Torwards Flexible Multi-factor Combination for Authentication Based on Smart-Devices

  • Thomas LenzEmail author
  • Vesna Krnjic
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 372)


The number of transactions that are performed electronically between coupled smart-devices increases rapidly. These devices are not only sensors nodes that collect the non-private data, but also are devices that process sensitive information that has higher requirements into security and privacy. Unique and qualified identification and high-secure authentication are essential basics to facilitate these requirements in security and privacy. While security and privacy are widely described and examined for applications used on personal computers, the situation is more demanding for smart-devices. Due to the steadily increasing number and the continuous enhancement of smart-devices, there will be no stable technology over the years. In consequence, new agile and secure methods become necessary to bring identification and high-secure authentication on smart platforms in a proper way. We propose a model for agile smart-device based multi-factor authentication combination to close this open gap and to provide secure authentication on mobile devices only. By using our proposed model, a user can combine multiple authenticators by using a cryptographic protocol on client-side only to increase the assurance into authentication. One significant advantage of our model is that it is transparent to existing eID validation infrastructure and can be used without modifications on the verification side. We proof the practical applicability of our model by implementing all components in combination with Austrian eGovernment infrastructure components. A first evaluation was done by a small group of users in conjunction with real eGovernment components on the testing stage.


Authentication Multi-factor Aqile Distributed signatures Reliable Identity management 


