Defeating the Secrets of OTP Apps for Android

Despite the increasing number of data theft cases (such as Equifax), the classic password is still, in many places, the sole security feature for user authentication.

However, numerous ways to extend this now anachronistic form of access control already exist. One such option is the use of one-time passwords (OTP). These passwords are increasingly used as an additional authentication factor (on top of user name and password) when users log in to service providers on the Internet. The applications that generate them are therefore referred to as two-factor authentication apps (2FA apps).

The paper by Philip Polleit and myself investigates 16 such 2FA apps for the Android operating system and focuses on the extent to which these applications can offer a similar level of protection when compared to classical hardware tokens (e.g., YubiKey, SecurID-Authenticator). The paper was presented at this year's IMF conference in Hamburg.
