Lost & Found: The Hidden Risks of Account Recovery in a Passwordless Future

Black Hat USA 2025, Thursday, August 7
Speakers: Sid Rao, Gabriela Sonkeri

Note: This handout version of the slide deck has slightly different (and more) content than the presentation version.

Who are we?

Dr. Sid Rao, Senior Security Researcher, Nokia Bell Labs, Finland
Gabriela Sonkeri*, Security Engineer, Wolt, Finland
Amel Bourdoucen*, User and Impact Researcher, F-Secure and Aalto University, Finland
Prof. Janne Lindqvist, Associate Professor, Aalto University, Finland

* Contributions while working at Nokia Bell Labs

Special thanks: Prof. Tuomas Aura, Dr. Thanh Bui, and Dr. Markku Antikainen

Background

A user's authentication credentials become unavailable:
#1: Authentication credentials are forgotten or mislaid by the user
#2: Authentication credentials are inaccessible to the user
  - Personal device is lost
  - Logging in from a new device or location

These are genuine scenarios in which a benign user wants to reclaim control over, or recover, their account. The service provider needs to provision a way of reclaiming control in such genuine scenarios. The problem: genuine-looking scenarios can be malicious, and genuineness cannot be verified. This is where flaws in the recovery flow come in.

Account Recovery Overview

An automated process provisioned by the service provider for benign users to reclaim access.

Parties and channels in the flow:
  - Service Provider
  - User
  - Recovery Method (an independent, out-of-band communication channel)
  - Recovery Session (an unauthenticated user session)
  - Recovery Token (an OTP or a URL)

Step 0: Establish out-of-band trust (the user registers a recovery method with the service provider)
Step 1: User requests "Recover my account" in an unauthenticated recovery session
Step 2: Service provider generates a recovery token
Step 3: Service provider sends the token over the recovery method
Step 4: User retrieves the token from the recovery method
Step 5: User submits the retrieved token in the recovery session
Step 6: Service provider allows recovery if the token is valid

Account Recovery Lifecycle

1. Trigger recovery: the user clicks, e.g., "Forgot password" or "Unable to login"
2. Verif
3. Password change: set up a new password