2D-2FA: A New Dimension in Two-Factor Authentication

10/29/2021
by   Maliheh Shirvanian, et al.
Western Digital Corporation
Visa
0

We propose a two-factor authentication (2FA) mechanism called 2D-2FA to address security and usability issues in existing methods. 2D-2FA has three distinguishing features: First, after a user enters a username and password on a login terminal, a unique identifier is displayed to her. She inputs the same identifier on her registered 2FA device, which ensures appropriate engagement in the authentication process. Second, a one-time PIN is computed on the device and automatically transferred to the server. Thus, the PIN can have very high entropy, making guessing attacks infeasible. Third, the identifier is also incorporated into the PIN computation, which renders concurrent attacks ineffective. Third-party services such as push-notification providers and 2FA service providers, do not need to be trusted for the security of the system. The choice of identifiers depends on the device form factor and the context. Users could choose to draw patterns, capture QR codes, etc. We provide a proof of concept implementation, and evaluate performance, accuracy, and usability of the system. We show that the system offers a lower error rate (about half) and better efficiency (2-3 times faster) compared to the commonly used PIN-2FA. Our study indicates a high level of usability with a SUS of 75, and a high perception of efficiency, security, accuracy, and adoptability.

READ FULL TEXT VIEW PDF

page 1

page 2

page 3

page 4

07/02/2018

Tap-based User Authentication for Smartwatches

This paper presents TapMeIn, an eyes-free, two-factor authentication met...
10/01/2020

More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication

Risk-based Authentication (RBA) is an adaptive security measure to stren...
07/29/2019

Zero-Knowledge User Authentication: An Old Idea Whose Time Has Come

User authentication can rely on various factors (e.g., a password, a cry...
06/05/2020

Knock, Knock. Who's There? On the Security of LG's Knock Codes

Knock Codes are a knowledge-based unlock authentication scheme used on L...
10/13/2020

FPSelect: Low-Cost Browser Fingerprints for Mitigating Dictionary Attacks against Web Authentication Mechanisms

Browser fingerprinting consists into collecting attributes from a web br...
04/12/2022

Beautiful secrets: using aesthetic images to authenticate users

We propose and evaluate an authentication scheme that improves usability...
11/30/2017

Efficacy of Object-Based Passwords for User Authentication

Traditional text-based password schemes are inherently weak. Users tend ...

Abstract

We propose a two-factor authentication (2FA) mechanism called 2D-2FA to address security and usability issues in existing methods. 2D-2FA has three distinguishing features: First, after a user enters a username and password on a login terminal, a unique identifier is displayed to her. She inputs the same identifier on her registered 2FA device, which ensures appropriate engagement in the authentication process. Second, a one-time PIN is computed on the device and automatically transferred to the server. Thus, the PIN can have very high entropy, making guessing attacks infeasible. Third, the identifier is also incorporated into the PIN computation, which renders concurrent attacks ineffective. Third-party services such as push-notification providers and 2FA service providers, do not need to be trusted for the security of the system. The choice of identifiers depends on the device form factor and the context. Users could choose to draw patterns, capture QR codes, etc.

We provide a proof of concept implementation, and evaluate performance, accuracy, and usability of the system. We show that the system offers a lower error rate (about half) and better efficiency (2-3 times faster) compared to the commonly used PIN-2FA. Our study indicates a high level of usability with a SUS of 75, and a high perception of efficiency, security, accuracy, and adoptability.

1 Introduction

Two-factor authentication (2FA) is widely used to add an extra layer of security to services that rely on passwords [two-factor-auth, tnw-auth]

. We can broadly classify adopted solutions into two categories, PIN-based and push-based. In PIN-based model, one-time PINs can be delivered to users via SMS or voice, or generated on personal devices

[google-authenticator, safenet-mobilepass]. Users are then supposed to copy the PIN to the client terminal (e.g., web browser). Push-based 2FA operates by pushing notifications to users’ devices whenever login attempts are made [twilio-push, duo-push] and users can choose to accept or decline the attempt.

Despite known benefits, PIN- and push-based 2FA have several security and usability issues. PIN-2FA suffers from problems like SIM swap attacks [nist-sms-2fa, duo-2fa-survey], shoulder surfing [Eiband:2017:USS:3025453.3025636], short PINs [ndss-2014], etc. On the other hand, Push-2FA suffers from neglectful user approvals and reliance on push-notification services, which can be targeted [li2014mayhem, loreti2018push, xu2012abusing, pushattack1, pushattack2, abbott2020mandatory]. See Section 2.3 for a detailed discussion.

In this work, we introduce a new 2FA approach called 2D-2FA. In 2D-2FA, when a user enters a username and password on a login terminal, a unique identifier is displayed to her. The user is supposed to input the same identifier on her personal device, say , to ensure proper engagement. Then, a one-time PIN is generated on the device and transferred automatically to the server, say , along with the identifier. The identifier is also incorporated into the PIN computation, binding the PIN to a specific session. The choice of identifiers depends on the device’s form factor and the context. Inputting identifiers could take the form of drawing patterns, capturing QR codes, copying short strings, etc.

and agree on a secret key during a one-time registration process, and compute the PIN using this key. The PIN computation function is defined as , where is a message authentication code [hmac-rfc], is the shared secret key, and is a value known to both and (the identifier is a part of ). Both the PIN and identifier are transferred automatically to for verification. On receiving them, authenticates the session associated with the identifier by verifying the corresponding PIN. Note that the server takes two Dimensions (2D-2FA), PIN and identifier, into account.

One-time PIN

Observe that the way one-time PINs are generated and circulated in 2D-2FA is different from PIN-2FA. In the latter, PINs are generated on the server side and sent to the user device [sms2fa] (or they may be generated on the user device itself [google-authenticator, authy]). Then, the user manually copies the PIN from the device to the login terminal. After that, the terminal transfers the PIN to the server. In contrast, 2D-2FA always generates PINs on the device and directly transfers them to the server—without user involvement. One important benefit of this is that PINs can have high entropy, making guessing attacks infeasible.

Identifier

2D-2FA engages users in the authentication process by asking them to copy an identifier from the login terminal to their personal device. After the identifier has been entered, a PIN is computed and sent (directly) to the server. This stands in contrast to Push-2FA where users are just supposed to choose between approve or reject, and may accidentally approve a concurrent session launched by an attacker. Note that identifier memorability and secrecy are not relevant to us because neither do users need to remember identifiers nor do they need to keep them secret (identifiers just need to be unique for each concurrent session).

Flow

Notice how the flow of second factor in 2D-2FA is different from PIN-2FA. In PIN-2FA, a user copies a PIN from the device to the terminal whereas in 2D-2FA, she copies the identifier (not any PIN) in the reverse direction (from terminal to device). Also note that while Push-2FA pushes notifications to the device, 2D-2FA sends PINs to the server. See Figure 1 for an overview.

Security

2D-2FA offers the following security properties:

  • Security against client compromise: An attacker with knowledge of the password cannot authenticate without getting access to the user’s device. Since PIN is transferred automatically, it can have high entropy, making PIN guessing infeasible.

  • Security against channel compromise: Stealing PINs does not help an attacker authenticate to a different session since PIN is a function of both secret key and identifier. Thus, PINs can be communicated to the server over an attacker-controlled channel. Shoulder-surfing attacks are not a problem either (as opposed to PIN-based 2FA [Eiband:2017:USS:3025453.3025636]) because identifiers are not confidential values.

  • No reliance on third parties: In 2D-2FA, users do not have to trust third-party services such as push-notification providers [google-cloud-messaging, apple-notifications], 2FA service providers [authy, duo], etc.

  • Resistance to user negligence: 2D-2FA requires the user to approve the ongoing session by copying a simple identifier displayed to her. This level of user engagement is more resistant to user errors as compared to Push-based 2FA, which only requires approval of a notification message [push-accept-dark-side]. Our user study (Section 7) shows a 0% false accept rate indicating that with a more involved user engagement process, erroneous acceptance of an attacker session could be eliminated.

More features

2D-2FA offers the following features to enhance user experience.

  • Easy PIN transfer: Transfer of the PIN is automated and does not require manual copying.

