
Lost & Found: The Hidden Risks of Account Recovery in a Passwordless Future (.pdf)

Uploaded by: 竿*** | ID: 981868 | 2025-11-29 | 55 pages | 2.68 MB

Lost & Found: The Hidden Risks of Account Recovery in a Passwordless Future
Black Hat USA 2025, Thursday, August 7
Speakers: Sid Rao, Gabriela Sonkeri
Note: This handout version of the slide deck has slightly different (and more) content than the presentation version.

Who are we?
Dr. Sid Rao, Senior Security Researcher, Nokia Bell Labs, Finland
Gabriela Sonkeri*, Security Engineer, Wolt, Finland
Amel Bourdoucen*, User and Impact Researcher, F-Secure and Aalto University, Finland
Prof. Janne Lindqvist*, Associate Professor, Aalto University, Finland
* Contributions while working at Nokia Bell Labs
Special thanks: Prof. Tuomas Aura, Dr. Thanh Bui, and Dr. Markku Antikainen

Background
Users' authentication credentials become unavailable:
#1: Authentication credentials are forgotten or mislaid by the user
#2: Authentication credentials are inaccessible to the user (the personal device is lost, or the user is logging in from a new device or location)
These are genuine scenarios in which a benign user wants to reclaim control over, or recover, their account.
The service provider needs to provision a way of reclaiming control in such genuine scenarios.
Genuine-looking scenarios can be malicious.
Genuineness cannot be verified.
Flaws in the recovery flow.

Account Recovery Overview
An automated process provisioned by the service provider for benign users to reclaim access.
Parties and artifacts: Service Provider; User; Recovery Method (an independent communication channel); Recovery Session (an unauthenticated user session); Recovery Token (an OTP or a URL).
Step 0: Establish out-of-band trust (the recovery method)
Step 1: User: "Recover my account"
Step 2: Service provider generates a recovery token
Step 3: Service provider sends the token over the recovery method
Step 4: User retrieves the token
Step 5: User submits the retrieved token in the recovery session
Step 6: Service provider allows recovery if the token is valid

Account Recovery Lifecycle
1. Trigger recovery: the user clicks, e.g., "Forgot password" or "Unable to login"
2. Verif
3. Password change: set up a new password
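The Step 0 to Step 6 exchange above, modelled end to end as an added example (this is not code from the talk or its authors). It goes slightly beyond the slide by also enforcing the properties a reviewer would check in a real flow: the token is stored only as a hash, it is single-use, it expires, guesses are rate-limited, and a new recovery request retires any earlier live session for the same account so two recovery sessions cannot run in parallel. The ServiceProvider class, the outbox list standing in for the independent channel, the 15-minute lifetime, the five-guess limit, and the account and address names are all assumptions made for illustration.

```python
"""Model of the Step 0-6 recovery-token exchange (added example, not the talk's code).

Service provider, user, channel addresses, TTL and attempt limit are assumed
values for illustration; the outbox list stands in for the independent channel.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60   # assumed token lifetime
MAX_ATTEMPTS = 5              # assumed guess limit per recovery session


@dataclass
class RecoverySession:
    """Step 1: an unauthenticated session; it holds only a hash of the token."""
    session_id: str
    account: str
    token_hash: str
    expires_at: float
    attempts: int = 0
    consumed: bool = False


def _hash_token(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ServiceProvider:
    def __init__(self, clock=time.time):
        self.clock = clock            # injectable so expiry can be tested
        self.recovery_methods = {}    # account -> verified out-of-band address (Step 0)
        self.sessions = {}            # session_id -> RecoverySession
        self.outbox = []              # simulated channel: (address, token) pairs

    def register_recovery_method(self, account, address):
        """Step 0: establish out-of-band trust at account creation."""
        self.recovery_methods[account] = address

    def request_recovery(self, account):
        """Steps 1-3: open a recovery session, mint a token, send it over the channel."""
        # Only one live recovery session per account: retire earlier ones so that
        # an old token cannot be used in parallel with the new one.
        for s in self.sessions.values():
            if s.account == account:
                s.consumed = True
        session_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)          # Step 2: unguessable token
        self.sessions[session_id] = RecoverySession(
            session_id, account, _hash_token(token), self.clock() + TOKEN_TTL_SECONDS)
        address = self.recovery_methods.get(account)
        if address is not None:
            self.outbox.append((address, token))  # Step 3: deliver via the recovery method
        # A session id is returned either way, so the reply does not reveal
        # whether the account exists or has a recovery method.
        return session_id

    def submit_token(self, session_id, token):
        """Steps 5-6: allow recovery only for a matching, unexpired, unused token."""
        s = self.sessions.get(session_id)
        if s is None or s.consumed or self.clock() > s.expires_at:
            return False
        s.attempts += 1
        if s.attempts > MAX_ATTEMPTS:
            s.consumed = True                      # too many guesses: burn the session
            return False
        if not hmac.compare_digest(_hash_token(token), s.token_hash):
            return False
        s.consumed = True                          # single use
        return True


def retrieve_token(sp, address):
    """Step 4: the user reads the most recent token delivered to their address."""
    for addr, token in reversed(sp.outbox):
        if addr == address:
            return token
    return None


def run_demo():
    """Constructed walkthrough: one honest recovery, then the failure modes."""
    now = [1_000_000.0]
    sp = ServiceProvider(clock=lambda: now[0])
    sp.register_recovery_method("alice", "alice@example.test")  # constructed account

    sid = sp.request_recovery("alice")
    token = retrieve_token(sp, "alice@example.test")
    results = {
        "wrong_token": sp.submit_token(sid, "not-the-token"),
        "right_token": sp.submit_token(sid, token),
        "replay": sp.submit_token(sid, token),
    }
    old_sid = sp.request_recovery("alice")
    old_token = retrieve_token(sp, "alice@example.test")
    new_sid = sp.request_recovery("alice")
    results["parallel_old_session"] = sp.submit_token(old_sid, old_token)
    results["parallel_new_session"] = sp.submit_token(new_sid, retrieve_token(sp, "alice@example.test"))
    sid = sp.request_recovery("alice")
    token = retrieve_token(sp, "alice@example.test")
    now[0] += TOKEN_TTL_SECONDS + 1
    results["expired"] = sp.submit_token(sid, token)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The recovery session is deliberately separate from any authenticated session: it knows the account it was opened for but grants nothing until Step 6 succeeds, and once it has been consumed (by success, replay, expiry or too many guesses) it cannot be revived. Anything a real deployment adds on top of this (an MFA challenge inside the recovery session, a forced credential reset afterwards, notification to the account's other channels) hangs off the single `submit_token` success path.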

Based on the report's content, a brief summary of its main points: 1. **Account recovery risk**: account recovery flows contain security weaknesses that can lead to account takeover and abuse. 2. **Common triggers**: a forgotten password or a lost device is the usual reason a user enters account recovery. 3. **Account recovery flow**: the flow consists of verification, sending a recovery token, submitting the token, and re-authentication. 4. **Security weaknesses found**: unverified recovery methods, inconsistent verification, security features that can be disabled through recovery, and parallel recovery sessions being allowed. 5. **Weak security policies**: no multi-factor authentication during recovery, no forced password change after recovery, and MFA applied only after recovery completes. 6. **Recommended best practices**: add and verify multiple recovery methods at account creation, keep the flow secure while recovery is being processed, and use interchangeable recovery and MFA methods. 7. **Research method**: the 22 most popular websites were tested with an audit framework, and at least one security weakness was found. 8. **Key figures**: 4 in 5 users forgot at least one credential in the past 90 days, and 25% of users need to perform account recovery every day.