I bought a new security token and all I got was this lousy phish— Relay attacks on visual code authentication schemes

Jenkinson, Graeme; Spencer, Max; Warrington, Chris; Stajano, FM

I bought a new security token and all I got was this lousy phish— Relay attacks on visual code authentication schemes

Accepted version

Peer-reviewed

Repository URI

https://www.repository.cam.ac.uk/handle/1810/279377

Repository DOI

https://doi.org/10.17863/CAM.26754

Files

Accepted version (427.62 KB)

Type

Conference Object

Authors

Jenkinson, Graeme

Spencer, Max

Warrington, Chris

Stajano, FM

Abstract

One recent thread of academic and commercial research into web authentication has focused on schemes where users scan a visual code with their smartphone, which is a convenient alternative to password- based login. We find that many schemes in the literature (including, previously, our own) are, unfortunately, vulnerable to relay attacks. We explain the inherent reasons for this vulnerability and offer an architec- tural fix, evaluating its trade-offs and discussing why it has never been proposed by other authors.

Journal Title

Security Protocols XXII 22nd International Workshop, Cambridge, UK, March 19-21, 2014, Revised Selected Papers

Conference Name

Security Protocols Workshop 2014

Publisher DOI

https://doi.org/10.1007/978-3-319-12400-1_19

Rights

http://www.rioxx.net/licenses/all-rights-reserved

Sponsorship

European Research Council (307224)

ERC 307224

Collections

Cambridge University Research Outputs