  • Client compatibility: 2D-2FA does not require any changes on the client, nor any additional software or plugins unlike other approaches such as FIDO2 that requires significant browser support [fidou2f, u2f-not-prime-time, duo-2fa-survey].

  • Use of different devices: Different user devices come with different input options. While some devices like smartphones have multiple input options (touchscreen, camera, etc.), there are many devices that have only one option. For instance, many smart-home devices, smartwatches, etc. just have a touchscreen but no camera to capture QR codes; some devices may only have a small keypad with some buttons but no touchscreen. Fortunately, 2D-2FA supports multiple identifier types as the second dimension like drawing patterns on a touchscreen, capturing QR codes with a camera, typing short strings on a keypad, etc.

Contributions

Our contributions can be summarized as follows:

System Design (Section 4).

We design a new two-factor authentication mechanism, 2D-2FA. This design allows automatic transfer of PINs from a device to server with no reliance on third-party services. The PIN is unique for each authentication session and corresponds to an identifier displayed on the client and copied by the user to her personal device.

Security Analysis (Section 5).

We present a comprehensive security analysis of the system. We consider various types of threats in our analysis. We argue that 2D-2FA is secure against client compromise because it is infeasible to guess the PIN, even when the attacker tries to log in at the same time as the right user (they receive different identifiers). We also show that eavesdropping identifiers or PINs on the communication channels is of no use because PINs are a function of both time/counter and identifier. We consider several other attack venues too; see section 5 for more details.

We also compare 2D-2FA with other well-known 2FA schemes in the framework of Bonneau et al. [bonneau2012quest]. Unlike most other schemes, 2D-2FA is resistant to physical and internal observation.

System Implementation (Section 6).

We discuss the choice of identifiers that can improve the security, accuracy, and usability of 2D-2FA. We suggest two forms of identifiers: 1) PT-2D-2FA, in which identifier is represented as a pattern on a grid of dots, similar to Android pattern lock; and 2) QR-2D-2FA, in which identifier is encoded into a QR Code and can be scanned through any device with a camera. We develop a full proof of concept implementation of 2D-2FA, including server-side scripts and an Android app.

Evaluation and User Study (Section 7).

We ran a user study with 30 participants and evaluated performance, accuracy, and usability of the system, and compared our methods with the commonly used PIN-2FA. The study shows that the false reject rate of the system is low (about 2%) and the false accept rate is 0%. The system also seems to be efficient with an end-to-end delay of less than 5s. Answers to the usability questions indicate that 2D-2FA has “Good” usability with a system usability scale (SUS) of 75. The participants were in agreement that the system is efficient, secure, and has low error rate. In comparison to PIN-2FA, the system provides similar or better usability rating, which considering the long history of PIN-2FA adoption and familiarity of the users with this technique, is a promising outcome. 2D-2FA error rate was about half that of PIN-2FA and the system end-to-end delay was 2-3 times less than PIN-2FA. Besides, 75% of the participants preferred at least one of the 2D-2FA variants (pattern or QR Code) over PIN-2FA.

Figure 1: 2D-2FA system components and interaction model. Identifiers ensure proper user engagement. In this figure, they are instantiated with patterns. User is shown a pattern on the client terminal. She draws the same pattern on her device. Identifiers are incorporated into PIN computation to bind PINs to sessions. PINs are used to verify availability of the second factor.

2 Background and Related Work

2.1 Notation and Primitives

We use calligraphic math fonts to denote various entities involved in authentication like for user, for client, for device, for server, etc.

Channels

We use to denote a channel from to . can use this channel to send messages to in a reliable and ordered manner (e.g., TCP). We use to denote a secure channel from to . A secure channel provides confidentiality and strong integrity protection (e.g., TLS). Messages sent on the channel are hidden from other parties and cannot be modified. (Some metadata like message length, delivery time, etc. could be leaked.)

A secure channel from to does not imply a secure channel (or even a regular channel) from to . When there is a secure channel available in both directions, we denote it by “”. On the internet, TLS is widely used to establish bi-directional secure channels between clients and servers. Moreover, servers often provide certificates to identify themselves to the clients.

Message Authentication

Hash-based message authentication code (HMAC) is a mechanism for message authentication using cryptographic hash functions like SHA-256 or SHA-3 [hmac-rfc]. It takes a key and a message as inputs, and outputs a tag. HMAC provides both integrity and authenticity. Without knowledge of , it is infeasible for an attacker to produce a valid (message, tag) pair.

Digital signature

Digital signature is the public-key analogue of MAC. A secret key is used to sign messages, which can be verified by anyone with the corresponding public key . Without knowledge of , it is infeasible to forge signatures. RSA and DSA/ECDSA are commonly used signature schemes.

2.2 Two-Factor Authentication

Broadly defined, two-factor authentication (2FA) refers to an authentication protocol that requires a user to login to a service by proving knowledge of a password (first factor, “something you know”) and possession of a previously registered personal device (second factor, “something you have”).

PIN-2FA Protocol

PIN-2FA is the most prominent two-factor authentication in which the user’s personal device generates a one-time PIN. The PIN is transferred to the server for verification, often manually with the user’s assistance and through the login terminal. To verify the device, the server generates the same PIN and compares it with the one it receives from the terminal111The deprecated SMS 2FA [nist-sms-2fa] uses a similar protocol flow, but the device does not compute the PIN. Rather, the PIN is communicated by the server and sent to the user’s registered device as a text message..

A popular PIN generation function is HMAC [hmac-rfc]. In an initial setup phase, the server and the device agree on an HMAC key. TOTP [totp] defines the timestamp and HOTP [hotp] defines a counter as the HMAC message. In general, it could be any parameter known both by the server and the device. The HMAC output is encoded into a number and truncated to a small number of digits (e.g., six digits) for easier manual copying by the user.

Push-2FA Protocol

Push-2FA is a relatively new trend in the 2FA design-space, which attempts to address the usability issues with PIN-2FA. This method follows a simple request/response message exchange between the server and the device. Upon receiving a login request, the server sends a notification message to the registered secondary device, and waits for the user to approve the validity of the login attempt. It is assumed that the user only approves login requests initiated by herself and denies any other attempt. The approval (or denial) response proves to the server that the user possesses the secondary device. Since the user interaction with the system is limited to approving or denying a request, displayed as a notification on the user’s device, Push-2FA is considered more user-friendly than PIN-2FA [duopushusability, abbott2020mandatory].

Push-2FA assumes that the server has a direct or indirect connection with the device. This connection is commonly supported by third-party services such as 2FA service providers (e.g., Authy [twilio-push], Google [googleprompt], Duo [duo-push]) and push notification services (e.g., Google cloud messaging [google-cloud-messaging], Apple notification [apple-notifications]). Without such third party service, the server needs to establish a connection directly with the device. Establishing such a connection is not a trivial engineering effort since smartphones (assuming that 2FA system uses a smartphone) do not keep a permanent internet address and migrate from one network to another constantly.

Fido U2f

2FA protocols could also be based on asymmetric-key authentication schemes such as digital signatures. In FIDO U2F [u2f-tech-overview], for example, the device generates a public/private key pair during registration and transfers the public key to the server. During authentication, the server sends a challenge to the user’s device through the client. The user locally authenticates to her trusted device to sign the challenge and transfers the response to the server through the client. This approach requires support from the client browser and establishment of a secure device-client channel.

2.3 Benefits and Limitations of Current 2FAs

Pin-2fa

2FA hardware tokens such as RSA Secure ID [sid], and mobile apps, such as Google Authenticator [google-authenticator] and HID ActiveID [hid], generate a one-time short PIN that is manually copied by the user to the login terminal. The device generating the PIN only needs to be capable of generating the PIN (not transferring it) and be equipped with a display to show it. Therefore, this type of 2FA systems are suitable when offline devices or devices with limited connectivity are used as second factor.

The main user interaction in PIN-2FA is manual copy of PINs, which limits their length, increasing the risk of guessing attacks. In contrast, 2D-2FA does not require manual entry of PINs, and therefore, PINs could be long to offer much better resistance to guessing attacks. Shoulder surfing of PINs is another issue with PIN-2FA [Eiband:2017:USS:3025453.3025636], which does not arise in 2D-2FA.

