This presentation is part of the Works-in-Progress session, which aims to provide authors with early feedback to adjust on-going research. Manuscript titles are redacted until the work has been published.

trends suggest that this assumption does not hold, and users may unknowingly or otherwise inadvertently approve login confirmations for users other than themselves, thereby improving the chance of successful phishing or otherwise malicious activity. While this mistake may stem from insufficient user training, it nevertheless poses a significant entry point for malicious actors even in the face of security mechanisms.

In this paper, we develop a model of the “Semi-Untrusted User” problem and discuss how errant login request approvals can lead to compromised user accounts and possibly wider breaches of SSO services. We identify the requirements for a solution that can mitigate this issue, and propose a simple mechanism to prevent mishandled login requests. Briefly, we develop a login page that is unavailable (i.e. not visible or returns 404) to unauthorized users so that malicious actors cannot use these credentials without enrolling the device requesting login, which in turn requires an already trusted device for the account of the user in question (e.g. TOTP or similar time-bound primitive).

Michael Sandborn is a graduate research assistant in computer science and Russell G. Hamilton Scholar at Vanderbilt University. He is advised by Dr. Jules White who leads the Magnum Research Group. Michael's research focuses on cyber-physical systems and computer security and aims to improve the security guarantees of authentication methods in both cyber and physical domains.