CS858 - User Authentication - Fall 2022
Schedule & Reading List
| Week 1 | Sep 7 Introduction | |
|---|---|---|
| | Introduction to the Course | |
| Week 2 | Sep 12 Basics | Sep 14 Future Trends |
| Paper bids due Sep 11. | Basics of User Authentication | Recent Trends of User Authentication |
| | Password Security: A Case History. Robert Morris, Ken Thompson [CACM 22/11] | The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, Frank Stajano [Oakland'12] |
| Week 3 | Sep 19 Guest Lectures | Sep 21 Advice |
| | OneButtonPIN: A Single Button Authentication Method for Blind or Low Vision Users to Improve Accessibility and Prevent Eavesdropping. Manisha Varma Kamarushi, Stacey Watson, Garreth Tigwell, Roshan Peiris [MobileHCI'12] | Presentation Advice |
| | Sharing without Scaring: Enabling Smartphones to Become Aware of Temporary Sharing. Jiayi Chen, Urs Hengartner, Hassan Khan [SOUPS'22] | Project Opportunities |
| Week 4 | Sep 26 Passwords I | Sep 28 Passwords II |
| | Practical Recommendations for Stronger, More Usable Passwords Combining Minimum-Strength, Minimum-Length, and Blocklist Requirements. Joshua Tan, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor [CCS'20] | “The Same PIN, Just Longer”: On the (In)Security of Upgrading PINs from 4 to 6 Digits. Collins W. Munyendo, Philipp Markert, Alexandra Nisenoff, Miles Grant, Elena Korkes, Blase Ur, Adam J. Aviv [USENIX Security'22] |
| | Password policies of most top websites fail to follow best practices. Kevin Lee, Sten Sjöberg, Arvind Narayanan [SOUPS'22] | Gossamer: Securely Measuring Password-based Logins. Marina Sanusi Bohuk, Mazharul Islam, Suleman Ahmad, Michael Swift, Thomas Ristenpart, Rahul Chatterjee [USENIX Security'22] |
| Week 5 | Oct 3 Passwords III | Oct 5 Password Managers I |
| | Let’s Hash: Helping Developers with Password Security. Lisa Geierhaas, Anna-Marie Ortloff, Matthew Smith, Alena Naiakshina [SOUPS'22] | Why Users (Don't) Use Password Managers at a Large Educational Institution. Peter Mayer, Collins W. Munyendo, Michelle L. Mazurek, Adam J. Aviv [USENIX Security'22] |
| | Chunk-Level Password Guessing: Towards Modeling Refined Password Composition Representations. Ming Xu, Chuanwang Wang, Jitao Yu, Junjie Zhang, Kai Zhang, Weili Han [CCS'21] | Do Password Managers Nudge Secure (Random) Passwords? Samira Zibaei, Dinah Rinoa Malapaya, Benjamin Mercier, Amirali Salehi-Abari, Julie Thorpe [SOUPS'22] |
| Week 6: No classes - Reading Week | Oct 10 | Oct 12 |
| Week 7 | Oct 17 Password Managers II | Oct 19 Phishing |
| Project proposal due Oct 19. | They Would do Better if They Worked Together: The Case of Interaction Problems Between Password Managers and Websites. Nicolas Huaman, Sabrina Amft, Marten Oltrogge, Yasemin Acar, Sascha Fahl [Oakland'21] | Phishing in Organizations: Findings from a Large-Scale and Long-Term Study. Daniele Lain, Kari Kostiainen, Srdjan Čapkun [Oakland'22] |
| | That Was Then, This Is Now: A Security Evaluation of Password Generation, Storage, and Autofill in Browser-Based Password Managers. Sean Oesch, Scott Ruoti [USENIX Security'20] | Phish in Sheep's Clothing: Exploring the Authentication Pitfalls of Browser Fingerprinting. Xu Lin, Panagiotis Ilia, Saumya Solanki, Jason Polakis [USENIX Security'22] |
| Week 8 | Oct 24 Two-Factor Authentication | Oct 26 FIDO2 |
| | An Empirical Study of Wireless Carrier Authentication for SIM Swaps. Kevin Lee, Benjamin Kaiser, Jonathan Mayer, Arvind Narayanan [SOUPS'20] | Is FIDO2 the Kingslayer of User Authentication? A Comparative Usability Study of FIDO2 Passwordless Authentication. Sanam Ghorbani Lyastani, Michael Schilling, Michaela Neumayr, Michael Backes, Sven Bugiel [Oakland'20] |
