A Passwordless MFA Utlizing Biometrics, Proximity and Contactless Communication
Sneha Shukla, Gaurav Varshney, Shreya Singh, Swati Goel
TL;DR
This work tackles phishing and MITM threats by proposing a passwordless MFA that fuses real-time facial biometrics with proximity-based device ownership via BLE and NFC. The authors implement a prototype on BLE-NFC capable Android devices, model the protocol with formal verification (AVISPA), and evaluate usability, deployability, and security against the Bonneau framework. Key contributions include a two-device login workflow with secure token transfer, threat modeling, and evidence of practical performance and security guarantees. The approach leverages ubiquitous smartphone capabilities to reduce reliance on hardware tokens while aiming to withstand RT MITM, CR MITM, and MBE-based phishing, potentially enabling scalable, browser-agnostic passwordless authentication in real-world settings.
Abstract
Despite being more secure and strongly promoted, two-factor (2FA) or multi-factor (MFA) schemes either fail to protect against recent phishing threats such as real-time MITM, controls/relay MITM, malicious browser extension-based phishing attacks, and/or need the users to purchase and carry other hardware for additional account protection. Leveraging the unprecedented popularity of NFC and BLE-enabled smartphones, we explore a new horizon for designing an MFA scheme. This paper introduces an advanced authentication method for user verification that utilizes the user's real-time facial biometric identity, which serves as an inherent factor, together with BLE- NFC-enabled mobile devices, which operate as an ownership factor. We have implemented a prototype authentication system on a BLE-NFC-enabled Android device, and initial threat modeling suggests that it is safe against known phishing attacks. The scheme has been compared with other popular schemes using the Bonneau et al. assessment framework in terms of usability, deployability, and security.