POLITesi - Politecnico di Milano, Servizi Bibliotecari di Ateneo
Please use this identifier to cite or link to this thesis: http://hdl.handle.net/10589/120485

Author: WU, JIANG
Date: 27-Apr-2016
Academic year: 2014/2015
Title: Three-factor, ECG-based authentication : security analysis of the Nymi wristband
English abstract: Two-factor authentication (2FA) is the most common case of the multi-factor authentication (MFA) model. As the name says, 2FA requires two distinct factors. Usually, the first factor is “something the user knows,” a password, while the second factor is either “something that the user possesses,” like a smartphone or a smartcard, or “something that the owner is,” like fingerprints or other biometric features. The key is that an adversary must compromise both factors to obtain access to the guarded system. Nymi’s three-factor authentication (3FA) is the first known, consumer-level implementation of an authentication mechanism that employs more than two factors while keeping usability at a reasonable level. Nymi’s 3FA technology revolves around electrocardiogram (ECG) features. In practice, the wristband is equipped with two ECG-measuring electrodes, thus acting both as a second factor (i.e., ECG features) and as a third factor (i.e., the actual wristband). These components are orchestrated by a smartphone app that handles authentication requests and fulfils the communication tasks between third-party apps and services and the wristband. In this work, I propose the first security analysis of Nymi’s 3FA implementation, based on an early release of their development kit, with the goal of assessing the presence of vulnerabilities and the resilience to attacks. The results of my analysis consist of 4 vulnerabilities. Moreover, I show that an adversary can leverage these vulnerabilities to bypass the 3FA entirely. Alarmed by my findings, I propose design recommendations and modifications to secure Nymi’s 3FA implementation. The conclusion of my assessment is that Nymi’s 3FA is not ready for production, given the design and implementation flaws that I found. More generally, I conclude that building a secure and usable 3FA system is not as trivial as combining multiple factors, and thus requires further research and engineering efforts.
Italian keywords: ECG; Nymi; braccialetto; autenticazione a tre fattori; analisi di sicurezza; vulnerabilità; Android; Java
English keywords: ECG; Nymi; wristband; three-factor authentication; security analysis; penetration test; Android; vulnerability; Java; reversed code; native library
Language: eng
Appears in Collections: POLITesi > Tesi Specialistiche/Magistrali

Files in This Item:

File: Three-factor, ECG-based Authentication - Security Analysis of the Nymi Wristband.pdf
Description: Thesis
Size: 4.62 MB
Format: Adobe PDF
Visibility: Not accessible