Let Your Camera See for You: A Novel Two-Factor Authentication Method against Real-Time Phishing Attacks
Yuanyi Sun, Sencun Zhu, Yao Zhao, Pengfei Sun

TL;DR
This paper introduces PhotoAuth, a novel 2FA method that uses a photo of the web browser with the domain name as a second factor, effectively preventing real-time phishing attacks without requiring special hardware.
Contribution
The paper proposes a new 2FA system leveraging OCR on user-taken photos to verify website authenticity, addressing vulnerabilities of existing methods against real-time phishing.
Findings
PhotoAuth effectively detects fake websites in real-time
The system is scalable and easy to deploy without special hardware
Prototyped system shows good performance in various environments
Abstract
Today, two-factor authentication (2FA) is a widely implemented mechanism to counter phishing attacks. Although much effort has been investigated in 2FA, most 2FA systems are still vulnerable to carefully designed phishing attacks, and some even request special hardware, which limits their wide deployment. Recently, real-time phishing (RTP) has made the situation even worse because an adversary can effortlessly establish a phishing website replicating a target website without any background of the web page design technique. Traditional 2FA can be easily bypassed by such RTP attacks. In this work, we propose a novel 2FA system to counter RTP attacks. The main idea is to request a user to take a photo of the web browser with the domain name in the address bar as the 2nd authentication factor. The web server side extracts the domain name information based on Optical Character Recognition…
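The server-side step the abstract describes, checking the domain name that OCR reads from the photo, sketched as an added example (this is not PhotoAuth's code, and the abstract above is cut off before it gives the authors' verification details). It assumes the OCR stage has already produced a text string; `EXPECTED_HOST`, the function names, the sample strings and the exact-match policy are all hypothetical choices made for illustration.

```python
import re

# Assumption: the hostname this server expects to see in the address bar.
EXPECTED_HOST = "login.example.com"

_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")
_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://")


def host_from_ocr(ocr_text):
    """Return the single hostname found in OCR'd address-bar text, else None."""
    hosts = []
    for token in ocr_text.lower().split():
        token = _SCHEME_RE.sub("", token)
        authority = re.split(r"[/?#]", token, maxsplit=1)[0]
        if "@" in authority:
            return None  # userinfo trick (expected@other-host): fail closed
        host = re.sub(r":\d+$", "", authority).rstrip(".")
        if _HOST_RE.match(host):
            hosts.append(host)
    # More than one host-like token means the photo is ambiguous: reject.
    return hosts[0] if len(hosts) == 1 else None


def photo_matches_site(ocr_text, expected=EXPECTED_HOST):
    """Exact match only. OCR confusions such as 1/l are never 'corrected',
    because correcting them would turn a lookalike domain into a match."""
    host = host_from_ocr(ocr_text)
    return host is not None and host == expected


# Constructed OCR outputs (not from the paper) and the expected decision.
SAMPLES = [
    ("https://login.example.com/signin?next=%2F", True),
    ("Login.Example.com:443/signin", True),
    ("https://login.example.com.evil.example/signin", False),  # expected host as prefix
    ("https://evil.example/login.example.com", False),         # expected host in path
    ("https://login.examp1e.com/", False),                     # lookalike character
    ("https://login.example.com@evil.example/", False),        # userinfo trick
    ("login.example.com evil.example", False),                 # two hosts in frame
]

if __name__ == "__main__":
    for text, want in SAMPLES:
        print(f"{photo_matches_site(text)!s:5} (want {want!s:5}) {text}")
```

The check fails closed: any input it cannot reduce to exactly one well-formed hostname is rejected rather than repaired.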
Taxonomy
Topics: Spam and Phishing Detection · User Authentication and Security Systems · Advanced Malware Detection Techniques
