CICI: UCSS: Towards Secure and Usable Push Notification Authentication for Collaborative Scientific Infrastructures

CICI：UCSS：为协作科学基础设施实现安全可用的推送通知身份验证

• 批准号: 2115107
• 负责人: Nitesh Saxena
• 金额: $ 49.99万
• 依托单位: University of Alabama at Birmingham
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-08-15 至 2021-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2115107&HistoricalAwards=false
• 关键词: CICI; UCSS; Towards; Secure; Usable

Second factor (2FA) or passwordless authentication based on notifications pushed to a user's personal device (e.g., a phone) that the user can simply approve (or deny) has become widely popular due to its convenience, especially to protect scientific resources at Universities and similar organizations. This project is studying the premise that the effortlessness of this approach gives rise to a fundamental design vulnerability arising from concurrent login sessions (one initiated by the user and the other initiated by the attacker), and then redesigning push-based authentication systems that can counter the identified vulnerability without degrading the overall usability of the approach. The proposed new design attempts to address the concurrent login attacks by establishing a unique binding between the user’s browser session and the push notification.The research consists of three inter-related activities: (1) formalization and study of a fundamental vulnerability against standard push notification authentication schemes; (2) design and implementation of low-effort push-based authentication schemes that can defeat the identified vulnerability without undermining the usability; and (3) formal studies of the proposed new push-based authentication schemes, conducted in lab settings and field environments. The developed resilient push authentication system designs are expected to offer an improved level of protection, accessibility and usability to everyday users in scientific and collaborative settings. The research prototypes are expected to be of broader value in future research on building resilient and usable authentication services in practice. The project is emphasizing technology transfer by working with major players in the push-based authentication domain. The proposed research is being integrated with educational activities in the form of advanced curriculum development and student mentoring in the broad domains of Authentication and Human-Computer Interaction, and the involvement of high school and K-12 students and minority populations are broadening the reach of the project.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

第二个因素（2FA）或无密码的身份验证，基于将用户的个人设备（例如手机）推向用户可以简单地批准（或拒绝）的通知，由于其便利性而变得广泛流行，尤其是为了保护大学和类似组织的科学资源。该项目正在研究以下前提：这种方法的毫无用处会导致并发登录会议引起的根本设计脆弱性（一个由用户启动，另一个由攻击者发起），然后重新设计了基于推动的身份验证系统，该系统可以在无需降解整个方法的整体可用性的情况下来抵消已确定的脆弱性。拟议的新设计试图通过在用户的浏览器会话和推送通知之间建立独特的绑定来解决并发登录攻击。该研究由三个相关活动组成：（1）格式化和研究针对标准推送通知认证方案的基本脆弱性； （2）设计和实施基于推动力的低及身份验证方案，这些方案可以定义确定的漏洞而不会破坏可用性； （3）对在实验室环境和现场环境中进行的拟议新的基于推动的身份验证方案的正式研究。预计开发的弹性推送身份验证系统设计将为我们的科学和协作环境中的每天用户提供改进的保护，可访问性和可用性。预计研究原型将在实践中建立弹性和可用身份验证服务的未来研究中具有更大的价值。该项目通过与基于推动的身份验证域中的主要参与者合作来强调技术转移。拟议的研究正在以高级课程发展和学生心态的形式与教育活动整合在一起，并在广泛的身份验证和人为计算机互动的领域，高中的参与以及K-12的学生和少数人群正在扩大该项目的范围。该奖项通过评估律师的范围来表现出众多的支持者，这一奖项对众所周知的构成构成了众多的影响力，这是一项伟大的支持者的范围。