Push-2FA

In recent years, smartphones with more connectivity options created opportunities for more usable approaches. 2FA providers, such as Authy [authy] and Duo [duo], offer several options for simpler user interaction. Push-based 2FA offered by these providers lets users approve or deny a 2FA request notification sent to their phone. While user engagement is much simpler compared to traditional PIN-based 2FA, a neglectful user could mistakenly accept an attacked session since the binding between the - login session and - approval, relies only on user’s attention.

To maintain a connection from the server to the device, a secure and trusted channel should be established, imposing unwanted trust on the apps and push service providers, which are shown to be target of various attacks [li2014mayhem, loreti2018push, xu2012abusing, pushattack1, pushattack2]. These channels may also be unreliable as shown in [abbott2020mandatory] who reported 20% failed authentication due to “no response”, caused by the users not responding in time (due to errors in notification communication). In contrast, 2D-2FA establishes a strong binding between the - login session and - communication by requiring users to input the displayed identifier, which avoid attacks arising from users neglectfully accepting attacker’s sessions [push-accept-dark-side]. Besides, messages are communicated from to directly with no security requirement on the channel or reliance on third party services.

Fido U2f

Other approaches have been introduced that establish a channel between the device and client to automatically transfer some token through the client to the server on user’s approval. In FIDO, for example, a channel is established between user’s trusted device (e.g., smartphone, security key) and the client [u2f-tech-overview]. Other challenge-response 2FA mechanisms [czeskis2012strengthening, ndss-2014] also rely on establishment of a channel between the device and client to transfer the response. In 2D-2FA, ’s response to is not channeled through the client. Therefore, 2D-2FA does not require establishing a secure to channel. Thus, it makes migration to new clients hassle-free.

On the flip side, FIDO U2F is resistant to phishing but 2D-2FA isn’t, much like PIN-2FA. FIDO U2F binds the user login to the origin since the client sends the origin and the channel ID as part of the challenge to the device and the device signs the entire challenge.

3 2D-2FA System & Design Goals

3.1 System Model

There are four parties involved in 2D-2FA to securely authenticate a user to a service, as shown in Figure 1. A “user” initiates a request from a “client” (a.k.a. the client terminal, like a web browser on a laptop) by entering her username and password, as is the case with any password authentication protocol. submits the request to a “server” (a.k.a. a service provider, hosted on a web server for example) over a secure channel. also proves to the possession of a secondary factor personal device (e.g., smartphone, smartwatch) by entering a identifier on , which is provided to by through .

In our model, the client and the server interact over a bidirectional channel. As in other password authentication protocols, we assume a secure channel such as a TLS channel. and interaction is assisted by the human user (i.e., a manual channel), who observes the identifier displayed on the client and inputs the same on the device. Finally, the device communicates to the server to manifest the knowledge of the correct identifier and PIN through channel, e.g., internet.

Other 2FA systems usually involve a similar set of parties but the communication channels may be different. For example, in the traditional PIN-2FA, the secure communication is commonly assisted by a human user and happens in one direction, from the device to the client (i.e., the user copies a PIN from the device to the client terminal). In contrast, in 2D-2FA the manual unprotected unidirectional channel is for transferring the identifier from the client to the device. Push-2FA relies on third party push notification service providers (e.g., Firebase Cloud Messaging [google-cloud-messaging]) to handle secure messaging between the device and the server. In our model, an ordinary channel from device to server is good enough, which could be established without relying on third-party services.

3.2 System Overview

Our system consists of two phases (a detailed discussion can be found in Section 4):

Registration

The initial “registration phase” through which the parties in the protocol establish the communication channels and share the 2FA secret keys. During this phase, the user registers a username and a password with the server, as the first authentication factor. The server and the device agree on a secret key (typically picked by the server and transferred to the device manually or by scanning a QR Code), which will be used later to generate one-time PINs. The server stores the user’s state (e.g., hash of the password and the secret key) and the device stores the secret key associated with the user account on the server. The client does not store any state during this phase.

Authentication

The “authentication phase” through which the parties interact to securely authenticate the user to the server. During this phase, the registered username and password are used as the first factor, and the server displays a unique identifier to the user through the client machine (e.g., on the login webpage). The user specifies the server name on the device and inputs the identifier, which consequently sends the identifier and a PIN to the server to prove the presence of the device.

Entering the identifier indicates that the user has diligently approved the submission of the PIN. Besides, the uniqueness of the identifier helps the server to distinguish between two concurrent sessions and binds the received PIN to the associated session. Upon receiving the authentication information, the server verifies the password and the PIN, and authenticates the user’s session associated with the identifier.

During the authentication process, the server keeps a temporary record of all active sessions and identifiers.

3.3 Design Goals

The overall goal of the system is to securely authenticate a user to a service using two authentication factors that are known (i.e., password) and owned by the user (i.e., a device generating a one-time PIN). An attacker with access to only one of the two factors cannot authenticate to the system without launching an online guessing attack on the other. From a usability perspective, we expect the system to offer a high level of usability (at least comparable to that of traditional PIN-2FA or perhaps higher since the identifier unlike PIN is not a secret, and hence can be short and simple).

3.3.1 Security Goals

We consider various ways in which the system could be attacked: any of the entities could be compromised or the channels connecting them. We model the attacks with the help of a (computationally-bounded) attacker . The primary goal of is to get access to a user ’s account.

Client compromise

An attacker compromises a client from which logs into , and learns ’s password. Even with this knowledge, it should be infeasible for to get access to ’s account (assuming the registered device is not compromised).

could also try to log in at the same time as . In other words, it may be able to run authentication sessions with the server concurrently with the user. Even when it can do so, it should remain infeasible to get into ’s account. (Here, we will assume that does not make any mistake entering the displayed identifier on her device.)

Device compromise

An attacker compromises a user ’s device , which enables it to control the device fully. In particular, is able to authenticate to (if needed) and get access to any secret information stored on the device (directly or otherwise). We want that does not gain any knowledge of ’s password as a result of this. Specifically, could only attack by guessing her password in an online manner.

Channel compromise

Even when none of the entities in the system (client, device, or server) are under attack, an adversary could have control over the channels connecting them. It may just eavesdrop on the channels passively, or could modify/censor the traffic actively. Irrespective of how powerful is, we want to make sure that it does not gain any advantage over attackers who have no access to the channels.

Attacks on third parties

As we have seen several times, there are three main entities in a 2FA system: client, device and server. Several 2FA schemes, however, introduce additional entities like a 2FA service provider. We can either trust these other entities or study how the security of the system is affected when they are targeted by attackers. The attacks could be targeted at the entities themselves or the channels connecting them with others. As a result, analyzing the security of the system becomes substantially more complex. Therefore, we want to design a system that does not introduce any other entities beyond the three main ones. Such a system would keep the attack surface low.

User negligence

Users can be negligent sometimes, granting access to others unintentionally. We would like the 2FA scheme to make such oversights harder for users.

Parties. The protocol runs between a user (who knows a password and owns a device), and a server, through a client machine. The four parties involved in the protocol are: Server offering a service to authorized registered users. User who attempts to register an account with or seek an authorized access to the service offered by . Client using which submits a registration or access request to . Device which is a user personal device (e.g., smartphone) used in the authentication process.   Parameters. The 2FA protocol is based on well-known password authentication and one-time PIN authentication mechanisms and has the following parameters. Password from a dictionary of size . Random secret 2FA key of size from . One-time password generator function computed as HMAC, where is a time reference for TOTP or a counter reference for HOTP algorithm. Using this function, a one-time PIN is computed as , and optionally truncated to -bits. A temporary identifier chosen from a domain of size .   Registration. The registration protocol runs between the parties to register the user known by a username and a password with the service and to share the secret between and . One round of authentication protocol (detailed next) should be completed to ensure the success of the registration.   Authentication. The authentication protocol runs between the four parties to authenticate the user with the help of the shared secret parameters according to these steps: Step 1. On the Client establishes a secure authenticated channel with . Let be the common name for . enters and on . submits and to . Step 2. On the Server verifies . starts an authentication session timer . It picks a fresh from and sends it to , which is displayed to . Step 3. On the Device specifies and on and inputs the displayed . computes PIN. submits PIN and to . Step 4. On the Server verifies PIN (server may delay verification of till this point). accepts the authentication session associated with if PIN and are correct, and rejects the session otherwise. starts a timer to discard temporarily stored on successful/failed/expired authentication.

