Rijswijk-Deij, Roland van; Poll, Erik; Hühnlein, Detlef; Roßnagel, Heiko

2018-10-10; 2018-10-10; 2013

ISBN: 978-3-88579-617-6

https://dl.gi.de/handle/20.500.12116/17195

Classic two-factor authentication has been around for a long time and has enjoyed success in certain markets (such as the corporate and the banking environment). A reason for this success is the strong security properties, particularly where user interaction is concerned. These properties hinge on a security token being a physically separate device. This paper investigates whether Trusted Execution Environments (TEE) can be used to achieve a comparable level of security without the need to have a separate device. To do this, we introduce a model that shows the security properties of user interaction in two-factor authentication. The model is used to examine two TEE technologies, Intel's IPT and ARM TrustZone, revealing that, although it is possible to get close to classic two-factor authentication in terms of user interaction security, both technologies have distinct drawbacks. The model also clearly shows an open problem shared by many TEEs: how to prove to the user that they are dealing with a trusted application when trusted and untrusted applications share the same display.

Language: en

Keywords: trusted execution environment; Intel Identity Protection Technology; IPT; ARM TrustZone; two-factor authentication

Title: Using Trusted Execution Environments in Two-factor Authentication: comparing approaches

Type: Text/Conference Paper

ISSN: 1617-5468