Title: The Research-Practice Gap in User Authentication
Authors: Lee, Kevin
Advisors: Narayanan, Arvind
Contributors: Computer Science Department
Keywords: audit
Subjects: Computer science; Web studies
Issue Date: 2022
Publisher: Princeton, NJ : Princeton University
Abstract: The gap between user authentication research and practice has led to weaknesses in critical, widely-deployed systems used by millions of people. In these systems, policy and process vulnerabilities—not software vulnerabilities—allow UI-bound, low-tech adversaries to exploit weaknesses to threaten user safety. The disconnect is caused partly by practice failing to heed advice from research. But it is also caused by research not understanding the practical constraints of these systems, while discouraging studies that try to do so. Ultimately, users are the ones who suffer when these weaknesses remain undiscovered. Here, we studied user authentication practices that were not necessarily cutting-edge, but broadly impacted user safety. We identified security policy and process flaws, quantified the risk of harm to users through manual measurements, and called for policy solutions to mitigate the risks. More broadly, we honed a methodology through these studies which can potentially bridge the research-practice gap in user authentication as well as in other topics in information security. First, we studied call center authentication for SIM swap requests at mobile carriers. We found flaws in their authentication policy and processes which could facilitate SIM swap attacks. Furthermore, we found that most websites did not stand up well against SIM swaps, demonstrating that users' accounts could easily be hijacked. Our results have influenced policy changes at carriers and websites, and have motivated ongoing rulemaking by the FCC. Next, we studied security and privacy risks of phone number recycling in the U.S. at mobile carriers. We found that most numbers we sampled were recycled and vulnerable to attacks on previous owners, while carriers had design weaknesses that could facilitate attacks. We have raised awareness about the risks of number recycling at carriers, and have communicated a practical constraint of SMS-based authentication to the research community. Finally, we studied password policies of top websites. Despite well-established recommendations from research, we found few websites actually following them, which could put accounts at risk of password compromise. We hypothesized reasons why these websites were not following best practices, and discussed ways the research community could engage website system administrators to bridge the research-practice gap.
Alternate format: The Mudd Manuscript Library retains one bound copy of each dissertation. Search for these copies in the library's main catalog:
Type of Material: Academic dissertations (Ph.D.)
Language: en
Appears in Collections: Computer Science

Files in This Item:
Lee_princeton_0181D_14218.pdf (1.41 MB, Adobe PDF)
