We propose a two-factor authentication (2FA) mechanism called 2D-2FA to address security and usability issues in existing methods. 2D-2FA has three distinguishing features: First, after a user enters a username and password on a login terminal, a unique $\textit{identifier}$ is displayed to her. She $\textit{inputs}$ the same identifier on her registered 2FA device, which ensures appropriate engagement in the authentication process. Second, a one-time PIN is computed on the device and $\textit{automatically}$ transferred to the server. Thus, the PIN can have very high entropy, making guessing attacks infeasible. Third, the identifier is also incorporated into the PIN computation, which renders $\textit{concurrent attacks}$ ineffective. Third-party services such as push-notification providers and 2FA service providers, do not need to be trusted for the security of the system. The choice of identifiers depends on the device form factor and the context. Users could choose to draw patterns, capture QR codes, etc. We provide a proof of concept implementation, and evaluate performance, accuracy, and usability of the system. We show that the system offers a lower error rate (about half) and better efficiency (2-3 times faster) compared to the commonly used PIN-2FA. Our study indicates a high level of usability with a SUS of 75, and a high perception of efficiency, security, accuracy, and adoptability.
翻译:我们建议一个名为 2D-2FA 的两要素认证机制,名为 2D-2FA, 以解决现有方法中的安全和可用性问题。 2D-2FA 机制有三个显著特征: 首先, 在用户进入登录终端的用户名和密码后, 向她展示了一个独特的 $\ textit{ 身份识别器$。 她注册的 2FA 设备上同样的识别器$, 以确保适当参与认证进程。 第二, 在设备上计算一次性的 PIN 和 $\ textit{ 自动转让给服务器的 美元 。 因此, PIN 具有非常高的加密性, 使得猜测攻击不可行。 第三, 该识别器也被纳入 PIN 计算中, 使 $\ textit{ contecter} 美元变得无效 。 她注册的 2FA 设备上的一个第三方服务, 如推- 通知提供者和 2FA 服务供应商, 不需要被信任系统的安全性。 识别器的选择取决于设备格式因素和背景。 用户可以选择绘制模式, 捕捉到 QR 代码等非常精确性, 。 我们提供了一个概念的精度的精度 的精度 的精度 和精度 比较的精度 的精度 。