Secure display for FIDO transaction confirmation

Yongxian Zhang, Xinluo Wang, Ziming Zhao, Hui Li

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

FIDO protocols enable online services to leverage native authenticators of end-user computing devices including fingerprint readers for authentication to replace or complement passwords. FIDO protocols also offer support for prompting a user to confirm a specific transaction. However, due to the lack of a trusted display module in most Authenticators, operating systems of user devices display transaction contents directly on the main screen. In the paper, we demonstrate an attack on FIDO transaction confirmation in which malicious applications leverage the disparity between the displayed and actual transaction contents to trick users into confirming falsified transactions. In addition, we propose a lightweight secure display mechanism for FIDO transaction confirmations on mobile devices by leveraging the ARM TrustZone technology.

Original language: English (US)
Title of host publication: CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy
Publisher: Association for Computing Machinery, Inc
Pages: 155-157
Number of pages: 3
Volume: 2018-January
ISBN (Electronic): 9781450356329
DOIs: https://doi.org/10.1145/3176258.3176946
State: Published - Mar 13 2018
Event: 8th ACM Conference on Data and Application Security and Privacy, CODASPY 2018 - Tempe, United States
Duration: Mar 19 2018 to Mar 21 2018

Other

Other: 8th ACM Conference on Data and Application Security and Privacy, CODASPY 2018
Country: United States
City: Tempe
Period: 3/19/18 to 3/21/18

Keywords

  • FIDO
  • Secure Display
  • Transaction Confirmation

ASJC Scopus subject areas

  • Computer Science Applications
  • Information Systems
  • Software


Cite this

Zhang, Y., Wang, X., Zhao, Z., & Li, H. (2018). Secure display for FIDO transaction confirmation. In CODASPY 2018 - Proceedings of the 8th ACM Conference on Data and Application Security and Privacy (Vol. 2018-January, pp. 155-157). Association for Computing Machinery, Inc. https://doi.org/10.1145/3176258.3176946