Figure 2: 2D-2FA registration and authentication protocols.

3.3.2 Usability and Deployability Goals

We attempt to make the system easy to be used and to be deployed:

Ease of use

After the initial setup, the system should be effortless for frequent use. Interaction of users with the system should be maintained at the minimum level required to achieve the security goals. A user with average technical background should be confident using the system if sufficient instructions are provided.

Easy integration

Client-side modification should not be required. Server-side modification should be minimal. Similar to traditional PIN-2FA, the server should just need to verify a password and a one-time PIN.

Universal compatibility

Users should be able to register devices with different input modes (touchscreen, camera, keypad, etc.) as the second factor.

4 2D-2FA Protocol

Figure 3: 2D-2FA registration overview.
Figure 4: 2D-2FA authentication overview.

In this section, we present the protocol description in Figure 2 and elaborate on the registration and authentication phases in Section 4.1 and 4.2, respectively.

4.1 Registration Protocol

A high level overview of the registration flow is shown in Figure 3. We provide some insight on the choices we made in designing the protocol to achieve our goals.

We assume that a user initiates the registration process from only one client at a time (no concurrent registration).222 The server can simply avoid concurrent registrations since only one registration per account is generally needed. However, the user may want to login to the same service from multiple clients (e.g., sharing files between two machines). Therefore, we do consider concurrent logins. During the process, she communicates with a server to register an account known by a username and authenticated by a password. Most of the services deploying two-factor authentication separate password registration from secondary device registration. In our protocol, we assume that the user registers the password and the secondary device during the same setup phase. However, as with other 2FAs, the user may enroll into two-factor authentication at any point after registering for password-only authentication.

The goal of the registration process is to store user’s state with the server, and share the secrets required to authenticate the user. Therefore, it is important to establish a secure communication channel. Since the registration is a one-time task, we can assume that all efforts are made to make the transfer of the secrets secure. For example, we may assume higher engagement from the user since the overall impact on user experience is negligible.

The transfer of the 2FA secret key from the server to the device can happen through the client and with the assistance of the user. For example, the client can display the secret received from the server (encoded into plain text or QR Code for example) and ask the user to input it on the device. In a similar way, the user can be asked to save some information about the server (e.g., the server domain name – also known as in our protocol) and herself (e.g., username, or account nickname – also known as in our protocol). This information is essential to distinguish between different services on the same personal device.

Once the 2FA secret key is transferred, one round of 2FA may be carried out to ensure the accurate transfer of information. A complete round of 2D-2FA consists of picking a unique identifier by the server, submitted to and displayed on the client for the user to transfer it to the device (e.g., by drawing a pattern on the device touch-screen). Once the device receives the identifier for a specific service, it computes a one-time PIN, and submits the PIN and the identifier to the server. If the PIN is correct, the server accepts the connection associated with the identifier.

4.2 Authentication Protocol

The high level authentication flow is shown in Figure 4 and the protocol is described in Figure 2. To avoid repetition, we do not discuss the protocol details here. Instead, we focus on the design choices.

To authenticate successfully to a service, a user inputs a username and password on a client, and copies an identifier displayed on the client to a registered device. The PIN is computed on the device and is transferred to the server automatically (unlike traditional PIN-2FA where the user inputs the PIN manually). Receiving the correct PIN proves that the user holds the device and has explicitly consented to the authentication process.

In Push-2FA systems, a similar user consent is provided by asking the user to approve or deny a message sent to her device. We believe that the user interaction in 2D-2FA is less prone to user errors compared to tapping an approve/deny button. Intuitively, the possibility of a neglectful user mistakenly accepting an attacker’s session by approving a notification message sent to the device for the attacker’s login attempt is higher than the user deliberately inputting an identifier that matches the one generated for the attacker’s session.

Figure 5: Role of identifiers in distinguishing concurrent sessions. We take the example of drawing patterns here.

Therefore, besides serving as a proof of consent, identifiers distinguish between concurrent sessions belonging to one user. Let us consider a user who tries to login to her account from multiple devices concurrently, for example, a smartphone and a laptop. Once the server receives an identifier, it compares the identifier with the list of identifiers that have been generated and displayed to the user, and accepts only the session associated with the received identifier. As an example, if the displayed identifier is the pattern for the smartphone and for the laptop, drawing only approves the smartphone session (see Figure 5). Now, if one of the concurrent sessions belongs to an attacker who is planning his/her login to occur concurrently with the user, it would be unlikely that the user draws the pattern belonging to the attacker’s session. Note that the uniqueness of identifiers applies to concurrent sessions belonging to the same user (). The same set of identifiers could be used for all users registered with a service and the same identifier might be issued simultaneously to multiple users.

In-use identifiers should not only be “unique” among all concurrent sessions, but also distinct enough with an optimal distance according to a “similarity metric”333In Appendix A, we define the “similarity metric” between two patterns according to the number of slips it takes to convert one pattern to another. A lower number of slips corresponds to a higher similarity metric. . The distance is important to minimize manual input errors that may lead to acceptance of an attacker’s session. For example, and are more similar compared to and , so the former has more room for user errors. Therefore, the server should not issue and for two concurrent sessions. This consideration is only valid if identifiers are input manually, for example by drawing a pattern or entering a numerical value. Human input errors are not relevant if more automated tools such as QR Codes scanning is used.

The “optimal distance” and “identifier uniqueness’ limit the number of identifiers that can be in-use. In addition to these two constraints, we should be mindful of the usability of manually inputting the identifier and restrict the identifiers to those that are easy to input (for example by restricting the identifier length), which could further limit the number of possible identifiers.

The communicated identifiers would of course not immediately be ready for future use, to avoid replay attacks as we explain next. 2FA systems usually allow the server to accept one or more PINs prior and after the current PIN to compensate for time drifts between the device and server. An attacker may replay a PIN and identifier within the time window considered for the time drift and succeed. Hence, we start a timer after completion or expiration of an authentication session. The timer runs for a duration greater than an acceptable time drift window. The communicated identifier will be ready for reuse once the timer matures. For example, assuming an allowable time drift of 60s backward and 60s forward, the identifier will be ready for reuse 120s after the completion/expiration of an authentication session that used the identifier.

A question that may arise is whether limiting the number of possible identifiers may give a DoS attacker the opportunity to open several concurrent sessions to mark all possible identifiers as in-use, and therefore, stop a legitimate user from logging in. Note that since typically the number of allowed concurrent logins for one user are not boundless (to avoid DoS and password guessing attacks), a limited number of in-use identifiers should not be problematic. The identifier domain size can be defined by the number of concurrent sessions that a service provider allows per each user. For example, for a server that allows only 100 simultaneous sessions for a user, a set of 100 identifiers should be sufficient since the 101 session is rejected by the service provider anyway (not due to lack of available identifiers but to avoid password guessing and DoS attacks).

5 Security Analysis

We analyze the security of 2D-2FA against the attacks described in Section 3.3.

Client compromise.

With ’s password, will clear the first hurdle of authentication with , and receive an identifier in return. To complete the authentication process, needs to provide a valid PIN corresponding to some ‘fresh value’ (a new value of time-stamp, new counter value, etc.). However, without knowledge of HMAC key, has negligible chance of doing so.

If can log in concurrently with , then the ‘fresh value’ could be the same for both (e.g., when TOTP is used). So a PIN sent from user device could also be a valid PIN for ’s session. However, there are two important things to note here. First, apart from the ‘fresh value’, identifier is also involved in PIN computation. Second, if logs in first (from ’s perspective) and its session has not expired, a different identifier is sent to (or, vice versa, if ’s logs in first and has an active session, a different identifier is sent to ). Therefore, even when and log in at about the same time, they receive different identifiers. As a result, the PIN sent by has negligible chance of being a valid PIN for ’s session.

