Title: Cue-based two factor authentication
Authors: Zhenhua Yang, Jun Kong
DOI: 10.1016/j.cose.2024.104068
Journal: Computers & Security (Journal Article), JCR Q1, Computer Science, Information Systems
Publication date: 2024-08-19
Open access: no
URL: https://www.sciencedirect.com/science/article/pii/S0167404824003730
Citation count: 0
Abstract
With the increasing usage of cameras, the threat from video attacks has greatly increased in recent years, in addition to shoulder surfing. Many organizations have implemented two-factor authentication to enhance security. However, attackers can still steal users' usernames and passwords from two-factor authentication through a video attack or shoulder surfing and then apply a credential stuffing attack, as most people reuse the same passwords across different applications. Cue-based authentication provides high protection against shoulder surfing attacks, but it remains vulnerable to video attacks. To mitigate the threat of video attacks, we propose cue-based two-factor authentication (i.e., Cue-2FA), which is distinct from other methods in that it separates cue display from response input (refer to Chapter 1). We conducted two user studies to compare the usability and security of Cue-2FA against a standard Time-based One-Time Password two-factor authentication (i.e., TOTP-2FA). The evaluation results revealed that Cue-2FA provides both higher usability and stronger resistance to the shoulder surfing attack. However, when both the cue and the response are recorded, Cue-2FA is no more resistant to the video attack than TOTP-2FA. To address this issue, we introduced misleading operations into Cue-2FA when inputting a response, which significantly improves its resistance to the video attack.
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at professionals involved with computer security, audit, control and data integrity in all sectors: industry, commerce and academia. Recognized worldwide as the primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.