  1. 1.
    The JavaScript Object Notation (JSON) Data Interchange Format. RFC 7159 (2014).
  2. 2.
    Bsi tr-03111: Elliptic curve cryptography, version 2.1 (2018)Google Scholar
  3. 3.
    International Journal of Security: Information technology – Security techniques – A framework for identity management – Part 1: Terminology and concepts. Technical report 24760-1, ISO/IEC, December 2011Google Scholar
  4. 4.
    Bertino, E., Takahashi, K.: Identity Management: Concepts, Technologies, and Systems. Artech House Inc., Norwood (2010)Google Scholar
  5. 5.
    van Tilborg, H.C.A., Jajodia, S. (eds.): Encyclopedia of Cryptography and Security. Springer, Boston (2011). Scholar
  6. 6.
    Boyd, C.: Digital multisignatures. In: Cryptography and Coding, pp. 241–246 (1986)Google Scholar
  7. 7.
    Burr, W.E., et al.: Electronic authentication guideline. Technical report, 800-63-2, National Institute of Standards and Technology (NIST), August 2013.
  8. 8.
    Chatzigiannakis, I., Pyrgelis, A., Spirakis, P., Stamatiou, Y.: Elliptic curve based zero knowledge proofs and their applicability on resource constrained devices, July 2011Google Scholar
  9. 9.
    Corella, F., Lewison, K.: Techniques for implementing derived credentials. Technical report, Pomcor Research in Mobile and Web Technology (2012).
  10. 10.
    Corella, F., Lewison, K.: An example of a derived credentials architecture. Technical report, Pomcor Research in Mobile and Web Technology (2014).
  11. 11.
    Croft, R.A., Harris, S.P.: Public-key cryptography and reusable shared secrets. In: Cryptography and Coding, pp. 189–201 (1989)Google Scholar
  12. 12.
    Entrust, E.A.: Mobile derived PIV/CAC credential - a complete solution for NIST 800-157. Technical report, Entrust Datacard (2014).
  13. 13.
    European Union: Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework pursuant to Article 12(8) of Regulation (EU) No. 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market. European Union (2015)Google Scholar
  14. 14.
    Ferraiolo, H., Cooper, D., Francomacaro, S., Regenscheid, A., Mohler, J., Gupta, S., Burr, W.: Guidelines for derived personal identity verification (PIV) credentials. Technical report, 800-157, National Institute of Standards and Technology (NIST), December 2014.
  15. 15.
    Ferraiolo, H., Regenscheid, A., Cooper, D., Francomacaro, S.: Mobile, PIV, and authentication. Technical report, Draft NISTIR 7981, National Institute of Standards and Technology (NIST), March 2014Google Scholar
  16. 16.
    Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). Scholar
  17. 17.
    Florêncio, D., Herley, C., Van Oorschot, P.C.: An administrator’s guide to internet password research. In: Proceedings of the 28th USENIX Conference on Large Installation System Administration, LISA 2014, Berkeley, CA, USA, pp. 35–52. USENIX Association (2014).
  18. 18.
    Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Robust threshold DSS signatures. Inf. Comput. 164(1), 54–84 (2001). Scholar
  19. 19.
    Grassi, P.A., Garcia, M.E., Feton, J.L.: Digital identity guidelines. Technical report, 800-63-3, National Institute of Standards and Technology (NIST), June 2017Google Scholar
  20. 20.
    Grassi, P.A., et al.: Digital identity guidelines - authentication and lifecycle management. Technical report, 800-63b, National Institute of Standards and Technology (NIST), June 2017Google Scholar
  21. 21.
    Hao, F.: Schnorr Non-interactive Zero-Knowledge Proof. RFC 8235, September 2017.,
  22. 22.
    Haupert, V., Müller, T.: (In)security of app-based TAN methods in online banking. University of Erlangen-Nuremberg, Germany (2016).
  23. 23.
    Hayikader, S., Hanis binti Abd Hadi, F.N., Ibrahim, J.: Issues and security measures of mobile banking apps. Int. J. Sci. Res. Publ. 6, 36–41 (2016)Google Scholar
  24. 24.
    ISO/IEC: ISO/IEC 29115. Information technology - Security techniques - Entity authentication assurance framework. International Standard, International Organization for Standardization (2013)Google Scholar
  25. 25.
    ISO/IEC: ISO/IEC COMMITTEE DRAFT 29003. Information technology - Security techniques - Identity proofing. Technical report, International Organization for Standardization (2016)Google Scholar
  26. 26.
    Jones, M.: JSON Web Key (JWK). RFC 7517, May 2015.
  27. 27.
    Jøsang, A., Zomai, M.A., Suriadi, S.: Usability and privacy in identity management architectures. In: Proceedings of the Fifth Australasian Symposium on ACSW Frontiers, ACSW 2007, Darlinghurst, Australia, vol. 68, pp. 143–152. Australian Computer Society Inc. (2007).
  28. 28.
    Kerry, C.F., Romine, C.: FIPS PUB 186-4 Federal Information Processing Standards Publication Digital Signature Standard (DSS) (2013)Google Scholar
  29. 29.
    Kim, J.J., Hong, S.P.: A method of risk assessment for multi-factor authentication. JIPS 7, 187–198 (2011)Google Scholar
  30. 30.
    Lenz, T., Alber, L.: Towards cross-domain eID by using agile mobile authentication. In: 2017 IEEE Trustcom/BigDataSE/ICESS, pp. 570–577, August 2017.
  31. 31.
    Lenz, T., Krnjic, V.: Agile smart-device based multi-factor authentication for modern identity management systems. In: WEBIST (2018)Google Scholar
  32. 32.
    Lenz, T., Zwattendorfer, B.: A modular and flexible identity management architecture for national eID solutions. In: 11th International Conference on Web Information Systems and Technologies, pp. 321–331 (2015)Google Scholar
  33. 33.
    Lindell, Y.: Fast secure two-party ECDSA signing. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 613–644. Springer, Cham (2017). Scholar
  34. 34.
    MacKenzie, P., Reiter, M.K.: Two-party generation of DSA signatures. Int. J. Inf. Secur. 2(3), 218–239 (2004). Scholar
  35. 35.
    Mohammed, M.M., Elsadig, M.: A multi-layer of multi factors authentication model for online banking services. In: 2013 International Conference on Computing, Electrical and Electronic Engineering (ICCEEE), pp. 220–224, August 2013.
  36. 36.
    Sarikhani, R.: Language and American social identity, January 2008.
  37. 37.
    Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). Scholar
  38. 38.
    Taneski, V., Heričko, M., Brumen, B.: Password security - no change in 35 years? In: 2014 37th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), pp. 1360–1365, May 2014.
  39. 39.
    Turner, S.: The application/pkcs10 media type. RFC 5967 (2010).
  40. 40.
    Zwattendorfer, B.: Towards a privacy-preserving federated identity as a service-model (2014)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.eGovernment Innovation Center - AustriaGrazAustria

Personalised recommendations