CSE 363 Offensive Security

2025-03-11 Authentication

Michalis Polychronakis

Stony Brook University

Authentication
The process of verifying someone’s identity or role
User, device, service, request, …

What is identity?
Which characteristics uniquely identify an entity?

Authentication is a critical service

Enables communicating parties to verify the identity of their peers
Many other security mechanisms rely on it

Two main types

Human to computer
Computer to computer

2
Credentials
Evidence used to prove an identity
User Authentication: credentials supplied by a person
Something you know
Something you have
Something you are
Computer authentication: cryptography, secret tokens, location, …
Computers (in contrast to humans) can “remember” large secrets (keys or tokens) and
can perform complex cryptographic operations
Location: evidence that an entity is at a specific place (IP, subnet, switch port, …)
Authentication can be delegated
The verifying entity relies on a trusted third party to establish authentication 
Identity and Access Management (IAM) services (e.g., Okta, Duo, OneLogin)
3
Something You Know: Password-based Authentication
Passwords, passphrases, pins, key-phrases, access codes, …
Good passwords are easy to remember and hard to guess
Easy to remember  easy to guess
Hard to guess  hard to remember
Bad ideas: date of birth, SSN, zip code, favorite team name, …

Password space (bits) depends on:

Password length
Character set

Better way to think about strong passwords: long passphrases

Can be combined with custom variations, symbols, numbers, capitalization, …

4
© XKCD - https://xkcd.com/936/
mikepo@styx:~> zxcvbn
Password:
{
"password": "Tr0ub4dor&3",
"guesses": "100000000001",
"guesses_log10": 11.000000000004341,
"crack_times_seconds": {
"online_throttling_100_per_hour": "3600000000036.000199840144435",
"online_no_throttling_10_per_second": "10000000000.1",
"offline_slow_hashing_1e4_per_second": "10000000.0001",
"offline_fast_hashing_1e10_per_second": "10.0000000001"
},
"crack_times_display": {
"online_throttling_100_per_hour": "centuries",
"online_no_throttling_10_per_second": "centuries",
"offline_slow_hashing_1e4_per_second": "4 months",
"offline_fast_hashing_1e10_per_second": "10 seconds"
},
}

“Assumes multiple attackers, proper

user-unique salting, and a slow hash
function w/ moderate work factor,
such as bcrypt, scrypt, PBKDF2.”

“Assumes user-unique salting but a fast hash

function like SHA-1, SHA-256 or MD5. A wide
range of reasonable numbers anywhere from
one billion - one trillion guesses per second,
depending on number of cores/machines.”

6
mikepo@styx:~> zxcvbn
Password:
{
"password": "correct horse battery staple",
"guesses": "213811968952000000000",
"guesses_log10": 20.330032012866745,
"crack_times_seconds": {
"online_throttling_100_per_hour": "7697230882272000427282.147568",
"online_no_throttling_10_per_second": "21381196895200000000",
"offline_slow_hashing_1e4_per_second": "21381196895200000",
"offline_fast_hashing_1e10_per_second": "21381196895.2"
},
"crack_times_display": {
"online_throttling_100_per_hour": "centuries",
"online_no_throttling_10_per_second": "centuries",
"offline_slow_hashing_1e4_per_second": "centuries",
"offline_fast_hashing_1e10_per_second": "centuries"
},
}

7
Password Policies (often have the opposite effect)
Password rules (miss the point)
“At least one special character,” “Minimum/Maximum length of 8/12 characters,” “Must
contain at least one number,” “Must contain at least one capital letter”
Makes passwords hard to remember!  encourages password reuse
Better: encourage long passphrases, and evaluate strength on-the-fly

Periodic password changing (does more harm than good)

“You haven’t changed your password in the last 90 days”
Probably too late anyway if password has already been stolen
Makes remembering passwords harder  more password resets
Hinders the use of password managers (!)
What users do: password1  password2  password3  …

10
11
Attacking Passwords
Offline cracking
Brute force attacks
Online guessing
Eavesdropping
Capturing

