Skip to content

Recommendations and Mitigations

Mohamed A. Baset edited this page Aug 1, 2016 · 11 revisions

Recommendations and Mitigations

Our top recommendation is to just stop using Login with QR code except when it is necessary also there is a lot of ways to mitigate such issue and here is some ways to be used together or standalone:

  1. Session Confirmation, We recommend implementing a confirmation message/notification displaying characteristic information about the session made by the client/server.

  2. IP Restrictions, Restricting any authentication process on different networks (WANs) will minimize the attack window.

  3. Location-based Restrictions, Restricting any authentication process based on different locations will minimize the attack window.

  4. Sound-based Authentication, One of the techniques to mitigate this kind of attack [And maintain the same usability level as to not require any additional interaction from the user other than scanning the QR ] is to add sound-based authentication step to the process , we have seen this kind of technology where it is possible to generate unique data and convert it to audio that can be recognized back into its original form [SlickLogin and Sound-Proof] so it is possible to include this technology in the process .

The purposes of this added step is to make sure that scanned QR code is generated in the same physical location as the mobile device that is doing the scan and therefore eliminating the possibility of a remote attacker deceiving the user into scanning his qr code.

Figure(5) An illustration of the login process [QR code login + Sound authentication]

The Attack Scenario (with the mitigation):

  1. Attacker visits the website and opens a session.
  2. The Website Generates QR Code which holds a session key.
  3. Attacker crafts a phishing website with the received QR Code and sends it to the user.
  4. User scans the attacker's QR Code in the phishing website.
  5. The mobile App generates the authentication sound and play it to the phishing website.
  6. The phishing website fails to process and capture the authentication audio as it requires additional browser permissions.
  7. Even if the attacker tries to generate the authentication sound based on the (User ID) he still lacks the private key.

Figure(6) An illustration of the login process [QR code login + Sound authentication] attacks & mitigation