research-article

Public Access

T/Key: Second-Factor Authentication From Secure Hash Chains

Authors:

Dmitry Kogan,

Nathan Manohar,

Dan BonehAuthors Info & Claims

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

Pages 983 - 999

https://doi.org/10.1145/3133956.3133989

Published: 30 October 2017 Publication History

PDF eReader

Abstract

Time-based one-time password (TOTP) systems in use today require storing secrets on both the client and the server. As a result, an attack on the server can expose all second factors for all users in the system. We present T/Key, a time-based one-time password system that requires no secrets on the server. Our work modernizes the classic S/Key system and addresses the challenges in making such a system secure and practical. At the heart of our construction is a new lower bound analyzing the hardness of inverting hash chains composed of independent random functions, which formalizes the security of this widely used primitive. Additionally, we develop a near-optimal algorithm for quickly generating the required elements in a hash chain with little memory on the client. We report on our implementation of T/Key as an Android application. T/Key can be used as a replacement for current TOTP systems, and it remains secure in the event of a server-side compromise. The cost, as with S/Key, is that one-time passwords are longer than the standard six characters used in TOTP.

Supplemental Material

MP4 File

Download
2458.38 MB

References

[1]

Gildas Avoine, Pascal Junod, and Philippe Oechslin. 2008. Characterization and Improvement of Time-Memory Trade-Off Based on Perfect Tables. ACM Trans. Inf. Syst. Secur. Vol. 11, 4, Article 17 (July 2008), 22 pages./10.1145/100216.100226

Digital Library

Google Scholar

[2]

Yubico [n. d.]. Trust the Net with YubiKey Strong Two-Factor Authentication. ( [n. d.]). Retrieved 08/25/2017 from https://www.yubico.com/

Google Scholar

[3]

Andrey M Zubkov and Aleksandr A Serov 2015. Images of subset of finite set under iterations of random mappings. Discrete Mathematics and Applications Vol. 25, 3 (2015), 179--185. https://doi.org/10.1515/dma-2015-0017

Crossref

Google Scholar

[4]

Andrey M Zubkov and Aleksandr A Serov 2017. Limit theorem for the image size of a subset under compositions of random mappings. Discrete Mathematics and Applications Vol. 29, 1 (2017), 17--26. https://doi.org/10.4213/dm1403

Crossref

Google Scholar

Cited By

View all

Kalash Ghosh BAddya S(2025)Enhancing Security in Smart Contract Wallets : An OTP Based 2-Factor Authentication ApproachProceedings of the 26th International Conference on Distributed Computing and Networking10.1145/3700838.3700868(211-220)Online publication date: 4-Jan-2025
https://dl.acm.org/doi/10.1145/3700838.3700868
Bicakci KUlker KUzunay YŞahin HGündoğan M(2024)Quantum-Resistance Meets White-Box Cryptography: How to Implement Hash-Based Signatures against White-Box Attackers?IACR Communications in Cryptology10.62056/an59qgxqOnline publication date: 8-Jul-2024
https://doi.org/10.62056/an59qgxq
Ma CLiu YYang ZMa J(2024)Towards Building a Faster and Incentive Enabled Privacy-Preserving Proof of Location Scheme from GTOTPElectronics10.3390/electronics1308144313:8(1443)Online publication date: 11-Apr-2024
https://doi.org/10.3390/electronics13081443
Show More Cited By

Index Terms

T/Key: Second-Factor Authentication From Secure Hash Chains
1. Security and privacy
  1. Cryptography
    1. Symmetric cryptography and hash functions
      1. Hash functions and message authentication codes
  2. Security services
    1. Authentication
      1. Multi-factor authentication

Recommendations

Two-factor mutual authentication based on smart cards and passwords

One of the most commonly used two-factor user authentication mechanisms nowadays is based on smart-card and password. A scheme of this type is called a smart-card-based password authentication scheme. The core feature of such a scheme is to enforce two-...
Forward-secure signatures with untrusted update
CCS '06: Proceedings of the 13th ACM conference on Computer and communications security

In most forward-secure signature constructions, a program that updates a user's private signing key must have full access to the private key. Unfortunately, these schemes are incompatible with several security architectures including Gnu Privacy Guard (...
HORSE: An Extension of an r-Time Signature Scheme With Fast Signing and Verification
ITCC '04: Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC'04) Volume 2 - Volume 2