Device compromise.

When the registered device is compromised, can get the hold of the HMAC secret key. Hence, it can generate PIN on any value of its choice. However, no information about ’s password is ever stored on —not even temporarily. So can only try to guess the password in an online manner.

Channel compromise.

Three different channels are used in the design of 2D-2FA: between and , between and , and between and . The first one is a secure channel, which cannot be compromised. The second one is a regular channel through . can eavesdrop on to observe the identifiers she inputs. The channel from to is also a regular channel. can gather (identifier, PIN) pairs from the channel, and use them later in any manner it pleases. To make the attack more severe, let us also assume that knows the first factor. (There is no point assuming that knows the HMAC key since spying on the channel would be meaningless.)

The analysis here is not very different from the first case above (client compromise). must generate a valid PIN on a ‘fresh value’ to successfully authenticate. This value would be different from the values corresponding to the PINs collected from the channel, unless those PINs were generated in about the same time frame as the attacker’s session and the values used to generate PINs are time-stamps (like in TOTP). When this is true, we can again rely on the fact that no two unexpired authentication sessions share the same identifier. Thus, even when a PIN on the channel corresponds to the same time-stamp that needs, it will correspond to a different identifier, making the task of PIN scraping on the device-server channel unfruitful.

User negligence.

Users can sometimes accidentally approve an attacker’s session. In the case of 2D-2FA, this could only happen when a user inputs an identifier that does not match with the one displayed to her, but it matches with the one given to the attacker. Depending on the type of identifier used, the frequency of such errors could be very small.

Attacks on third parties.

A central benefit of 2D-2FA is that it does not introduce new entities into the authentication infrastructure beyond the ones that are already well-established. In other 2FA schemes, one has to rely on one or more intermediaries between device and server to secure the communication between them. In our case, however, no special security property is needed for this channel. We just need the channel to deliver messages to the server.

5.1 Comparative Analysis

We use the framework of Bonneau et al. [bonneau2012quest] to compare 2D-2FA with Sound-Proof [karapanos2015sound], FBD-WF-WF [shirvanian2014two], FIDO U2F [u2f-tech-overview], PIN-2FA, and Push-2FA. The framework defines 25 properties framed as a diverse set of benefits and a methodology for comparative evaluation. We have borrowed from similar analyses done in prior work, and from the Sound-Proof paper [karapanos2015sound] in particular, but there are some differences.

A PIN-2FA scheme can be implemented in various ways. PINs can be delivered via SMS or voice, or generated on the device itself. Here, we consider PIN generation on the device through an app (like Google Authenticator [google-authenticator]) since SMS 2FA is deprecated [nist-sms-2fa]. For FIDO U2F, we assume a smart phone as the authenticator although other form factors such as security tokens are also possible.

In Table 1, for each 2FA method, we state whether the method offers the benefit or somewhat offers the benefit or does not offer the benefit at all. Here we summarize the results.

Usability Deployability Security
Scheme

Memorywise-Effortless

Scalable-for-Users

Nothing-to-Carry

Physically-Effortless

Easy-to-Learn

Efficient-to-Use

Infrequent-Errors

Easy-Recovery-from-Loss

Accessible

Negligible-Cost-per-User

Server-Compatible

Browser-Compatible

Mature

Non-Proprietary

Resilient-to-Physical-Observation

Resilient-to-Targeted-Impersonation

Resilient-to-Throttled-Guessing

Resilient-to-Unthrottled-Guessing

Resilient-to-Internal-Observation

Resilient-to-Leaks-from-Other-Verifiers

Resilient-to-Phishing

Resilient-to-Theft

No-Trusted-Third-Party

Requiring-Explicit-Consent

Unlinkable

Sound-Proof
FBD-WF-WF
FIDO U2F
PIN-2FA
Push-2FA
2D-2FA
Table 1: Comparison of 2D-2FA against Sound-Proof [karapanos2015sound], FBD-WF-WF [shirvanian2014two], FIDO U2F [u2f-tech-overview], PIN-2FA, and Push-2FA using the framework of Bonneau et al. [bonneau2012quest]. We use to denote that method offers the benefit and to denote that the method somewhat offers the benefit.
Usability.

Several usability benefits are offered at the same level by all the methods. None of the methods are Memorywise-Effortless, Scalable-for-Users, or Physically-Effortless because they do not replace passwords. The benefit Nothing-to-Carry is somewhat offered because a common device like smartphone can be used as the second factor. In terms of being Easy-to-Learn, Infrequent-Errors, and Easy-Recovery-from-Loss, all the methods are roughly the same. While most methods are Efficient-to-Use, PIN-2FA is only somewhat efficient because one has to copy PINs manually. With 2D-2FA, one can use QR codes, patterns, etc. to keep the authentication time short.

Deployability.

Except PIN-2FA, all the methods are Accessible because users have to do little beyond typing passwords. The cost per user for all the methods is negligible because users carry a secondary factor like smartphones anyway. None of the methods are server compatible as the provider needs to handle something other than passwords. Apart from FIDO U2F and FBD-WF-WF, none of the methods require any changes to the client, so they are browser compatible. In terms of maturity, FIDO U2F, PIN-2FA, and Push-2FA are very mature technologies. All the methods are non-proprietary.

Security.

To be Resilient-to-Physical-Observation, an attacker should not be able to impersonate a user after observing them authenticate one or more times. Various types of attacks are included here like shoulder surfing, filming the keyboard, recording keystroke sounds, etc. Sound-Proof does not provide this benefit because it suffers from co-location attacks. FBD-WF-WF and PIN-2FA do not provide it either because they are vulnerable to shoulder-surfing attacks. To be Resilient-to-Targeted-Impersonation, an acquaintance should not be able to impersonate a specific user by exploiting knowledge of personal details like date of birth. All the methods provide this benefit somewhat only because victim’s personal details could be used for (fake) account recovery.

Most of the schemes do not provide the benefit Resilient-to-Internal-Observation because PIN is transferred through the client machine. On the contrary, in both Push-2FA and 2D-2FA, users do not input anything beyond passwords on the client. In Push-2FA, users approve or reject notifications on the registered device and, in 2D-2FA, they input identifiers on the device.

Apart from FIDO, none of the methods are resilient to phishing attacks. FIDO provides security against phishing by including the origin address in the signed tokens. While most of the methods do not rely on trusted third parties, Push-2FA usually does. All the methods are unlinkable because the authenticators (PINs, identifiers, etc.) cannot be linked across multiple providers.

6 System Implementation

As a proof of concept, we designed and developed a web-based authentication service. We developed the server side scripts running on a Macbook Pro Mojave 10.14.5 with 2.9 Intel Core i7 processor and 16 GB 2133 MHz memory. The 2FA application was developed in Java for Android on a Huawei Honor 7X smartphone with Kirin 659 processor and 3GB memory.

6.1 Choice of Identifier

2D-2FA relies on the user to copy the identifier displayed on the client to their device to confirm the association of the client-server authentication session with the device-server session. Identifier values could have a short textual or graphical representation (e.g., few-digit number, letters, a short phrase). To reduce the users’ cognitive load we suggest using common input methods. In our implementation, we considered patterns and QR Codes, and from now on we refer to them as PT-2D-2FA and QR-2D-2FA respectively.

Figure 6: Fourgram patterns on a 3 3 grid and their numerical representations, used in our implementation.

Pt-2d-2fa

We assume the user owns a device with a touchscreen or a keypad but not a camera (e.g., a smartwatch). For such devices we recommend representing identifiers as patterns, similar to the one used in Android pattern lock. Several studies have shown convenience of this method [von2013patterns, schloglhofer2012secure, andriotis2016study, micallef2015aren]. Pattern lock screen is a n n grid of dots on which the user can draw patterns by connecting some number of dots with straight directional lines. We can interpret a pattern numerically too by assigning a number to each dot. Therefore, users can also input identifiers using a simple keypad, which could be helpful in case their device only comes a keypad and not a touchscreen.