12
Password Storage
Storing passwords as plaintext is disastrous
Better way: store a cryptographic hash of the password

Even better: store the hash of a “salted” version of the password

Salt: non-secret random value stored along with the username  does not make
brute-force guessing a given password harder!
Benefit 1: Defend against dictionary attacks: prevent precomputation of hash values
(wordlists of popular passwords, rainbow tables, …)
Benefit 2: Unique salt per user: even if two users have the same password, their hash
values will be different  need to be cracked separately
Username Salt Password hash
George 4238 hash(4238, 1234567890) Password databases are
Tony 2918 hash(2918, 63%Tdx^FV) still getting leaked…
Mitsos 6902 hash(6902, zour1da)
...
13
Password Cracking
Exhaustive search  infeasible for large password spaces
Dictionary attacks (words, real user passwords from previous leaks, …)
Variations, common patterns, structure rules
Prepend/append symbols/numbers/dates, weird capitalization, l33tspeak, visually
similar characters, intended misspellings, …
Target-specific information
DOB, family names, favorite team, pets, hobbies, anniversaries, language, slang, …
Easy to acquire from social networking services and other public sites
Particularly effective against “security questions”
Advanced techniques
Probabilistic context-free grammars, Markov models, …

14
15
50 Most-used (Worse) Passwords

123456 1234567 123 ashley evite

123456789 qwerty omgpop 987654321 123abc
picture1 abc123 123321 unknown 123qwe
password Million2 654321 zxcvbnm sunshine
12345678 000000 qwertyuiop 112233 121212
111111 1234 qwer123456 chatbooks dragon
123123 iloveyou 123456a 20100728 1q2w3e4r
12345 aaron431 a123456 123123123 5201314
1234567890 password1 666666 princess 159753
senha qqww1122 asdfghjkl jacket025 0123456789

https://en.wikipedia.org/wiki/List_of_the_most_common_passwords
Distribution of 4-digit
sequences within
RockYou passwords

A birthday present every eleven wallets? The security of customer-chosen banking PINs. Joseph Bonneau, Sören Preibusch and Ross Anderson – FC ’12
Wordlists
ce#ebc.dk 4637324 gea8mw4yz fujinshan masich gothpunksk8er 20081010
goddess5 bugger825 kukumbike counter pengaiwei rftaeo48 leelou44
20071002 marmaris 260888 N8mr0n coalesce 8d7R0K 8UfjeGbO
271075711 jinjin111 jordi10 520057 56402768 5172032 200358808
zs3cu7za 170383gp lexusis adc123 thesis aics07 dellede
scoopn 3484427 kj011a039 bmaster aabbcc894 34mariah liang123.
frygas1411 fl33321 c84bwlrb qbjh04zg marion&maxime dongqinwei captainettekt
SL123456sl zwqrfg priyanka05 ueldaa79 614850 samarica kwiki-mart
12345687ee123 67070857 loveneverdies EMANUELLI ydz220105 cap10l4 mdovydas
xuexi2010 432106969 u8Aqebj576 yanjing 584521584521 0167387943 tigmys2001
daigoro 6856 FGYfgy77 assynt txudecp AE86Trueno denial
12345614 704870704870 659397 62157173 84410545 19700913 678ad5251
DICK4080 pv041886 327296 0704224950753 pietro.chiara mcsuap woaiwuai
567891234 20060814 74748585 6903293 jman1514 bu56mpbu 1591591591212
tilg80 512881535 19720919 axaaxa heryarma danbee hNbDGN
6z08c861 milanimilani 050769585 hilall 39joinmam passw<> cardcap
:zark: 472619 nicopa 30091983 timelapse money521 13985039393
ravishsneha dbyxw888 2232566 2510618981 mwinkar conan83 001104
150571611369 85717221 bearss soukuokpan 251422 nxfjpl desare11
661189 cc841215 n0tpublic tosecondlife willrock rateg143 412724198
passme ariana19321 isitreal00 p4os8m6q YHrtfgDK kojyihen nibh1kab
trolovinasveta bbbnnn ashraf19760 015614117 xys96exq 058336257 asferg
abdulkhaleque ang34hehiu 48144 acw71790 mercadotecnia sarah4444 hqb555
007816 wj112358 22471015 lsyljm2 8s5sBEx7 7363437 xgames7
xLDSX Brenda85 antyzhou115 2xgialdl 0125040344 freindship muckerlee
Florida2011 786525pb 0167005246 gaybar9 margitka JytmvWO848 choqui67
037037 shi461988 ec13kag 88203009 omaopa sb inbau 12130911
WestC0untry pingu 226226226226 MKltyh87 dfTi6nh 30907891 lierwei120
hitsugaiya yeybozip 6767537/33 quiggle 1314520521 0515043111 skytdvn
955998126 71477nak mimilebrock 2063775206 pixma760 1973@ati milena1995
3n3rmax stokurew gueis8850 fr3iH3it pearpear wlxgjf kambala11

