CS858 - User Authentication

CS858 - User Authentication - Fall 2024

Schedule & Reading List

Sep 10	Course Logistics / Introduction I
	Course Logistics
	Introduction to User Authentication I
Paper bids due Sep 16.
Sep 17	Introduction II / Presentation Advice / Project Topics
	Introduction to User Authentication II
No reviews need	Password Security: A Case History Robert Morris, Ken Thompson [CACM 1979]
to be submitted	The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, Frank Stajano [Oakland 2012]
for these papers	Passwords and the Evolution of Imperfect Authentication Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, Frank Stajano [CACM 2015]
	Advice on Giving Technical Presentations
	Sample Project Topics
Sep 24	Passwords in the real world
	A Large-Scale Measurement of Website Login Policies Al Roomi et al. [USENIX Security 2023]
	Investigating the Password Policy Practices of Website Administrators Sahin et al. [Oakland 2023]
	An Empirical Analysis of Enterprise-Wide Mandatory Password Updates Mirian et al. [ACSAC 2023]
Sep 31	Password managers
	Dissecting Nudges in Password Managers: Simple Defaults are Powerful Zibaei et al. [SOUPS 2023]
	“Would You Give the Same Priority to the Bank and a Game? I Do Not!” Exploring Credential Management Strategies and Obstacles during Password Manager Setup Amft et al. [SOUPS 2023]
	Measuring the Prevalence of Password Manager Issues Using In-Situ Experiments Hutchinson et al. [NDSS 2024]
Oct 7	Password guessing
	Guess Again (and Again and Again): Measuring Password Strength by Simulating Password-Cracking Algorithms Gage et al. [Oakland 2012] (Winner of Oakland 2023 Test-of-Time Award)
	Where The Wild Things Are: Brute-Force SSH Attacks In The Wild And How To Stop Them Singh et al. [NSDI 2024]
	Hidden Reality: Caution, Your Hand Gesture Inputs in the Immersive Virtual World are Visible to All! Gopal et al. [USENIX Security 2023]
Oct 14	No class due to Reading Week
Oct 21	Two-factor authentication and risk-based access control
Project proposal due Oct 21.	A Systematic Study of the Consistency of Two-Factor Authentication User Journeys on Top-Ranked Websites Lyastani et al. [NDSS 2023]
	A Study of Multi-Factor and Risk-Based Authentication Availability Gavazzi et al. [USENIX Security 2023]
	Security and Privacy Failures in Popular 2FA Apps Gilsenan et al. [USENIX Security 2023]
Oct 28	Fallback authentication
	“We've Disabled MFA for You”: An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments Amft et al. [CCS 2023]
	A Comparative Long-Term Study of Fallback Authentication Schemes Lassak et al. [CHI 2024]
	A Mixed-Methods Study on User Experiences and Challenges of Recovery Codes for an End-to-End Encrypted Service Höltervennhoff et al. [USENIX Security 2024]
Nov 4	Browser fingerprinting
	Phish in Sheep's Clothing: Exploring the Authentication Pitfalls of Browser Fingerprinting Lin et al. [USENIX Security 2022]
	The Double Edged Sword: Identifying Authentication Pages and their Fingerprinting Behavior Senol et al. [WWW 2024]
	Understanding Users' Interaction with Login Notifications Markert et al. [CHI 2024]
Nov 11	Biometrics and behavioural authentication
	TouchTone: Smartwatch Privacy Protection via Unobtrusive Finger Touch Gestures Yang et al. [MobiSys 2024]
	Masterkey attacks against free-text keystroke dynamics and security implications of demographic factors VanHamme et al. [Euro S&P 2023]
	InfinityGauntlet: Expose Smartphone Fingerprint Authentication to Brute-force Attack Chen et al. [USENIX Security 2023]
Nov 18	Passkeys
	Evaluating the Security Posture of Real-World FIDO2 Deployments Kuchhal et al. [CCS 2023]
	“It's Stored, Hopefully, on an Encrypted Server”: Mitigating Users' Misconceptions About FIDO2 Biometric WebAuthn Lassak et al. [USENIX Security 2021]
	Why Aren't We Using Passkeys? Obstacles Companies Face Deploying FIDO2 Passwordless Authentication Lassak et al. [USENIX Security 2024]
Nov 25	Miscellaneous Topics
	Understanding How People Share Passwords Moh et al. [SOUPS 2024]
	“Make Them Change it Every Week!”: A Qualitative Exploration of Online Developer Advice on Usable and Secure Authentication Klemmer et al. [CCS 2023]
	SOAP: A Social Authentication Protocol Linker and Basin [USENIX Security 2024]
Dec 2	Project Presentations
Final project report due Dec 13.