Authentication Analysis Framework (AAF)


Recently, our paper [1] on the Authentication Analysis Framework (AAF) was accepted and published in Elsevier's Computers & Security (COSE). But what is it all about? User accounts on the Internet usually support several primary and fallback authentication methods. Fallback methods take effect when a primary method is (temporarily) unavailable, for example because the password has been forgotten. Which fallback methods exist is determined by the website, and which of them are active can often be configured by the user. A typical example is a security question. Account security is only as good as its weakest link, and that weakest link is often a fallback method. The fallback method does not even have to belong to the account in question: it can be a method configured on a linked account within a network of user accounts, such as a password-reset link sent to a recovery e-mail address.

In order to analyze the problem in more detail, Nils Gruschka, Leonhard Ziegler, André Büttner, and I derived one maturity model each for authentication methods and for fallback methods from the literature. The models are deliberately coarse-grained so that methods can be compared and handled more easily in the subsequent analysis. While the User Account Access Graphs of Hammann et al. [2] allow an initial systematic analysis of user accounts, we examine authentication and fallback methods separately, since in practice they are mostly different: a strong primary method is frequently paired with a much weaker recovery method. On top of that, we provide an analysis of security and accessibility, which uses, among other things, the maturity models defined earlier. Even when modeling a simple Google account, it becomes clear that a weak fallback method in one account can compromise other accounts, because e-mail addresses are commonly used as a recovery channel and the e-mail account itself is often only weakly protected.
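The weakest-link reasoning above, as an added example that is not part of the original post and not the AAF tooling: a small Python model of an account network in which every account offers several access paths (primary or fallback), each path is a set of factors that must all be satisfied, an e-mail reset link delegates to the linked account, and an attacker always takes the easiest path. The numeric levels, the account names and the hypothetical network are assumptions made for illustration only, not the maturity models from the paper. The example goes slightly beyond the text in that it handles arbitrary networks and cyclic recovery links.

```python
"""Weakest-link analysis over a small user account network (illustrative example)."""
from dataclasses import dataclass
from typing import Optional

# Assumed maturity levels for this example (1 = weakest, 4 = strongest).
# Illustrative placeholders, NOT the maturity models defined in the AAF paper.
LEVEL = {
    "security_question": 1,
    "password": 2,
    "sms_otp": 2,
    "totp": 3,
    "fido2": 4,
}


@dataclass(frozen=True)
class Factor:
    method: str                   # key in LEVEL, or "email_link"
    linked: Optional[str] = None  # for "email_link": the account the reset link is sent to


# An account maps to a list of access paths. Every factor in a path must be
# satisfied (password AND totp); any single path grants access (primary OR fallback).
Network = dict[str, list[list[Factor]]]


def factor_level(net: Network, f: Factor, visiting: frozenset) -> Optional[int]:
    """Level of one factor; an e-mail link is only as strong as the linked account."""
    if f.method == "email_link":
        return effective_level(net, f.linked, visiting)
    return LEVEL[f.method]


def path_level(net: Network, path: list[Factor], visiting: frozenset) -> Optional[int]:
    """An attacker must defeat every factor on the path, so the strongest one dominates."""
    levels = [factor_level(net, f, visiting) for f in path]
    if any(lvl is None for lvl in levels):
        return None  # path depends on an account that cannot be bootstrapped
    return max(levels)


def effective_level(net: Network, name: str, visiting: frozenset = frozenset()) -> Optional[int]:
    """Weakest-link level of an account: the attacker picks the easiest usable path."""
    if name in visiting:
        return None  # cyclic recovery (A resets via B, B resets via A): not usable from here
    visiting = visiting | {name}
    levels = [path_level(net, p, visiting) for p in net[name]]
    usable = [lvl for lvl in levels if lvl is not None]
    return min(usable) if usable else None


def weakest_path(net: Network, name: str) -> list[str]:
    """Human-readable description of the top-level path an attacker would choose."""
    best, best_level = None, None
    for path in net[name]:
        lvl = path_level(net, path, frozenset({name}))
        if lvl is not None and (best_level is None or lvl < best_level):
            best, best_level = path, lvl
    if best is None:
        return []
    return [f"{f.method}->{f.linked}" if f.linked else f.method for f in best]


# Constructed sample network (assumption): a bank account that recovers via Google,
# a Google account that recovers via an ISP mailbox, and an ISP mailbox whose
# fallback is a security question.
NETWORK: Network = {
    "isp_mail": [
        [Factor("password")],
        [Factor("security_question")],                # weak fallback
    ],
    "google": [
        [Factor("password"), Factor("totp")],
        [Factor("email_link", linked="isp_mail")],    # recovery e-mail
    ],
    "bank": [
        [Factor("password"), Factor("fido2")],
        [Factor("email_link", linked="google")],      # recovery e-mail
    ],
}

# Same network, but the ISP mailbox fallback is upgraded from a security question to TOTP.
HARDENED: Network = {**NETWORK, "isp_mail": [[Factor("password")], [Factor("totp")]]}


if __name__ == "__main__":
    for label, net in (("as configured", NETWORK), ("hardened", HARDENED)):
        for acct in net:
            print(f"{label:13} {acct:9} level={effective_level(net, acct)} "
                  f"via={weakest_path(net, acct)}")
```

Running it shows the propagation the text describes: the bank account's password plus FIDO2 primary path scores 4, yet its effective level is 1 because the security question on the ISP mailbox, two hops away, ultimately controls the bank's reset link. Upgrading only that one fallback lifts every downstream account to level 2. Cyclic reset links are ignored rather than counted as a way in, since an attacker who needs account A to reach B cannot use B to reach A first.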

To enable the exchange of such account models, we propose a first version of a description language as an exchange format. We also have two proof-of-concept implementations: a plugin for end users and a tool for researchers. The end-user plugin for KeePass in particular still needs further work before it can be released to the general public. We intend to use the researcher tool ourselves to analyze user accounts and account networks even more precisely. The source code, the maturity models, and the description language can be found in our GitHub repository [3].