Enforcing email addresses privacy using tokens
We propose a system which allows users to monitor how their email addresses are used and how they spread over the Internet. This protects the privacy of the user and can reduce the spam phenomenon. Our solution does not require changes to the email infrastructure, can be set up by the end user on an individual basis and is compatible with any email client as long as emails are centralized on a server (e.g. an IMAP server). Nevertheless, it requires that people use email messaging quite differentl
Lost and not Found: An Investigation of Recovery Methods for Multi-Factor Authentication
Multi-Factor Authentication is intended to strengthen the security of
password-based authentication by adding another factor, such as hardware tokens
or one-time passwords using mobile apps. However, this increased authentication
security comes with potential drawbacks that can lead to account and asset
loss. If users lose access to their additional authentication factors for any
reason, they will be locked out of their accounts. Consequently, services that
provide Multi-Factor Authentication should deploy procedures to allow their
users to recover from losing access to their additional factor that are both
secure and easy-to-use. To the best of our knowledge, we are the first to
investigate first-hand the security and user experience of deployed
Multi-Factor Authentication recovery procedures. We first evaluate the official
help and support pages of 1,303 websites that provide Multi-Factor
Authentication and collect documented information about their recovery
procedures. Second, we select a subset of 71 websites, create accounts, set up
Multi-Factor Authentication, and perform an in-depth investigation of their
recovery procedure security and user experience. We find that many websites
deploy insecure Multi-Factor Authentication recovery procedures, which allowed us
to circumvent and disable Multi-Factor Authentication once we had access to the
accounts' associated email addresses. Furthermore, we commonly observed
discrepancies between our in-depth analysis and the official help and support
pages, implying that information meant to aid users is often either incorrect
or outdated
"Make Them Change it Every Week!": A Qualitative Exploration of Online Developer Advice on Usable and Secure Authentication
Usable and secure authentication on the web and beyond is mission-critical.
While password-based authentication is still widespread, users have trouble
dealing with potentially hundreds of online accounts and their passwords.
Alternatives or extensions such as multi-factor authentication have their own
challenges and find only limited adoption. Finding the right balance between
security and usability is challenging for developers. Previous work found that
developers use online resources to inform security decisions when writing code.
Similar to other areas, lots of authentication advice for developers is
available online, including blog posts, discussions on Stack Overflow, research
papers, or guidelines by institutions like OWASP or NIST.
We are the first to explore developer advice on authentication that affects
usable security for end-users. Based on a survey with 18 professional web
developers, we obtained 406 documents and qualitatively analyzed 272 contained
pieces of advice in depth. We aim to understand the accessibility and quality
of online advice and provide insights into how online advice might contribute
to (in)secure and (un)usable authentication. We find that advice is scattered
and that finding recommendable, consistent advice is a challenge for
developers, among others. The most common advice is for password-based
authentication, but little for more modern alternatives. Unfortunately, many
pieces of advice are debatable (e.g., complex password policies), outdated
(e.g., enforcing regular password changes), or contradicting and might lead to
unusable or insecure authentication. Based on our findings, we make
recommendations for developers, advice providers, official institutions, and
academia on how to improve online advice for developers.
Comment: Extended version of the paper that appears at ACM CCS 2023. 18 pages,
4 figures, 11 table
Are anonymity-seekers just like everybody else? An analysis of contributions to Wikipedia from Tor
User-generated content sites routinely block contributions from users of
privacy-enhancing proxies like Tor because of a perception that proxies are a
source of vandalism, spam, and abuse. Although these blocks might be effective,
collateral damage in the form of unrealized valuable contributions from
anonymity seekers is invisible. One of the largest and most important
user-generated content sites, Wikipedia, has attempted to block contributions
from Tor users since as early as 2005. We demonstrate that these blocks have
been imperfect and that thousands of attempts to edit on Wikipedia through Tor
have been successful. We draw upon several data sources and analytical
techniques to measure and describe the history of Tor editing on Wikipedia over
time and to compare contributions from Tor users to those from other groups of
Wikipedia users. Our analysis suggests that although Tor users who slip through
Wikipedia's ban contribute content that is more likely to be reverted and to
revert others, their contributions are otherwise similar in quality to those
from other unregistered participants and to the initial contributions of
registered users.
Comment: To appear in the IEEE Symposium on Security & Privacy, May 202
Using semantics for automating the authentication of Web APIs
Recent technology developments in the area of services on the Web are marked by the proliferation of Web applications and APIs. The implementation and evolution of applications based on Web APIs is, however, hampered by the lack of automation that can be achieved with current technologies. Research on semantic Web services is therefore trying to adapt the principles and technologies that were devised for traditional Web services to deal with this new kind of service. In this paper we show that currently more than 80% of Web APIs require some form of authentication. Therefore, authentication plays a major role in Web API invocation and should not be neglected in the context of mashups and composite data applications. We present a thorough analysis carried out over a body of publicly available APIs that determines the most commonly used authentication approaches. In the light of these results, we propose an ontology for the semantic annotation of Web API authentication information and demonstrate how it can be used to create semantic Web API descriptions. We evaluate the applicability of our approach by providing a prototypical implementation, which uses authentication annotations as the basis for automated service invocation