-
Password managers provide significant security benefits to users. However, malicious client-side scripts and browser extensions can steal passwords after the manager has autofilled them into the web page. In this paper, we extend prior work by Stock and Johns, showing how password autofill can be hardened to prevent these local attacks. We implement our design in the Firefox browser and conduct experiments demonstrating that our defense successfully protects passwords from XSS attacks and malicious extensions. We also show that our implementation is compatible with 97% of the Alexa top 1000 websites. Next, we generalize our design, creating a second defense that prevents recently discovered local attacks against the FIDO2 protocols. We implement this second defense into Firefox, demonstrating that it protects the FIDO2 protocol against XSS attacks and malicious extensions. This defense is compatible with all websites, though it does require a small change (2–3 lines) to web servers implementing FIDO2.
Free, publicly-accessible full text available October 15, 2026
-
Users continue to authenticate on a wide range of devices. Logging into such devices is often complex due to factors related to the variety of devices used and because of passwords. While passwords can present a challenge for users—especially in creating secure passwords—password managers can help users generate and store passwords. However, research has shown that users avoid generating passwords, often giving the rationale that it is difficult to enter generated passwords on devices without a password manager. In this paper, we conduct a survey (n = 999) of individuals from the US, UK, and Europe, exploring the range of devices on which they enter passwords and the challenges associated with password entry on those devices. We find that password entry on devices without password managers is a common occurrence and comes with significant usability challenges that often lead users to weaken their passwords to increase the ease of entry. We conclude this paper by discussing how future research could address these challenges and encourage users to adopt generated passwords.
Free, publicly-accessible full text available September 3, 2026
-
This work explores the security and privacy perceptions, practices, and challenges Pakistani immigrants face in the US. We also explore how parent-child dynamics affect immigrants’ learning about and adaptation to security and privacy practices in the US. Through 25 semi-structured interviews with Pakistani immigrants, we find that first-generation immigrants perceive heightened risks of discrimination, surveillance, and isolation due to their status as Muslim immigrants. They also report tensions regarding self-expression and self-censorship in online settings. In contrast, second-generation immigrants quickly adapt to life in the US and do not perceive most of these challenges. We find that first- and second-generation immigrants mutually support each other in learning to use technology and reacting to perceived threats. Our findings underscore an urgent need for tailored digital safety initiatives and designs that consider the unique needs of at-risk populations to ensure their security and privacy. Recognizing and addressing these challenges can foster more inclusive digital landscapes, empowering immigrant populations with resilience and agency.
Free, publicly-accessible full text available May 12, 2026
-
In this digital age, parents and children may turn to online security advice to determine how to proceed. In this paper, we examine the advice available to parents and children regarding content filtering and circumvention as found on YouTube and TikTok. In an analysis of 839 videos returned from queries on these topics, we found that half (n=399) provide relevant advice to the target demographic. Our results show that of these videos, roughly three-quarters are accurate, with the remaining one-fourth containing incorrect advice. We find that videos targeting children are both more likely to be incorrect and actionable than videos targeting parents, leaving children at increased risk of taking harmful action. Moreover, we find that while advice videos targeting parents will occasionally discuss the ethics of content filtering and device monitoring (including recommendations to respect children’s autonomy), no such discussion of the ethics or risks of circumventing content filtering is given to children, leaving them unaware of any risks that may be involved with doing so. Our findings suggest that video-based social media has the potential to be an effective medium for propagating security advice and that the public would benefit from security researchers and practitioners engaging more with these platforms, both for the creation of content and of tools designed to help with more effective filtering.
Free, publicly-accessible full text available January 1, 2026
-
Two-factor authentication (2FA) defends against account compromise by protecting an account with both a password—the primary authentication factor—and a device or resource that is hard to steal—the secondary authentication factor (SAF). However, prior research shows that users need help registering their SAFs with websites and successfully enabling 2FA. To address these issues, we propose the concept of a SAF manager that helps users manage SAFs through their entire life cycle: setup, authentication, removal, replacement, and auditing. We design and implement two proof-of-concept prototypes. In a between-subjects user study (N=60), we demonstrate that our design improves users' ability to correctly and quickly set up and remove a SAF on their accounts. Qualitative results show that users responded very positively to the SAF manager and were enthusiastic about its ability to help them rapidly replace a SAF. Furthermore, our SAF manager prevented fatal errors that users experienced when not using the manager.