Auth4App: Streamlining authentication for integrated cyber–physical environments

IF 3.8 2区 计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS Journal of Information Security and Applications Pub Date : 2024-06-01 DOI:10.1016/j.jisa.2024.103802
Vagner Ereno Quincozes , Rodrigo Brandão Mansilha , Diego Kreutz , Charles Christian Miers , Roger Immich
{"title":"Auth4App: Streamlining authentication for integrated cyber–physical environments","authors":"Vagner Ereno Quincozes ,&nbsp;Rodrigo Brandão Mansilha ,&nbsp;Diego Kreutz ,&nbsp;Charles Christian Miers ,&nbsp;Roger Immich","doi":"10.1016/j.jisa.2024.103802","DOIUrl":null,"url":null,"abstract":"<div><p>The growing integration of mobile applications for user authentication has revolutionized user interactions with digital platforms, offering novel possibilities in user experience (UX). However, this paradigm shift poses significant security challenges. Leveraging smartphones for authentication purposes provides convenient and swift access to services, streamlining user interactions with various platforms through simple taps. Several institutions adopt static QR Codes generated from primary, unchanging user data (e.g., individual citizen national identification numbers) for physical authentication procedures like access turnstiles. However, relying on static data introduces critical security vulnerabilities as this data is susceptible to compromise. Implementing an One-Time Authentication Code (OTAC) approach appears promising in addressing these issues. Nevertheless, the absence of an integrated solution for developing a physical authentication process using OTAC leads to suboptimal API user experiences (UX APIs) and subsequent security vulnerabilities. In response to this challenge, we introduce Auth4App, a protocol set designed for identification and authentication using mobile applications. Auth4App comprises two core protocols: one dedicated to linking user credentials to mobile devices (i.e., identification), and the other for generating OTAC. We showcase the adaptability and practicality of Auth4App through three distinct case studies: a mobile-only scenario, integration of mobile devices with a turnstile, and integration of Auth4App with FIDO2. To ensure the robustness of the security protocols, Auth4App is evaluated using automated verification tools and argument proofs, solidifying the system’s reliability.</p></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"83 ","pages":"Article 103802"},"PeriodicalIF":3.8000,"publicationDate":"2024-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Security and Applications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2214212624001054","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

Abstract

The growing integration of mobile applications for user authentication has revolutionized user interactions with digital platforms, offering novel possibilities in user experience (UX). However, this paradigm shift poses significant security challenges. Leveraging smartphones for authentication purposes provides convenient and swift access to services, streamlining user interactions with various platforms through simple taps. Several institutions adopt static QR Codes generated from primary, unchanging user data (e.g., individual citizen national identification numbers) for physical authentication procedures like access turnstiles. However, relying on static data introduces critical security vulnerabilities as this data is susceptible to compromise. Implementing an One-Time Authentication Code (OTAC) approach appears promising in addressing these issues. Nevertheless, the absence of an integrated solution for developing a physical authentication process using OTAC leads to suboptimal API user experiences (UX APIs) and subsequent security vulnerabilities. In response to this challenge, we introduce Auth4App, a protocol set designed for identification and authentication using mobile applications. Auth4App comprises two core protocols: one dedicated to linking user credentials to mobile devices (i.e., identification), and the other for generating OTAC. We showcase the adaptability and practicality of Auth4App through three distinct case studies: a mobile-only scenario, integration of mobile devices with a turnstile, and integration of Auth4App with FIDO2. To ensure the robustness of the security protocols, Auth4App is evaluated using automated verification tools and argument proofs, solidifying the system’s reliability.

查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
Auth4App:简化集成网络物理环境的身份验证
越来越多的移动应用集成了用户身份验证功能,彻底改变了用户与数字平台的交互方式,为用户体验(UX)提供了新的可能性。然而,这种模式的转变也带来了巨大的安全挑战。利用智能手机进行身份验证可以方便快捷地访问服务,通过简单的点击简化用户与各种平台的交互。一些机构采用由基本的、不变的用户数据(如公民个人身份证号码)生成的静态 QR 码来进行实体身份验证程序,如进入旋转栅门。然而,依赖静态数据会带来严重的安全漏洞,因为这些数据很容易被泄露。采用一次性验证码(OTAC)方法似乎有望解决这些问题。然而,由于缺乏使用 OTAC 开发物理身份验证流程的集成解决方案,导致 API 用户体验(UX API)不尽人意,并随之产生安全漏洞。为了应对这一挑战,我们推出了 Auth4App,这是一套专为使用移动应用程序进行身份识别和验证而设计的协议。Auth4App 包含两个核心协议:一个用于将用户凭证与移动设备相连(即识别),另一个用于生成 OTAC。我们通过三个不同的案例研究展示了 Auth4App 的适应性和实用性:纯移动场景、移动设备与旋转栅门的集成以及 Auth4App 与 FIDO2 的集成。为确保安全协议的稳健性,我们使用自动验证工具和论据证明对 Auth4App 进行了评估,从而巩固了系统的可靠性。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
Journal of Information Security and Applications
Journal of Information Security and Applications Computer Science-Computer Networks and Communications
CiteScore
10.90
自引率
5.40%
发文量
206
审稿时长
56 days
期刊介绍: Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.
期刊最新文献
Fed-LSAE: Thwarting poisoning attacks against federated cyber threat detection system via Autoencoder-based latent space inspection Lightweight privacy-preserving authenticated key agreements using physically unclonable functions for internet of drones BCRS-DS: A Privacy-protected data sharing scheme for IoT based on blockchain and certificateless ring signature Privacy-preserving verifiable fuzzy phrase search over cloud-based data Robust coverless video steganography based on pose estimation and object tracking
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1