18
19
20
23
Password Hashing Functions
Hash functions are very fast to evaluate  facilitate fast password cracking
Solution: slow down the guessing process (password “stretching”)
Benefit: cracking becomes very inefficient (e.g., 10-100ms per check)
Drawback: increased cost for the server if it must authenticate many users

Make heavy use of available resources

Fast enough computation to validate honest users, but render password guessing infeasible
Adaptable: flexible cost (time/memory complexity) parameters

Bcrypt [Provos and Mazières, 1999]

Cost-parameterized, modified version of the Blowfish encryption algorithm
Tunable cost parameter (exponential number of loop iterations)

Alternatives: Scrypt (memory-hard), PBKDF2 (PKCS standard)

A Future-Adaptable Password Scheme – USENIX ATC 1999 24
Online Guessing
Similar strategy to offline guessing, but rate-limited
Connect, try a few passwords, get disconnected, repeat…
Prerequisite: know a valid user name
Credential stuffing: try username + password combinations from previous breaches
Many failed attempts can lead to a system reaction
Introduce delay before accepting future attempts (exponential backoff )
Shut off completely (e.g., ATM capturing/disabling the card after 3 tries)
Ask user to solve a CAPTCHA
Very common against publicly accessible SSH, VPN, RDP, and other servers
Main reason people move sshd to a non-default port
Fail2Ban: block IP after many failed attempts  attackers may now be able to lock you out
Better: disable password authentication altogether and use a key pair  cumbersome if
having to log in from several devices or others’ computers

25
26
 (a) Successful login
(b) Login rejected after name is entered
(c) Login rejected after name and password are typed  less information makes guessing harder

Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved. 0-13-6006639
Before guessing, try
the default first…

28
Eavesdropping and Replay
Physical world
Post-it notes, notebooks, …
Lift fingerprints (e.g., Apple Touch ID)

Network
Sniffing (LAN, WiFi, …)
Man-in-the-Middle attacks

Defenses
Encryption
One-time password schemes

29
30
Password Capture
Hardware bugs/keyloggers
Software keyloggers/malware
Shoulder surfing
Cameras (e.g., ATM skimmers)
Social engineering

32
 (a) Correct login screen
(b) Phony login screen

Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved. 0-13-6006639 34
Something You Have: Authentication Tokens
One-time passcode tokens
Time-based or counter-based

Various other authentication tokens

Store certificates, encryption keys, challenge–response, …

Smartcards (contact or contactless)

Identification, authentication, data storage, limited processing
Magnetic stripe cards, EMV (chip-n-pin credit cards), SIM cards, RFID tags, …

USB/BLE/NFC tokens, mobile phones, watches, …

Can be used as authentication devices

35
Something You Are: Biometrics
Fingerprint reader
Face recognition
Depth sensing, infrared cameras, …
Liveness detection (pulse, thermal) to foil simple picture attack

