Three-factor, ECG-based authentication : security analysis of the Nymi wristband

WU, JIANG
2014/2015

Abstract

Two-factor authentication (2FA) is the most common case of the multi-factor authentication (MFA) model. As the name says, 2FA requires two distinct factors. Usually, the first factor is “something the user knows,” such as a password, while the second factor is either “something the user possesses,” like a smartphone or a smartcard, or “something the user is,” like fingerprints or other biometric features. The key point is that an adversary must compromise both factors to obtain access to the guarded system. Nymi’s three-factor authentication (3FA) is the first known consumer-level implementation of an authentication mechanism that employs more than two factors while keeping usability at a reasonable level. Nymi’s 3FA technology revolves around electrocardiogram (ECG) features. In practice, the wristband is equipped with two ECG-measuring electrodes, thus acting both as a second factor (i.e., ECG features) and as a third factor (i.e., the wristband itself). These components are orchestrated by a smartphone app that handles authentication requests and carries out the communication between third-party apps and services and the wristband. In this work, I propose the first security analysis of Nymi’s 3FA implementation, based on an early release of their development kit, with the goal of assessing the presence of vulnerabilities and the resilience to attacks. My analysis uncovers 4 vulnerabilities. Moreover, I show that an adversary can leverage these vulnerabilities to bypass the 3FA entirely. Alarmed by my findings, I propose design recommendations and modifications to secure Nymi’s 3FA implementation. The conclusion of my assessment is that Nymi’s 3FA is not ready for production, given the design and implementation flaws that I found. More generally, I conclude that building a secure and usable 3FA system is not as trivial as combining multiple factors, and thus requires further research and engineering efforts.
QUARTA, DAVIDE
ING - Scuola di Ingegneria Industriale e dell'Informazione
27-apr-2016
2014/2015
Master's thesis
Attached files
File: Three-factor, ECG-based Authentication - Security Analysis of the Nymi Wristband.pdf (not accessible)
Description: Thesis
Size: 4.62 MB
Format: Adobe PDF

Documents in POLITesi are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/10589/120485