Design and Security Assessment of Usable Multi-factor Authentication and Single Sign-On Solutions for Mobile Applications

A Workshop Experience Report
  • Roberto Carbone
  • Silvio Ranise
  • Giada Sciarretta
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 547)


In this interactive workshop we focused on multi-factor authentication and Single Sign-On solutions for mobile native applications. The main objective was to raise awareness of the current limitations of these solutions in the mobile context. Thus, after an introductory part, the participants were invited to discuss the usability and security issues of different mobile authentication scenarios. After this interactive part, we concluded the workshop by presenting our on-going work on this topic: we briefly described our methodology for the design and security assessment of multi-factor authentication and Single Sign-On solutions for mobile native applications, and presented a plugin that helps developers make their mobile native applications secure.



This work has partially been supported by the Activity no. 18163, “API Assistant - Automated security assessment of 3rd party apps for the API economy”, funded by the EIT Digital.



Copyright information

© IFIP International Federation for Information Processing 2019

Authors and Affiliations

  1. Security and Trust, FBK, Trento, Italy
