Pitfalls in Designing Zero-Effort Deauthentication: Opportunistic Human Observation Attacks

Otto Huhta, Prakash Shrestha, Swapnil Udar, Mika Juuti, Nitesh Saxena, N Asokan

Research output: Chapter in Book/Report/Conference proceedingConference contributionScientificpeer-review

109 Downloads (Pure)


Deauthentication is an important component of any authentication system. The widespread use of computing devices in daily life has underscored the need for zero-effort deauthentication schemes. However, the quest for eliminating user
effort may lead to hidden security flaws in the authentication schemes.

As a case in point, we investigate a prominent zero-effort deauthentication scheme, called ZEBRA, which provides an interesting and a useful solution to a difficult problem as demonstrated in the original paper. We identify a subtle incorrect assumption in its adversary model that leads to a fundamental design flaw. We exploit this to break the scheme with a class of attacks that are much easier for a human to perform in a realistic adversary model, compared to the naive attacks studied in the ZEBRA paper. For example, one of our main attacks, where the human attacker has to opportunistically mimic only the victim’s
keyboard typing activity at a nearby terminal, is significantly more successful compared to the naive attack that requires mimicking keyboard and mouse activities as well as keyboardmouse movements. Further, by understanding the design flaws in ZEBRA as cases of tainted input, we show that we can draw on
well-understood design principles to improve ZEBRA’s security.
Original languageEnglish
Title of host publicationNetwork and Distributed System Security Symposium 2016
Place of PublicationSan Diego
PublisherInternet Society
ISBN (Print)1-891562-41-X
Publication statusPublished - 2016
MoE publication typeA4 Article in a conference publication
EventNetwork and Distributed System Security Symposium - Catamaran Resort Hotel & Spa, San Diego, United States
Duration: 21 Feb 201624 Feb 2016
Conference number: 23


ConferenceNetwork and Distributed System Security Symposium
Abbreviated titleNDSS
CountryUnited States
CitySan Diego
Internet address

Fingerprint Dive into the research topics of 'Pitfalls in Designing Zero-Effort Deauthentication: Opportunistic Human Observation Attacks'. Together they form a unique fingerprint.

Cite this