Efficient Mobile User Authentication Service with Privacy Preservation and User Untraceability

Security questions and answers for authentication are a common approach to enable the user to reset forgotten passwords. Moreover, they are also sometimes used as alternative for the classical username-password system, which fails in offering a good balance between user friendliness and security as long and complex passwords are required. However, in order to guarantee the privacy of the user as imposed by the new General Data Protection Regulation (GDPR), it should be impossible to derive the answer of the user by any other entity, including the server provider or the server managing the authentication. In this paper, we present an efficient mobile based security mechanism to realise this goal. The proposed scheme can be applied on top of any type of question-answer based authentication system. In addition, our solution also offers anonymity and untraceability of the user, such that no activity patterns can be drawn by simply eavesdropping on the communication channel to the service provider or the authentication server. We show that our proposed mechanism not only offers more security features compared to related work, but it is also significantly faster, in particular at the side of the user.