DAMFA: Decentralized Anonymous Multi-Factor Authentication

Abstract

Token-based authentication is usually applied to enable single-sign-on on the web. In current authentication schemes, users are required to interact with identity providers securely to set up authentication data during a registration phase and receive a token (credential) for future accesses to various services and applications. This type of interaction can make authentication schemes challenging in terms of security and usability. From a security point of view, one of the main threats is the compromisation of identity providers. An adversary who compromises the authentication data (password or biometric) stored with the identity provider can mount an offline dictionary attack. Furthermore, the identity provider might be able to track user activity and control sensitive user data. In terms of usability, users always need a trusted server to be online and available while authenticating to a service provider.In this paper, we propose a new Decentralized Anonymous Multi-Factor Authentication (DAMFA) scheme where the process of user authentication no longer depends on a trusted third party (the identity provider). Also, service and identity providers do not gain access to sensitive user data and cannot track individual user activity. Our protocol allows service providers to authenticate users at any time without interacting with the identity provider.Our approach builds on a Threshold Oblivious Pseudorandom Function (TOPRF) to improve resistance to offline attacks and uses a distributed transaction ledger to improve usability. We demonstrate practicability of our proposed scheme through a prototype.