I Bought a New Security Token and All I Got Was This Lousy Phish -- Relay Attacks on Visual Code Authentication Schemes
Date: October 29, 2014
Publication: Cambridge International Workshop on Security Protocols, Security Protocols 2014 / Lecture Notes in Computer Science Volume 8809
Page(s): 197 - 215
Source 1: https://www.cl.cam.ac.uk/~fms27/papers/2014-JenkinsonSpeWarETAL-phish.pdf
Source 2: https://dx.doi.org/10.1007/978-3-319-12400-1_19 - Subscription or payment required
Abstract or Summary:
One recent thread of academic and commercial research into web authentication has focused on schemes where users scan a visual code with their smartphone, which is a convenient alternative to password-based login. We find that many schemes in the literature (including, previously, our own) are, unfortunately, vulnerable to relay attacks. We explain the inherent reasons for this vulnerability and offer an architectural fix, evaluating its trade-offs and discussing why it has never been proposed by other authors.