Detecting and Preventing Credential Misuse in OTP-Based Two and Half Factor Authentication Toward Centralized Services Utilizing Blockchain-Based Identity Management (2211.03490v1)

Abstract: This work focuses on the problem of detection and prevention of stolen and misused secrets (such as private keys) for authentication toward centralized services. We propose a solution for such a problem based on the blockchain-based two-factor authentication scheme SmartOTPs, which we modify for our purposes and utilize in the setting of two and half-factor authentication against a centralized service provider. Our proposed solution consists of four entities that interact together to ensure authentication: (1) the user, (2) the authenticator, (3) the service provider, and (4) the smart contract. Out of two and a half factors of our solution, the first factor stands for the private key, and the second and a half factor stands for one-time passwords (OTPs) and their precursors, where OTPs are obtained from the precursors (a.k.a., pre-images) by cryptographically secure hashing. We describe the protocol for bootstrapping our approach as well as the authentication procedure. We make the security analysis of our solution, where on top of the main attacker model that steals secrets from the client, we analyze man-in-the-middle attacks and malware tampering with the client. In the case of stolen credentials, we show that our solution enables the user to immediately detect the attack occurrence and proceed to re-initialization with fresh credentials.