Casey Lee Silver
Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.
Date of Graduation
Master of Science (MS)
Department of Computer Science
This paper explores how existing push notification based two-factor authentication systems are susceptible to real-time man-in-the-middle relay attacks and proposes a system for mitigating such attacks. A fully functional reference system of the proposed mitigation was built and compared to an existing push notification two-factor authentication system while undergoing a real-time man-in-the-middle relay attack. The reference systems used cloud infrastructure for hosting, an Apple iPhone as the notification receiver, and Apple’s push notification service to send notifications. A publicly available tool for conducting real-time man-in-the-middle relay attacks was used to conduct the attacks. The results of the tests were recorded and contrasted to show how existing implementations fail to identify such attacks and how the proposed system could. It is recommended that the existing push notification two-factor authentication providers implement additional measures to protect users against real-time man-in-the-middle relay attacks while appropriately weighing key usability issues. While the proposed mitigation system is shown to prevent such attacks, it has usability drawbacks that should be considered.
Silver, Casey, "Mitigating real-time relay phishing attacks against mobile push notification based two-factor authentication systems" (2020). Masters Theses, 2020-current. 4.