TY - GEN
T1 - Countering concurrent login attacks in 'Just Tap' push-based authentication
T2 - 6th IEEE European Symposium on Security and Privacy, Euro S and P 2021
AU - Prakash, Jay
AU - Yu, Clarice Chua Qing
AU - Thombre, Tanvi Ravindra
AU - Bytes, Andrei
AU - Jubur, Mohammed
AU - Saxena, Nitesh
AU - Blessing, Lucienne
AU - Zhou, Jianying
AU - Quek, Tony Q.S.
N1 - Publisher Copyright:
© 2021 IEEE.
PY - 2021/9
Y1 - 2021/9
N2 - In this paper, we highlight a fundamental vulnerability associated with the widely adopted 'Just Tap' push-based authentication in the face of a concurrency attack, and propose the method REPLICATE, a redesign to counter this vulnerability. In the concurrency attack, the attacker launches the login session at the same time the user initiates a session, and the user may be fooled, with high likelihood, into accepting the push notification which corresponds to the attacker's session, thinking it is their own. The attack stems from the fact that the login notification is not explicitly mapped to the login session running on the browser in the Just Tap approach. REPLICATE attempts to address this fundamental flaw by having the user approve the login attempt by replicating the information presented on the browser session over to the login notification, such as by moving a key in a particular direction, choosing a particular shape, etc. We report on the design and a systematic usability study of REPLICATE. Even without being aware of the vulnerability, in general, participants placed multiple variants of REPLICATE in competition to the Just Tap and fairly above PIN-based authentication.
AB - In this paper, we highlight a fundamental vulnerability associated with the widely adopted 'Just Tap' push-based authentication in the face of a concurrency attack, and propose the method REPLICATE, a redesign to counter this vulnerability. In the concurrency attack, the attacker launches the login session at the same time the user initiates a session, and the user may be fooled, with high likelihood, into accepting the push notification which corresponds to the attacker's session, thinking it is their own. The attack stems from the fact that the login notification is not explicitly mapped to the login session running on the browser in the Just Tap approach. REPLICATE attempts to address this fundamental flaw by having the user approve the login attempt by replicating the information presented on the browser session over to the login notification, such as by moving a key in a particular direction, choosing a particular shape, etc. We report on the design and a systematic usability study of REPLICATE. Even without being aware of the vulnerability, in general, participants placed multiple variants of REPLICATE in competition to the Just Tap and fairly above PIN-based authentication.
UR - http://www.scopus.com/inward/record.url?scp=85119263958&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85119263958&partnerID=8YFLogxK
U2 - 10.1109/EuroSP51992.2021.00013
DO - 10.1109/EuroSP51992.2021.00013
M3 - Conference contribution
AN - SCOPUS:85119263958
T3 - Proceedings - 2021 IEEE European Symposium on Security and Privacy, Euro S and P 2021
SP - 21
EP - 36
BT - Proceedings - 2021 IEEE European Symposium on Security and Privacy, Euro S and P 2021
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 6 September 2021 through 10 September 2021
ER -