Retina/iris scanner
Voice recognition  broken
…

Related concept: continuous authentication

Keystroke timing, usage patterns, …
36
“The probability that a random person the population [sic] could look at
your iPhone X and unlock it using Face ID is approximately 1 in 1,000,000
(versus 1 in 50,000 for Touch ID).
For additional protection, Face ID allows only five unsuccessful match
attempts before a passcode is required to obtain access to your iPhone.
The probability of a false match is different for twins and siblings that look
like you as well as among children under the age of 13, because their
distinct facial features may not have fully developed. If you're concerned
about this, we recommend using a passcode to authenticate.”

https://www.apple.com/business-docs/FaceID_Security_Guide.pdf 37
38
Multi-factor Authentication
Must provide several separate credentials of different types
Most common: two-factor authentication (2FA)
Example: Password + hardware token/SMS message/authenticator app, …
Example: ATM card + PIN
Motivation: a captured/cracked password is now not enough to
compromise a victim’s account  not always true
Man-in-the-Middle: set up fake banking website, relay password to real website, let
the user deal with the second factor…
Man-in-the-Browser: hijack/manipulate an established web session after
authentication has been completed (malware, e.g., banking trojans)
Dual infection: compromise both PC and mobile device (rare)
More importantly: the most commonly used 2nd factor (SMS) is the least secure

39
SMS Is Not a Secure 2nd Factor
(but still better than no 2nd factor)

Social engineering
Call victim’s mobile operator and hijack the phone number
SIM swaping, message/call forwarding, …

Message interception
Rogue cell towers: IMSI catchers, StingRays,…
Some phones even display text messages on the lock screen (!)

SS7 attacks
The protocol used for inter-provider signaling is severely outdated and vulnerable
Allows attackers to spoof change requests to users' phone numbers and intercept
calls or text messages
40
41
42
https://keydiscussions.com/2024/02/05/sim-swap-attacks-can-be-blamed-on-companies-embracing-sms-based-password-resets/ 43
SMS as 2nd Factor vs. SMS for Account Recovery
Despite its shortcomings, SMS as a 2nd factor is better than nothing
Data point (Google): prevented 100% of 3.3B automated password stuffing attacks,
96% of 12M bulk phishing, and even 76% of <10k targeted attacks seen over a year

Unfortunately, the convenience of phone numbers has led many

services to overload SMS as the sole authentication factor
SMS-based onboarding
SMS-based authentication (login with phone number)
SMS-based password reset/account recovery

These are disastrous: a simple SIM-swap attack can take over an

account without knowing the password
Password reset via email is much more secure
Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials – CCS 2017 44
Better Alternative: Authenticator Apps
Time-based one-time password (TOTP)
Six/eight digit code provided after password validation
HMAC of a shared secret key and the current time
The key is negotiated during registration
Requires “rough” client–server synchronization
Code constantly changes in 30-second intervals
User-friendly alternative: push notification (e.g., Duo Push)
MFA “fatigue” attacks: flood a user with push notifications
More importantly: Phishing is still possible!
The attacker just needs to proxy the captured credentials in real time
(rather than collecting them for later use)

45
46
The attacker then repeatedly tried to log in to the Uber account
using the illegally obtained credentials, prompting a two-factor
login approval request each time. After the contractor initially
blocked those requests, the attacker contacted the target on
WhatsApp posing as tech support, telling the person to accept
the MFA prompt — thus allowing the attacker to log in.

47
Evilginx2 https://github.com/kgretzky/evilginx2

Man-in-the-middle attack framework for phishing login credentials

along with session cookies
Bypasses 2-factor authentication

No need for HTML templates: just a web proxy

Victim’s traffic is forwarded to the real website
TLS termination at the proxy (e.g., using a LetsEncrypt certificate)

© Kuba Gretzky - https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/ 48

© Kuba Gretzky - https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/
Even Better Alternative: U2F Tokens (AKA Security Keys)
Universal Second Factor (U2F)
FIDO (Fast IDentity Online) alliance: Google, Yubico, …
Supported by all popular browsers and many online services

A different key pair is generated for each origin during registration

Origin = <protocol, hostname, port>
Private key stored re-generated on device
Public key sent to server

Additions to the authentication flow:

Origin (URI): prevents phishing
TLS Channel ID (optional): prevents MitM

50
© Yubico - https://developers.yubico.com/U2F/ 51
U2F tokens
Benefits
Easy: just tap the button (no typing)
Works out of the box (no drivers to install)
USB, NFC, Bluetooth communication
No shared secret between client and server
Origin checking  prevents phishing!

