Visual Authentication Notes

A survey of visual authentication schemes. Illustrates how most visual authentication schemes are broken:

Fake/malicious website would have captured your first factor which typically is the ‘What you know (password)’. Getting hold the result (the cookie) from the authentication process essentially allows the attacker to create a session as you.

Think about the typical 2-Factor/Step authentication process, it doesn’t matter the number of factors/steps involved. As long it is still going through the fake/malicious interface (can be a website, thick software client, spoofed OS/system UI element), the attacker can create a valid session on your behalf.

Factor != Step. Passwords are ‘what you know’ with a long usable life-span, OTP tokens may seem like a what you have but effectively it is still a ‘what you know’ with a short life-span; thus 2-Step authentication. Meaning to say if an attacker can trick the users to key in these two information, then ‘what you have’ factor becomes immaterial.

A true 2-Factor authentication scheme should be something like ‘What you know/have’ (eg. OTP or Visual Authentication) & ‘What you are’ (fingerprint). A user-friendly combination could be a Visual Authentication scanner that can be activated via Fingerprint touch. Making secure & convenient appear in the same sentence is not straight forward.

Attack Conditions

  1. Get in between the victim & service to read & replay
  2. Fake interface (eg. Phishing sites, fake UIs)

The paper’s proposed solution (right diagram)

Compare the right diagram with the left, notice the session cookie is no longer transported between the Website & Web Browser which the attacker can get in between. Based on the right diagram, getting between the Web Browser & Website becomes pointless since only a single identifier is flowing through that path. Bear in mind the whole point of the paper is replacing passwords with visual authentication.

The security of this scheme depends on the difficulty of getting in between Scanner & Web Browser (assuming the Scanner is trusted/hardened).