Skip to main content
SpringerLink
Log in

Exploring Phone-Based Authentication Vulnerabilities in Single Sign-On Systems

  • Conference paper
  • First Online:
Information and Communications Security (ICICS 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13407))

Included in the following conference series:

Abstract

Phone-based authenticators (PBAs) are commonly incorporated into multi-factor authentication and passwordless login schemes for corporate networks and systems. These systems require users to prove that they possess a phone or phone number associated with an account. The out-of-band nature of PBAs and their security may not be well understood by users. Further, the frequency of PBA prompts may desensitize users and lead to increased susceptibility to phishing or social engineering. We explore such risks to PBAs by exploring PBA implementation options and two types of attacks. When employed with a real-world PBA system, we found the symptoms of such attacks were subtle. A subsequent user study revealed that none of our participants noticed the attack symptoms, highlighting the limitations and risks associated with PBAs.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    We refer to the device being authenticated as “the browser,” for simplicity. However, this approach can also be embedded within other application types.

  2. 2.

    Future engineering efforts may allow the script to run continuously and to automatically identify the login session. Since our goal was to measure participant reactions, for simplicity, we manually activated it in the user study.

References

  1. Akhawe, D., Felt, A.P.: Alice in warningland: a large-scale field study of browser security warning effectiveness. In: USENIX Security Symposium, pp. 257–272 (2013)

    Google Scholar 

  2. Amran, A., Zaaba, Z.F., Mahinderjit Singh, M.K.: Habituation effects in computer security warning. Inf. Secur. J.: Global Perspect. 27(4), 192–204 (2018)

    Google Scholar 

  3. Anderson, B.B., Kirwan, C.B., Jenkins, J.L., Eargle, D., Howard, S., Vance, A.: How polymorphic warnings reduce habituation in the brain: insights from an FMRI study. In: ACM Conference on Human Factors in Computing Systems, pp. 2883–2892 (2015). https://doi.org/10.1145/2702123.2702322

  4. Avatier: Azure active directory seamless single sign-on (2020). https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso. Accessed 29 Apr 2021

  5. Avatier: Which companies use multi-factor authentication with their customers? (2021). https://www.avatier.com/blog/companies-use-multi-factor-authentication-customers/. Accessed 29 Apr 2021

  6. Bravo-Lillo, C., Cranor, L.F., Downs, J., Komanduri, S., Sleeper, M.: Improving computer security dialogs. In: Campos, P., Graham, N., Jorge, J., Nunes, N., Palanque, P., Winckler, M. (eds.) INTERACT 2011. LNCS, vol. 6949, pp. 18–35. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23768-3_2

    Chapter  Google Scholar 

  7. Breński, K.P.: Evil Hotspot-are public hotspots safe? Ph.D. thesis, Zakład Strukturalnych Metod Przetwarzania Wiedzy (2017)

    Google Scholar 

  8. Brustoloni, J.C., Villamarín-Salomón, R.: Improving security decisions with polymorphic and audited dialogs. In: Proceedings of the ACM Symposium on Usable Privacy and Security, pp. 76–85 (2007). https://doi.org/10.1145/1280680.1280691

  9. Cristofaro, E.D., Du, H., Freudiger, J., Norcie, G.: Two-factor or not two-factor? A comparative usability study of two-factor authentication. CoRR abs/1309.5344 (2013). http://arxiv.org/abs/1309.5344

  10. Das, S., Dingman, A., Camp, L.J.: Why Johnny doesn’t use two factor a two-phase usability study of the FIDO U2F security key. In: Meiklejohn, S., Sako, K. (eds.) FC 2018. LNCS, vol. 10957, pp. 160–179. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-662-58387-6_9

    Chapter  MATH  Google Scholar 

  11. Das, S., Wang, B., Tingle, Z., Camp, L.J.: Evaluating user perception of multi-factor authentication: a systematic review. CoRR abs/1908.05901 (2019). http://arxiv.org/abs/1908.05901

  12. Dasgupta, D., Roy, A., Nag, A.: Multi-factor authentication. In: Advances in User Authentication. ISFS, pp. 185–233. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-58808-7_5

    Chapter  Google Scholar 

  13. Dhamija, R., Tygar, J.D., Hearst, M.: Why phishing works. In: Proceedings of the ACM SIGCHI Conference on Human Factors in Computing Systems, pp. 581–590 (2006). https://doi.org/10.1145/1124772.1124861

  14. Doerfler, P., et al.: Evaluating login challenges as a defense against account takeover. In: The ACM World Wide Web Conference, pp. 372–382 (2019). https://doi.org/10.1145/3308558.3313481

  15. Downs, J.S., Holbrook, M.B., Cranor, L.F.: Decision strategies and susceptibility to phishing. In: Proceedings of the ACM Symposium on Usable Privacy and Security, pp. 79–90 (2006). https://doi.org/10.1145/1143120.1143131

  16. European Commission: Payment services (PSD 2) - directive (EU) 2015/2366 (2015). https://ec.europa.eu/info/law/payment-services-psd-2-directive-eu-2015-2366_en. Accessed 6 June 2022