Drawbacks
Can be lost  need a fallback (backup codes, 2nd U2F token, authenticator app, …)
Cumbersome: have to pull keychain out and plug token in (or have an always
pugged-in token, in which case though it can be stolen along with the device)
Cost ($10–$70)

54
55
56
57
2FA Recap – What threats does it prevent?
SMS: useful against two main threats
Credential stuffing (people tend to reuse passwords across different services)
Leaked passwords (post-it, hardware keyloggers, cameras, shoulder surfing, …)
Introduces new security/privacy issues: SIM swapping, SMS account recovery, SMS spam…

Authenticator Apps/Push Auth: much better alternative than SMS

Protects against the same threats without relying on phone numbers

U2F: additional protection against phishing

Modern phishing toolkits bypass SMS/Authenticator/Push 2FA through MitM
Humans fall for typosquatting, but U2F’s origin check doesn’t

None of the above protect against session hijacking and Man-in-the-Browser

Game over anyway if the host is compromised after the user has successfully logged in

58
Password Managers
Have become indispensable
Encourage the use of complex/non-memorable passwords
Obviate the need for password reuse: unique passwords per site/service
Protection against phishing: auto-fill won’t work for incorrect domains
As long as users don’t copy/paste passwords out of the password manager (!)
Various options: third-party applications, OS-level, in-browser
Password synchronization across devices
Can the service provider access all my passwords or not?
Preferable option: passwords should be encrypted locally with a master password
never visible to the cloud service
Single point of failure (!)
59
Lastpass breach

60
61
Single Sign-on/Social Login
Use a central authentication service for multiple sites
Pros
Convenience: fewer passwords to remember
Easier development: outsource user registration/management
Rich experience through social features

Cons
Same credentials for multiple sites: single point of failure
Third-parties gain access to users’ profiles
Provider can track users

63
WebAuthn
W3C Web Authentication standard (FIDO2): Successor of FIDO U2F
Use cases
Low friction and phishing-resistant 2FA (in conjunction with a password)
Passwordless, biometrics-based re-authorization
2FA without a password (passwordless login)

Authenticators: devices that can generate private/public key pairs and

gather consent (simple tap, fingerprint read, …)
Roaming Authenticators:
USB/BLE/NFC security keys
Platform Authentications:
Built-in fingerprint readers, cameras, …

https://www.yubico.com/authentication-standards/webauthn/ 64
65
Passkeys
Completely replace passwords with cryptographic key pairs
Server only keeps a user’s public key
Based on WebAuthn: rely on biometric identification (Face ID, Windows Hello, …)

Key enabler: identity providers (Apple, Google, …) who also sell devices
The device becomes an authenticator: what if it gets lost?  recovery through vendor
Users have more than one device  seamless syncing

 

https://www.passkeys.io/ 66
67
68
Multi-factor vs. Multi-step
Factor: something you know/have/are
Step: user-specific action
Type password, tap fingerprint reader, press security key, look at camera, …

Example: U2F flow with passwords

Type password + tap security key  two factors, two steps ********* +

Example: FIDO2 passwordless flow

Tap biometric security key  two factors, one step
Phone Face ID  two factors, one step

https://medium.com/webauthnworks/its-single-step-not-factor-clarifying-more-fido-terminology-d06d9c31b4f2 69
Best Practices
Use long passphrases instead of passwords
Never reuse the same password on different services

Use two-factor authentication

Avoid SMS if possible! Use an authenticator app or even better U2F (or passkeys)
Remove phone number from account after authenticator/U2F setup
Store your backup codes/backup key in a safe location

Use a password manager

Pick non-memorable passwords and avoid copy/pasting them
Password auto-fill helps against phishing! (auto-fill will fail if the domain is wrong)

Use SSH keys instead of passwords

82