To reduce pattern complexity, we selected fourgram patterns on a 3x3 grid with the upper-left corner as the starting point to match the user’s preferred starting point [tupsamudre2018tinpal, loge2016user]. To minimize false accepts and false rejects, patterns in the dictionary were selected such that the distance between any two is at least 2, i.e., at least two connecting lines differ between them. In Appendix A, we provide more details on choosing the right patterns.

Figure 6 shows the collection of patterns used in our implementation and evaluation, and their numerical representations with upper-left dot labeled as 1 and the lower-right dot labeled as 9.

Qr-2d-2fa

In addition to touchscreen or keypad, a device may also have a camera using which one can scan identifiers encoded as QR Codes. Such a device can naturally support patterns and digits as well. QR Code scanning is a semi-automated input method (user only scans the code) and is therefore efficient and has a low error rate. QR Codes are extensively used in 2FA applications for enrollment and authentication. Many 2FA systems encode 2FA secret in a QR Code and ask users to scan it using their phone during the enrollment [qrqws, qrzoom, qrduo]. Others have used QR Code as part of the authentication process. For example, in [ndss-2014], a challenge message is encoded as a QR Code to be transferred to the device from the client. The PIN is computed as a function of the challenge and encoded into QR Code to be scanned by the client. OpTFA [jareckitwo] uses QR Codes to establish an authenticated channel between the device and the client as part of the authentication process. Phoneauth [czeskis2012strengthening] suggests QR Codes to transfer session information from the client to the server through the device as part of their recovery process.

6.2 Server-side Scripts

The server runs a web service and keeps a database table (named users) of users’ credentials, including username, password, and 2FA secret key. The database also maintains a table of authentication sessions (named active_sessions) that records the issued , timestamp, and authentication status flag for each session.

For each authentication attempt, the web page receives the username and password from the user and navigates her to a second web page displaying one of the “available identifiers” in the dictionary444The secondary authentication factor is displayed regardless of the success or failure of password authentication to resist password guessing attacks.. For each user, available identifiers are those identifiers in the dictionary that are not in use by the current active sessions or had been communicated for previous completed authenticated session, but are not yet expired.

After communicating , the server makes a record entry in active_sessions table flagging as active. The server starts a timer session_timer for the active session and waits to receive a PIN and a . The session will terminate if session_timer expires.

On receiving the PIN and , the server computes the PIN and compares it with the one received. If the received PIN and password are correct, the server locates the right session corresponding to the received and authenticates the user by displaying a success message. If either the password or PIN are incorrect or does not match any of the identifiers issued, the server would abort the protocol and displays an authentication failed message.

Once the authentication succeeds, fails, or times out, the server flags in the active_sessions table as succeeded, failed, or timed-out and starts a expiration timer identifier_timer. The identifier is removed from the active_sessions when identifier _timer expires and will be available for reuse.

Timer

A few notes on the timer:

  • Each PIN is generated for a time-slice of 30 seconds as per RFC6238 suggestion.

  • Each PIN is validated on the server against the current time-slice and four further validations for two time-slice backward and two time-slice forward to allow for clock drifts between the device and the server.

  • session_timer starts on the server as soon as an identifier is communicated. On expiration of the timer the authentication fails. This timer limits the time a user can complete an authentication session. This timer can extend to few minutes for usability purposes. There is no security implication on the length of the timer. This timer is set only to make sure an identifier is not occupied indefinitely.

  • identifier_timer starts on the server as soon as an authentication is completed (succeeded, failed, or timed-out). On expiration of the timer the identifier is removed from the active_sessions table and is available for reuse. This timer ensures that a identifier is not repeated early enough for an attacker to replay a valid PIN.

6.3 2FA Android Application

We developed an Android application for both PT-2D-2FA and QR-2D-2FA variants. The registration process is similar to that of PIN-2FA, in which the user inputs the 2FA secret associated with an account (username@ server), either manually or by capturing a QR Code. During authentication, the user selects the account (if more than one account is registered on the 2FA app), and then inputs the identifier. In PT-2D-2FA, a 3 3 dot grid is shown on the app where the user can draw the pattern by connecting the dots with straight lines. The pattern is received by the application and is encoded into digits by assigning a number to each dot. In QR-2D-2FA, the app shows a QR Code scanning page. The user can scan the identifier displayed on the webpage as a QR Code. The QR Code is decoded and passed to PIN generation function. We used Google Mobile Vision Barcode API to deploy QR Code scanning functionality.

The PIN generation function implementation has forked a simple implementation of TOTP in Java [2facode] with several modifications to allow the use of other hash functions and PIN length, and to incorporate the pattern in the PIN computation. PIN along with the pattern is submitted to the server as an HTTP POST request.

Our approach assumes that the device can connect to the server (e.g., over the internet). But in case the device loses connectivity, we can fall back to a PIN-2FA like method. After the user inputs the identifier on the device, the computed PIN will be displayed to her. She can manually copy the PIN to the client terminal, which would then be transferred to the server.

6.4 PIN Generation & Validation Function

Our implementation of the PIN generation function is developed on top of TOTP [totp] with several modifications as will be discussed here. We compute HMAC-SHA256 of concatenated with the Unix timestamp (in 30-second time-slice intervals) using a 128-bit 2FA secret key as the HMAC key. The HMAC output of size 256bit is considered as the PIN.

To compensate for possible time drifts between the server and the device, and any computation or communication delays, the received PIN would be verified by the server if it matches any of the PINs generated on the current time-slice and two time-slices, before and after the current time-slice.

Some of the design choices in our PIN generation implementation are not in compliance with common industrial deployments since their choices might have been deprecated or other secure replacements might be available. For example, SHA1 suggested in [totp] had been attacked in theory and practice and is announced deprecated by NIST. Similarly, 6-digit PIN was adopted for easier manual copying by the users. Since, 2D-2FA automates the PIN transfer we can increase the PIN length. For PIN-2FA method evaluated in our usability study (Section 7) we considered the common deployment with SHA1 and 6-digit PIN to match Google Authenticator app.

7 Usability Study

7.1 Study Setup

To evaluate usability of 2D-2FA, we ran a user study with 30 participants. We studied our PT-2D-2FA and QR-2D-2FA as well the commonly used PIN-2FA for comparison. The hypothesis is that 2D-2FA is at least as usable as PIN-2FA while providing higher lever of security and efficiency. Although patterns can be read and input in their numerical representation, we did not study this due to its similarity to PIN-2FA.

The study was performed in-person in a controlled environment and the recruitment was through word of mouth. Given the COVID-19 pandemic and work-from-home situation, we met no more than 2 participants at a time, at their place of choice (examiners’ homes, participants’ home, or an outdoor area). Common safety practices including face masks, social distancing, and sanitization were followed. The user study was discussed with our organization’s legal, privacy and finance teams to confirm ethical and privacy considerations. The study took about 30 minutes to complete for each participant and they were gifted a $25 amazon card for their time.

A laptop and a phone (same devices mentioned in Section 6) were handed over to the participants. The web-service and the database server were running on the laptop. The smartphone had the 2D-2FA app and the android version of Google Authenticator app installed. Internet connectivity was provided by a mobile hotspot on Verizon network. Timing information as well as the number of successful and failed attempts were recorded in a database for performance and error rate analysis. We used Google forms to present the study instructions and questionnaires, and to collect survey responses. All participants were given the same information about the study and three 2FA methods. To avoid influencing the participants, we did not disclose which one of the methods were designed by us.

The 2FA enrollment process is the same for all methods. It just involves copying the 2FA secret from the server to the device (through the client). Therefore, we evaluated the login process only. The first page of the study website was a simple username and password webpage. Upon entering username/password, the second step verification webpage was loaded. The second step webpage for PIN-2FA had a text box to enter the PIN. The participants were instructed to enter the PIN as shown on the Google Authenticator app. Entering the correct/incorrect PIN navigated them to a success/fail webpage. The second step webpage for PT-2D-2FA and QR-2D-2FA displayed a pattern and a QR Code, respectively, and waited for up to 30s for the PIN and identifier to be received from the device before navigating the user to the success or fail webpage.

Below, we outline the study flow.

