Multi-factor Authentication Mechanism Based on Browser Fingerprinting and Graphical HoneyTokens

Jonsson, Dillon, Marteni, Amin

January 2022

Multi-factor authentication (MFA) offers a wide range of methods and techniques available today. The security benefits of using MFA are almost indisputable, however, users are reluctant to adopt the technology. While many new MFA solutions are being proposed, there is a lack of consideration for user sentiment in the early stages of development. In an attempt to balance security and usability, this report investigates the feasibility of a new authentication mechanism that uses browser fingerprinting, graphical passwords, and honeytokens. This was evaluated by conducting a limited literature review, producing a prototype, interviews with test users, and security experts, as well as ensuring feasibility through a requirements checklist. The results of this research provides evidence that this mechanism is feasible, and appealing to end users. However, more investigation is required in order to ensure the mechanism's viability in a real-world deployment.

Multi-factor Authentication

Browser Fingerprinting

Graphical Passwords

Honeytokens

Computer Sciences

Datavetenskap (datalogi)

Feeding Phishers

Lynch, Nicholas J

01 July 2009

Phishing campaigns continue to deceive users into revealing their credentials, despite advancing spam filters, browser and toolbar warnings, and educational efforts. Recently, researchers have begun investigating how fake credentials --- or honeytokens --- can be used to detect phishing sites and protect users. BogusBiter, one such work, creates sets of honeytokens based on users' real credentials and sends them alongside real user submissions to phishing sites. In this paper, we present Phish Feeder, an anti-phishing tool which extends the BogusBiter honeytoken generation algorithm in order to create more realistic and authentic-looking credentials. Phish Feeder also employs a ``honeytoken repository'' which stores generated credentials and provides a lookup service for legitimate sites that encounter invalid credentials. The Phish Feeder client is implemented as a Firefox extension and the repository is implemented as a Java web application. We compare the effectiveness of the Phish Feeder generation algorithm to that of the previous work and find that it is up to four times as effective at hiding real users' credentials within a set. Furthermore, we find that Phish Feeder introduces only negligible overhead during normal browsing, and a low overhead during credential creation and submission.

phishing

identity theft

honeytokens

fake credentials

browser extension

Other Computer Sciences

Deception strategies for web application security: application-layer approaches and a testing platform

Izagirre, Mikel

January 2017

The popularity of the internet has made the use of web applications ubiquitous and essential to the daily lives of people, businesses and governments. Web servers and web applications are commonly used to handle tasks and data that can be critical and highly valuable, making them a very attractive target for attackers and a vector for successful attacks that are aimed at the application layer. Existing misuse and anomaly-based detection and prevention techniques fail to cope with the volume and sophistication of new attacks that are continuously appearing, which suggests that there is a need to provide new additional layers of protection. This work aims to design a new layer of defense based on deception that is employed in the context of web application-layer traffic with the purpose of detecting and preventing attacks. The proposed design is composed of five deception strategies: Deceptive Comments, Deceptive Request Parameters, Deceptive Session Cookies, Deceptive Status Codes and Deceptive JavaScript. The strategies were implemented as a software artifact and their performance evaluated in a testing environment using a custom test script, the OWASP ZAP penetration testing tool and two vulnerable web applications. Deceptive Parameter strategy obtained the best security performance results, followed by Deceptive Comments and Deceptive Status Codes. Deceptive Cookies and Deceptive JavaScript got the poorest security performance results since OWASP ZAP was unable to detect and use deceptive elements generated by these strategies. Operational performance results showed that the deception artifact could successfully be implemented and integrated with existing web applications without changing their source code and adding a low operational overhead.

deception

computer deception

cyberdeception

intrusion detection

intrusion deception

security

cybersecurity

web

web applications

HTTP

penetration testing

security testing

honeypots

honeytokens

decoy

active defense

attacks

web vulnerability scanners

OWASP ZAP

BodgeIt

WAVSEP

Computer Systems

Datorsystem