Jubur et al., 2021 - Google Patents

Bypassing push-based second factor and passwordless authentication with human-indistinguishable notifications

Jubur et al., 2021

Document ID
9177136284765775871
Author
Jubur M
Shrestha P
Saxena N
Prakash J
Publication year
Publication venue
Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security

Snippet

Second factor (2FA) or passwordless authentication based on notifications pushed to a user's personal device (e.g., a phone) that the user can simply approve (or deny) has become widely popular due to its convenience. In this paper, we show that the effortlessness of this …

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • H04L63/083 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network using passwords
    • H04L63/0838 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network using passwords using one-time-passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231 Biological data, e.g. fingerprint, voice or retina
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATIONS NETWORKS
    • H04W12/00 Security arrangements, e.g. access security or fraud detection; Authentication, e.g. verifying user identity or authorisation; Protecting privacy or anonymity
    • H04W12/06 Authentication

Similar Documents

Publication Publication Date Title
Jubur et al. Bypassing push-based second factor and passwordless authentication with human-indistinguishable notifications
Ulqinaku et al. Is real-time phishing eliminated with FIDO? Social engineering downgrade attacks against FIDO protocols
Parmar et al. A comprehensive study on passwordless authentication
Lee et al. An empirical study of wireless carrier authentication for SIM swaps
Dasgupta et al. Multi-factor authentication: more secure approach towards authenticating individuals
Huang et al. Using one-time passwords to prevent password phishing attacks
US8627088B2 (en) System and method for in- and out-of-band multi-factor server-to-user authentication
US20250323910A1 (en) Risk-based factor selection
Marforio et al. Hardened setup of personalized security indicators to counter phishing attacks in mobile banking
Mahdad et al. Breaching security keys without root: Fido2 deception attacks via overlays exploiting limited display authenticators
Iyanda et al. Development of two-factor authentication login system using dynamic password with SMS verification
Chaudhari et al. A comprehensive study on authentication systems
Jubur et al. Usability and security analysis of the compare-and-confirm method in mobile push-based two-factor authentication
Zhao et al. Explicit authentication response considered harmful
Markert et al. View the email to get hacked: Attacking SMS-based two-factor authentication
Mahdad et al. Breaking mobile notification-based authentication with concurrent attacks outside of mobile devices
Papaspirou et al. A blockchain-based multi-factor honeytoken dynamic authentication mechanism
Tolbert et al. Exploring phone-based authentication vulnerabilities in single sign-on systems
Hackenjos et al. FIDO2 with two displays - Or how to protect security-critical web transactions against malware attacks
Certic The Future of Mobile Security
Leitner et al. Authentication in the context of E-participation: current practice, challenges and recommendations
Masoud et al. May I know your Iban? Cracking the short message service (sms) as a second factor authentication for online payments
Hammoudeh et al. Enhancing Security Using E-Authentication
Kellenberger Analyzing the Resilience of Two-Factor Authentication Techniques against Runtime Phishing Attacks
Jubur On the security and usability of new paradigms of Web authentication