U2F based Secure Mutual Authentication Protocol for Mobile Payment*
Kai Fan
State Key Laboratory of Integrated Service Networks, Xidian University, Xi'an, China
kfan@mail.xidian.edu.cn

Hui Li
State Key Laboratory of Integrated Service Networks, Xidian University, Xi'an, China
lihui@mail.xidian.edu.cn

Wei Jiang
State Key Laboratory of Integrated Service Networks, Xidian University, Xi'an, China
2450855261@qq.com

Chengsheng Xiao
Shanghai haijiye High Tech Co. Ltd., Shanghai, China
robot@haijiye.com

Yintang Yang
Key Lab. of the Minist. of Educ. for Wide Band-Gap Semiconductor Materials and Devices, Xidian University, Xi'an, China
ytyang@xidian.edu.cn
ABSTRACT
With the increasing popularity of fintech, the e-commerce market has grown rapidly in the last decade, and mobile devices are now unprecedentedly popular and play an ever-increasing role in e-commerce, especially in mobile payment. However, online authentication technology based on the traditional mode can hardly sustain the healthy and stable development of mobile payment, and it cannot meet the security demands for user privacy and other sensitive information. In this paper, we propose a secure mutual authentication protocol (SMAP) based on U2F for mobile payment. In this system, an asymmetric cryptosystem built on the U2F architecture is used for mutual authentication between server and client to guarantee reliable service; it can resist impersonation and reject counterfeit users. Compared with the existing modes, the proposed protocol strengthens the security of the user's account information as well as individual privacy throughout the whole mobile payment transaction process. Practice proves that the proposed protocol is secure and convenient.
KEYWORDS
mutual authentication, security, privacy, U2F, mobile payment

*Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Permissions@acm.org.
ACM TUR-C '17, May 12-14, 2017, Shanghai, China
© 2017 ACM. ISBN 978-1-4503-4873-7/17/05…$15.00
DOI: http://dx.doi.org/10.1145/3063955.3063982
1 INTRODUCTION
For the last twenty years, most parts of the world have gradually stepped into the Internet era. In this age, the Internet provides various convenient services for people anytime and anywhere [1], especially mobile payment. The mobile phone (M-phone) plays a significant role and has become an inseparable companion for many users, far more than just a communication tool, and people store more and more sensitive personal information in it [2]. It is apparent that the emergence of the intelligent M-phone contributes to the booming development of mobile payment.
Compared with traditional ways of payment, mobile payment has the following features:
1) Digital transmission. Mobile payment adopts advanced technology to complete information transmission through digital circulation, while traditional payment is completed through the transfer of cash, the transfer of notes, or summarizing by the bank.
2) Open payment environment. The environment of mobile payment is based on an open system platform, while the traditional payment system operates in a relatively closed system.
3) Advanced communication means. Mobile payment places high requirements on hardware and software facilities, whereas traditional payment uses the traditional communication medium and is less demanding.
4) Other economic advantages. Mobile payment is convenient, fast and efficient. Users need only a networked tablet computer or M-phone, and the entire payment process can be completed in a very short period of time without leaving home. Traditional payments, on the other hand, require cumbersome procedures and sometimes a lot of time.