I bought a new security token and all I got was this lousy phish— Relay attacks on visual code authentication schemes

Accepted version
Repository URI
https://www.repository.cam.ac.uk/handle/1810/279377
Repository DOI
https://doi.org/10.17863/CAM.26754
Files
Accepted version (427.62 KB)
Type
Conference Object
Change log
Authors
Jenkinson, Graeme 
Spencer, Max 
Warrington, Chris 
Stajano, FM 
Abstract

One recent thread of academic and commercial research into web authentication has focused on schemes where users scan a visual code with their smartphone, which is a convenient alternative to password- based login. We find that many schemes in the literature (including, previously, our own) are, unfortunately, vulnerable to relay attacks. We explain the inherent reasons for this vulnerability and offer an architec- tural fix, evaluating its trade-offs and discussing why it has never been proposed by other authors.

Description
Keywords
Journal Title
Security Protocols XXII 22nd International Workshop, Cambridge, UK, March 19-21, 2014, Revised Selected Papers
Conference Name
Security Protocols Workshop 2014
Journal ISSN
Volume Title
Publisher
Publisher DOI
https://doi.org/10.1007/978-3-319-12400-1_19
Rights
http://www.rioxx.net/licenses/all-rights-reserved
Sponsorship
European Research Council (307224)
ERC 307224
Collections
Cambridge University Research Outputs