Countering Concurrent Login Attacks in Just Tap Push-based Authentication: A Redesign and Usability Evaluations (Conference Paper)

abstract

  • In this paper, we highlight a fundamental vulnerability in the widely adopted Just Tap push-based authentication under a concurrency attack, and propose REPLICATE, a redesign that counters it. In the concurrency attack, the attacker launches a login session at the same time the user initiates one; with high likelihood the user is fooled into accepting the push notification that corresponds to the attacker's session, believing it to be their own. The attack stems from the fact that, in the Just Tap approach, the login notification is not explicitly bound to the login session running in the browser. REPLICATE addresses this flaw by having the user approve a login attempt by replicating, on the notification, information presented in the browser session, for example by moving a key in a particular direction or choosing a particular shape. We report on the design of REPLICATE and a systematic usability study of it. Even without being made aware of the vulnerability, participants in general rated multiple variants of REPLICATE as competitive with Just Tap and well above PIN-based authentication.
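The following simulation is an added illustration of the concurrency attack described in the abstract and of why binding the notification to the browser session defeats it; it is not code from the paper or its authors. The class and function names, the four-shape challenge menu, and the simplifying assumption that the victim acts only on the first notification shown on their phone are all assumptions made here for the illustration. Under Just Tap the victim's tap approves whichever session produced the notification, so the attacker's session is always approved; under the REPLICATE-style check the victim answers with the challenge shown on their own browser, which only matches the attacker's session by chance (one in the size of the challenge menu).

```python
import random
from dataclasses import dataclass

# Challenge menu rendered on the browser page and offered on the push
# notification. The menu is an assumption for this illustration; the paper
# evaluates several REPLICATE variants (moving a key, choosing a shape, ...).
SHAPES = ("circle", "square", "triangle", "star")


@dataclass
class LoginSession:
    session_id: int
    username: str
    challenge: str        # value rendered on the browser page of this session
    approved: bool = False


@dataclass
class PushNotification:
    session_id: int       # server-side link to the session that triggered it
    username: str


class AuthServer:
    """Minimal server (hypothetical) holding sessions and queuing pushes."""

    def __init__(self, rng):
        self.rng = rng
        self.sessions = {}
        self.outbox = []          # notifications delivered to the user's phone

    def start_login(self, username):
        sid = len(self.sessions) + 1
        session = LoginSession(sid, username, self.rng.choice(SHAPES))
        self.sessions[sid] = session
        self.outbox.append(PushNotification(sid, username))
        return session

    def approve_just_tap(self, note):
        # Just Tap: the tap carries nothing that ties it to what the browser
        # shows, so it approves whichever session produced the notification.
        self.sessions[note.session_id].approved = True

    def approve_replicate(self, note, answer):
        # REPLICATE-style check: the user reproduces the challenge shown on
        # *their* browser; the server compares it with the challenge of the
        # session that produced this notification.
        session = self.sessions[note.session_id]
        if answer == session.challenge:
            session.approved = True
        return session.approved


def concurrency_attack(scheme, seed=None):
    """Attacker and victim start logins for the same account at the same time.
    Models only the victim's first approval decision on their phone."""
    rng = random.Random(seed)
    server = AuthServer(rng)
    attacker = server.start_login("alice")   # attacker's session, started first
    victim = server.start_login("alice")     # victim's own session
    shown = server.outbox[0]                 # the phone shows the first push;
    if scheme == "just_tap":                 # the victim assumes it is theirs
        server.approve_just_tap(shown)
    elif scheme == "replicate":
        # The victim answers with what their own browser page is displaying.
        server.approve_replicate(shown, victim.challenge)
    else:
        raise ValueError(scheme)
    return {
        "attacker_approved": attacker.approved,
        "victim_approved": victim.approved,
        "same_challenge": attacker.challenge == victim.challenge,
    }


def attack_success_rate(scheme, trials=2000, seed=1):
    """Fraction of concurrent logins in which the attacker's session is approved."""
    hits = sum(concurrency_attack(scheme, seed + i)["attacker_approved"]
               for i in range(trials))
    return hits / trials


def legitimate_login(seed=None):
    """No attacker present: the user approves their own notification."""
    server = AuthServer(random.Random(seed))
    victim = server.start_login("alice")
    return server.approve_replicate(server.outbox[0], victim.challenge)


if __name__ == "__main__":
    for scheme in ("just_tap", "replicate"):
        print(f"{scheme:>10}: attacker approved in "
              f"{attack_success_rate(scheme):.0%} of concurrent logins")
```

With a four-entry menu the residual success rate of the attack is about 25%, which is why a deployable variant needs a larger challenge space (or a multi-step challenge) than this toy menu; the mechanism that matters is that the server verifies the answer against the session that issued the notification, so approving a notification for someone else's session fails unless the two challenges coincide.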

name of conference

  • 2021 IEEE European Symposium on Security and Privacy (EuroS&P)

published proceedings

  • 2021 IEEE European Symposium on Security and Privacy (EuroS&P)

altmetric score

  • 61

author list (cited authors)

  • Prakash, J., Yu, C., Thombre, T. R., Bytes, A., Jubur, M., Saxena, N., ... Quek, T.

citation count

  • 0

complete list of authors

  • Prakash, Jay||Yu, Clarice Chua Qing||Thombre, Tanvi Ravindra||Bytes, Andrei||Jubur, Mohammed||Saxena, Nitesh||Blessing, Lucienne||Zhou, Jianying||Quek, Tony QS

publication date

  • January 2021