Level-1 exam - Ahmed Tanvir Mahdad


Level-1 Exam

For the Level 1 Qualifying Exam, PhD students develop a written survey and critique covering the breadth of a research area and give an oral presentation of the work. When they propose their list of prospective research articles, the students present a public seminar on their research, followed by a Q&A session with the graduate faculty members. These seminars are public, and students are especially encouraged to come and learn about ongoing research in the Department of Computer and Information Sciences. This public seminar is a background study of the student's proposed area of research. Please attend!

***Note that PhD students are required to attend, and attendance will be taken and counted towards annual performance evaluation. If you are not able to attend, please email me.***


Advisor: Dr. Nitesh Saxena

Title: On the Insecurity of Authentication from an Untrusted Terminal: Passwords, 2FA, Passwordless and More

Abstract: Authentication is the primary mechanism to safeguard an individual or organizational entity's sensitive data from unauthorized access. The study of an authentication system's security is vital, as it is the gateway to confidential information and resources available online. Password-only authentication is the most common scheme, but it can be compromised easily by adversaries. The introduction of multi-factor authentication schemes, secure alternatives to traditional Two-Factor Authentication (2FA) methods, and passwordless authentication methods are some of the attempts to boost the security of password-only authentication. In this survey, we concentrate on the general problem of malware-infected terminals, a prevalent and well-known threat to authentication systems. It is obvious that password-only authentication cannot provide any protection in the face of malware on terminals. However, do the emerging authentication methods mentioned above provide security in the presence of infected terminals, given that they introduce a password-independent factor in the authentication process? The community view present in the literature seems to suggest that 2FA methods remain secure in the presence of malware on the authentication terminal (except for session hijacking). Is this really the case?

In our work, we challenge the above perception and posit that many of the academic authentication systems we have studied may actually not be secure against a slightly advanced, yet practical, malware threat. In particular, we consider a malware threat that initiates a concurrent attack during the benign login of the user and can take over the user's account without any assistance from outside the compromised terminal. This attack framework is more capable and stealthier than well-known security threats (e.g., session hijacking). We evaluate popular commercial and academic authentication schemes against this attack framework, covering the literature in this area from the last fifteen years. We categorize these schemes into nine primary categories based on authentication factors and system design.

The anticipated contribution of this survey is three-fold. First, we analyze a wide range of commercial and academic authentication schemes against the malware-on-terminal threat model, specifically considering the concurrent login attack scenario. Second, we identify the common attack entry points that make most or all of these authentication schemes vulnerable to concurrent login attacks initiated by malicious entities. Third, we carefully scrutinize and systematize every scheme's workflow, pinpoint its primary contribution, and evaluate it for the studied vulnerability. Based on our evaluation, we observe that almost all of the schemes examined expose these attack entry points and are vulnerable to the concurrent attack framework we present.
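The following toy model is an added illustration of the concurrent-login threat described in the abstract; it is not code from the survey or from any scheme it evaluates. It assumes a generic password + TOTP (RFC 6238) server and a terminal whose input path is hooked by malware; the names Server, Terminal, run_scenario and the user "alice" are all constructed for this example. The malware needs nothing outside the compromised terminal: it copies the password and the one-time code the user has just typed and opens its own session before the user's request is forwarded. The single_use switch shows the one practical caveat a practitioner would want: making each TOTP code accepted only once does not stop the attacker, it only turns the attack into a visible login failure for the user.

```python
"""Toy model of a concurrent-login attack by malware on the user's terminal.
Constructed illustration (not the survey's code). Server, Terminal and
run_scenario are assumed names; the server verifies a password plus an
RFC 6238 TOTP code, and the malware hooks the terminal's submit path.
"""
import hashlib
import hmac
import secrets
import struct
import time


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step): what the user's authenticator shows."""
    msg = struct.pack(">Q", int(now // step))
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Server:
    """Password + TOTP verifier. With single_use=True each code is accepted once."""

    def __init__(self, single_use: bool):
        self.single_use = single_use
        self.users = {}      # user -> (salt, password hash, totp secret)
        self.used = set()    # (user, code) pairs already accepted
        self.sessions = {}   # session token -> user

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user: str, password: str, secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, self._hash(salt, password), secret)

    def login(self, user: str, password: str, code: str, now: float):
        """Return a session token on success, None on failure."""
        salt, pwd_hash, secret = self.users[user]
        if not hmac.compare_digest(pwd_hash, self._hash(salt, password)):
            return None
        if not hmac.compare_digest(code, totp(secret, now)):
            return None
        if self.single_use:
            if (user, code) in self.used:
                return None          # replayed code: reject
            self.used.add((user, code))
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token


class Terminal:
    """The user's machine. `malware` is an optional hook that sees every submission."""

    def __init__(self, server: Server, malware=None):
        self.server = server
        self.malware = malware

    def submit(self, user: str, password: str, code: str, now: float):
        if self.malware is not None:
            # The malware runs first: it controls the terminal and can delay the
            # user's request while it races its own login with the same factors.
            self.malware(self.server, user, password, code, now)
        return self.server.login(user, password, code, now)


def run_scenario(single_use: bool):
    """One benign login on an infected terminal.

    Returns (user_logged_in, attacker_logged_in)."""
    server = Server(single_use)
    secret = secrets.token_bytes(20)
    server.register("alice", "correct horse", secret)
    attacker_tokens = []

    def malware(srv, user, password, code, now):
        # Concurrent login with the freshly typed credentials; no help from
        # outside the compromised terminal is needed.
        tok = srv.login(user, password, code, now)
        if tok:
            attacker_tokens.append(tok)

    now = time.time()
    user_code = totp(secret, now)           # what alice reads off her authenticator
    user_token = Terminal(server, malware).submit("alice", "correct horse", user_code, now)
    return user_token is not None, bool(attacker_tokens)


if __name__ == "__main__":
    print("replayable OTP (user, attacker):", run_scenario(single_use=False))
    print("single-use OTP (user, attacker):", run_scenario(single_use=True))
```

With replayable codes both logins succeed and the user sees nothing unusual; with single-use codes the attacker's session still exists and the user's own login fails, which is the only signal the victim gets. The model deliberately omits session hijacking, which the abstract treats as a separate, already well-known threat.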

Dial-In Information

Meeting ID: 983 5610 7788
Passcode: 588619

Wednesday, April 7, 2021 at 11:15am to 12:05pm

Virtual Event
Event Type

Lectures & Presentations


Science & Technology

Department of Computer Science

