Threat Modelling in User Performed Authentication

  • Xun Dong
  • John A. Clark
  • Jeremy L. Jacob
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5308)


User authentication can be compromised both by subverting the system and by subverting the user; the threat modelling of the former is well studied, the latter less so. We propose a method to determine opportunities to subvert the user, allowing vulnerabilities to be systematically identified. The method is applied to VeriSign’s OpenID authentication mechanism.





Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Xun Dong (1)
  • John A. Clark (1)
  • Jeremy L. Jacob (1)

  1. Department of Computer Science, University of York, United Kingdom
