FRACTAL: Single-Channel Multi-factor Transaction Authentication Through a Compromised Terminal

Part of the Lecture Notes in Computer Science book series (LNCS,volume 13407)


Multi-Factor Authentication (MFA) schemes currently used for verifying the authenticity of Internet banking transactions rely either on dedicated devices (namely, tokens) or on out-of-band channels, typically the mobile cellular network. However, when neither the dedicated devices nor the additional channel is available and the Primary Authentication Terminal (PAT) is compromised, MFA schemes cannot reliably guarantee transaction authenticity. This situation is typical, e.g., offshore or on board aircraft, where only a few untrusted terminals have an Internet connection.

In this paper, we present FRACTAL, a new scheme providing single-channel transaction MFA through general-purpose additional authentication terminals. Moreover, the proposed solution is also resilient against a potentially compromised PAT. FRACTAL scales easily with the number of authentication factors, and it is extensible beyond the banking scenario, e.g., to unattended and constrained scenarios, by also integrating Internet of Things (IoT) devices as additional authentication terminals. Besides a formal verification of its security properties via ProVerif, FRACTAL is also supported by an extensive experimental performance assessment. Our real-world Proof-of-Concept scenarios, implemented using Spring micro-services, show that FRACTAL can complete a transaction in about 2 s, independently of the remote server location. The flexibility of use, the guaranteed security, and the striking performance characterize FRACTAL as a solution with an expected high potential impact in the authentication field, for both Industry and Academia.


  • Internet transactions
  • Network security
  • Cryptographic protocols



This work was supported by both the HBKU Technology Development Fund under contract TDF 02-0618-190005 and the NPRP-S-11-0109-180242 from the QNRF-Qatar National Research Fund. Both HBKU and QNRF are members of The Qatar Foundation. This work has also been partially supported by the INTERSECT project, Grant No. NWA.1162.18.301, funded by the Netherlands Organisation for Scientific Research (NWO). The findings reported herein are solely the responsibility of the authors.

Corresponding author

Correspondence to Savio Sciancalepore.

Annex A

Fig. 8. Screen shown on the AAT to validate the transaction. \(\mathcal {A}\) can verify that the details of the intended transaction match the ones on the screen. Then, in case of Scenario #1, \(\mathcal {A}\) can validate the transaction by pressing confirm. In case of Scenario #2, \(\mathcal {A}\) can insert the code on the PAT to verify the transaction (see Fig. 9).

Fig. 9. Screen shown on the PAT to validate the transaction in case of Scenario #2. If the details of the transaction shown on the AAT match the intended ones, \(\mathcal {A}\) can insert the code in the passcode field and press the confirm button to validate the transaction.

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Cite this paper

Sciancalepore, S., Raponi, S., Caldarola, D., Di Pietro, R. (2022). FRACTAL: Single-Channel Multi-factor Transaction Authentication Through a Compromised Terminal. In: Alcaraz, C., Chen, L., Li, S., Samarati, P. (eds) Information and Communications Security. ICICS 2022. Lecture Notes in Computer Science, vol 13407. Springer, Cham.

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-15776-9

  • Online ISBN: 978-3-031-15777-6

  • eBook Packages: Computer Science, Computer Science (R0)