2024 | Original Paper | Book chapter

Security Analysis of Google Authenticator, Microsoft Authenticator, and Authy

Authors: Aleck Nash, Hudan Studiawan, George Grispos, Kim-Kwang Raymond Choo

Published in: Digital Forensics and Cyber Crime

Publisher: Springer Nature Switzerland

Abstract

As the use of authenticator applications for two-factor authentication (2FA) has become increasingly common, there is a growing need to assess the security of these applications. In this paper, we present a security analysis of authenticator applications that are widely used on various platforms, such as Google Authenticator, Microsoft Authenticator, and Authy. Our analysis includes an examination of the security features of these applications (e.g., level of protection) as well as the communication protocols used between the applications and the servers. Our results show that these applications have significant vulnerabilities that could compromise the security of the authentication process. Specifically, we found that some authenticator applications store sensitive data, such as secret keys, in plain text, making them vulnerable to attacks. Overall, our findings indicate that there is a need for better security practices in the design and implementation of authenticator applications. We recommend that developers follow best practices for secure coding and use well-established cryptographic algorithms to generate one-time codes.
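The abstract's closing recommendation is that authenticator apps generate one-time codes with well-established algorithms rather than ad hoc schemes. As an added illustration that is not part of the paper, the following Python implements the two standard algorithms those apps rely on, HOTP (RFC 4226) and TOTP (RFC 6238), together with a constant-time verifier that tolerates a small clock skew. It uses only the standard library; the 20-byte secret `12345678901234567890` is the published RFC test secret, not a key from any real app, and the hypothetical `seed_from_qr()` helper only shows how the base32 value embedded in an `otpauth://` enrollment QR code maps to raw key bytes.

```python
import base64
import hashlib
import hmac
import struct
import time

# Published RFC 4226 / RFC 6238 test secret (ASCII digits 1-9,0 repeated), used here as sample input.
RFC_TEST_SECRET = b"12345678901234567890"


def seed_from_qr(base32_seed: str) -> bytes:
    """Decode the base32 'secret' parameter of an otpauth:// enrollment URI (hypothetical helper).

    Authenticator apps store exactly these bytes; the paper's point is that they must be
    kept encrypted at rest, because whoever holds them can mint valid codes indefinitely.
    """
    padded = base32_seed.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)  # base32 requires padding to a multiple of 8 chars
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects 4 bytes
    chunk = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear sign bit
    return str(chunk % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, at_time: float, window: int = 1,
                step: int = 30, digits: int = 6, algo=hashlib.sha1) -> bool:
    """Accept a code if it matches the current step or one within +/- `window` steps.

    hmac.compare_digest avoids leaking how many leading digits matched through timing.
    Every candidate is checked (no early return) so the comparison cost is uniform.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False
    matched = False
    for k in range(-window, window + 1):
        candidate = totp(secret, at_time + k * step, step, digits, algo)
        matched |= hmac.compare_digest(candidate, submitted)
    return matched


if __name__ == "__main__":
    # Prints the code a compliant authenticator would show right now for the RFC test secret.
    now = time.time()
    print("current TOTP:", totp(RFC_TEST_SECRET, now))
    print("verifies:", verify_totp(RFC_TEST_SECRET, totp(RFC_TEST_SECRET, now), now))
```

The verification window should stay small (one step either side is typical) and a server should also reject reuse of an already-accepted code for the same time step, since a 30-second code that is accepted twice is no longer "one-time".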


Metadata
Title
Security Analysis of Google Authenticator, Microsoft Authenticator, and Authy
Authors
Aleck Nash
Hudan Studiawan
George Grispos
Kim-Kwang Raymond Choo
Copyright year
2024
DOI
https://doi.org/10.1007/978-3-031-56583-0_13