Security Levels for Web Authentication Using Mobile Phones Anna - - PDF document

▶

Aug 26, 2023 161 likes •224 views

2010-08-13 Security Levels for Web Authentication Using Mobile Phones Anna Vapen and Nahid Shahmehri Linkping University IDA/ADIT PrimeLife Summer School 2010 1 Agenda Problems with web authentication Mobile phones in

SLIDE 1

2010-08-13 Linköpings universitet 1

Security Levels for Web Authentication Using Mobile Phones

Anna Vapen and Nahid Shahmehri

Linköping University – IDA/ADIT PrimeLife Summer School 2010

Agenda

Problems with web authentication
Mobile phones in authentication
Security levels
Our approach: Using security levels for evaluation and design
f mobile phone authentication
Conclusions and future work

SLIDE 2

2010-08-13 Linköpings universitet 2

Problems with Web Authentication

Passwords are insecure
Eavesdropping
Key loggers
Passwords are valuable
Hardware devices for strong authentication
Distribution
Availability
The mobile phone – a non-dedicated device

Mobile Phones in Authentication

Long-range channels Short-range channels Local computer Remote server

SLIDE 3

2010-08-13 Linköpings universitet 3

NIST Security Levels for Authentication

Level 1: Lowest level. No identity proof.
Level 2: Single factor authentication.
No replay attacks
No eavesdropping
Level 3: Multi factor authentication.
No MiTM attacks
Possible to lock the device
Level 4: Highest level. Requires secure hardware.

Security Levels + Other Factors

Level 1: Lowest level. No identity proof.
Level 2: Single factor authentication.
Level 3: Multi factor authentication.
Level 4: Highest level. Requires secure hardware.

Availability Usability

SLIDE 4

2010-08-13 Linköpings universitet 4

Design and Evaluation Method

Design: Start with a security level Evaluation: Start with a solution

1. Authentication methods 2. Locking methods 3. Eavesdropping 4. Man-in-the-Middle-attacks 5. Other factors 6. Conclusion: Solution or level

Conclusions and Future Work

Evaluation and design method for web authentication with

mobile phones

Future work:
Include protocols and hardware modules
Add new factors
Adapt the method for different services
Let the user switch security level

SLIDE 5

Security Levels for Web Authentication Using Mobile Phones Anna - - PDF document

2010-08-13 Linköpings universitet 1

Security Levels for Web Authentication Using Mobile Phones

Anna Vapen and Nahid Shahmehri

Agenda

2010-08-13 Linköpings universitet 2

Problems with Web Authentication

Mobile Phones in Authentication

Long-range channels Short-range channels Local computer Remote server

2010-08-13 Linköpings universitet 3

NIST Security Levels for Authentication

Security Levels + Other Factors

Availability Usability

2010-08-13 Linköpings universitet 4

Design and Evaluation Method

Design: Start with a security level Evaluation: Start with a solution

1. Authentication methods 2. Locking methods 3. Eavesdropping 4. Man-in-the-Middle-attacks 5. Other factors 6. Conclusion: Solution or level

Conclusions and Future Work

mobile phones

2010-08-13 Linköpings universitet 5

Any questions?