The Research-Practice Gap in User Authentication

Abstract

The gap between user authentication research and practice has led to weaknesses in critical, widely-deployed systems used by millions of people. In these systems, policy and process vulnerabilities—not software vulnerabilities—allow UI-bound, low-tech adversaries to exploit weaknesses to threaten user safety. The disconnect is caused partly by practice failing to heed advice from research. But it is also caused by research not understanding the practical constraints of these systems, while discouraging studies that try to do so. Ultimately, users are the ones who suffer when these weaknesses remain undiscovered. Here, we studied user authentication practices that were not necessarily cutting-edge, but broadly impacted user safety. We identified security policy and process flaws, quantified the risk of harm to users through manual measurements, and called for policy solutions to mitigate the risks. More broadly, we honed a methodology through these studies which can potentially bridge the research-practice gap in user authentication as well as in other topics in information security. First, we studied call center authentication for SIM swap requests at mobile carriers. We found flaws in their authentication policy and processes which could facilitate SIM swap attacks. Furthermore, we found that most websites did not stand up well against SIM swaps, demonstrating that users' accounts could easily be hijacked. Our results have influenced policy changes at carriers and websites, and have motivated ongoing rulemaking by the FCC. Next, we studied security and privacy risks of phone number recycling in the U.S. at mobile carriers. We found that most numbers we sampled were recycled and vulnerable to attacks on previous owners, while carriers had design weaknesses that could facilitate attacks. We have raised awareness about the risks of number recycling at carriers, and have communicated a practical constraint of SMS-based authentication to the research community. Finally, we studied password policies of top websites. Despite well-established recommendations from research, we found few websites actually following them, which could put accounts at risk of password compromise. We hypothesized reasons why these websites were not following best practices, and discussed ways the research community could engage website system administrators to bridge the research-practice gap.