An Effective Tool for Assessing the Composite Vulnerability of Multifactor Authentication Technologies

  • Conference paper
Advances in Security, Networks, and Internet of Things

Abstract

While multifactor authentication technologies continue to advance and adoption rates for those technologies increase, there exists a need to characterize the composite vulnerability score for complete authentication solutions. To meet this need, we propose an extension to the Common Vulnerability Scoring System (CVSS) v3 calculator to provide an aggregate score for any metric category, enabling organizations and researchers to succinctly determine the composite vulnerability impact of authentication factor multiplicity. This chapter presents a novel mathematical approach and demonstrates it through a real-world application: a comparative study of the composite vulnerability of two different multifactor authentication technologies.



Author information

Corresponding author

Correspondence to Yanzhen Qu.

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

English, A., Qu, Y. (2021). An Effective Tool for Assessing the Composite Vulnerability of Multifactor Authentication Technologies. In: Daimi, K., Arabnia, H.R., Deligiannidis, L., Hwang, MS., Tinetti, F.G. (eds) Advances in Security, Networks, and Internet of Things. Transactions on Computational Science and Computational Intelligence. Springer, Cham. https://doi.org/10.1007/978-3-030-71017-0_7

  • DOI: https://doi.org/10.1007/978-3-030-71017-0_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-71016-3

  • Online ISBN: 978-3-030-71017-0

  • eBook Packages: Engineering, Engineering (R0)
