I Bought a New Security Token and All I Got Was This Lousy Phish -- Relay Attacks on Visual Code Authentication Schemes
Author(s): Graeme Jenkinson, Max Spencer, Chris Warrington, Frank Stajano

Date: October 29 2014
Publication: Cambridge International Workshop on Security Protocols, Security Protocols 2014 / Lecture Notes in Computer Science Volume 8809
Page(s): 197 - 215
Publisher: Springer
Source 1: https://www.cl.cam.ac.uk/~fms27/papers/2014-JenkinsonSpeWarETAL-phish.pdf
Source 2: https://dx.doi.org/10.1007/978-3-319-12400-1_19 - Subscription or payment required

Abstract or Summary:
One recent thread of academic and commercial research into web authentication has focused on schemes where users scan a visual code with their smartphone, which is a convenient alternative to password-based login. We find that many schemes in the literature (including, previously, our own) are, unfortunately, vulnerable to relay attacks. We explain the inherent reasons for this vulnerability and offer an architectural fix, evaluating its trade-offs and discussing why it has never been proposed by other authors.