Source authentication of messages is a valuable tool incommunication networks where the source of a message caneasily be spoofed. Often, when two parties are communicating,a shared-key message authentication code is sufficientfor providing source ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

October 2017

2682 pages

ISBN:9781450349468

DOI:10.1145/3133956

General Chair:
Bhavani Thuraisingham
The University of Texas at Dallas, USA
,
Program Chairs:
David Evans
University of Virginia
,
Tal Malkin
Columbia University
,
Dongyan Xu
Purdue University

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 30 October 2017

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Conference

CCS '17

Sponsor:

SIGSAC

CCS '17: 2017 ACM SIGSAC Conference on Computer and Communications Security

October 30 - November 3, 2017

Texas, Dallas, USA

Acceptance Rates

CCS '17 Paper Acceptance Rate 151 of 836 submissions, 18%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

29
Total Citations
View Citations
1,106
Total Downloads

Downloads (Last 12 months)189
Downloads (Last 6 weeks)34

Reflects downloads up to 04 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Kalash Ghosh BAddya S(2025)Enhancing Security in Smart Contract Wallets : An OTP Based 2-Factor Authentication ApproachProceedings of the 26th International Conference on Distributed Computing and Networking10.1145/3700838.3700868(211-220)Online publication date: 4-Jan-2025
https://dl.acm.org/doi/10.1145/3700838.3700868
Bicakci KUlker KUzunay YŞahin HGündoğan M(2024)Quantum-Resistance Meets White-Box Cryptography: How to Implement Hash-Based Signatures against White-Box Attackers?IACR Communications in Cryptology10.62056/an59qgxqOnline publication date: 8-Jul-2024
https://doi.org/10.62056/an59qgxq
Ma CLiu YYang ZMa J(2024)Towards Building a Faster and Incentive Enabled Privacy-Preserving Proof of Location Scheme from GTOTPElectronics10.3390/electronics1308144313:8(1443)Online publication date: 11-Apr-2024
https://doi.org/10.3390/electronics13081443
Cao XYang ZNing JJin CLu RLiu ZZhou J(2024)Dynamic Group Time-Based One-Time PasswordsIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.338635019(4897-4913)Online publication date: 2024
https://doi.org/10.1109/TIFS.2024.3386350
Bukhari SJanjua MQadir J(2024)Secure Storage of Crypto Wallet Seed Phrase Using ECC and Splitting TechniqueIEEE Open Journal of the Computer Society10.1109/OJCS.2024.33987945(278-289)Online publication date: 2024
https://doi.org/10.1109/OJCS.2024.3398794
Deng YWang SWang JYan R(2024)BAESDA: A Blockchain-Assisted Efficient and Secure Data Authentication Scheme for Distributed IoT Collection SystemIEEE Sensors Journal10.1109/JSEN.2024.337014624:8(13193-13208)Online publication date: 15-Apr-2024
https://doi.org/10.1109/JSEN.2024.3370146
Ji TFang BCui XWang TZhang YGu FZheng C(2024)Scrutinizing Code Signing: A Study of in-Depth Threat Modeling and Defense MechanismIEEE Internet of Things Journal10.1109/JIOT.2024.345027211:24(40051-40069)Online publication date: 15-Dec-2024
https://doi.org/10.1109/JIOT.2024.3450272
Gupta CVarshney G(2024)Securing Web Access: PUF-Driven Two-Factor Authentication for Enhanced ProtectionComputer Safety, Reliability, and Security. SAFECOMP 2024 Workshops10.1007/978-3-031-68738-9_6(74-87)Online publication date: 9-Sep-2024
https://doi.org/10.1007/978-3-031-68738-9_6
Uysal EAkgün M(2023)P/Key: PUF based second factor authenticationPLOS ONE10.1371/journal.pone.028018118:2(e0280181)Online publication date: 9-Feb-2023
https://doi.org/10.1371/journal.pone.0280181
Jin CYang ZXiang TAdepu SZhou J(2023)HMACCE: Establishing Authenticated and Confidential Channel From Historical Data for Industrial Internet of ThingsIEEE Transactions on Information Forensics and Security10.1109/TIFS.2023.323487318(1080-1094)Online publication date: 2023
https://doi.org/10.1109/TIFS.2023.3234873
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Two-factor mutual authentication based on smart cards and passwords

Forward-secure signatures with untrusted update

HORSE: An Extension of an r-Time Signature Scheme With Fast Signing and Verification