Abstract
With the increasing use of cameras, the threat from video attacks, in addition to shoulder surfing, has greatly increased in recent years. Many organizations have implemented two-factor authentication to enhance security. However, attackers can still steal users' usernames and passwords from two-factor authentication through video attacks or shoulder surfing and then apply credential stuffing attacks, as most people use the same passwords on different applications. Cue-based authentication provides high protection against shoulder surfing attacks, but it remains vulnerable to video attacks. To mitigate the threat of video attacks, we propose cue-based two-factor authentication (i.e., Cue-2FA), which differs from other methods by separating cue display from response input (refer to Chapter 1). We conducted two user studies to compare the usability and security of Cue-2FA and a standard Time-based One-Time Password two-factor authentication (i.e., TOTP-2FA). The evaluation results revealed that Cue-2FA provides both higher usability and stronger resistance to the shoulder surfing attack. However, when both the cue and the response are recorded, Cue-2FA is not more resistant to the video attack than TOTP-2FA. To address this issue, we introduced misleading operations to Cue-2FA when inputting a response, which significantly improves the resistance to the video attack.