A User-Friendly Two-Factor Authentication Method against Real-Time Phishing Attacks

Today, two-factor authentication (2FA) is a widely implemented mechanism to counter phishing attacks. Although much effort has been investigated in 2FA, most 2FA systems are still vulnerable to carefully designed phishing attacks, and some even request special hardware, which limits their wide deployment. Recently, real-time phishing (RTP) has made the situation even worse because an adversary can effortlessly establish a phishing website without any background of the web page design technique. Traditional 2FA can be easily bypassed by such RTP attacks. In this work, we propose a novel 2FA system to counter RTP attacks. The main idea is to request a user to take a photo of the web browser with the domain name in the address bar as the 2nd authentication factor. The web server side extracts the domain name information based on Optical Character Recognition (OCR), and then determines if the user is visiting this website or a fake one, thus defeating the RTP attacks where an adversary must set up a fake website with a different domain. We prototyped our system and evaluated its performance in various environments. The results showed that PhotoAuth is an effective technique with good scalability. We also showed that compared to other 2FA systems, PhotoAuth has several advantages, especially no special hardware or software support is needed on the client side except a phone, making it readily deployable.

Files

Metadata

Work Title A User-Friendly Two-Factor Authentication Method against Real-Time Phishing Attacks
Access
Open Access
Creators
  1. Yuanyi Sun
  2. Sencun Zhu
  3. Yan Zhao
  4. Pengfei Sun
License In Copyright (Rights Reserved)
Work Type Article
Publisher
  1. 2022 IEEE Conference on Communications and Network Security (CNS)
Publication Date October 3, 2022
Publisher Identifier (DOI)
  1. https://doi.org/10.1109/CNS56114.2022.9947253
Deposited February 27, 2023

Versions

Analytics

Collections

This resource is currently not in any collection.

Work History

Version 1
published

  • Created
  • Added PhotoAuth__CNS_2022_.pdf
  • Added Creator Yuanyi Sun
  • Added Creator Sencun Zhu
  • Added Creator Yan Zhao
  • Added Creator Pengfei Sun
  • Published
  • Updated Publisher Show Changes
    Publisher
    • 2022 IEEE Conference on Communications and Network Security (CNS)