Two-factor Authentication in Smartphones: Implementations and Attacks
(2015) EITM01 20151Department of Electrical and Information Technology
- Abstract
- Two-factor authentication is the method of combining two so called authentication factors in order to enhance the security of user authentication. An authentication factor is defined as ”Something the user knows, has or is”. Something the user knows is often the traditional username and password, something the user has is something that the user is in physical possession of and something the user is is a physical trait of the user, such as biometrics. Two-factor authentication greatly enhances security attributes compared to traditional password-only methods. With the advent of the smartphone, new convenient authentication methods have been developed in order to take advantage of the versatility such devices provide. However, older... (More)
- Two-factor authentication is the method of combining two so called authentication factors in order to enhance the security of user authentication. An authentication factor is defined as ”Something the user knows, has or is”. Something the user knows is often the traditional username and password, something the user has is something that the user is in physical possession of and something the user is is a physical trait of the user, such as biometrics. Two-factor authentication greatly enhances security attributes compared to traditional password-only methods. With the advent of the smartphone, new convenient authentication methods have been developed in order to take advantage of the versatility such devices provide. However, older two-factor authentication methods such as sending codes via SMS are still widely popular and in the case of the smartphone opens up new attack vectors for criminals to exploit by creating malware that is able to gain control over SMS functionality. This thesis explores, discusses and compares three distinct two-factor authentication methods used in smartphones today in the sense of security and usability. These are mTAN (mobile Transaction Authentication Number), TOTP (Time-based One Time Password Algorithm) and PKI (Public Key Infrastructure). Both practial and theoretical attacks against these methods are reviewed with a focus on malicious software and advantages and disadvantages of each method are presented. An in-depth analysis of an Android smartphone SMS-stealing trojan is done in order to gain a deeper understanding of how smartphone malware operates. (Less)
Please use this url to cite or link to this publication:
http://lup.lub.lu.se/student-papers/record/7792889
- author
- Ericson, Christofer LU
- supervisor
-
- Thomas Johansson LU
- Martin Hell LU
- organization
- course
- EITM01 20151
- year
- 2015
- type
- H2 - Master's Degree (Two Years)
- subject
- report number
- LU/LTH-EIT 2015-462
- language
- English
- id
- 7792889
- date added to LUP
- 2015-09-03 16:08:09
- date last changed
- 2015-09-03 16:08:09
@misc{7792889, abstract = {{Two-factor authentication is the method of combining two so called authentication factors in order to enhance the security of user authentication. An authentication factor is defined as ”Something the user knows, has or is”. Something the user knows is often the traditional username and password, something the user has is something that the user is in physical possession of and something the user is is a physical trait of the user, such as biometrics. Two-factor authentication greatly enhances security attributes compared to traditional password-only methods. With the advent of the smartphone, new convenient authentication methods have been developed in order to take advantage of the versatility such devices provide. However, older two-factor authentication methods such as sending codes via SMS are still widely popular and in the case of the smartphone opens up new attack vectors for criminals to exploit by creating malware that is able to gain control over SMS functionality. This thesis explores, discusses and compares three distinct two-factor authentication methods used in smartphones today in the sense of security and usability. These are mTAN (mobile Transaction Authentication Number), TOTP (Time-based One Time Password Algorithm) and PKI (Public Key Infrastructure). Both practial and theoretical attacks against these methods are reviewed with a focus on malicious software and advantages and disadvantages of each method are presented. An in-depth analysis of an Android smartphone SMS-stealing trojan is done in order to gain a deeper understanding of how smartphone malware operates.}}, author = {{Ericson, Christofer}}, language = {{eng}}, note = {{Student Paper}}, title = {{Two-factor Authentication in Smartphones: Implementations and Attacks}}, year = {{2015}}, }