Detecting and Preventing Credential Misuse in OTP-Based Two and Half Factor Authentication Toward Centralized Services Utilizing Blockchain-Based Identity Management

TL;DR

This paper introduces a blockchain-based two and a half-factor authentication scheme called SmartOTPs, designed to detect and prevent credential misuse in centralized services, enhancing security against theft, man-in-the-middle, and malware attacks.

Contribution

It adapts and extends SmartOTPs for centralized service authentication, providing a protocol and security analysis that enables immediate detection and re-initialization after credential theft.

Findings

Effective detection of stolen credentials and attack occurrence

Immediate re-initialization with fresh credentials after detection

Security analysis against man-in-the-middle and malware attacks

Abstract

This work focuses on the problem of detection and prevention of stolen and misused secrets (such as private keys) for authentication toward centralized services. We propose a solution for such a problem based on the blockchain-based two-factor authentication scheme SmartOTPs, which we modify for our purposes and utilize in the setting of two and half-factor authentication against a centralized service provider. Our proposed solution consists of four entities that interact together to ensure authentication: (1) the user, (2) the authenticator, (3) the service provider, and (4) the smart contract. Out of two and a half factors of our solution, the first factor stands for the private key, and the second and a half factor stands for one-time passwords (OTPs) and their precursors, where OTPs are obtained from the precursors (a.k.a., pre-images) by cryptographically secure hashing. We describe the protocol for bootstrapping our approach as well as the authentication procedure. We make the security analysis of our solution, where on top of the main attacker model that steals secrets from the client, we analyze man-in-the-middle attacks and malware tampering with the client. In the case of stolen credentials, we show that our solution enables the user to immediately detect the attack occurrence and proceed to re-initialization with fresh credentials.