The Request for Better Measurement
- 30 May 2016
- conference paper
- Published by Association for Computing Machinery (ACM)
- p. 475-486
- https://doi.org/10.1145/2897845.2897916
Abstract
Despite over two decades of continuous efforts, how to design a secure and efficient two-factor authentication scheme remains an open issue. Hundreds of new schemes have been proposed, wave upon wave, yet most of them are shortly found unable to achieve some important security goals (e.g., truly two-factor security) and desirable properties (e.g., user anonymity), falling into the unsatisfactory "break-fix-break-fix" cycle. In this vicious cycle, protocol designers often advocate the superiorities of their improved scheme, but do not illustrate (or unconsciously overlook) the aspects on which their scheme performs poorly. In this paper, we first use a series of "improved schemes" over Xu et al.'s 2009 scheme as case studies to highlight that, if there are no improved measurements, more "improved schemes" generally would not mean more advancements. To figure out why the measurement of existing schemes is invariably insufficient, we further investigate the state-of-the-art evaluation criteria set (i.e., Madhusudhan-Mittal's set). Besides reporting its ambiguities and redundancies, we propose viable fixes and refinements. To our knowledge, we show for the first time that there are at least seven different attacking scenarios that may lead to the failure of a scheme in achieving truly two-factor security. Finally, we conduct a large-scale comparative evaluation of 26 representative two-factor schemes, and our results outline the request for better measurement when assessing new schemes.
Funding Information
- National Natural Science Foundation of China (61472016; 61501333)
This publication has 54 references indexed in Scilit:
- An enhanced smart card based remote user password authentication scheme. Journal of Network and Computer Applications, 2013
- Dynamic ID-based remote user password authentication schemes using smart cards: A review. Journal of Network and Computer Applications, 2012
- Robust smart-cards-based user authentication scheme with user anonymity. Security and Communication Networks, 2011
- Robust authentication and key agreement scheme preserving the privacy of secret key. Computer Communications, 2011
- Advanced smart card based password authentication protocol. Computer Standards & Interfaces, 2010
- Improvements of Juang's Password-Authenticated Key Agreement Scheme Using Smart Cards. IEEE Transactions on Industrial Electronics, 2009
- An improved smart card based password authentication scheme with provable security. Computer Standards & Interfaces, 2008
- Two-factor mutual authentication based on smart cards and passwords. Journal of Computer and System Sciences, 2008
- A password authentication scheme over insecure networks. Journal of Computer and System Sciences, 2006
- Remote password authentication with smart cards. IEE Proceedings E Computers and Digital Techniques, 1991