Analysis and Improvements of Real-Time Phishing Resilience for Two-Factor Authentication Apps Based on One-Time Passwords
Abstract
Traditional authentication systems based on fixed passwords are vulnerable to dictionary attacks, shoulder surfing attacks, eavesdropping attacks, spyware attacks, and phishing attacks. Therefore, many two-factor authentication (2FA) systems based on one-time passwords have been proposed. Although these 2FA systems based on one-time passwords can resist common phishing attacks, they still lack strong defensive capabilities against real-time phishing attacks, in which attackers use various types of real-time phishing tools to break through the defenses of 2FA systems based on one-time passwords. In recent years, as the threat of real-time phishing attacks against 2FA systems based on one-time passwords has increased significantly, security incidents involving real-time phishing attacks have occurred frequently. In this paper, we first analyze the general security strength and usability of the five most popular 2FA apps based on one-time passwords: Aegis Authenticator, Google Authenticator, Microsoft Authenticator, andOTP, and Bitwarden. In particular, we also analyze their resilience to real-time phishing attacks. According to the comprehensive comparison results, we select Bitwarden, which has the higher overall security, as the base app in which to embed our proposed security improvement mechanisms, namely the security check mechanism for URI setting and the instant URI comparison mechanism, to enhance the system’s resilience to real-time phishing attacks.
Xing-Min Wu, Wei-Chi Ku, Chuan-Hsin Yu, "Analysis and Improvements of Real-Time Phishing Resilience for Two-Factor Authentication Apps Based on One-Time Passwords," Communications of the CCISA, vol. 29, no. 1 , pp. 1-15, Feb. 2023.
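The abstract names two mechanisms, a security check on the otpauth URI at setup time and an instant URI comparison before a code is shown, without giving their details. The following Python is an added illustration of one plausible reading of those ideas, written here and not taken from the paper or from Bitwarden: the app records the login origin (`site_url`, an assumed enrollment-time field, since the otpauth format has no such parameter) alongside the TOTP entry, validates the URI fields when the entry is created, and refuses to reveal a code unless the page asking for it is on the same https origin. A lookalike domain used by a real-time phishing proxy therefore gets no code. The TOTP computation follows RFC 6238 and is checked against that RFC's SHA-1 test secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlparse

# RFC 6238 reference secret (ASCII "12345678901234567890"); demo value only.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


@dataclass
class TotpEntry:
    issuer: str
    account: str
    secret: bytes
    algorithm: str
    digits: int
    period: int
    site_url: str  # login origin recorded at enrollment (assumed policy, not part of otpauth)


def parse_otpauth(uri: str) -> dict:
    """Split an otpauth://totp/LABEL?secret=...&issuer=... URI into its fields."""
    p = urlparse(uri)
    if p.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    if p.netloc.lower() != "totp":
        raise ValueError("only time-based (totp) entries are accepted here")
    label = unquote(p.path.lstrip("/"))
    issuer_prefix, _, account = label.rpartition(":")
    q = {k: v[0] for k, v in parse_qs(p.query).items()}
    return {
        "issuer": q.get("issuer", issuer_prefix).strip(),
        "account": account.strip(),
        "secret": q.get("secret", ""),
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
    }


def check_uri_setting(uri: str, site_url: str) -> TotpEntry:
    """Security check at setup: reject malformed or weak entries before storing them."""
    f = parse_otpauth(uri)
    raw = f["secret"].upper().replace(" ", "")
    try:
        secret = base64.b32decode(raw + "=" * (-len(raw) % 8))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("secret is not valid base32") from exc
    if len(secret) < 16:
        raise ValueError("secret shorter than 128 bits")
    if f["algorithm"] not in ("SHA1", "SHA256", "SHA512"):
        raise ValueError("unsupported HMAC algorithm")
    if f["digits"] not in (6, 7, 8) or f["period"] <= 0:
        raise ValueError("digits must be 6-8 and period positive")
    if not f["issuer"]:
        raise ValueError("issuer missing")
    s = urlparse(site_url)
    if s.scheme != "https" or not s.hostname:
        raise ValueError("site URL must be an https origin")
    return TotpEntry(f["issuer"], f["account"], secret, f["algorithm"],
                     f["digits"], f["period"], site_url)


def totp(secret: bytes, for_time: float, digits: int = 6,
         period: int = 30, algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP over the time step counter, dynamically truncated."""
    counter = int(for_time) // period
    digest = hmac.new(secret, struct.pack(">Q", counter),
                      getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def same_origin(registered_url: str, current_url: str) -> bool:
    """Instant URI comparison: exact https host and port match, no fuzzy matching."""
    a, b = urlparse(registered_url), urlparse(current_url)
    if a.scheme != "https" or b.scheme != "https":
        return False
    if not a.hostname or not b.hostname:
        return False
    return a.hostname == b.hostname and (a.port or 443) == (b.port or 443)


def reveal_code(entry: TotpEntry, current_url: str, now: float = None):
    """Return the current code only when the requesting page matches the enrolled origin."""
    if not same_origin(entry.site_url, current_url):
        return None
    t = time.time() if now is None else now
    return totp(entry.secret, t, entry.digits, entry.period, entry.algorithm)


if __name__ == "__main__":
    # Constructed enrollment: RFC test secret, hypothetical issuer and login origin.
    uri = ("otpauth://totp/Example:alice@example.com?secret="
           + RFC_TEST_SECRET_B32 + "&issuer=Example")
    entry = check_uri_setting(uri, "https://login.example.com")
    print("genuine site :", reveal_code(entry, "https://login.example.com/2fa", now=59))
    print("lookalike    :", reveal_code(entry, "https://login.example.com.evil.test/2fa", now=59))
```

The `same_origin` check deliberately requires an exact host match rather than a registrable-domain or prefix match, because a real-time phishing proxy sits on a different host that the user may not notice; any relaxation would have to be weighed against that.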
Published by Chinese Cryptology and Information Security Association (CCISA), Taiwan, R.O.C
CCISA Editorial Office, No.1, Sec. 1, Shennong Rd., Yilan City, Yilan County 260, Taiwan (R.O.C.)
E-mail: ccisa.editor@gmail.com