Design and Security Assessment of Usable Multi-factor Authentication and Single Sign-On Solutions for Mobile Applications

A Workshop Experience Report
  • Roberto Carbone
  • Silvio Ranise
  • Giada Sciarretta
Chapter
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 547)

Abstract

This interactive workshop focused on multi-factor authentication (MFA) and Single Sign-On (SSO) solutions for mobile native applications. Its main objective was to raise awareness of the current limitations of these solutions in the mobile context. After an introductory part, participants were invited to discuss the usability and security issues of several mobile authentication scenarios. We concluded the workshop by presenting our ongoing work on this topic: a brief description of our methodology for the design and security assessment of MFA and SSO solutions for mobile native applications, and a plugin that helps developers make their mobile native applications secure.

Notes

Acknowledgments

This work has been partially supported by Activity no. 18163, “API Assistant - Automated security assessment of 3rd party apps for the API economy”, funded by EIT Digital.

Copyright information

© IFIP International Federation for Information Processing 2019

Authors and Affiliations

  1. Security and Trust, FBK, Trento, Italy