CICI: UCSS: Towards Secure and Usable Push Notification Authentication for Collaborative Scientific Infrastructures

CICI：UCSS：为协作科学基础设施实现安全可用的推送通知身份验证

• 批准号: 2115107
• 负责人: Nitesh Saxena
• 金额: $ 49.99万
• 依托单位: University of Alabama at Birmingham
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-08-15 至 2021-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2115107&HistoricalAwards=false
• 关键词: CICI; UCSS; Towards; Secure; Usable

Second factor (2FA) or passwordless authentication based on notifications pushed to a user's personal device (e.g., a phone) that the user can simply approve (or deny) has become widely popular due to its convenience, especially to protect scientific resources at Universities and similar organizations. This project is studying the premise that the effortlessness of this approach gives rise to a fundamental design vulnerability arising from concurrent login sessions (one initiated by the user and the other initiated by the attacker), and then redesigning push-based authentication systems that can counter the identified vulnerability without degrading the overall usability of the approach. The proposed new design attempts to address the concurrent login attacks by establishing a unique binding between the user’s browser session and the push notification.The research consists of three inter-related activities: (1) formalization and study of a fundamental vulnerability against standard push notification authentication schemes; (2) design and implementation of low-effort push-based authentication schemes that can defeat the identified vulnerability without undermining the usability; and (3) formal studies of the proposed new push-based authentication schemes, conducted in lab settings and field environments. The developed resilient push authentication system designs are expected to offer an improved level of protection, accessibility and usability to everyday users in scientific and collaborative settings. The research prototypes are expected to be of broader value in future research on building resilient and usable authentication services in practice. The project is emphasizing technology transfer by working with major players in the push-based authentication domain. The proposed research is being integrated with educational activities in the form of advanced curriculum development and student mentoring in the broad domains of Authentication and Human-Computer Interaction, and the involvement of high school and K-12 students and minority populations are broadening the reach of the project.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

第二因素（2FA）或基于推送到用户个人设备的通知的无密码认证（例如，电话），用户可以简单地批准（或拒绝），由于其便利性，特别是为了保护大学和类似组织的科学资源，已经变得广泛流行。该项目正在研究的前提是，这种方法的轻松性会导致并发登录会话（一个由用户发起，另一个由攻击者发起）引起的基本设计漏洞，然后重新设计基于推送的身份验证系统，可以对抗已识别的漏洞，而不会降低该方法的整体可用性。本文提出的新设计试图通过在用户浏览器会话和推送通知之间建立一个唯一的绑定来解决并发登录攻击，研究包括三个相互关联的活动：（1）针对标准推送通知认证方案的基本漏洞的形式化和研究;（2）设计和实现低工作量的基于推送的认证方案，该方案可以在不破坏可用性的情况下击败所识别的漏洞;以及（3）在实验室设置和现场环境中对所提出的新的基于推送的认证方案进行正式研究。预计开发的弹性推送认证系统设计将为科学和协作环境中的日常用户提供更高级别的保护，可访问性和可用性。研究原型预计将在未来的研究更广泛的价值在实践中建立弹性和可用的认证服务。该项目通过与基于推送的认证领域的主要参与者合作，强调技术转让。拟议中的研究正在与教育活动相结合，以先进的课程开发和学生指导的形式，在认证和人机交互的广泛领域，以及高中和K-这个奖项反映了NSF的法定使命，并通过使用基金会的知识产权进行评估，被认为值得支持。优点和更广泛的影响审查标准。