The Research-Practice Gap in User Authentication.
Record type: Bibliographic record - electronic resource : Monograph/item
Title/Author: The Research-Practice Gap in User Authentication.
Author: Lee, Kevin.
Extent: 1 online resource (206 pages)
Note: Source: Dissertations Abstracts International, Volume: 84-04, Section: B.
Contained By: Dissertations Abstracts International 84-04B.
Subject: Computer science.
Electronic resource: http://pqdd.sinica.edu.tw/twdaoapp/servlet/advanced?query=29255940 (click for full text (PQDT))
ISBN: 9798351480480
Lee, Kevin.
The Research-Practice Gap in User Authentication. - 1 online resource (206 pages)
Source: Dissertations Abstracts International, Volume: 84-04, Section: B.
Thesis (Ph.D.)--Princeton University, 2022.
Includes bibliographical references
The gap between user authentication research and practice has led to weaknesses in critical, widely-deployed systems used by millions of people. In these systems, policy and process vulnerabilities, not software vulnerabilities, allow UI-bound, low-tech adversaries to exploit weaknesses to threaten user safety. The disconnect is caused partly by practice failing to heed advice from research. But it is also caused by research not understanding the practical constraints of these systems, while discouraging studies that try to do so. Ultimately, users are the ones who suffer when these weaknesses remain undiscovered.

Here, we studied user authentication practices that were not necessarily cutting-edge, but broadly impacted user safety. We identified security policy and process flaws, quantified the risk of harm to users through manual measurements, and called for policy solutions to mitigate the risks. More broadly, we honed a methodology through these studies which can potentially bridge the research-practice gap in user authentication as well as in other topics in information security.

First, we studied call center authentication for SIM swap requests at mobile carriers. We found flaws in their authentication policy and processes which could facilitate SIM swap attacks. Furthermore, we found that most websites did not stand up well against SIM swaps, demonstrating that users' accounts could easily be hijacked. Our results have influenced policy changes at carriers and websites, and have motivated ongoing rulemaking by the FCC.

Next, we studied security and privacy risks of phone number recycling in the U.S. at mobile carriers. We found that most numbers we sampled were recycled and vulnerable to attacks on previous owners, while carriers had design weaknesses that could facilitate attacks. We have raised awareness about the risks of number recycling at carriers, and have communicated a practical constraint of SMS-based authentication to the research community.

Finally, we studied password policies of top websites. Despite well-established recommendations from research, we found few websites actually following them, which could put accounts at risk of password compromise. We hypothesized reasons why these websites were not following best practices, and discussed ways the research community could engage website system administrators to bridge the research-practice gap.
Electronic reproduction. Ann Arbor, Mich. : ProQuest, 2023
Mode of access: World Wide Web
ISBN: 9798351480480
Subjects--Topical Terms: Computer science.
Subjects--Index Terms: Audit
Index Terms--Genre/Form: Electronic books.
LDR 03665nmm a2200373K 4500
001 2358126
005 20230725094956.5
006 m o d
007 cr mn ---uuuuu
008 241011s2022 xx obm 000 0 eng d
020 $a 9798351480480
035 $a (MiAaPQ)AAI29255940
035 $a AAI29255940
040 $a MiAaPQ $b eng $c MiAaPQ $d NTU
100 1 $a Lee, Kevin. $3 1037548
245 1 4 $a The Research-Practice Gap in User Authentication.
264 0 $c 2022
300 $a 1 online resource (206 pages)
336 $a text $b txt $2 rdacontent
337 $a computer $b c $2 rdamedia
338 $a online resource $b cr $2 rdacarrier
500 $a Source: Dissertations Abstracts International, Volume: 84-04, Section: B.
500 $a Advisor: Narayanan, Arvind.
502 $a Thesis (Ph.D.)--Princeton University, 2022.
504 $a Includes bibliographical references
520 $a (abstract as given in the description above)
533 $a Electronic reproduction. $b Ann Arbor, Mich. : $c ProQuest, $d 2023
538 $a Mode of access: World Wide Web
650 4 $a Computer science. $3 523869
650 4 $a Web studies. $3 2122754
653 $a Audit
653 $a Authentication
653 $a Policy
653 $a Security
655 7 $a Electronic books. $2 lcsh $3 542853
690 $a 0984
690 $a 0646
710 2 $a ProQuest Information and Learning Co. $3 783688
710 2 $a Princeton University. $b Computer Science. $3 2099280
773 0 $t Dissertations Abstracts International $g 84-04B.
856 4 0 $u http://pqdd.sinica.edu.tw/twdaoapp/servlet/advanced?query=29255940 $z click for full text (PQDT)
Holdings (1 item):
Barcode: W9480482
Location: Electronic resources
Circulation category: 11.線上閱覽_V (online reading)
Material type: E-book
Call number: EB
Use type: Normal use
Loan status: On shelf
Holds: 0