Despite being more secure and strongly promoted, two-factor (2FA) or multi-factor (MFA) schemes either fail to protect against recent phishing threats such as real-time MITM, controls/relay MITM, malicious browser extension-based phishing attacks, and/or need the users to purchase and carry other hardware for additional account protection. Leveraging the unprecedented popularity of NFC and BLE-enabled smartphones, we explore a new horizon for designing an MFA scheme. This paper introduces an advanced authentication method for user verification that utilizes the user's real-time facial biometric identity, which serves as an inherent factor, together with BLE- NFC-enabled mobile devices, which operate as an ownership factor. We have implemented a prototype authentication system on a BLE-NFC-enabled Android device, and initial threat modeling suggests that it is safe against known phishing attacks. The scheme has been compared with other popular schemes using the Bonneau et al. assessment framework in terms of usability, deployability, and security.

翻译：尽管双因素认证（2FA）或多因素认证（MFA）方案在安全性上更强且受到大力推广，但其仍无法抵御实时中间人攻击、控制/中继中间人攻击、基于恶意浏览器扩展的网络钓鱼攻击等新型网络钓鱼威胁，且/或需要用户购买并携带额外的硬件设备以增强账户保护。借助支持NFC和BLE的智能手机前所未有的普及度，我们探索了设计多因素认证方案的新方向。本文提出一种先进的用户验证认证方法，该方法综合利用用户实时面部生物特征（作为固有因素）与支持BLE-NFC的移动设备（作为持有因素）。我们已在支持BLE-NFC的Android设备上实现了原型认证系统，初步威胁建模表明该系统能够有效抵御已知的网络钓鱼攻击。通过采用Bonneau等人提出的评估框架，本方案在可用性、可部署性与安全性方面已与其他主流方案进行了对比分析。