [46][47][48][49]. An important finding from the realization of the second SLR is that the comparison and evaluation of authentication schemes and methods has been increasingly researched since 2017: more than half of the publications belonging to RQ3 and RQ4 are since this year.…”

Section: Discussionmentioning

confidence: 99%

Framework for the Comparison and Selection of Schemes for Multi-Factor Authentication

Velásquez

2021

CLEIej

View full text Add to dashboard Cite

Authentication is the process of verifying a user’s identity for them to access a system’s resources. An authentication factor is a piece of information used for this authentication. Three well-known groups of authentication factors exist: knowledge-based (what you know), possession-based (what you have) and inherence-based (what you are). Authentication schemes belonging to distinct authentication factors can be combined in a multi-factor manner to increase security. Although multiple multi-factor proposals are seen in literature, the absence of a method that allows a proper comparison and selection of these authentication methods, based on an application’s security requirements, can be observed. Existing frameworks for the analysis of authentication methods have been identified through the realization of a systematic literature review, but most of these focus on specific contexts and do not provide a generic enough solution. Due to the above, this research focuses on the creation of a recommendation framework that guides in the comparison and selection of single and multi-factor authentication schemes, considering both the application’s requirements and its context. This has been attained not only through the knowledge found in literature, but the experience from industry experts has been compiled as well through the collaboration with a multinational software development company. Consequently, the knowledge found in literature has been obtained from a systematic literature review, whereas the experience from industry experts was obtained through a survey and interviews. The framework proposal has been generated based on the above and has been validated through an expert panel and a case study methodology in collaboration with the partnered software development company. A tool prototype has been constructed as well. The result is a recommendation framework for the comparison and selection of authentication methods that can support this decision process in multiple contexts.

show abstract

Section: Discussionmentioning

confidence: 99%

Framework for the Comparison and Selection of Schemes for Multi-Factor Authentication

Velásquez

2021

CLEIej

View full text Add to dashboard Cite

show abstract

“…As the authentication protocol will be used to secure financial transactions, a critical requirement is that the proposed scheme must be strong enough to support online financial transactions, with a security level at least equal to the existing authentication methods that are used by banks [ 76 , 77 ].…”

Section: Autonomous Device Challenge Response Authenticationmentioning

confidence: 99%

Non-Invasive Challenge Response Authentication for Voice Transactions with Smart Home Behavior

Hayashi

Ruggiero

2020

Sensors

View full text Add to dashboard Cite

Smart speakers, such as Alexa and Google Home, support daily activities in smart home environments. Even though voice commands enable friction-less interactions, existing financial transaction authorization mechanisms hinder usability. A non-invasive authorization by leveraging presence and light sensors’ data is proposed in order to replace invasive procedure through smartphone notification. The Coloured Petri Net model was created for synthetic data generation, and one month data were collected in test bed with real users. Random Forest machine learning models were used for smart home behavior information retrieval. The LSTM prediction model was evaluated while using test bed data, and an open dataset from CASAS. The proposed authorization mechanism is based on Physical Unclonable Function usage as a random number generator seed in a Challenge Response protocol. The simulations indicate that the proposed scheme with specialized autonomous device could halve the total response time for low value financial transactions triggered by voice, from 7.3 to 3.5 s in a non-invasive manner, maintaining authorization security.

show abstract

“…Based on our use-case scenarios (cf. Section 3) and in relation to the capabilities that an attacker can have under the security assumptions of Section 4.4, we have identified a number of proximity and hacker attackers (inspired by the NIST threat model in [24] and [49]), which we list in Table 5. We model these attackers taking into account two aspects:…”

Section: Threat Modelmentioning

confidence: 99%

Formal Analysis of Mobile Multi-Factor Authentication with Single Sign-On Login

Sciarretta¹,

Carbone²,

Ranise³

et al. 2020

ACM Trans. Priv. Secur.

Self Cite

View full text Add to dashboard Cite

Over the last few years, there has been an almost exponential increase in the number of mobile applications that deal with sensitive data, such as applications for e-commerce or health. When dealing with sensitive data, classical authentication solutions based on username-password pairs are not enough, and multi-factor authentication solutions that combine two or more authentication factors of different categories are required instead. Even if several solutions are currently used, their security analyses have been performed informally or semiformally at best, and without a reference model and a precise definition of the multi-factor authentication property. This makes a comparison among the different solutions both complex and potentially misleading. In this article, we first present the design of two reference models for native applications based on the requirements of two real-world use-case scenarios. Common features between them are the use of one-time password approaches and the support of a single sign-on experience. Then, we provide a formal specification of our threat model and the security goals, and discuss the automated security analysis that we performed. Our formal analysis validates the security goals of the two reference models we propose and provides an important building block for the formal analysis of different multi-factor authentication solutions.

show abstract

A survey on multi-factor authentication for online banking in the wild

Cited by 47 publications

References 5 publications

Framework for the Comparison and Selection of Schemes for Multi-Factor Authentication

Framework for the Comparison and Selection of Schemes for Multi-Factor Authentication

Non-Invasive Challenge Response Authentication for Voice Transactions with Smart Home Behavior

Formal Analysis of Mobile Multi-Factor Authentication with Single Sign-On Login

Contact Info

Product

Resources

About