Kevin Lee will present his Pre-FPO "Discovering Real-World Weaknesses in User Authentication" on February 25, 2022 at 2pm via Zoom. 

Zoom link: https://princeton.zoom.us/j/93407271043

Committee members: Arvind Narayanan (adviser); examiners: Andrés Monroy-Hernández and Tom Ristenpart (Cornell); readers: Jonathan Mayer and Prateek Mittal.

Abstract:
The theory and practice of user authentication has come a long way in the last decade. Yet these gains have been uneven. From SIM swaps to romance scams, people continue to fall prey to low-tech but devastating security failures. In this talk, I’ll discuss three studies that uncovered fundamental weaknesses in widely used user authentication methods.
SIM swap attacks allow criminals to hijack a victim’s phone number, which is then used to receive one-time passcodes for two-factor authentication (2FA). To protect against hijacking, mobile carriers should have procedures in place to properly authenticate a customer calling in to request a SIM swap. Instead, we found that five carriers in the United States continue to use authentication methods that are now known to be insecure, enabling straightforward SIM swap attacks. Through persistent outreach to policymakers and stakeholders, we have been able to effect ongoing rulemaking that aims to protect users against SIM swap attacks.
Phone number recycling presents another challenge to SMS-based authentication. We presented and empirically evaluated attacks enabled by number recycling, a standard industry practice in the U.S. We simulated a UI-bound adversary and looked for available recycled numbers at mobile carriers that were vulnerable. We found that most numbers were vulnerable, which could subject their previous owners to account hijacking and privacy risks. While carriers, websites, and subscribers can take steps to reduce risk, number recycling threats highlight fundamental problems with the use of phone numbers for security-sensitive purposes.
Finally, I’ll discuss recent work on password policies. We examined the policies that 120 of the most popular websites apply when a user creates a new password for their account. Despite well-established advice that has emerged from the research community, we found that only 11% of websites followed all relevant best practices in their password policies. Specifically, 75% of websites do not stop users from choosing the most common passwords, while 45% burden users by requiring specific character classes in their passwords for minimal security benefit. Worse, we found low adoption of password strength meters (a widely touted intervention to encourage stronger passwords), which appeared on only 19% of websites. I’ll discuss the implications of our discoveries and propose avenues for future research to understand the disconnect between password research and industry practices.
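To make the contrast in the password-policy findings concrete, here is an added example (not code from the talk or the underlying papers) of two password-creation policies side by side: a character-class composition rule of the kind 45% of sites impose, and a length-plus-blocklist rule that rejects common passwords. `COMMON_PASSWORDS` is a constructed stand-in for a real breach-derived blocklist, which would run to millions of entries and be loaded from a file.

```python
import re

# Constructed sample of a common-password blocklist (a real deployment would
# load a large breach-derived list rather than hard-code a handful of entries).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "password1", "iloveyou",
    "welcome1", "admin123", "p@ssw0rd",
}

# Undo the handful of "leet" substitutions users reach for to satisfy
# composition rules, so that P@ssw0rd1! is recognised as "password".
LEET_MAP = str.maketrans({"@": "a", "0": "o", "$": "s", "3": "e", "1": "i"})


def normalize(pw: str) -> str:
    """Lower-case, drop a trailing run of digits/punctuation, undo leet-speak."""
    base = pw.lower()
    stripped = base.rstrip("0123456789!?.")
    if stripped:          # keep all-digit passwords such as 123456 intact
        base = stripped
    return base.translate(LEET_MAP)


def is_common(pw: str) -> bool:
    """True if the raw or normalised password appears on the blocklist."""
    return pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS


def composition_policy(pw: str) -> bool:
    """The criticised rule: 8+ chars with upper, lower, digit and symbol.
    It happily accepts predictable variants of the most common passwords."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def blocklist_policy(pw: str, min_length: int = 8) -> bool:
    """Best-practice rule: a minimum length and rejection of common passwords,
    with no demands on which character classes must appear."""
    return len(pw) >= min_length and not is_common(pw)
```

Running both policies over the same candidates shows the failure mode the abstract describes: the composition rule accepts `P@ssw0rd1!` and rejects a long passphrase, while the blocklist rule does the opposite.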