Enforcing security policies on interacting authentication systems / Buccafurri, Francesco; De Angelis, Vincenzo; Lazzaro, Sara; Pugliese, Andrea. - In: COMPUTERS & SECURITY. - ISSN 0167-4048. - 140:103771(2024). [10.1016/j.cose.2024.103771]
Enforcing security policies on interacting authentication systems
Buccafurri, Francesco; De Angelis, Vincenzo; Lazzaro, Sara
2024-01-01
Abstract
Security policies of authentication systems are a crucial factor in mitigating the risk of impersonation, which is often the first stage of advanced persistent threats. Online authentication systems may often interact with each other, due to various mechanisms, such as account recovery or federated authentication. This leads to an implicit extension of the security policies of an authentication system with policies over which the system has no control. As a result, an authentication system that adopts very strong security policies can be unexpectedly weak. This paper deals with the above problem, which affects most real-world online authentication systems. The paper proposes a theoretical framework that formalizes authentication policies and interactions among authentication systems, together with a protocol that prevents, whenever an interaction is established or updated, the security issues described above. An SSI-based implementation of the proposed protocol is presented as well.

File | Size | Format
---|---|---
Buccafurri_2024_j.cose_Enforcing_Editor.pdf (open access; description: publisher's version; type: publisher's version (PDF); license: Creative Commons) | 1.06 MB | Adobe PDF
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.