
Secure Authentication for Everyone! Enabling 2nd-Factor Authentication Under Real-World Constraints

Julian Fietkau, Syeda Mehak Zahra, Markus Hartung

Communications in Computer and Information Science, Security in Computer and Information Sciences (2022)

Abstract

Millions of user accounts have been exposed by data breaches in recent years. The leaked credentials pose a huge threat to many because they can be used for credential stuffing and brute-force attacks across all online services. The best solution for this problem seems to be the use of 2nd-factor authentication, like hardware tokens or one-time passwords. While these are great solutions, they cause many problems for users because they are too expensive, difficult to manage, or just not user-friendly. In this paper, we will present the results of a study that shows that users need and want secure authentication, as long as it is quick, easy, and free of charge. Hence, we investigate how recent advancements in smartphone security and authentication standards can be used to build a mobile authenticator that is easy to use, free of charge, and as secure as a hardware token. Therefore, we leverage the Trusted Execution Environment of the Android platform to implement a FIDO-compliant authentication mechanism on the smartphone. Furthermore, we integrate this mobile authenticator into a password manager app to reduce user interaction, simplify the setup, and provide an encompassing solution for the user.