Symbolon: Enabling Flexible Multi-device-based User Authentication

Thalia Laing; Eduard Marin; Mark D. Ryan; Joshua Schiffman; Gaetan Wattiau

doi:10.1109/DSC54232.2022.9888854

Symbolon: Enabling Flexible Multi-device-based User Authentication

Thalia Laing, Eduard Marin^*, Mark D. Ryan, Joshua Schiffman, Gaetan Wattiau

^*Corresponding author for this work

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Hardware tokens are increasingly used to support second-factor and passwordless authentication schemes. While these devices improve security over weaker factors like passwords, they suffer from a number of security and practical issues. We present the design and implementation of Symbolon, a system that allows users to authenticate to an online service in a secure and flexible manner by using multiple personal devices (e.g., their smartphone and smart watch) together, in place of a password. The core idea behind Symbolon is to let users authenticate only if they carry a sufficient number of their personal devices and give explicit consent. We use threshold cryptography at the client side to protect against strong adversaries while overcoming the limitations of multi-factor authentication in terms of flexibility. Symbolon is compatible with FIDO servers, but improves the client-side experience compared to FIDO in terms of security, privacy, and user control. We design Symbolon such that the user can (i) authenticate using a flexible selection of devices, which we call 'authenticators'; (ii) define fine-grained threshold policies that enforce user consent without involving or modifying online services; and (iii) add or revoke authenticators without needing to generate new cryptographic keys or manually (un)register them with online services. Finally, we present a detailed design and analyse the security, privacy and practical properties of Symbolon; this includes a formal proof using ProVerif to show the required security properties are satisfied.

Original language	English
Title of host publication	2022 IEEE Conference on Dependable and Secure Computing (DSC)
Publisher	Institute of Electrical and Electronics Engineers (IEEE)
Number of pages	12
ISBN (Electronic)	9781665421416
ISBN (Print)	9781665421423 (PoD)
DOIs	https://doi.org/10.1109/DSC54232.2022.9888854
Publication status	Published - 26 Sept 2022
Event	5th IEEE Conference on Dependable and Secure Computing, DSC 2022 - Edinburgh, United Kingdom Duration: 22 Jun 2022 → 24 Jun 2022

Publication series

Name	IEEE Conference on Dependable and Secure Computing
Publisher	IEEE

Conference

Conference	5th IEEE Conference on Dependable and Secure Computing, DSC 2022
Country/Territory	United Kingdom
City	Edinburgh
Period	22/06/22 → 24/06/22

Bibliographical note

Funding Information:
Mark Ryan gratefully acknowledges his appointment as HP Research Chair generously supported by HP Labs. We also gratefully acknowledge financial support from EPSRC under grants EP/V000454/1 (CAP-TEE: Capability Architectures for Trusted Execution); EP/S030867/1 (SIPP - Secure IoT Processor Platform with Remote Attestation); and EP/R012598/1 (User-controlled hardware security anchors: evaluation and designs).

Publisher Copyright:
© 2022 IEEE.

Keywords

authentication
FIDO
proverif
signatures
threshold cryptography

ASJC Scopus subject areas

Computer Networks and Communications
Information Systems and Management
Safety, Risk, Reliability and Quality

Access to Document

10.1109/DSC54232.2022.9888854

Cite this

Laing, T., Marin, E., Ryan, M. D., Schiffman, J., & Wattiau, G. (2022). Symbolon: Enabling Flexible Multi-device-based User Authentication. In 2022 IEEE Conference on Dependable and Secure Computing (DSC) Article 9888854 (IEEE Conference on Dependable and Secure Computing). Institute of Electrical and Electronics Engineers (IEEE). https://doi.org/10.1109/DSC54232.2022.9888854

@inproceedings{69793a4db9eb4d50ab224a6d0288107d,

title = "Symbolon: Enabling Flexible Multi-device-based User Authentication",

abstract = "Hardware tokens are increasingly used to support second-factor and passwordless authentication schemes. While these devices improve security over weaker factors like passwords, they suffer from a number of security and practical issues. We present the design and implementation of Symbolon, a system that allows users to authenticate to an online service in a secure and flexible manner by using multiple personal devices (e.g., their smartphone and smart watch) together, in place of a password. The core idea behind Symbolon is to let users authenticate only if they carry a sufficient number of their personal devices and give explicit consent. We use threshold cryptography at the client side to protect against strong adversaries while overcoming the limitations of multi-factor authentication in terms of flexibility. Symbolon is compatible with FIDO servers, but improves the client-side experience compared to FIDO in terms of security, privacy, and user control. We design Symbolon such that the user can (i) authenticate using a flexible selection of devices, which we call 'authenticators'; (ii) define fine-grained threshold policies that enforce user consent without involving or modifying online services; and (iii) add or revoke authenticators without needing to generate new cryptographic keys or manually (un)register them with online services. Finally, we present a detailed design and analyse the security, privacy and practical properties of Symbolon; this includes a formal proof using ProVerif to show the required security properties are satisfied.",

keywords = "authentication, FIDO, proverif, signatures, threshold cryptography",

author = "Thalia Laing and Eduard Marin and Ryan, {Mark D.} and Joshua Schiffman and Gaetan Wattiau",

