基于提示的双因素身份验证

IF 4.8 2区 计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS
Zhenhua Yang , Jun Kong
{"title":"基于提示的双因素身份验证","authors":"Zhenhua Yang ,&nbsp;Jun Kong","doi":"10.1016/j.cose.2024.104068","DOIUrl":null,"url":null,"abstract":"<div><p>With the increasing usage of cameras, the threat from video attacks has greatly increased in recent years in addition to shoulder surfing. Many organizations have implemented two-factor authentication to enhance security. However, attackers can still steal users' usernames and passwords from two-factor authentication through video attack or shoulder surfing and applied the credential stuffing attack, as most people use the same passwords on different applications. Cue-based authentication provides high protection against shoulder surfing attacks, but it remains vulnerable to video attacks. To mitigate the threats of video attacks, we propose cue-based two-factor authentication (i.e., Cue-2FA), which is distinct from other methods by separating cue display from response input (refer to Chapter 1). We conducted two user studies to compare the usability and security between Cue-2FA and a standard Time-based-One-Time-Password two-factor authentication (i.e., TOTP-2FA). The evaluate results revealed Cue-2FA provides both higher usability and stronger resistance to the shoulder surfing attack. However, when both the cue and response are recorded, Cue-2FA is not more resistant to the video attack than TOTP-2FA. To address this issue, we introduced misleading operations to Cue-2FA when inputting a response, which significantly improves the resistance to the video attack.</p></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":null,"pages":null},"PeriodicalIF":4.8000,"publicationDate":"2024-08-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Cue-based two factor authentication\",\"authors\":\"Zhenhua Yang ,&nbsp;Jun Kong\",\"doi\":\"10.1016/j.cose.2024.104068\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><p>With the increasing usage of cameras, the threat from video attacks has greatly increased in recent years in addition to shoulder surfing. Many organizations have implemented two-factor authentication to enhance security. However, attackers can still steal users' usernames and passwords from two-factor authentication through video attack or shoulder surfing and applied the credential stuffing attack, as most people use the same passwords on different applications. Cue-based authentication provides high protection against shoulder surfing attacks, but it remains vulnerable to video attacks. To mitigate the threats of video attacks, we propose cue-based two-factor authentication (i.e., Cue-2FA), which is distinct from other methods by separating cue display from response input (refer to Chapter 1). We conducted two user studies to compare the usability and security between Cue-2FA and a standard Time-based-One-Time-Password two-factor authentication (i.e., TOTP-2FA). The evaluate results revealed Cue-2FA provides both higher usability and stronger resistance to the shoulder surfing attack. However, when both the cue and response are recorded, Cue-2FA is not more resistant to the video attack than TOTP-2FA. To address this issue, we introduced misleading operations to Cue-2FA when inputting a response, which significantly improves the resistance to the video attack.</p></div>\",\"PeriodicalId\":51004,\"journal\":{\"name\":\"Computers & Security\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":4.8000,\"publicationDate\":\"2024-08-19\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Computers & Security\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S0167404824003730\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404824003730","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

摘要

近年来,随着摄像头使用量的不断增加,除肩上冲浪外,来自视频攻击的威胁也大大增加。许多企业已采用双因素身份验证来加强安全性。然而,由于大多数人在不同的应用程序中使用相同的密码,攻击者仍然可以通过视频攻击或肩上冲浪从双因素身份验证中窃取用户名和密码,并应用凭证填充攻击。基于插入点的身份验证可以很好地抵御 "肩上冲浪 "攻击,但仍然容易受到视频攻击。为了减轻视频攻击的威胁,我们提出了基于提示的双因素身份验证(即 Cue-2FA),它有别于其他方法,将提示显示与响应输入分离开来(参见第 1 章)。我们进行了两项用户研究,比较了 Cue-2FA 和标准的基于时间-一次性密码的双因素身份验证(即 TOTP-2FA)的可用性和安全性。评估结果表明,Cue-2FA 具有更高的可用性和更强的抗肩扛攻击能力。然而,当提示和响应都被记录下来时,Cue-2FA 对视频攻击的抵抗力并不比 TOTP-2FA 强。为了解决这个问题,我们在 Cue-2FA 中引入了输入回应时的误导操作,从而大大提高了其抵御视频攻击的能力。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
Cue-based two factor authentication

With the increasing usage of cameras, the threat from video attacks has greatly increased in recent years in addition to shoulder surfing. Many organizations have implemented two-factor authentication to enhance security. However, attackers can still steal users' usernames and passwords from two-factor authentication through video attack or shoulder surfing and applied the credential stuffing attack, as most people use the same passwords on different applications. Cue-based authentication provides high protection against shoulder surfing attacks, but it remains vulnerable to video attacks. To mitigate the threats of video attacks, we propose cue-based two-factor authentication (i.e., Cue-2FA), which is distinct from other methods by separating cue display from response input (refer to Chapter 1). We conducted two user studies to compare the usability and security between Cue-2FA and a standard Time-based-One-Time-Password two-factor authentication (i.e., TOTP-2FA). The evaluate results revealed Cue-2FA provides both higher usability and stronger resistance to the shoulder surfing attack. However, when both the cue and response are recorded, Cue-2FA is not more resistant to the video attack than TOTP-2FA. To address this issue, we introduced misleading operations to Cue-2FA when inputting a response, which significantly improves the resistance to the video attack.

求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
Computers & Security
Computers & Security 工程技术-计算机:信息系统
CiteScore
12.40
自引率
7.10%
发文量
365
审稿时长
10.7 months
期刊介绍: Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信