Countering concurrent login attacks in 'Just Tap' push-based authentication: A redesign and usability evaluations

Jay Prakash, Clarice Chua Qing Yu, Tanvi Ravindra Thombre, Andrei Bytes, Mohammed Jubur, Nitesh Saxena, Lucienne Blessing, Jianying Zhou, Tony Q.S. Quek

Research output: Conference contribution

Abstract

In this paper, we highlight a fundamental vulnerability associated with the widely adopted 'Just Tap' push-based authentication in the face of a concurrency attack, and propose the method REPLICATE, a redesign to counter this vulnerability. In the concurrency attack, the attacker launches the login session at the same time the user initiates a session, and the user may be fooled, with high likelihood, into accepting the push notification which corresponds to the attacker's session, thinking it is their own. The attack stems from the fact that the login notification is not explicitly mapped to the login session running on the browser in the Just Tap approach. REPLICATE attempts to address this fundamental flaw by having the user approve the login attempt by replicating the information presented on the browser session over to the login notification, such as by moving a key in a particular direction, choosing a particular shape, etc. We report on the design and a systematic usability study of REPLICATE. Even without being aware of the vulnerability, in general, participants placed multiple variants of REPLICATE in competition with the Just Tap and fairly above PIN-based authentication.
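The abstract describes the mechanism at a high level only. The following simulation is an added example, not code from the paper or its authors: it models a toy authentication server that runs two login sessions for the same account at the same instant (the user's and an attacker's) and compares what happens when the user answers the attacker's notification under Just Tap versus under a REPLICATE-style binding. The shape option space, the session layout and the "one wrong answer fails the session" rule are assumptions made for this example, not details taken from the paper.

```python
import random
from dataclasses import dataclass

# Constructed option space for the challenge shown on the browser page.
# The paper mentions shapes and key directions as examples of replicated information.
SHAPES = ("circle", "square", "triangle", "star")


@dataclass
class Session:
    user: str
    challenge: str          # what this session's browser page displays
    approved: bool = False
    failed: bool = False


class AuthServer:
    """Toy server holding pending push-login sessions (assumed design, not the paper's)."""

    def __init__(self, rng: random.Random):
        self.rng = rng
        self.sessions: dict[str, Session] = {}

    def start_session(self, user: str) -> str:
        # Every browser login gets its own id and its own independently drawn challenge.
        sid = f"s{len(self.sessions) + 1:04d}-{self.rng.randrange(1 << 16):04x}"
        self.sessions[sid] = Session(user, self.rng.choice(SHAPES))
        return sid

    def browser_view(self, sid: str) -> str:
        # Just Tap shows nothing the user must copy; REPLICATE shows the challenge here.
        return self.sessions[sid].challenge

    def push_notification(self, sid: str) -> dict:
        # The phone learns which session it is answering for, but never the challenge itself.
        return {"session": sid, "user": self.sessions[sid].user, "options": SHAPES}

    def approve_just_tap(self, sid: str) -> bool:
        # A tap approves whatever session produced the notification.
        self.sessions[sid].approved = True
        return True

    def approve_replicate(self, sid: str, replicated: str) -> bool:
        # The answer must match the challenge the server bound to *this* session.
        s = self.sessions[sid]
        if s.failed or s.approved:
            return False
        if replicated == s.challenge:
            s.approved = True
            return True
        s.failed = True   # one wrong answer fails the session; it cannot be retried
        return False


def concurrency_attack(mode: str, rng: random.Random) -> bool:
    """Return True if the attacker's session ends up approved."""
    server = AuthServer(rng)
    user_sid = server.start_session("alice")      # alice's own browser
    attacker_sid = server.start_session("alice")  # attacker logs in as alice at the same moment
    # Alice's phone shows the attacker's notification first; she assumes it is hers.
    note = server.push_notification(attacker_sid)
    if mode == "just_tap":
        server.approve_just_tap(note["session"])
    else:
        # Under REPLICATE she copies what her own browser displays into the notification.
        server.approve_replicate(note["session"], server.browser_view(user_sid))
    return server.sessions[attacker_sid].approved


def attacker_success_rate(mode: str, trials: int = 2000, seed: int = 7) -> float:
    rng = random.Random(seed)
    wins = sum(concurrency_attack(mode, rng) for _ in range(trials))
    return wins / trials


def legitimate_login(seed: int = 1) -> bool:
    """With no attacker, the user answering their own notification succeeds."""
    server = AuthServer(random.Random(seed))
    sid = server.start_session("alice")
    note = server.push_notification(sid)
    return server.approve_replicate(note["session"], server.browser_view(sid))


def wrong_answer_fails_session(seed: int = 3) -> tuple[bool, bool]:
    """A mismatched reply is rejected and the session cannot be approved afterwards."""
    server = AuthServer(random.Random(seed))
    sid = server.start_session("bob")
    wrong = next(s for s in SHAPES if s != server.browser_view(sid))
    first = server.approve_replicate(sid, wrong)
    second = server.approve_replicate(sid, server.browser_view(sid))
    return first, second


if __name__ == "__main__":
    for mode in ("just_tap", "replicate"):
        print(f"{mode:9s} attacker success rate: {attacker_success_rate(mode):.3f}")
```

Under Just Tap the attacker's session is approved in every trial, because nothing ties the tap to a particular browser session. Under the REPLICATE-style binding the attacker wins only when the challenge the server drew for their session happens to equal the one on the user's screen, about 1/|SHAPES| of the time here, and a failed session must be restarted, so the residual rate is governed by the size of the option space and by how aggressively repeated fresh sessions for one account are rate-limited.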

Original language: English
Title of host publication: Proceedings - 2021 IEEE European Symposium on Security and Privacy, Euro S and P 2021
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 21-36
Number of pages: 16
ISBN (electronic): 9781665414913
DOIs
Publication status: Published - Sep 2021
Event: 6th IEEE European Symposium on Security and Privacy, Euro S and P 2021 - Virtual, Online, Austria
Duration: 6 Sep 2021 → 10 Sep 2021

Publication series

Name: Proceedings - 2021 IEEE European Symposium on Security and Privacy, Euro S and P 2021

Conference

Conference: 6th IEEE European Symposium on Security and Privacy, Euro S and P 2021
Country/Territory: Austria
City: Virtual, Online
Period: 21-09-06 → 21-09-10

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Information Systems
  • Information Systems and Management
  • Safety, Risk, Reliability and Quality