  17. Felt, A.P., et al.: Improving SSL warnings: comprehension and adherence. In: Proceedings of the ACM Conference on Human Factors in Computing Systems, pp. 2893–2902 (2015). https://doi.org/10.1145/2702123.2702442

  18. Government of Singapore: Police advisory on scam survey leading to the misuse of singpass access to digital services (2022). https://ec.europa.eu/info/law/payment-services-psd-2-directive-eu-2015-2366_en. Accessed 6 June 2022

  19. Hong, J.: The state of phishing attacks. Commun. ACM 55(1), 74–81 (2012). https://doi.org/10.1145/2063176.2063197

    Article  MathSciNet  Google Scholar 

  20. Jover, R.P.: Security analysis of SMS as a second factor of authentication: the challenges of multifactor authentication based on SMS, including cellular security deficiencies, SS7 exploits, and sim swapping. Queue 18(4), 37–60 (2020)

    Article  MathSciNet  Google Scholar 

  21. Kerkhoff Technologies Inc: Netfilterqueue (2021). https://github.com/kti/python-netfilterqueue. Accessed 29 Apr 2021

  22. Kondracki, B., Azad, B.A., Starov, O., Nikiforakis, N.: Catching transparent phish: analyzing and detecting MITM phishing toolkits. In: Proceedings of the ACM Conference on Computer and Communications Security, pp. 36–50 (2021). https://doi.org/10.1145/3460120.3484765

  23. Konoth, R.K., van der Veen, V., Bos, H.: How anywhere computing just killed your phone-based two-factor authentication. In: Grossklags, J., Preneel, B. (eds.) FC 2016. LNCS, vol. 9603, pp. 405–421. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54970-4_24

    Chapter  Google Scholar 

  24. Lee, K., Kaiser, B., Mayer, J., Narayanan, A.: An empirical study of wireless carrier authentication for SIM swaps. In: Symposium on Usable Privacy and Security, pp. 61–79 (2020)

    Google Scholar 

  25. Microsoft: Microsoft digital defense report (2020). https://www.microsoft.com/en-us/security/business/security-intelligence-report. Accessed 29 Apr 2021

  26. Microsoft: Optimize reauthentication prompts and understand session lifetime for Azure AD multi-factor authentication (2020). https://docs.microsoft.com/en-us/azure/active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime. Accessed 29 Apr 2021

  27. Niemietz, M., Schwenk, J.: Owning your home network: router security revisited. CoRR abs/1506.04112 (2015). http://arxiv.org/abs/1506.04112

  28. ReportLinker: Global multi-factor authentication (MFA) industry (2021). https://www.reportlinker.com/p03329771/Global-Multi-Factor-Authentication-MFA-Industry.html. Accessed 29 Apr 2021

  29. SecDev: Scapy (2021). https://github.com/secdev. Accessed 29 Apr 2021

  30. Selenium: Seleniumhq browser automation (2021). https://www.selenium.dev/. Accessed 29 Apr 2021

  31. Sinigaglia, F., Carbone, R., Costa, G., Zannone, N.: A survey on multi-factor authentication for online banking in the wild. Comput. Secur. 95, 101745 (2020)

    Google Scholar 

  32. Spaulding, J., Nyang, D., Mohaisen, A.: Understanding the effectiveness of typosquatting techniques. In: Proceedings of the ACM/IEEE Workshop on Hot Topics in Web Systems and Technologies (2017). https://doi.org/10.1145/3132465.3132467

  33. Sunshine, J., Egelman, S., Almuhimedi, H., Atri, N., Cranor, L.F.: Crying wolf: an empirical study of SSL warning effectiveness. In: USENIX Security Symposium, pp. 399–416 (2009)

    Google Scholar 

  34. Zaaba, Z.F., Boon, T.K.: Examination on usability issues of security warning dialogs. Age 18(25), 26–35 (2015)

    Google Scholar 

Download references

Acknowledgements

This material is based upon work supported by the National Science Foundation under Grant No. 1651540.

Author information

Authors and Affiliations

  1. Worcester Polytechnic Institute, Worcester, MA, 01609, USA

    Matthew M. Tolbert, Elie M. Hess, Mattheus C. Nascimento, Yunsen Lei & Craig A. Shue

Authors
  1. Matthew M. Tolbert
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Elie M. Hess
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Mattheus C. Nascimento
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Yunsen Lei
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Craig A. Shue
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Craig A. Shue .

Editor information

Editors and Affiliations

  1. University of Malaga, Malaga, Spain

    Cristina Alcaraz

  2. University of Surrey, Guildford, UK

    Liqun Chen

  3. University of Kent, Canterbury, UK

    Shujun Li

  4. University of Milan, Milan, Italy

    Pierangela Samarati

Rights and permissions

Reprints and permissions

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Tolbert, M.M., Hess, E.M., Nascimento, M.C., Lei, Y., Shue, C.A. (2022). Exploring Phone-Based Authentication Vulnerabilities in Single Sign-On Systems. In: Alcaraz, C., Chen, L., Li, S., Samarati, P. (eds) Information and Communications Security. ICICS 2022. Lecture Notes in Computer Science, vol 13407. Springer, Cham. https://doi.org/10.1007/978-3-031-15777-6_11

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-15777-6_11

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-15776-9

  • Online ISBN: 978-3-031-15777-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation