Title Patikimas atsarginis algoritmas dviejų faktorių autentifikacijos procesui
Translation of Title Reliable backup algorithm for two-factor authentication process.
Authors Navašinskas, Lukas
Pages 73
Keywords [eng] system ; 2FA ; authentication ; second factor
Abstract [eng] This master's thesis addresses the problem of backup two-factor authentication (2FA): when a user loses the phone holding their second-factor application, access to their accounts is lost as well. The aim of the thesis is to create a USB-based backup 2FA solution that relies on asymmetric cryptography and works without installing additional software and without administrator privileges. The thesis analyses existing 2FA solutions and identifies their shortcomings. A four-component system is designed and implemented: an authentication server, a web application, a USB deployment tool, and a portable USB authenticator application. The solution uses an ECDSA P-256 key pair, whose private key is stored only on the USB drive; AES-256-GCM encryption with PBKDF2-HMAC-SHA256 (600 000 iterations) for the key store; Argon2id for hashing user passwords; and JWT (RS256) for access tokens. The challenge-response protocol is adapted from the WebAuthn Level 2 specification: the challenge lifetime is 120 seconds. The security level of the solution was verified through five experimental scenarios: USB cloning, replay attack, expired challenge, incorrect USB password, and tampered authentication data. All attack scenarios were rejected, while a legitimate authentication took approximately 45 seconds. The resulting system complies with Zero-Trust architecture principles and can be adapted for both commercial and non-commercial use.
Dissertation Institution Kauno technologijos universitetas.
Type Master thesis
Language Lithuanian
Publication date 2026