Adversary Models for Mobile Device Authentication

TL;DR

This paper introduces a new adversary classification for mobile device authentication, enabling better analysis and comparison of security properties across various methods, revealing many lack comprehensive security evaluations.

Contribution

The paper proposes a systematic adversary model classification for mobile device authentication, addressing the gap of weak threat models and enabling more rigorous security analysis.

Findings

Most protocols lack comprehensive security analysis

The new adversary model allows better comparison of security properties

Security remains an afterthought in many proposed methods

Abstract

Mobile device authentication has been a highly active research topic for over 10 years, with a vast range of methods having been proposed and analyzed. In related areas such as secure channel protocols, remote authentication, or desktop user authentication, strong, systematic, and increasingly formal threat models have already been established and are used to qualitatively and quantitatively compare different methods. Unfortunately, the analysis of mobile device authentication is often based on weak adversary models, suggesting overly optimistic results on their respective security. In this article, we first introduce a new classification of adversaries to better analyze and compare mobile device authentication methods. We then apply this classification to a systematic literature survey. The survey shows that security is still an afterthought and that most proposed protocols lack a comprehensive security analysis. Our proposed classification of adversaries provides a strong uniform adversary model that can offer a comparable and transparent classification of security properties in mobile device authentication methods.