Abstract
Multi-Factor Authentication (MFA) schemes currently used to verify the authenticity of Internet banking transactions rely either on dedicated devices (namely, hardware tokens) or on an out-of-band channel, typically the mobile cellular network. However, when neither the dedicated device nor the additional channel is available and the Primary Authentication Terminal (PAT) is compromised, such MFA schemes cannot reliably guarantee transaction authenticity. This situation is typical, e.g., offshore or on board an aircraft, where only a few untrusted terminals have an Internet connection. In this paper, we present FRACTAL, a new scheme that provides single-channel transaction MFA through general-purpose additional authentication terminals. Moreover, the proposed solution remains resilient against a potentially compromised PAT. FRACTAL scales easily with the number of authentication factors, and it is extensible beyond the banking scenario, e.g., to unattended and constrained settings, by integrating Internet of Things (IoT) devices as additional authentication terminals. Besides a formal verification of its security properties in ProVerif, FRACTAL is supported by an extensive experimental performance assessment. Our real-world Proof-of-Concept scenarios, implemented with Spring micro-services, show that FRACTAL can complete a transaction in about 2 s, independently of the remote server's location. Its flexibility of use, formally verified security, and strong performance characterize FRACTAL as a solution with an expected high impact in the authentication field, for both industry and academia.
Original language | English |
---|---|
Title of host publication | Information and Communications Security - 24th International Conference, ICICS 2022, Proceedings |
Editors | Cristina Alcaraz, Liqun Chen, Shujun Li, Pierangela Samarati |
Publisher | Springer |
Pages | 201-217 |
Number of pages | 17 |
ISBN (Print) | 9783031157769 |
Publication status | Published - 2022 |
Event | 24th International Conference on Information and Communications Security, ICICS 2022 - Canterbury, United Kingdom Duration: 5 Sept 2022 → 8 Sept 2022 |
Publication series
Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
---|---|
Volume | 13407 LNCS |
ISSN (Print) | 0302-9743 |
ISSN (Electronic) | 1611-3349 |
Conference
Conference | 24th International Conference on Information and Communications Security, ICICS 2022 |
---|---|
Country/Territory | United Kingdom |
City | Canterbury |
Period | 5/09/22 → 8/09/22 |
Bibliographical note
Funding Information: Acknowledgements. This work was supported by both the HBKU Technology Development Fund under contract TDF 02-0618-190005 and the NPRP-S-11-0109-180242 from the QNRF-Qatar National Research Fund. Both HBKU and QNRF are members of The Qatar Foundation. This work has been partially supported also by the INTERSCT project, Grant No. NWA.1162.18.301, funded by the Netherlands Organisation for Scientific Research (NWO). The findings reported herein are solely the responsibility of the authors.
Publisher Copyright:
© 2022, Springer Nature Switzerland AG.
Keywords
- Cryptographic protocols
- Internet transactions
- Network security