I bought a new security token and all I got was this lousy phish— Relay attacks on visual code authentication schemes

Conference Object
Jenkinson, Graeme 
Spencer, Max 
Warrington, Chris 
Stajano, FM 

One recent thread of academic and commercial research into web authentication has focused on schemes where users scan a visual code with their smartphone, which is a convenient alternative to password-based login. We find that many schemes in the literature (including, previously, our own) are, unfortunately, vulnerable to relay attacks. We explain the inherent reasons for this vulnerability and offer an architectural fix, evaluating its trade-offs and discussing why it has never been proposed by other authors.

Journal Title
Security Protocols XXII 22nd International Workshop, Cambridge, UK, March 19-21, 2014, Revised Selected Papers
Conference Name
Security Protocols Workshop 2014
European Research Council (307224)
ERC 307224