Abstract
Most visual code authentication schemes in the literature have been shown to be vulnerable to relay attacks: the attacker logs into the victim’s “account A” using credentials that the victim provides with the intent of logging into “account B”. Visual codes are not human-readable and therefore the victim cannot distinguish between the codes for A and B; on the other hand, codes must be machine-readable in order to automate the login process. We introduce a new type of visual code, the SAVVIcode, that contains an integrity-validated human-readable bitmap. With SAVVIcode, attackers have a harder time swapping visual codes surreptitiously because the integrity check prevents them from modifying or hiding the human-readable distinguisher.
Notes
1. Another mechanism used to improve the scanning accuracy of visual codes is to use encodings that break up large contiguous blocks of the same colour. The SAVVIcode does not use this method for resynchronisation because we want the bitmap to be immediately readable, even without meaning to, by the person scanning the code. We thus want a high-contrast bitmap in which the black ink stands out against a background of white space.
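The following toy model illustrates the two points made above: the abstract's binding of a human-readable bitmap to the machine-readable login payload by an integrity check, and note 1's plain, unmasked bitmap. It is an added example, not the authors' code, and the page does not specify how SAVVIcode validates integrity; the example assumes an HMAC-SHA256 tag under a key shared between the service and the user's scanner, a JSON canonical encoding, and constructed 5x5 glyphs for the labels "A" and "B". The names `make_code`, `verify_code`, `scan` and `mafia_attack_demo` are likewise illustrative.

```python
import hashlib
import hmac
import json

# Constructed 5x5 glyphs (1 = black ink): the human-readable distinguishers
# for "account A" and "account B" from the abstract. Not the real SAVVIcode font.
GLYPHS = {
    "A": ["01110", "10001", "11111", "10001", "10001"],
    "B": ["11110", "10001", "11110", "10001", "11110"],
}


def bitmap_for(label):
    """Human-readable bitmap: one glyph per character of the label."""
    return [GLYPHS[c] for c in label]


def label_of(bitmap):
    """What a person reads off the bitmap (recovered here by exact glyph match)."""
    return "".join(next(k for k, v in GLYPHS.items() if v == g) for g in bitmap)


def _canonical(payload, bitmap):
    # Canonical byte string covering BOTH the machine-readable payload and the
    # bitmap, so neither can be altered independently of the tag.
    return json.dumps({"payload": payload, "bitmap": bitmap},
                      sort_keys=True, separators=(",", ":")).encode()


def make_code(key, service, nonce):
    """Service side: emit payload + bitmap + integrity tag (assumed HMAC-SHA256)."""
    payload = {"service": service, "nonce": nonce}
    bitmap = bitmap_for(service)
    tag = hmac.new(key, _canonical(payload, bitmap), hashlib.sha256).hexdigest()
    return {"payload": payload, "bitmap": bitmap, "tag": tag}


def verify_code(key, code):
    """Scanner side: recompute the tag over payload and bitmap together."""
    expected = hmac.new(key, _canonical(code["payload"], code["bitmap"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, code["tag"])


def render(bitmap):
    """High-contrast ASCII rendering with no masking/resynchronisation, cf. note 1."""
    return "\n".join(" ".join("".join("#" if b == "1" else "." for b in g[r])
                              for g in bitmap) for r in range(5))


def scan(key, code, intended):
    """Scanner logic: reject on integrity failure; otherwise the person compares
    the rendered label with the service they meant to log into."""
    if not verify_code(key, code):
        return "REJECT: integrity check failed"
    shown = label_of(code["bitmap"])
    if shown != intended:
        return f"WARN: code is for {shown!r}, user intended {intended!r}"
    return "OK"


def mafia_attack_demo(key):
    """Two attacker moves against a genuine code for A, relayed to a user who
    intends to log into B. Returns the scanner's verdict for each."""
    genuine = make_code(key, "A", "nonce-1")
    # 1. Relay unchanged: the tag verifies, but the person sees 'A', not 'B'.
    relayed = scan(key, genuine, "B")
    # 2. Swap the bitmap to 'B' to hide the distinguisher: the tag no longer matches.
    forged = dict(genuine, bitmap=bitmap_for("B"))
    swapped = scan(key, forged, "B")
    return relayed, swapped


if __name__ == "__main__":
    demo_key = b"shared-key-for-demo"  # constructed; a real deployment needs key agreement
    print(render(bitmap_for("A")))
    print(mafia_attack_demo(demo_key))
```

The attacker's only remaining options are to show the genuine code, in which case the human-readable bitmap reveals that it belongs to A rather than B, or to alter or remove the bitmap, in which case the integrity check fails before any credential is released. Who holds the verification key is a design choice the page leaves open; a public-key signature from the service would give the same binding without a shared secret.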
Acknowledgements
We are grateful to the Pico team for their feedback and to Andy Rice for helpful discussions on visual code scanning technology.
The Pico team is also working on an alternative “augmented reality” approach in which the human-readable tag is displayed by the scanner rather than being shown alongside the visual tag.
The second author is partly supported by European Research Council grant 307224 (Pico).
Copyright information
© 2015 Springer International Publishing Switzerland
Cite this paper
Millican, J., Stajano, F. (2015). SAVVIcode: Preventing Mafia Attacks on Visual Code Authentication Schemes (Short Paper). In: Mjølsnes, S. (eds) Technology and Practice of Passwords. PASSWORDS 2014. Lecture Notes in Computer Science(), vol 9393. Springer, Cham. https://doi.org/10.1007/978-3-319-24192-0_10
DOI: https://doi.org/10.1007/978-3-319-24192-0_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-24191-3
Online ISBN: 978-3-319-24192-0