Consent

First, the participants were informed that we intend to evaluate usability of three different 2FA systems. The participants were shown a consent form stating that personally identifiable data will not be collected and any recorded data will be kept confidential. Participation in the study was voluntary and the participants were given the option to withdraw from the study at any point if they did not feel comfortable with it.

Introduction

Participants were shown a short description of the three 2FA methods: PIN-2FA, PT-2D-2FA, and QR-2D-2FA, and instructions on how to use them.

Learning

We asked the participants to login to the study website for as many times as needed to get familiar with the three methods. To only estimate delay of the 2FA process, the username and password were pre-filled on the website in all the three cases.

Main task

Each participant was instructed to complete a login attempt to the study website for 10 times using each of the three methods. The ordering of the three methods was randomized to eliminate biases.

Survey Questions

For each of the three methods, we asked a total number of 18 5-point Likert questions. Specifically, we presented several statements (both with positive and negative weights) about each method and asked the participants to express their agreement/disagreement with the statement. The list of questions can be found in Appendix B. 10 out of the 18 statements were the standard System Usability Scale (SUS) [sus] questions that measure usability of any given system with respect to ease of use, learnability, and adoptability. The remaining 8 questions were designed to understand users’ perception of efficiency, security, accuracy, adoptability, and instructions and feedback. After these questions, we asked the participants which method they preferred and the reason for their preference. At the end of the study, the participants filled out a demographic information questionnaire.

7.2 Performance Evaluation

Operation Party Avg Time
PIN generation 0.03 ms
PIN verification 0.00 ms
Overall PT-2D-2FA , , 11.87 s
Overall QR-2D-2FA , , 5.12 s
Overall PIN-2D-2FA , , 4.59 s
Table 2: Execution time of different operations and the overall delay for the studied 2FA methods

To evaluate the performance of the operations, we executed the PIN generation on the device and the PIN verification on the server, and report on the execution time averaged over 100,000 iterations in Table 2. As shown in the table, the delay incurred by these operations seem to be negligible.

As part of the user study we measured the time it takes to complete the 2FA process, from the time the 2FA webpage is loaded to the time the PIN is verified. Therefore, it includes the user interaction delay, i.e., copying the PIN on the browser for PIN-2FA, drawing the pattern, or scanning the QR Code, as well as any computation and communication delay. The reported results are averaged over 300 attempts for each method. The delay for PIN-2FA was on average 11.87s a the standard deviation of 9.99. The delay for PT-2D-2FA was 5.12s with a standard deviation of 3.23, and the delay for QR-2D-2FA was slightly less with an average of 4.59s and a standard deviation of 3.10. The minimum delay to complete PIN-2FA, PT-2D-2FA, and QR-2D-2FA, was 4s, 2s, and 1s, respectively. The maximum delay was 64s for PIN-2FA, and no timeout was considered. The maximum delay was 24s and 27s for QR-2D-2FA and PT-2D-2FA, respectively, excluding the attempts that exceeded 30s and timed out. As expected, PIN-2FA has the highest delay among all for a 6 digit PIN, while both patterns and QR Codes are faster even though a longer PIN (256-bit) is transferred to the server.

Friedman statistical test showed that the difference between the delay is significant at with a -value and Chi-square . Further, Wilcoxon Signed-Rank test with Bonferroni correction and adjusted significance level of showed statistically significantly difference among all three pairs, with -value of between PIN and patterns, between PINs and QR Codes, and between patterns and QR Codes.

7.3 Error Rates

For all the three methods, we recorded the number of successful and failed attempts. The error rate was 3.4%, 2.4%, and 2.2% for, PIN-2FA, PT-2D-2FA, and QR-2D-2FA, respectively. PIN-2FA does not consider any timeout and accepts PINs generated for the current time-slice as well as two time-slices before and after the current one. Therefore, no timeout error was recorded and all errors were related to entering an incorrect PIN. In 2D-2FA methods, for which a 30s time-out was considered, we noted that all errors that occurred in PT-2D-2FA were for those attempts that exceeded 30s. In QR-2D-2FA, all but one error was related to expiration of the login session, and one error was due to an incorrect decoding of the QR Code (perhaps a failure in the QR Code scanning API).

Note that the reported errors contribute to False Reject Rate (FRR). We define FRR as the rate of errors in entering PIN, drawing a pattern, or scanning a QR Code, such that a valid login attempt by the user does not succeed. These errors might affect the usability of the system since the user needs to repeat the protocol. An equivalent of this type of error in Push-2FA is when the user taps on the reject button while in fact she is the one who initiated a login. It seems that by extending the expiry time of identifiers, the error rate could be reduced. We may also consider refreshing the identifiers and displaying a new identifier on the web-page when the session expires (rather than dropping the login attempt completely). This would be similar to the PIN being updated on the Google Authenticator app every 30s.

The fact that no error other that time-out occurred in the 2D-2FA method implies that the False Accept Rate (FAR) of the system is 0%. FAR is defined as the rate of error in drawing a pattern or scanning the QR Code such that a different but valid identifier in the dictionary is generated. Since this mistakenly captured identifier might be issued to an attacker’s authentication session, it may lead to acceptance of the attacker’s session and impacts the practical security of the system. An equivalent of this type of error in Push-2FA happens when the user taps on the accept button when she is not trying to login.

7.4 System Usability Questions

Figure 7: System Usability Scale and users’ perception of Efficiency, Security, Accuracy, Adoptability, and Feedback.
Sus

The average SUS for all the three methods was approximately 75, which translates to a system with "Good" and "Acceptable" usability. Precisely the SUS was 75.33 (std. dev. 17.19), 75.33 (std. dev. 13.37), and 75.08 (std. dev. 17.15), for PIN-2FA, PT-2D-2FA, and QR-2D-2FA, respectively. Friedman test did not show any statistically significant difference between these methods at significance level, and reported Chi-square and -value . The results of this part of the study are summarized in Figure 7.

While the SUS was similar among all participants, analyzing individual responses and the open-ended question about the participants’ preference showed that 10 participants preferred PIN, 8 participants found patterns to be their method of choice, and 12 participants preferred QR Codes. Importantly, 9 out of 10 participants who preferred PIN mentioned that they have used PIN for several years and are accustomed to it, while patterns and QR Codes are less familiar. Only 1 participant mentioned that she is very comfortable with memorizing numbers, and that is why she prefers this method over any other approach.

Majority of the participants who liked patterns mentioned that it is easier to remember than a PIN, it is "fun to use", and faster. All the 12 participants who preferred QR Code mentioned the speed and ease of use as the primary factor behind their choice. Given that our quantitative analysis shows that pattern and QR Codes have lower error rate and delay compared to PIN, we believe the users would be willing to adopt them if they get familiar with it.

Perception of Efficiency

Answer to 5-point Likert questions regarding the efficiency of the system (with 5 representing Strongly Agree and 1 representing Strongly Disagree) shows that users were leaning towards "strong agreement" with efficiency of 2D-2FA, with a score of 4.13 and 4.27 for patterns and QR Codes, respectively. This score was 3.60 for PIN, which shows that users did not feel PIN is as fast as the other two methods. No statistically significant difference was observed among the three methods using Friedman test that resulted in Chi-square and -value .

Perception of Security

We asked the participants about their perception of security of the method. The responses show that most participants felt PINs and QR Codes are more secure compared to patterns. The score was 4.15, 3.93, and 4.12, for PIN-2FA, PT-2D-2FA, and QR-2D-2FA, respectively. We informally asked the participants why they would assume that patterns are not as secure as the other two. Some of them felt that patterns are easy for someone else to observe and learn. Note that the participants were not informed about the protocol and the role of patterns. Therefore, they did not know that observing a pattern dose not help an attacker. Also they did not know that the pattern does not need to be complex or long for the system to be more secure. Friedman test did not show any statistically significant difference and resulted in Chi-square and -value .

Perception of Accuracy

In response to questions regarding accuracy of the system and the number of errors, participant were leaning more towards agreement than disagreement that the three methods have low error rate, with a score of 3.35, 3.27, 3.33, for PIN-2FA, PT-2D-2FA, and QR-2D-2FA, respectively. Even though the quantitative analysis showed the error rate to be higher for PIN-2FA in practice, the response to this question was more in favor of PIN-2FA. For this score also Friedman test did not show any statistically significant difference with Chi-square and -value .

