User-autonomous Multi-Factor Authentication Supporting Arbitrary Factor Configurations

Journal Article (2025)
Author(s)

Wenting Li (Beijing Institute of Graphic Communication)

Haibo Cheng (Peking University)

K. Liang (TU Delft - Cyber Security)

Research Group
Cyber Security
DOI related publication
https://doi.org/10.1109/TIFS.2025.3622084
Publication Year
2025
Language
English
Bibliographical Note
Green Open Access added to TU Delft Institutional Repository as part of the Taverne amendment. More information about this copyright law amendment can be found at https://www.openaccess.nl. Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.
Volume number
20
Pages (from-to)
11544-11559
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

Multi-factor authentication (MFA) is widely used to secure high-value digital assets in web applications. Traditional t-factor authentication (t-FA) enhances security by requiring users to present t factors, which often becomes inconvenient as the number of required factors increases. Threshold (t, n)-MFA (T-MFA) improves usability by allowing users to authenticate with any t factors from a set of n. However, T-MFA treats all factors as equal, ignoring the varying security strengths of different factors. For instance, passwords are generally less secure than smart cards, yet T-MFA fails to account for these differences. This restricts its ability to balance security and usability effectively. To overcome this, we propose AS-MFA, a new primitive allowing users to configure factor combinations based on the security strength of each factor. Our scheme employs secret sharing for general access structures, ensuring that authentication is granted only when a valid combination of factors is presented. Unlike T-MFA limited to threshold configurations, AS-MFA supports arbitrary factor combinations, offering greater user autonomy. We formally define the security of AS-MFA and prove the security of our design. In terms of performance, the protocol requires only two communication rounds and achieves computational efficiency, involving $t_2$ fuzzy extractor operations, $2 + 3t_1 + 3t_2$ exponentiations, and 2 multi-exponentiations for a factor combination consisting of $t_1$ passwords, $t_2$ biometrics, and $t_3$ devices. For threshold configurations, AS-MFA outperforms Li et al.’s T-MFA by requiring fewer exponentiation operations, offering a constant and lower computation cost compared to the linear cost in t of T-MFA.

Files

License info not available

File under embargo until 20-04-2026