Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Asynchronous Authentication

Marwa Mouallem, Ittay Eyal

TL;DR

It is presented an algorithm for finding approximately optimal mechanisms by leveraging the problem structure to reduce complexity by orders of magnitude and revealed two surprising results: Accurately incorporating easily-lost credentials improves cryptocurrency wallet security by orders of magnitude and novel usage of security questions improves authentication security for online services.

Abstract

A myriad of authentication mechanisms embody a continuous evolution from verbal passwords in ancient times to contemporary multi-factor authentication. Nevertheless, digital asset heists and numerous identity theft cases illustrate the urgent need to revisit the fundamentals of user authentication. We abstract away credential details and formalize the general, common case of asynchronous authentication, with unbounded message propagation time. Our model, which might be of independent interest, allows for eventual message delivery, while bounding execution time to maintain cryptographic guarantees. Given credentials' fault probabilities (e.g., loss or leak), we seek mechanisms with the highest success probability. We show that every mechanism is dominated by some Boolean mechanism -- defined by a monotonic Boolean function on presented credentials. We present an algorithm for finding approximately optimal mechanisms. Previous work analyzed Boolean mechanisms specifically, but used brute force, which quickly becomes prohibitively complex. We leverage the problem structure to reduce complexity by orders of magnitude. The algorithm is readily applicable to practical settings. For example, we revisit the common approach in cryptocurrency wallets that use a handful of high-quality credentials. We show that adding low-quality credentials improves security by orders of magnitude.

Asynchronous Authentication

TL;DR

It is presented an algorithm for finding approximately optimal mechanisms by leveraging the problem structure to reduce complexity by orders of magnitude and revealed two surprising results: Accurately incorporating easily-lost credentials improves cryptocurrency wallet security by orders of magnitude and novel usage of security questions improves authentication security for online services.

Abstract

A myriad of authentication mechanisms embody a continuous evolution from verbal passwords in ancient times to contemporary multi-factor authentication. Nevertheless, digital asset heists and numerous identity theft cases illustrate the urgent need to revisit the fundamentals of user authentication. We abstract away credential details and formalize the general, common case of asynchronous authentication, with unbounded message propagation time. Our model, which might be of independent interest, allows for eventual message delivery, while bounding execution time to maintain cryptographic guarantees. Given credentials' fault probabilities (e.g., loss or leak), we seek mechanisms with the highest success probability. We show that every mechanism is dominated by some Boolean mechanism -- defined by a monotonic Boolean function on presented credentials. We present an algorithm for finding approximately optimal mechanisms. Previous work analyzed Boolean mechanisms specifically, but used brute force, which quickly becomes prohibitively complex. We leverage the problem structure to reduce complexity by orders of magnitude. The algorithm is readily applicable to practical settings. For example, we revisit the common approach in cryptocurrency wallets that use a handful of high-quality credentials. We show that adding low-quality credentials improves security by orders of magnitude.
Paper Structure (42 sections, 13 theorems, 2 equations, 6 figures, 1 table, 5 algorithms)

This paper contains 42 sections, 13 theorems, 2 equations, 6 figures, 1 table, 5 algorithms.

Table of Contents

  1. Introduction
  2. Related Work
  3. Model
  4. Asynchronous Authentication
  5. Mechanism Success
  6. Maximal Mechanisms
  7. Domination by Boolean Mechanisms
  8. Step template
  9. One-shot Mechanisms
  10. Credential-based mechanisms
  11. Deterministic mechanisms
  12. Boolean mechanisms
  13. Any mechanism is dominated by a Boolean one
  14. Monotonic Boolean Mechanisms are Maximal
  15. Probabilistic Analysis
  16. ...and 27 more sections

Key Result

Lemma 1

Let $\sigma$ be a scenario and let $M$ be a mechanism successful in $\sigma$. Then, for all executions of $M_\textit{OS}\xspace(M)$ in scenario $\sigma$ in which the function $\textit{step}_{M_\textit{OS}\xspace(M)}({\cdot})\xspace$ receives a message from the attacker for the first time, either the

Figures (6)

  • Figure 1: Probability of scenarios for $n$ credentials and different probabilities.
  • Figure 2: Failure probability vs. credentials number. Comparing our algorithm to previous methods: exhaustive search, genetic algorithm, and guessing a symmetric mechanism.
  • Figure 3: Runtime of the algorithm as a function of the number of credentials for different fault probabilities with $\delta=10^{-5}$.
  • Figure 4: Failure probability harnessing easy-to-lose credentials. Weak: $P^\textit{leak}\xspace=0, P^\textit{loss}\xspace =0.3$, regular: $P^\textit{leak}\xspace = P^\textit{loss}\xspace=0.01$.
  • Figure 5: Failure probability harnessing easy-to-leak credentials. Weak: $P^\textit{leak}\xspace=0.3, P^\textit{loss}\xspace =0$, regular: $P^\textit{leak}\xspace = P^\textit{loss}\xspace=0.01$.
  • ...and 1 more figures

Theorems & Definitions (36)

  • Definition 1: Credential
  • Definition 2: Authentication mechanism
  • Definition 3: Strategy
  • Definition 4: Mechanism success
  • Definition 5: Profile cryptoeprint:2022/1682
  • Definition 6: Asynchronous authentication
  • Definition 7: Mechanisms order
  • Definition 8: One-shot mechanism
  • Lemma 1
  • Proposition 1
  • ...and 26 more