Adoptability

In response to question about adoptability of the system, we noticed that the participants preferred to use QR Code the most if offered as a login system. The score for this question was 3.67, 3.33, 3.76, for PIN-2FA, PT-2D-2FA, and QR-2D-2FA, respectively. The rating was inline with the answer for the open ended question about preferred method. The Friedman test showed no statistically significant difference with Chi-square and -value .

Instruction and Feedback

We gave similar instructions about the three methods and the study web-site was the same for them. Our hypothesis was that the answer to the questions regarding the instructions and feedback would be similar for the three methods. The participants were more in agreement than disagreement that the system provided sufficient instructions and feedback, with a score of 3.80, 3.93, and 3.0, for PIN-2FA, PT-2D-2FA, and QR-2D-2FA, respectively. We believe the lower rating of QR Code is perhaps due to the fact that the user interaction was fast and semi-automated (only scanning the QR Code) and therefore the users could not notice the feedback on their phone. This is in contrast to PIN and pattern that require more involvement from users, giving them more opportunity to notice the details on the app. Running the Friedman test showed Chi-square and -value , which indicates no statistically significant difference.

7.5 Demographic Information

The demographic information is summarized in Figure 8. 10% of the participants were 55-64 years old, 33% were 35-44 years old and 57% were 25-34 years old. 53% of the 30 participants were male and 47% were female. 43% of the participants had a doctorate degree (in various fields, including, medical, art, science, and engineering), 40% had an MS, MEng, or MA degree, 13% had a BS or BA degree, and 4% had a high-school degree. 70% of the participants had an occupation related to technology, computer science, or computer engineering, while 30% were occupied in other domains like art, business, marketing, or healthcare. Majority of the participants declared they have excellent General Computer skills, while 16%, 10%, 0%, and 4% had good, average, poor, and very poor General Computer skills, respectively. Majority of the participants were familiar with PIN-2FA method, which might explain the SUS Scale of 75. 60% of the participants were extremely familiar with PIN-2FA, 26% were familiar with PIN-2FA, and the rest of the participants were equally, somewhat, slightly, or not at all familiar.

Gender Female: 47%, Male: 53%, Other: 0% Age 18-24: 0%, 25-34: 57%, 35-44: 33%, 45-54: 0%, 55-64: 10%, 65+: 0% Education Less than high school degree 0% High school degree or equivalent 4% Some college but no degree 0% Associate degree 0% Bachelor’s degree 13% Master’s degree 40% Doctorate degree 43% Computer Science Professional Yes 70% No 30% General Computer Skills Excellent 70% Very Good 16% Good 10% Fair 0% Poor 4% Familiarity with 2FA Extremely Familiar 60% Very Familiar 26% Somewhat Familiar 5% Slightly Familiar 5% Not at all Familiar 4%

Figure 8: Demographic Information

7.6 Study Limitations

Identifiers could be represented in various textual and graphical forms. We considered patterns and QR Codes in the study because they are common and user-friendly. One could consider other forms of identifiers too like short strings, etc. However, we believe that the current study is sufficient to show that 2D-2FA could offer a good level of usability. Also, we only considered smartphones as the second factor in the study, since they are more common compared to other smart devices. One might consider other form factors depending on the context, like a smartwatch.

8 Conclusion

We introduced a 2FA method, 2D-2FA, in which a one-time PIN is generated on the secondary factor and is transferred to the server directly for verification. To associate the PIN received from the device to an authentication session, the server sends a unique identifier to the client, which is displayed to the user on the login terminal and copied by the user to the device. The device incorporates the identifier in PIN computation and sends it to the server. The identifier also acts as a user approval of the ongoing authentication attempt. On receiving the PIN and the identifier, the server can authenticate the session for which the identifier has been issued by verifying the PIN. We define a comprehensive security model and show that 2D-2FA satisfies the security goals defined.

We considered two forms of identifiers (patterns and QR Codes), developed a proof of concept implementation, and conducted an in-person usability study. Our study shows that our system offers a higher accuracy and lower delay compared to PIN-2FA method. Our study also indicates that the system usability (SUS = 75) and user’s perception of efficiency, security, and accuracy is high and comparable to the well-known PIN-2FA. Since 75% of the participants preferred our method over PIN-2FA, we believe that not only is our system secure but it would also be adoptable in practice.

References

Appendix

Appendix A Building the Right Pattern Dictionary

We should consider several factors in selecting patterns as discussed below.

Pattern Length

While the set of patterns could consist of various lengths, we prefer to restrict the pattern length to a fixed number to detect drawing mistakes [von2013patterns], such as addition or deletion of a connecting line. For example, if the pattern length is 4, for a sample pattern “1234”, errors such as “123” (aborting) or “12345” (addition) would be detected and possibly reversed. The length 4, creates 1624 valid patterns [sun2014dissecting], which is a generously large domain size for our application.

Pattern Usability Measure

The strength and complexity of a pattern is defined by metrics like pattern length, starting point, direction, symmetry, crosses and knight moves, familiar patterns such as alphabet and numbers, etc. When patterns are used for authentication, more complex patterns are preferred due to the predictability factor. For example, a majority of users select a starting position on the upper row and a right-to-left/up-to-down direction [loge2016user]. Therefore, these two choices reduces the pattern complexity, which is not a desirable security characteristic for authentication application. However, in 2D-2FA, we emphasize the usability of the pattern and, therefore, less complex and even predictable patterns are preferred.

Similarity Metric

While patterns are perceived to be usable (please refer to Section 7), the error rates are shown to be higher compared to PIN entry [von2013patterns, harbach2016anatomy]. Some of these errors reported in prior work are related to memorability of patterns (i.e., recalling a previously picked pattern for authentication). Memorability errors are not applicable to our application since we present a fresh pattern for each session and ask the user to draw the pattern as displayed on the screen.

However, other type of errors, referred to as slip errors [von2013patterns], might not only affect usability of the system by increasing the false rejection, but they may also increase the false accepts if the user accidentally draws the pattern associated with an attacker’s session. For example, by just one wrong connecting line, pattern “12365” would be changed to “12368”. If the two patterns are in the dictionary and one has been issued to the valid user and one to the attacker, the user’s mistake leads to acceptance of the attacker’s session.

We refer two patterns that can be converted to one another to be “similar” and rank the similarity based on the number of wrong connecting lines that could convert one to another. Therefore, the similarity metric between two patterns is defined as the number of connecting lines (insertion, deletion, replacement) needed to map one pattern to another. As mentioned earlier some mistakes, including deletion or aborting, and insertion can be avoided by fixing the length of the pattern. Other errors could be detected if the server avoids concurrently issuing similar patterns (those that may convert to one another with one or more errors) by running a similarity check. Since we can build the pattern set in advance, inclusion of similar patterns in the pattern dictionary can be avoided. This would reduce run-time overhead of similarity check on the server.

Appendix B Usability Study Questions

The response options were Strongly Disagree (1), Disagree (2), Neither agree not disagree (3), Agree (4), and Strongly Agree (5).

System Usability Scale.

  1. I think that I would like to use this system frequently.

  2. I found the system unnecessarily complex.

  3. I thought the system was easy to use.

  4. I think that I would need the support of a technical person to be able to use this system.

  5. I found the various functions in this system were well integrated.

  6. I thought there was too much inconsistency in this system.

  7. I would imagine that most people would learn to use this system very quickly.

  8. I found the system very cumbersome to use.

  9. I felt very confident using the system.

  10. I needed to learn a lot of things before I could get going with this system.

Perception of Efficiency.

I found login to the system to be fast.

Perception of Security.

I can trust this login method.

I found the login method to be secure.

Perception of Accuracy.

The number of unsuccessful attempts was high.

I found the system to have a reasonable low error rate.

Adoptability.

If this system is offered as a login I would prefer to use it.

Instruction and Feedback.

I found the instructions to be useful.

The system provided sufficient feedback when login attempt was successful or unsuccessful.