SecurePay: Strengthening Two-Factor Authentication for Arbitrary Transactions
2020 IEEE European Symposium on Security and Privacy (EuroS&P), 2020
Abstract
Secure transactions on the Internet often rely on two-factor authentication (2FA) using mobile phones. In most existing schemes, the separation between the factors is weak and a compromised phone may be enough to break 2FA. In this paper, we identify the basic principles for securing any transaction using mobile-based 2FA. In particular, we argue that the computing system should not only provide isolation between the two factors, but also the integrity of the transaction, while involving the user in confirming the authenticity of the transaction. We show for the first time how these properties can be provided on commodity mobile phones, securing 2FA-protected transactions even when the operating system on the phone is fully compromised. We explore the challenges in the design and implementation of SecurePay, and evaluate the first formally-verified solution that utilizes the ARM TrustZone technology to provide the necessary integrity and authenticity guarantees for mobile-based 2FA. For our evaluation, we integrated SecurePay in ten existing apps, all of which required minimal changes and less than 30 minutes of work. Moreover, if code modifications are not an option, SecurePay can still be used as a secure drop-in replacement for existing (insecure) SMS-based 2FA solutions.
Keywords
Mobile Security, Two-Factor Authentication, Trusted Execution Environment