Security of Evolving Authentication Technologies. Multi-Factor Authentication, Passwordless Authentication, and Self-Sovereign Identity
Main author: | |
---|---|
Format: | Dissertation |
Language: | eng |
Online access: | Order full text |
Summary: | In today’s digital age, people are burdened with a plethora of online profiles, e.g., for social media, banking, and governmental services. Traditionally, passwords have been the primary method to sign in to those accounts. They, however, are increasingly recognized as insecure. Thus, service providers implement new technologies to protect their users. This thesis explores the security of modern authentication technologies, focusing on multi-factor authentication, passwordless authentication, and self-sovereign identity (SSI). The research reveals that many users configure their accounts poorly, entailing the risk of account takeovers or account lockouts. The thesis also presents the first systematic study on risk-based account recovery, a hitherto overlooked concept that impacts the users' security and accessibility. Moreover, FIDO2, a recent innovation aimed at replacing passwords, is found to have vulnerabilities in certain conditions. A protocol is therefore suggested that can prevent such vulnerabilities effectively. Finally, a review of authentication in the context of data subject rights uncovers questionable practices, which inspired the proposal of an SSI-based concept to mitigate associated security and privacy risks. |