Vulnerabilities of Multi-factor Authentication in Modern Computer Networks
Multi-factor authentication (MFA) is a common method of securing private accounts in conjunction with a username and password, and helps protect against a variety of attacks. However, despite offering more security, it relies on the user to take certain actions to verify their identity. This study aims to test how secure MFA is against attacks that attempt to deceive the user into taking an incorrect action that compromises their account. We researched the types of attacks that could target MFA. From those we created two attacks that both focused on deceiving the user and had symptoms that could be noticed by the user. Then we ran a user study where we performed attacks on volunteers in which their actions controlled whether or not the account was compromised. We compared study results where users were and were not deceived into providing their credentials, as well as how users acted while logging in. We found that most users, contrary to our expectations, failed to carefully read the push notifications and treated MFA as an obstacle to logging in rather than a security measure to be carefully examined. Even when more context was added to hint at an attack, users still tended to rush through and accept an attacker's login attempt. We concluded that an important next step to improving MFA is researching how to counteract the fatigue users experience from frequent use of MFA.
- This report represents the work of one or more WPI undergraduate students submitted to the faculty as evidence of completion of a degree requirement. WPI routinely publishes these reports on its website without editorial or peer review.
Permanent link to this page: https://digital.wpi.edu/show/5d86p313s