| Funder | National Science Foundation (US) |
|---|---|
| Recipient Organization | University of Alabama At Birmingham |
| Country | United States |
| Start Date | Aug 15, 2021 |
| End Date | Sep 30, 2021 |
| Duration | 46 days |
| Number of Grantees | 1 |
| Roles | Principal Investigator |
| Data Source | National Science Foundation (US) |
| Grant ID | 2115107 |
Second-factor (2FA) or passwordless authentication based on notifications pushed to a user's personal device (e.g., a phone), which the user can simply approve (or deny), has become widely popular due to its convenience, especially to protect scientific resources at universities and similar organizations. This project is studying the premise that the effortlessness of this approach gives rise to a fundamental design vulnerability arising from concurrent login sessions (one initiated by the user and the other initiated by the attacker), and is then redesigning push-based authentication systems so that they can counter the identified vulnerability without degrading the overall usability of the approach.
The proposed new design attempts to address the concurrent login attacks by establishing a unique binding between the user’s browser session and the push notification.
The research consists of three inter-related activities: (1) formalization and study of a fundamental vulnerability against standard push notification authentication schemes; (2) design and implementation of low-effort push-based authentication schemes that can defeat the identified vulnerability without undermining the usability; and (3) formal studies of the proposed new push-based authentication schemes, conducted in lab settings and field environments. The developed resilient push authentication system designs are expected to offer an improved level of protection, accessibility and usability to everyday users in scientific and collaborative settings.
The research prototypes are expected to be of broader value in future research on building resilient and usable authentication services in practice. The project is emphasizing technology transfer by working with major players in the push-based authentication domain. The proposed research is being integrated with educational activities in the form of advanced curriculum development and student mentoring in the broad domains of Authentication and Human-Computer Interaction, and the involvement of high school and K-12 students and minority populations is broadening the reach of the project.
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.