
Multi-Account Dashboard for Authentication Dependency Analysis

Published: 23 August 2022

Abstract

User authentication is necessary for the majority of online services. If users fail to authenticate due to the loss of an authentication factor, fallback processes allow users to regain access to their accounts. However, most of the proposed and deployed fallback methods have substantial weaknesses that degrade security, e.g., guessable security questions. This is even more serious since through account dependencies (e.g., password reset via email), additional accounts can be compromised. On the other hand, misconfiguration of (fallback) authentication might result in locking a user out of an account.
To help users analyze their account security and accessibility risk, we present the multi-account dashboard (MAD). The MAD evaluates account types, the applied primary and fallback authentication methods, and the account network they form. By analyzing dependencies and transitive risks, weak links are discovered and indicated, and improvements are suggested. We further propose a service authentication description to collect the required information in a transparent way. The MAD is implemented as a plugin of the password manager KeePass. A subsequent small-scale user study evaluates the usefulness and usability of the implementation.
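As an added illustration of the dependency and transitive-risk analysis the abstract describes (example code written for this page, not the MAD plugin's code): accounts are nodes, fallback methods that depend on another account are edges, and an account's effective strength is the weakest link reachable from it, with the accessibility side covered by flagging accounts that have no fallback at all. The strength scale and the sample account network are constructed assumptions.

```python
from collections import deque

# Constructed strength scale for this example (not the paper's scoring):
# higher means harder for an attacker to defeat.
STRENGTH = {"security_questions": 1, "sms_otp": 2, "password": 3,
            "email_link": 3, "password_2fa": 4, "fido2": 5}

# Constructed sample account network. Each fallback is (method, dependency):
# the dependency is the account an attacker could use instead, e.g. the
# mailbox that receives a password reset link. None means no dependency.
ACCOUNTS = {
    "bank":  {"primary": "password_2fa", "fallbacks": [("email_link", "mail")]},
    "mail":  {"primary": "password",
              "fallbacks": [("security_questions", None), ("sms_otp", "phone")]},
    "phone": {"primary": "fido2", "fallbacks": []},
    "shop":  {"primary": "password", "fallbacks": [("email_link", "mail")]},
}

def effective_strength(name, accounts=ACCOUNTS):
    """Weakest link that grants access to `name`: its own primary method,
    any of its fallback methods, or the primary/fallbacks of any account
    reachable through fallback dependencies. Returns (strength, description).
    The visited set handles dependency cycles (two mailboxes recovering each
    other), because revisiting an account adds no new weakness."""
    weakest = (STRENGTH[accounts[name]["primary"]], f"{name} primary")
    seen, queue = {name}, deque([name])
    while queue:
        acct = queue.popleft()
        for method, dep in accounts[acct]["fallbacks"]:
            if STRENGTH[method] < weakest[0]:
                weakest = (STRENGTH[method], f"{acct} fallback {method}")
            if dep and dep not in seen:
                seen.add(dep)
                queue.append(dep)
                dep_primary = STRENGTH[accounts[dep]["primary"]]
                if dep_primary < weakest[0]:
                    weakest = (dep_primary, f"{dep} primary (via {acct})")
    return weakest

def lockout_risks(accounts=ACCOUNTS):
    """Accessibility side: accounts with no fallback cannot be recovered
    if the primary factor (e.g. a FIDO2 authenticator) is lost."""
    return sorted(n for n, a in accounts.items() if not a["fallbacks"])

if __name__ == "__main__":
    for n in ACCOUNTS:
        print(n, effective_strength(n))
    print("lockout risk:", lockout_risks())
```

In the sample network the bank account's 2FA login is undermined transitively by the mailbox's security questions, which is the kind of weak link the dashboard is meant to surface.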

Cited By

  • (2024) A framework for analyzing authentication risks in account networks. Computers and Security 135:C. https://doi.org/10.1016/j.cose.2023.103515. Online publication date: 10-Jan-2024
  • (2024) Is It Really You Who Forgot the Password? When Account Recovery Meets Risk-Based Authentication. Ubiquitous Security, 401-419. https://doi.org/10.1007/978-981-97-1274-8_26. Online publication date: 13-Mar-2024
  • (2023) Tactics for Account Access Graphs. Computer Security – ESORICS 2023, 452-470. https://doi.org/10.1007/978-3-031-51479-1_23. Online publication date: 25-Sep-2023

Published In

ARES '22: Proceedings of the 17th International Conference on Availability, Reliability and Security
August 2022
1371 pages
ISBN:9781450396707
DOI:10.1145/3538969
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. authentication
  2. fallback authentication
  3. identity management
  4. recovery authentication

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

  • Bavarian Ministry for Digital Affairs

Conference

ARES 2022

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%
