SecurePay: Strengthening Two-Factor Authentication for Arbitrary Transactions | IEEE Euro S&P 2020 скачать в хорошем качестве

SecurePay: Strengthening Two-Factor Authentication for Arbitrary Transactions | IEEE Euro S&P 2020

Sep 10, 2020 | Zoom conference | IEEE Euro S&P 2020 Session #9: Web security and privacy SecurePay: Strengthening Two-Factor Authentication for Arbitrary Transactions Radhesh Krishnan Konoth, Vrije Universiteit Amsterdam Björn Fischer, Vrije Universiteit Amsterdam Wan Fokkink, Vrije Universiteit Amsterdam Elias Athanasopoulos, University of Cyprus Kaveh Razavi, ETH Z¨urich Herbert Bos, Vrije Universiteit Amsterdam ABSTRACT: Secure transactions on the Internet often rely on two-factor authentication (2FA) using mobile phones. In most existing schemes, the separation between the factors is weak and a compromised phone may be enough to break 2FA. In this paper, we identify the basic principles for securing any transaction using mobile-based 2FA. In particular, we argue that the computing system should not only provide isolation between the two factors, but also the integrity of the transaction, while involving the user in confirming the authenticity of the transaction. We show for the first time how these properties can be provided on commodity mobile phones, securing 2FA-protected transactions even when the operating system on the phone is fully compromised. We explore the challenges in the design and implementation of SecurePay, and evaluate the first formally-verified solution that utilizes the ARM TrustZone technology to provide the necessary integrity and authenticity guarantees for mobilebased 2FA. For our evaluation, we integrated SecurePay in ten existing apps, all of which required minimal changes and less than 30 minutes of work. Moreover, if code modifications are not an option, SecurePay can still be used as a secure drop-in replacement for existing (insecure) SMS-based 2FA solutions.