Litcius/Paper detail

Bypassing Push-based Second Factor and Passwordless Authentication with Human-Indistinguishable Notifications

Mohammed Jubur, Prakash Shrestha, Nitesh Saxena, Jay Prakash

202117 citationsDOI

Abstract

Second factor (2FA) or passwordless authentication based on notifications pushed to a user's personal device (e.g., a phone) that the user can simply approve (or deny) has become widely popular due to its convenience. In this paper, we show that the effortlessness of this approach gives rise to a fundamental design vulnerability. The vulnerability stems from the fact that the notification, as shown to the user, is not uniquely bound to the user's login session running through the browser, and thus if two notifications are sent around the same time (one for the user's session and one for an attacker's session), the user may not be able to distinguish between the two, likely ending up accepting the notification of the attacker's session.

Topics & Concepts

Session (web analytics)Computer scienceVulnerability (computing)LoginAuthentication (law)Computer securityMulti-factor authenticationPhoneFactor (programming language)Internet privacyWorld Wide WebAuthentication protocolLinguisticsProgramming languagePhilosophyUser Authentication and Security SystemsAdvanced Malware Detection TechniquesSpam and Phishing Detection
Bypassing Push-based Second Factor and Passwordless Authentication with Human-Indistinguishable Notifications | Litcius