I Bought a New Security Token and All I Got Was This Lousy Phish—Relay Attacks on Visual Code Authentication Schemes

  • Graeme Jenkinson
  • Max Spencer
  • Chris Warrington
  • Frank Stajano
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8809)


One recent thread of academic and commercial research into web authentication has focused on schemes where users scan a visual code with their smartphone, which is a convenient alternative to password-based login. We find that many schemes in the literature (including, previously, our own) are, unfortunately, vulnerable to relay attacks. We explain the inherent reasons for this vulnerability and offer an architectural fix, evaluating its trade-offs and discussing why it has never been proposed by other authors.


Keywords: Authentication Scheme, Authentication Protocol, Visual Code, Quick Response Code, Rendezvous Point



We gratefully acknowledge the European Research Council for funding this research under grant 307224.

We also thank Olgierd Pieczul for pointing out the login gifting attack during the workshop.



Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Graeme Jenkinson (1)
  • Max Spencer (1, corresponding author)
  • Chris Warrington (1)
  • Frank Stajano (1)

  1. Computer Laboratory, University of Cambridge, Cambridge, UK
