Simple But Not Secure: An Empirical Security Analysis of Two-factor Authentication Systems

• URL: http://arxiv.org/abs/2411.11551v1
• Date: Mon, 18 Nov 2024 13:08:56 GMT
• Title: Simple But Not Secure: An Empirical Security Analysis of Two-factor Authentication Systems
• Authors: Zhi Wang, Xin Yang, Du Chen, Han Gao, Meiqi Tian, Yan Jia, Wanpeng Li,
• Abstract summary: We propose SE2FA, a vulnerability evaluation framework designed to detect vulnerabilities in 2FA systems. We analyze the security of 407 2FA systems across popular websites from the Tranco Top 10,000 list.
• Score: 9.046883991816571
• License:
• Abstract: To protect users from data breaches and phishing attacks, service providers typically implement two-factor authentication (2FA) to add an extra layer of security against suspicious login attempts. However, since 2FA can sometimes hinder user experience by introducing additional steps, many websites aim to reduce inconvenience by minimizing the frequency of 2FA prompts. One approach to achieve this is by storing the user's ``Remember the Device'' preference in a cookie. As a result, users are only prompted for 2FA when this cookie expires or if they log in from a new device. To understand and improve the security of 2FA systems in real-world settings, we propose SE2FA, a vulnerability evaluation framework designed to detect vulnerabilities in 2FA systems. This framework enables us to analyze the security of 407 2FA systems across popular websites from the Tranco Top 10,000 list. Our analysis and evaluation found three zero-day vulnerabilities on three service providers that could allow an attacker to access a victim's account without possessing the victim's second authentication factor, thereby bypassing 2FA protections entirely. A further investigation found that these vulnerabilities stem from design choices aimed at simplifying 2FA for users but that unintentionally reduce its security effectiveness. We have disclosed these findings to the affected websites and assisted them in mitigating the risks. Based on the insights from this research, we provide practical recommendations for countermeasures to strengthen 2FA security and address these newly identified threats.

Related papers

• 2FA: Navigating the Challenges and Solutions for Inclusive Access [55.2480439325792]
  Two-Factor Authentication (2FA) has emerged as a critical solution to protect online activities. This paper examines the intricacies of deploying 2FA in a way that is secure and accessible to all users. An analysis was conducted to examine the implementation and availability of various 2FA methods across popular online platforms.
  arXiv  Detail & Related papers  (2025-02-17T12:23:53Z)
• Dual-Technique Privacy & Security Analysis for E-Commerce Websites Through Automated and Manual Implementation [2.7039386580759666]
  38.5% of the websites deployed over 50 cookies per session, many of which were categorized as unnecessary or unclear in function. Our manual assessment uncovered critical gaps in standard security practices, including the absence of mandatory multi-factor authentication and breach notification protocols. Based on these findings, we recommend targeted improvements to privacy policies, enhanced transparency in cookie usage, and the implementation of stronger authentication protocols.
  arXiv  Detail & Related papers  (2024-10-19T03:25:48Z)
• Improving the Shortest Plank: Vulnerability-Aware Adversarial Training for Robust Recommender System [60.719158008403376]
  Vulnerability-aware Adversarial Training (VAT) is designed to defend against poisoning attacks in recommender systems. VAT employs a novel vulnerability-aware function to estimate users' vulnerability based on the degree to which the system fits them.
  arXiv  Detail & Related papers  (2024-09-26T02:24:03Z)
• Excavating Vulnerabilities Lurking in Multi-Factor Authentication Protocols: A Systematic Security Analysis [2.729532849571912]
  Single-factor authentication (SFA) protocols are often bypassed by side-channel and other attack techniques. To alleviate this problem, multi-factor authentication (MFA) protocols have been widely adopted recently.
  arXiv  Detail & Related papers  (2024-07-29T23:37:38Z)
• Nudging Users to Change Breached Passwords Using the Protection Motivation Theory [58.87688846800743]
  We draw on the Protection Motivation Theory (PMT) to design nudges that encourage users to change breached passwords. Our study contributes to PMT's application in security research and provides concrete design implications for improving compromised credential notifications.
  arXiv  Detail & Related papers  (2024-05-24T07:51:15Z)
• Rethinking the Vulnerabilities of Face Recognition Systems:From a Practical Perspective [53.24281798458074]
  Face Recognition Systems (FRS) have increasingly integrated into critical applications, including surveillance and user authentication. Recent studies have revealed vulnerabilities in FRS to adversarial (e.g., adversarial patch attacks) and backdoor attacks (e.g., training data poisoning)
  arXiv  Detail & Related papers  (2024-05-21T13:34:23Z)
• A Novel Protocol Using Captive Portals for FIDO2 Network Authentication [45.84205238554709]
  We introduce FIDO2CAP: FIDO2 Captive-portal Authentication Protocol. We develop a prototype of FIDO2CAP authentication in a mock scenario. This work makes the first systematic approach for adapting network authentication to the new authentication paradigm relying on FIDO2 authentication.
  arXiv  Detail & Related papers  (2024-02-20T09:55:20Z)
• Reducing Usefulness of Stolen Credentials in SSO Contexts [0.0]
  Multi-factor authentication (MFA) helps to thwart attacks that use valid credentials, but attackers still commonly breach systems by tricking users into accepting MFA step up requests. This paper proposes a token-based enrollment architecture that is less invasive to user devices than mobile device management.
  arXiv  Detail & Related papers  (2024-01-21T21:05:32Z)
• Leveraging Machine Learning for Wi-Fi-based Environmental Continuous Two-Factor Authentication [0.44998333629984877]
  We present a novel 2FA approach replacing the user's input with decisions made by Machine Learning (ML) Our system exploits unique environmental features associated with the user, such as beacon frame characteristics and Received Signal Strength Indicator ( RSSI) values from Wi-Fi Access Points (APs) For enhanced security, our system mandates that the user's two devices (i.e., a login device and a mobile device) be situated within a predetermined proximity before granting access.
  arXiv  Detail & Related papers  (2024-01-12T14:58:15Z)
• Towards Bidirectional Protection in Federated Learning [70.36925233356335]
  F2ED-LEARNING offers bidirectional defense against malicious centralized server and Byzantine malicious clients. F2ED-LEARNING securely aggregates each shard's update and launches FilterL2 on updates from different shards. evaluation shows that F2ED-LEARNING consistently achieves optimal or close-to-optimal performance.
  arXiv  Detail & Related papers  (2020-10-02T19:37:02Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.