Scalable Two-Factor Authentication Using Historical Data

  • Aldar C.-F. ChanEmail author
  • Jun Wen Wong
  • Jianying Zhou
  • Joseph Teo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9878)


Two-factor authentication is increasingly demanded in the Internet of Things (IoT), especially those deployed in the critical infrastructure. However, resource and operational constraints of typical IoT devices are the key impediment, especially when the IoT device acts as a verifier. This paper proposes a novel authentication factor (namely, historical data) which, when combined with the conventional first authentication factor (a secret key), results in a scalable, lightweight two-factor entity authentication protocol for use in the IoT. In the new authentication factor, the data exchanged between a verifier and a prover is used as the secret information for the verifier to prove his identity to the verifier. Practically, the verifier needs all the historical data to prove his identity. Yet, through an innovative use of the proof of retrievability, the verifier only needs a constant storage regardless of the size of the historical data. Leveraging on the data retrieval and searching capability of contemporary big data technologies, the proposed authentication factor can achieve realtime, fault-tolerant verification. The use of historical data as an authentication factor has a very interesting leakage-resilience property. Besides, the proposed scheme demonstrates a tradeoff between security and computational overhead, and such scalability particularly suits the IoT, with devices of diverse capabilities.


Authentication Scheme Authentication Protocol Historical Dataset Entity Authentication Authentication Session 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Adams, N.P., Sibley, R.P., Davis, D.L.M., Singh, R.: Simplified multi-factor authentication, US Patent 8370640 (2013)Google Scholar
  2. 2.
    Aumann, Y., Yan, Z.D., Rabin, M.O.: Everlasting security in the bounded storage model. IEEE Trans. Inf. Theory 48(6), 1668–1680 (2002)MathSciNetCrossRefzbMATHGoogle Scholar
  3. 3.
    Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among notions of security for public-key encryption schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 26–45. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  4. 4.
    Bishop, M.: The Art and Science of Computer Security. Addison-Wesley, Boston (2002)Google Scholar
  5. 5.
    Borthakur, D.: HDFS architecture guide, r.1.2.1.
  6. 6.
    Brainard, J., Juels, A., Rivest, R., Szydlo, M., Yung, M.: Fourth factor authentication: somebody you know. In: ACM CCS 2006, pp. 168–178 (2006)Google Scholar
  7. 7.
    Buer, M.: Multi-factor authentication using a smartcard, US Patent 8245292 (2012)Google Scholar
  8. 8.
    Chan, A.C.-F.: Efficient defence against misbehaving TCP receiver DoS attacks. Comput. Netw. 55(17), 3904–3914 (2011)CrossRefGoogle Scholar
  9. 9.
    Choi, S., Zage, D.: Addressing insider threat using “where you are” as fourth factor authentication. In: ICCST 2012 (2012)Google Scholar
  10. 10.
    Das, M.L.: Two-factor user authentication in wireless sensor networks. IEEE Trans. Wirel. Commun. 8(3), 1086–1090 (2009)CrossRefGoogle Scholar
  11. 11.
    Di Crescenzo, G., Lipton, R.J., Walfish, S.: Perfectly secure password protocols in the bounded retrieval model. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 225–244. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  12. 12.
    Dispensa, S.T.: Multi factor authentication, US Patent 8365258 (2013)Google Scholar
  13. 13.
    Dziembowski, S.: Intrusion-resilience via the bounded-storage model. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 207–224. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  14. 14.
    Google. Google authenticator for two-step verification.
  15. 15.
    Grim, E.T.: Two-factor authentication systems and methods, US Patent 8578454 (2013)Google Scholar
  16. 16.
    Headley, P.: Multi-channel multi-factor autentication, US Patent 8516562 (2013)Google Scholar
  17. 17.
    Headley, P., Collins, K.: Single-channel multi-factor authentication, US Patent 8536976 (2013)Google Scholar
  18. 18.
    Krawczyk, H., Bellare, M., Canetti, R.: HMAC: keyed-hashing for message authentication. RFC 2104 (Informational), February 1997Google Scholar
  19. 19.
    Lee, A.: Integrating electricity subsector failure scenarios into a risk assessment methodology. Technical Report 3002001181, EPRI, December 2013Google Scholar
  20. 20.
    Marforio, C., Karapanos, N., Soriente, C., Kostiainen, K., Capkun, S.: Smartphones as practical and secure location verification tokens for payments. In: NDSS 2014 (2014)Google Scholar
  21. 21.
    National Electric Sector Cybersecurity Organization Resource (NESCOR). Analysis of selected electric sector high risk failure scenarios, ver. 1.0. Technical report, EPRI, September 2013Google Scholar
  22. 22.
    National Electric Sector Cybersecurity Organization Resource (NESCOR). Electric sector failure scenarios and impact analyses, ver. 1.0. Technical report, EPRI, September 2013Google Scholar
  23. 23.
    Noe, F., Hoomaert, F., Marien, D., Fort, N.: Two-factor USB authentication token, US Patent 8214888 (2012)Google Scholar
  24. 24.
    Pan, W., Liu, G.: Two-factor authentication of a remote administrator, US Patent 7971238 (2011)Google Scholar
  25. 25.
    Sammer, E.: Hadoop Operations: A Guide for Developers and Administrators. O’Reilly Media, Sebastopol (2012)Google Scholar
  26. 26.
    Samuelsson, J., Camaisa, A.: System and method for second factor authentication services, US Patent 8533791 (2013)Google Scholar
  27. 27.
    Shacham, H., Waters, B.: Compact proofs of retrievability. J. Cryptol. 26(3), 442–483 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
  28. 28.
    Shirook, A.A., Labrador, C., Warden, J., Wilson, K.S.: Method and apparatus for providing continuous authentication based on dynamic personal information, PCT Patent WO 2012017326 A1 (2012)Google Scholar
  29. 29.
    Shirvanian, M., Jarecki, S., Saxena, N., Nathan, N.: Two-factor authentication resilient to server compromise using mix-bandwidth devices. In: NDSS 2014 (2014)Google Scholar
  30. 30.
    Bluetooth SIG. Bluetooth core specifications v4.2, December 2014Google Scholar
  31. 31.
    Vaidya, B., Makrakia, D., Mouftah, H.T.: Improved two-factor user authentication in wireless sensor networks. In: International Workshop on Network Assurance and Security Services in Ubiquitous Environments (2010)Google Scholar
  32. 32.
    Weber, F.: Multi-factor authentication, US Patent 7770002 (2010)Google Scholar
  33. 33.
    William, O.N., Shoemaker, E.: Multi-factor authentication system, US Patent 7373515 (2008)Google Scholar
  34. 34.
    Zhang, L.: Enhanced multi-factor authentication, US Patent 8286227 (2012)Google Scholar
  35. 35.
    Zikopoulos, P., Deroos, D., Parasuraman, K., Deutsch, T., Corrigan, D., Giles, J.: Harness the power of big data (2012)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Aldar C.-F. Chan
    • 1
    Email author
  • Jun Wen Wong
    • 2
  • Jianying Zhou
    • 2
  • Joseph Teo
    • 3
  1. 1.Hong Kong R&D Centre for LSCM Enabling TechnologiesHong KongChina
  2. 2.Institute for Infocomm Research, A*STARSingaporeSingapore
  3. 3.CSITSingaporeSingapore

Personalised recommendations