note = "Funding Information: Mark Ryan gratefully acknowledges his appointment as HP Research Chair generously supported by HP Labs. We also gratefully acknowledge financial support from EPSRC under grants EP/V000454/1 (CAP-TEE: Capability Architectures for Trusted Execution); EP/S030867/1 (SIPP - Secure IoT Processor Platform with Remote Attestation); and EP/R012598/1 (User-controlled hardware security anchors: evaluation and designs). Publisher Copyright: {\textcopyright} 2022 IEEE.; 5th IEEE Conference on Dependable and Secure Computing, DSC 2022 ; Conference date: 22-06-2022 Through 24-06-2022",

year = "2022",

month = sep,

day = "26",

doi = "10.1109/DSC54232.2022.9888854",

language = "English",

isbn = "9781665421423 (PoD)",

series = "IEEE Conference on Dependable and Secure Computing",

publisher = "Institute of Electrical and Electronics Engineers (IEEE)",

booktitle = "2022 IEEE Conference on Dependable and Secure Computing (DSC)",

}

Laing, T, Marin, E, Ryan, MD, Schiffman, J & Wattiau, G 2022, Symbolon: Enabling Flexible Multi-device-based User Authentication. in 2022 IEEE Conference on Dependable and Secure Computing (DSC)., 9888854, IEEE Conference on Dependable and Secure Computing, Institute of Electrical and Electronics Engineers (IEEE), 5th IEEE Conference on Dependable and Secure Computing, DSC 2022, Edinburgh, United Kingdom, 22/06/22. https://doi.org/10.1109/DSC54232.2022.9888854

Symbolon: Enabling Flexible Multi-device-based User Authentication. / Laing, Thalia; Marin, Eduard; Ryan, Mark D. et al.
2022 IEEE Conference on Dependable and Secure Computing (DSC). Institute of Electrical and Electronics Engineers (IEEE), 2022. 9888854 (IEEE Conference on Dependable and Secure Computing).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Symbolon

T2 - 5th IEEE Conference on Dependable and Secure Computing, DSC 2022

AU - Laing, Thalia

AU - Marin, Eduard

AU - Ryan, Mark D.

AU - Schiffman, Joshua

AU - Wattiau, Gaetan

N1 - Funding Information: Mark Ryan gratefully acknowledges his appointment as HP Research Chair generously supported by HP Labs. We also gratefully acknowledge financial support from EPSRC under grants EP/V000454/1 (CAP-TEE: Capability Architectures for Trusted Execution); EP/S030867/1 (SIPP - Secure IoT Processor Platform with Remote Attestation); and EP/R012598/1 (User-controlled hardware security anchors: evaluation and designs). Publisher Copyright: © 2022 IEEE.

PY - 2022/9/26

Y1 - 2022/9/26

N2 - Hardware tokens are increasingly used to support second-factor and passwordless authentication schemes. While these devices improve security over weaker factors like passwords, they suffer from a number of security and practical issues. We present the design and implementation of Symbolon, a system that allows users to authenticate to an online service in a secure and flexible manner by using multiple personal devices (e.g., their smartphone and smart watch) together, in place of a password. The core idea behind Symbolon is to let users authenticate only if they carry a sufficient number of their personal devices and give explicit consent. We use threshold cryptography at the client side to protect against strong adversaries while overcoming the limitations of multi-factor authentication in terms of flexibility. Symbolon is compatible with FIDO servers, but improves the client-side experience compared to FIDO in terms of security, privacy, and user control. We design Symbolon such that the user can (i) authenticate using a flexible selection of devices, which we call 'authenticators'; (ii) define fine-grained threshold policies that enforce user consent without involving or modifying online services; and (iii) add or revoke authenticators without needing to generate new cryptographic keys or manually (un)register them with online services. Finally, we present a detailed design and analyse the security, privacy and practical properties of Symbolon; this includes a formal proof using ProVerif to show the required security properties are satisfied.

AB - Hardware tokens are increasingly used to support second-factor and passwordless authentication schemes. While these devices improve security over weaker factors like passwords, they suffer from a number of security and practical issues. We present the design and implementation of Symbolon, a system that allows users to authenticate to an online service in a secure and flexible manner by using multiple personal devices (e.g., their smartphone and smart watch) together, in place of a password. The core idea behind Symbolon is to let users authenticate only if they carry a sufficient number of their personal devices and give explicit consent. We use threshold cryptography at the client side to protect against strong adversaries while overcoming the limitations of multi-factor authentication in terms of flexibility. Symbolon is compatible with FIDO servers, but improves the client-side experience compared to FIDO in terms of security, privacy, and user control. We design Symbolon such that the user can (i) authenticate using a flexible selection of devices, which we call 'authenticators'; (ii) define fine-grained threshold policies that enforce user consent without involving or modifying online services; and (iii) add or revoke authenticators without needing to generate new cryptographic keys or manually (un)register them with online services. Finally, we present a detailed design and analyse the security, privacy and practical properties of Symbolon; this includes a formal proof using ProVerif to show the required security properties are satisfied.

KW - authentication

KW - FIDO

KW - proverif

KW - signatures

KW - threshold cryptography

UR - http://www.scopus.com/inward/record.url?scp=85141043426&partnerID=8YFLogxK

U2 - 10.1109/DSC54232.2022.9888854

DO - 10.1109/DSC54232.2022.9888854

M3 - Conference contribution

AN - SCOPUS:85141043426

SN - 9781665421423 (PoD)

T3 - IEEE Conference on Dependable and Secure Computing

BT - 2022 IEEE Conference on Dependable and Secure Computing (DSC)

PB - Institute of Electrical and Electronics Engineers (IEEE)

Y2 - 22 June 2022 through 24 June 2022

ER -

Symbolon: Enabling Flexible Multi-device-based User Authentication

Abstract

Publication series

Conference

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this