Abstract
User authentication can be compromised both by subverting the system and by subverting the user; threat modelling of the former is well studied, that of the latter less so. We propose a method to determine opportunities to subvert the user, allowing vulnerabilities to be systematically identified. The method is applied to VeriSign’s OpenID authentication mechanism.
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
Cite this paper
Dong, X., Clark, J.A., Jacob, J.L. (2008). Threat Modelling in User Performed Authentication. In: Chen, L., Ryan, M.D., Wang, G. (eds) Information and Communications Security. ICICS 2008. Lecture Notes in Computer Science, vol 5308. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-88625-9_4
DOI: https://doi.org/10.1007/978-3-540-88625-9_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-88624-2
Online ISBN: 978-3-540-88625-9
eBook Packages: Computer Science, Computer Science (R0)