New methods can improve the security of two-factor authentication systems
As an added layer of security, many online services have adopted push-notification two-factor authentication systems that let users approve login attempts from a mobile device. In current implementations, especially the “Tap Allow” approach, there is no explicit link between the user’s browser session and the notification they receive on their device. Attackers can take advantage of this gap.
To solve this problem, Dr. Nitesh Saxena, a professor of computer science and engineering at Texas A&M University, and a team of researchers have devised new, easy-to-use methods to address the vulnerabilities in push notification-based two-factor authentication systems.
“The algorithms we have designed have similar applications to the original push notification-based authentication system, but they simultaneously enhance security against login attacks,” Saxena said. “If a user receives two notifications, the notification associated with the attacker’s browser session will be different. Therefore, the user can detect that something is wrong and will not accept the false notification.”
A paper by the team describing the research was published in the proceedings of the 2021 Institute of Electrical and Electronics Engineers (IEEE) European Symposium on Security and Privacy (EuroS&P).
Push notifications are clickable pop-up messages that are sent directly to the user’s mobile or desktop device through an installed application. They can appear at any time and show various things like the weather, important news, missed calls or text messages, and reminders.
They can also be used for second-factor authentication (or passwordless authentication), which acts as an additional layer of protection for users’ online accounts against attackers. With push notification authentication, the notification is sent directly to a mobile device, usually a smartphone registered with the online account, alerting the user that a login attempt is in progress. The user can review the notification details and accept or reject the request at the touch of a button.
One of the main advantages of this method is that it gives users an easy way to manage the passwords for their accounts and to recognize unauthorized login attempts. Over the past few years, there has been a sharp increase in the adoption of push notification-based authentication systems such as Duo Push and Authy. They have also been adopted commercially by major software and service companies such as Google and Twitter, and by many educational institutions.
Although this method is generally more convenient for users than a one-time password system, it does carry a number of security risks, one of which is the so-called concurrency attack described in Saxena’s research.
In this type of attack, a malicious actor who has obtained a user’s password starts a login session at the same time as the legitimate user. Because the attacker and the user log in simultaneously, the user’s device receives two “Allow” push notifications. Since there is no fundamental difference between the two notifications, the user may unknowingly accept the attacker’s notification, giving the attacker access to sensitive accounts (bank, school, etc.).
The first solution developed by the researchers, described in their European Symposium on Security and Privacy paper, was to use a random four-digit number that the user had to compare before accepting the notification. However, with this kind of approach users may not look closely enough and may still accept the attacker’s notification.
“There is a lot of literature in the usable security community that shows people not noticing these security notifications, warnings and things like that,” Saxena said. “They dismiss them by pressing the OK button so they can log in and continue their main task. They do not expect an attack, so we do not want to use this method.”
To address this design shortcoming, the researchers developed a new method called REPLICATE. With REPLICATE, users must authorize the login attempt by replicating, in the login notification, a random interaction shown in the browser session, which explicitly links the notification to the user’s browser session. For example, in one interaction the user is prompted to drag a key icon in a specific direction. In another, colored buttons are displayed and the user presses the matching one.
Although the interactions are simple to perform, they prevent a concurrency attack because the interaction needed to verify the user’s session is different from the interaction required to authenticate the attacker’s session.
To test the performance of the interface, the team conducted a usability study with 40 to 50 participants, in which they evaluated it and compared its performance with the “Just Tap” method. They found that study participants were able to successfully perform the simple tasks.
“To launch an attack against this system, if the attacker logs in at the same time, they will not succeed because the user matches their browser session with the notification and will not accept the attacker’s notification,” Saxena said.
To study the effectiveness of REPLICATE with a larger group of participants, and to better measure its usability and adaptability in practice, the researchers want to increase the entropy of the process that matches the browser session to the notification.
“For example, when you look at the number of options for a drag interaction, the entropy in this process is very low. Although we did not see it in the study, there is a small chance that it will happen, so it will be something for us to resolve.”
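To make the concurrency attack and the REPLICATE session binding concrete, here is an added Python model (not the authors’ code) of a push-authentication server with both a “Just Tap” approval and a REPLICATE approval, together with the per-login collision chance that the entropy remark above refers to. The four drag directions, the session identifiers and the approval flow are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field

# Constructed challenge space for the "drag the key icon" interaction the article
# describes (assumption: four directions; the paper's real option set may differ).
DRAG_DIRECTIONS = ("up", "down", "left", "right")

@dataclass
class LoginSession:
    session_id: str
    challenge: str  # the interaction shown in THIS browser session

@dataclass
class PushAuthServer:
    """Server side of a push-based second factor, in both approval styles."""
    challenges: tuple = DRAG_DIRECTIONS
    pending: dict = field(default_factory=dict)

    def start_login(self) -> LoginSession:
        # Reached after the password check; in the concurrency attack the attacker
        # knows the password too, so the user and the attacker each get a session.
        sess = LoginSession(secrets.token_hex(4), secrets.choice(self.challenges))
        self.pending[sess.session_id] = sess
        return sess

    def just_tap_approve(self, session_id: str) -> bool:
        # "Just Tap": nothing ties the notification to a browser session, so
        # tapping Allow approves whichever session the notification belongs to.
        return self.pending.pop(session_id, None) is not None

    def replicate_approve(self, session_id: str, performed: str) -> bool:
        # REPLICATE: the device reports the interaction the user performed; it is
        # accepted only if it replicates the challenge shown for that session.
        sess = self.pending.get(session_id)
        if sess is None or performed != sess.challenge:
            return False
        del self.pending[session_id]
        return True

def attacker_wins_concurrent_login(server: PushAuthServer, replicate: bool) -> bool:
    """User and attacker log in at once; the user answers the ATTACKER's notification
    (the mistake the article describes) with what their own browser shows."""
    user, attacker = server.start_login(), server.start_login()
    if not replicate:
        return server.just_tap_approve(attacker.session_id)
    return server.replicate_approve(attacker.session_id, user.challenge)

def collision_probability(n_options: int) -> float:
    """Chance both sessions draw the same challenge: the low-entropy residual risk."""
    return 1.0 / n_options
```

Under Just Tap the attacker’s concurrent session is approved whenever the user taps the wrong notification; under REPLICATE it is approved only when both sessions happen to draw the same challenge, which is why a larger interaction set lowers the residual risk.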
More info: Jay Prakash et al., "Countering Concurrent Login Attacks in 'Just Tap' Push-based Authentication: A Redesign and Usability Evaluations," 2021 IEEE European Symposium on Security and Privacy (EuroS&P), 2021. DOI: 10.1109/EuroSP51992.2021.00013, https://ieeexplore.ieee.org/document/9581191
Provided by Texas A&M University College of Engineering (https://engineering.tamu.edu/)
Citation: New methods can improve the security of two-factor authentication systems (April 14, 2022)