2D-2FA: A New Dimension in Two-Factor Authentication

TL;DR

2D-2FA introduces a novel two-factor authentication system that enhances security and usability by incorporating user identifiers and high-entropy PINs, demonstrating improved performance and user satisfaction over traditional PIN-2FA methods.

Contribution

The paper presents a new 2FA mechanism that integrates user identifiers and high-entropy PINs, reducing vulnerability to attacks and improving efficiency and usability.

Findings

Lower error rate (about half) compared to PIN-2FA

2-3 times faster authentication process

High usability with SUS score of 75

Abstract

We propose a two-factor authentication (2FA) mechanism called 2D-2FA to address security and usability issues in existing methods. 2D-2FA has three distinguishing features: First, after a user enters a username and password on a login terminal, a unique $\textit{identifier}$ is displayed to her. She $\textit{inputs}$ the same identifier on her registered 2FA device, which ensures appropriate engagement in the authentication process. Second, a one-time PIN is computed on the device and $\textit{automatically}$ transferred to the server. Thus, the PIN can have very high entropy, making guessing attacks infeasible. Third, the identifier is also incorporated into the PIN computation, which renders $\textit{concurrent attacks}$ ineffective. Third-party services such as push-notification providers and 2FA service providers, do not need to be trusted for the security of the system. The choice of identifiers depends on the device form factor and the context. Users could choose to draw patterns, capture QR codes, etc. We provide a proof of concept implementation, and evaluate performance, accuracy, and usability of the system. We show that the system offers a lower error rate (about half) and better efficiency (2-3 times faster) compared to the commonly used PIN-2FA. Our study indicates a high level of usability with a SUS of 75, and a high perception of efficiency, security, accuracy, and adoptability.