Nowadays, cyberattacks are growing exponentially, causing havoc to Internet users. In particular, authentication attacks constitute the major attack vector where intruders impersonate legitimate users to maliciously access systems or resources. Traditional single-factor authentication (SFA) protocols are often bypassed by side-channel and other attack techniques, hence they are no longer sufficient to the current authentication requirements. To alleviate this problem, multi-factor authentication (MFA) protocols have been widely adopted recently, which helps to raise the security bar against imposters. Although MFA is generally considered more robust and secure than SFA, it may not always guarantee enhanced security and efficiency. This is because, critical security vulnerabilities and performance problems may still arise due to design or implementation flaws of the protocols. Such vulnerabilities are often left unnoticed until they are exploited by attackers. Therefore, the main objective of this work is identifying such vulnerabilities in existing MFA protocols by systematically analysing their designs and constructions. To this end, we first form a set of security evaluation criteria, encompassing both existing and newly introduced ones, which we believe are very critical for the security of MFA protocols. Then, we thoroughly review several MFA protocols across different domains. Subsequently, we revisit and thoroughly analyze the design and construction of the protocols to identify potential vulnerabilities. Consequently, we manage to identify critical vulnerabilities in ten of the MFA protocols investigated. We thoroughly discuss the identified vulnerabilities in each protocol and devise relevant mitigation strategies. We also consolidate the performance information of those protocols to show the runtime and storage cost when employing varying number of authentication factors.

翻译：当前，网络攻击呈指数级增长，给互联网用户带来严重危害。其中，认证攻击构成了主要的攻击向量，入侵者通过冒充合法用户恶意访问系统或资源。传统的单因素认证协议常被旁路攻击等技术绕过，已无法满足当前认证需求。为缓解此问题，多因素认证协议近年来被广泛采用，有助于提高防御冒名顶替者的安全门槛。尽管MFA通常被认为比SFA更稳健安全，但其未必总能保证增强的安全性与效率。这是因为协议设计或实现缺陷仍可能引发关键安全漏洞与性能问题。此类漏洞往往在遭受攻击者利用前难以察觉。因此，本研究的主要目标是通过系统分析现有MFA协议的设计与构建机制来识别此类漏洞。为此，我们首先建立了一套安全评估标准（涵盖既有标准与新引入标准），这些标准对MFA协议的安全性至关重要。随后，我们全面审视了跨不同领域的多个MFA协议。继而，我们重新检视并深入分析这些协议的设计架构以识别潜在漏洞。最终，我们在所研究的十个MFA协议中成功识别出关键漏洞。我们详细探讨了各协议中发现的漏洞，并制定了相应的缓解策略。同时，我们整合了这些协议的性能数据，以展示采用不同数量认证因子时的运行时与存储成本。