Two-factor Authentication in Smartphones: Implementations and Attacks

Ericson, Christofer

Two-factor Authentication in Smartphones: Implementations and Attacks

Mark

Ericson, Christofer ^LU (2015) EITM01 20151
Department of Electrical and Information Technology

Abstract: Two-factor authentication is the method of combining two so called authentication factors in order to enhance the security of user authentication. An authentication factor is defined as ”Something the user knows, has or is”. Something the user knows is often the traditional username and password, something the user has is something that the user is in physical possession of and something the user is is a physical trait of the user, such as biometrics. Two-factor authentication greatly enhances security attributes compared to traditional password-only methods. With the advent of the smartphone, new convenient authentication methods have been developed in order to take advantage of the versatility such devices provide. However, older... (More); Two-factor authentication is the method of combining two so called authentication factors in order to enhance the security of user authentication. An authentication factor is defined as ”Something the user knows, has or is”. Something the user knows is often the traditional username and password, something the user has is something that the user is in physical possession of and something the user is is a physical trait of the user, such as biometrics. Two-factor authentication greatly enhances security attributes compared to traditional password-only methods. With the advent of the smartphone, new convenient authentication methods have been developed in order to take advantage of the versatility such devices provide. However, older two-factor authentication methods such as sending codes via SMS are still widely popular and in the case of the smartphone opens up new attack vectors for criminals to exploit by creating malware that is able to gain control over SMS functionality. This thesis explores, discusses and compares three distinct two-factor authentication methods used in smartphones today in the sense of security and usability. These are mTAN (mobile Transaction Authentication Number), TOTP (Time-based One Time Password Algorithm) and PKI (Public Key Infrastructure). Both practial and theoretical attacks against these methods are reviewed with a focus on malicious software and advantages and disadvantages of each method are presented. An in-depth analysis of an Android smartphone SMS-stealing trojan is done in order to gain a deeper understanding of how smartphone malware operates. (Less)

Please use this url to cite or link to this publication: http://lup.lub.lu.se/student-papers/record/7792889

author

Ericson, Christofer ^LU

supervisor

Thomas Johansson ^LU
Martin Hell ^LU

organization

Department of Electrical and Information Technology

course

EITM01 20151

year

2015

type

H2 - Master's Degree (Two Years)

subject

Technology and Engineering

report number

LU/LTH-EIT 2015-462

language

English

id

7792889

date added to LUP

2015-09-03 16:08:09

date last changed

2015-09-03 16:08:09

@misc{7792889,
  abstract     = {{Two-factor authentication is the method of combining two so called authentication factors in order to enhance the security of user authentication. An authentication factor is defined as ”Something the user knows, has or is”. Something the user knows is often the traditional username and password, something the user has is something that the user is in physical possession of and something the user is is a physical trait of the user, such as biometrics. Two-factor authentication greatly enhances security attributes compared to traditional password-only methods. With the advent of the smartphone, new convenient authentication methods have been developed in order to take advantage of the versatility such devices provide. However, older two-factor authentication methods such as sending codes via SMS are still widely popular and in the case of the smartphone opens up new attack vectors for criminals to exploit by creating malware that is able to gain control over SMS functionality. This thesis explores, discusses and compares three distinct two-factor authentication methods used in smartphones today in the sense of security and usability. These are mTAN (mobile Transaction Authentication Number), TOTP (Time-based One Time Password Algorithm) and PKI (Public Key Infrastructure). Both practial and theoretical attacks against these methods are reviewed with a focus on malicious software and advantages and disadvantages of each method are presented. An in-depth analysis of an Android smartphone SMS-stealing trojan is done in order to gain a deeper understanding of how smartphone malware operates.}},
  author       = {{Ericson, Christofer}},
  language     = {{eng}},
  note         = {{Student Paper}},
  title        = {{Two-factor Authentication in Smartphones: Implementations and Attacks}},
  year         = {{2015}},
}

LUP Student Papers

LUND UNIVERSITY LIBRARIES

Two-factor Authentication in Smartphones: Implementations and Attacks