| | Empirical Measurement of Systemic 2FA Usability. Joshua Reynolds, Nikita Samarin, Joseph Barnes, Taylor Judd, Joshua Mason, Michael Bailey, Serge Egelman [USENIX Security'20] | “It's Stored, Hopefully, on an Encrypted Server”: Mitigating Users' Misconceptions About FIDO2 Biometric WebAuthn. Leona Lassak, Annika Hildebrandt, Maximilian Golla, Blase Ur [USENIX Security'21] |
| Week 9 | Oct 31 Fallback Authentication | Nov 2 Attacks on FIDO2 |
| | “I’m Surprised So Much Is Connected”. Sven Hammann, Michael Crabb, Sasa Radomirovic, Ralf Sasse, David Basin [CHI'22] | How Not to Handle Keys: Timing Attacks on FIDO Authenticator Privacy. Michal Kepkowski, Lucjan Hanzlik, Ian Wood, Mohamed Ali Kaafar [PoPETS'22] |
| | Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google. Joseph Bonneau, Elie Bursztein, Ilan Caron, Rob Jackson, Mike Williamson [WWW'15] | Trust Dies in Darkness: Shedding Light on Samsung's TrustZone Keymaster Design. Alon Shakevsky, Eyal Ronen, Avishai Wool [USENIX Security'22] |
| Week 10 | Nov 7 Risk-based Authentication | Nov 9 Shoulder Surfing |
| | Evaluating Login Challenges as a Defense Against Account Takeover. Periwinkle Doerfler, Kurt Thomas, Maija Marincenko, Juri Ranieri, Yu Jiang, Angelika Moscicki, Damon McCoy [WWW'19] | Virtual Reality Observations: Using Virtual Reality to Augment Lab-Based Shoulder Surfing Research. Florian Mathis, Joseph O’Hagan, Mohamed Khamis, Kami Vaniea [VR'22] |
| | What’s in Score for Website Users: A Data-Driven Long-Term Study on Risk-Based Authentication Characteristics. Stephan Wiefling, Markus Dürmuth, Luigi Lo Iacono [FC'21] | Stay Home! Conducting Remote Usability Evaluations of Novel Real-World Authentication Systems Using Virtual Reality. Florian Mathis, Joseph O'Hagan, Kami Vaniea, Mohamed Khamis [AVI'22] |
| Week 11 | Nov 14 Biometrics | Nov 16 Implicit/Continuous Authentication |
| | EchoPrint: Two-factor Authentication Using Acoustics and Vision on Smartphones. Bing Zhou, Jay Lohokare, Ruipeng Gao, Fan Ye [MobiCom'18] | Common Evaluation Pitfalls in Touch-Based Authentication Systems. Martin Georgiev, Simon Eberz, Henry Turner, Giulio Lovisotto, Ivan Martinovic [AsiaCCS'22] |
| | Inexpensive Brainwave Authentication: New Techniques and Insights on User Acceptance. Patricia Arias-Cabarcos, Thilo Habrich, Karen Becker, Christian Becker, Thorsten Strufe [USENIX Security'21] | EarGate: Gait-based User Identification with In-ear Microphones. Andrea Ferlini, Dong Ma, Robert Harle, Cecilia Mascolo [MobiCom'21] |
| Week 12 | Nov 21 Voice Authentication | Nov 23 De-Authentication |
| | Who is Real Bob? Adversarial Attacks on Speaker Recognition Systems. Guangke Chen, Sen Chen, Lingling Fan, Xiaoning Du, Zhe Zhao, Fu Song, Yang Liu [Oakland'21] | Privacy-Friendly De-authentication with BLUFADE: Blurred Face Detection. Matteo Cardaioli, Mauro Conti, Pier Paolo Tricomi, Gene Tsudik [PerCom'22] |
| | “Hello, It's Me”: Deep Learning-based Speech Synthesis Attacks in the Real World. Emily Wenger, Max Bronckers, Christian Cianfarani, Jenna Cryan, Angela Sha, Haitao Zheng, Ben Y. Zhao [CCS'21] | Beware of Your Vibrating Devices! Vibrational Relay Attacks on Zero-Effort Deauthentication. Prakash Shrestha, Nitesh Saxena [ACNS'22] |
| Week 13 | Nov 28 Cryptographic Authentication Systems | Nov 30 Project Presentations |
| | With a Little Help from My Friends: Constructing Practical Anonymous Credentials. Lucjan Hanzlik, Daniel Slamanig [CCS'21] | |
| | Let’s Authenticate: Automated Certificates for User Authentication. James Conners, Corey Devenport, Stephen Derbidge, Natalie Farnsworth, Kyler Gates, Stephen Lambert, Christopher McClain, Parker Nichols, Daniel Zappala [NDSS'22] | |
| Week 14 | Dec 5 Project Presentations | |
| Final project report due Dec 16. | | |