TY - GEN
T1 - A User-Friendly Two-Factor Authentication Method against Real-Time Phishing Attacks
AU - Sun, Yuanyi
AU - Zhu, Sencun
AU - Zhao, Yan
AU - Sun, Pengfei
N1 - Publisher Copyright:
© 2022 IEEE.
PY - 2022
Y1 - 2022
AB - Today, two-factor authentication (2FA) is a widely implemented mechanism to counter phishing attacks. Although much effort has been investigated in 2FA, most 2FA systems are still vulnerable to carefully designed phishing attacks, and some even request special hardware, which limits their wide deployment. Recently, real-time phishing (RTP) has made the situation even worse because an adversary can effortlessly establish a phishing website without any background of the web page design technique. Traditional 2FA can be easily bypassed by such RTP attacks. In this work, we propose a novel 2FA system to counter RTP attacks. The main idea is to request a user to take a photo of the web browser with the domain name in the address bar as the 2nd authentication factor. The web server side extracts the domain name information based on Optical Character Recognition (OCR), and then determines if the user is visiting this website or a fake one, thus defeating the RTP attacks where an adversary must set up a fake website with a different domain. We prototyped our system and evaluated its performance in various environments. The results showed that PhotoAuth is an effective technique with good scalability. We also showed that compared to other 2FA systems, PhotoAuth has several advantages, especially no special hardware or software support is needed on the client side except a phone, making it readily deployable.
UR - http://www.scopus.com/inward/record.url?scp=85143401344&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85143401344&partnerID=8YFLogxK
U2 - 10.1109/CNS56114.2022.9947253
DO - 10.1109/CNS56114.2022.9947253
M3 - Conference contribution
AN - SCOPUS:85143401344
T3 - 2022 IEEE Conference on Communications and Network Security, CNS 2022
SP - 91
EP - 99
BT - 2022 IEEE Conference on Communications and Network Security, CNS 2022
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2022 IEEE Conference on Communications and Network Security, CNS 2022
Y2 - 3 October 2022 through 5 October 2022
ER -