A Formal Analysis of CIE Level 2 Multi-Factor Authentication via SMS OTP

Roberto Van Eeden, Matteo Paier, Marino Miculan

2024

Abstract

We analyze the security of Level 2 multi-factor authentication (MFA) based on SMS One-Time Passcode (OTP) of the Italian Electronic Identity Card (CIE). We propose a novel threat model encompassing password compromise, network disruptions, user errors, and malware attacks. The combinations of the adversary’s attack capabilities yield a plethora of possible attack scenarios, which we systematically generate, formalise and verify in ProVerif. Our analysis reveals that CIE MFA based on SMS OTP is vulnerable to attacks with read access to the mobile device or keyboard, or to phishing, but even to mere read access to the user’s computer screen. To address the latter vulnerability, we propose a minor modification of the protocol. The threat model we introduce paves the way for the analysis of other CIE MFA protocols.


Paper Citation


in Harvard Style

Van Eeden R., Paier M. and Miculan M. (2024). A Formal Analysis of CIE Level 2 Multi-Factor Authentication via SMS OTP. In Proceedings of the 21st International Conference on Security and Cryptography - Volume 1: SECRYPT; ISBN 978-989-758-709-2, SciTePress, pages 483-491. DOI: 10.5220/0012768300003767


in Bibtex Style

@conference{secrypt24,
author={Roberto Van Eeden and Matteo Paier and Marino Miculan},
title={A Formal Analysis of CIE Level 2 Multi-Factor Authentication via SMS OTP},
booktitle={Proceedings of the 21st International Conference on Security and Cryptography - Volume 1: SECRYPT},
year={2024},
pages={483-491},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0012768300003767},
isbn={978-989-758-709-2},
}


in EndNote Style

TY - CONF

JO - Proceedings of the 21st International Conference on Security and Cryptography - Volume 1: SECRYPT
TI - A Formal Analysis of CIE Level 2 Multi-Factor Authentication via SMS OTP
SN - 978-989-758-709-2
AU - Van Eeden R.
AU - Paier M.
AU - Miculan M.
PY - 2024
SP - 483
EP - 491
DO - 10.5220/0012768300003767
PB - SciTePress