Title: Usability and Security Analysis of the Compare-and-Confirm Method in Mobile Push-Based Two-Factor Authentication
Authors: Mohammed Jubur; Nitesh Saxena; Faheem A. Reegu
DOI: 10.1109/TMC.2024.3524093
Journal: IEEE Transactions on Mobile Computing, vol. 24, no. 6, pp. 4623-4638
Publication date: 2024-12-30
Publication type: Journal Article
Journal impact factor: 7.7; JCR quartile: Q1 (Computer Science, Information Systems)
Open access: no
URL: https://ieeexplore.ieee.org/document/10818582/
Source platform: Semantic Scholar
Citation count: 0
Abstract
Push-based two-factor authentication (2FA) methods, such as the "Just-Confirm" approach, are popular due to their user-friendly design, requiring users to simply approve or deny a push notification on their mobile device. However, these methods are vulnerable to "concurrency attacks," where an attacker attempts to log in immediately after the legitimate user, causing multiple push notifications that may lead to users inadvertently approving fraudulent access. This vulnerability arises because the login notifications are not uniquely bound to individual login attempts. To address this issue, the Push-Compare-and-Confirm 2FA method enhances security by associating each login notification with a unique code displayed on both the authentication terminal and the push notification. Users are required to match these codes before confirming access, thereby binding the notification to a specific login attempt. Recognizing the ubiquity of mobile devices in daily life, we conducted a comprehensive user study with 65 participants to evaluate the usability and security of Push-Compare-and-Confirm. The study considered two scenarios: one where the user's second-factor device (phone) is physically separate from the authentication terminal (e.g., logging in on a PC and confirming on the phone), and another where the phone serves as both the authentication terminal and the second-factor device. Participants completed 24 login trials, including both benign and attack scenarios, with varying code lengths (four characters and six characters). Our results indicate that while Push-Compare-and-Confirm maintains high usability in benign scenarios, with True Positive Rates (TPR) exceeding 95%, it presents significant challenges in attack detection. Participants correctly identified only about 50% of fraudulent login attempts, indicating that a substantial vulnerability remains. These findings suggest that although Push-Compare-and-Confirm enhances security over standard push-based 2FA methods, additional measures—such as more intuitive interface designs, clearer visual cues, and user education on the importance of code verification—are necessary to improve attack detection rates without compromising usability.
Journal description:
IEEE Transactions on Mobile Computing addresses key technical issues related to various aspects of mobile computing. This includes (a) architectures, (b) support services, (c) algorithm/protocol design and analysis, (d) mobile environments, (e) mobile communication systems, (f) applications, and (g) emerging technologies. Topics of interest span a wide range, covering aspects like mobile networks and hosts, mobility management, multimedia, operating system support, power management, online and mobile environments, security, scalability, reliability, and emerging technologies such as wearable computers, body area networks, and wireless sensor networks. The journal serves as a comprehensive platform for advancements in mobile computing research.