Research Spending & Results

Award Detail

Awardee: UNIVERSITY OF ALABAMA AT BIRMINGHAM
Doing Business As Name: University of Alabama at Birmingham
PD/PI:
  • Nitesh Saxena
  • (205) 975-3432
  • saxena@uab.edu
Award Date: 05/11/2021
Estimated Total Award Amount: $499,934
Funds Obligated to Date: $499,934
  • FY 2021=$499,934
Start Date: 08/15/2021
End Date: 07/31/2024
Transaction Type: Grant
Agency: NSF
Awarding Agency Code: 4900
Funding Agency Code: 4900
CFDA Number: 47.070
Primary Program Source: 040100 NSF RESEARCH & RELATED ACTIVIT
Award Title or Description: CICI: UCSS: Towards Secure and Usable Push Notification Authentication for Collaborative Scientific Infrastructures
Federal Award ID Number: 2115107
DUNS ID: 063690705
Parent DUNS ID: 808245794
Program: Cybersecurity Innovation
Program Officer:
  • Robert Beverly
  • (703) 292-7068
  • rbeverly@nsf.gov

Awardee Location

Street: AB 1170
City: Birmingham
State: AL
ZIP: 35294-0001
County: Birmingham
Country: US
Awardee Cong. District: 07

Primary Place of Performance

Organization Name: University of Alabama at Birmingham
Street: 1300 University Blvd.
City: Birmingham
State: AL
ZIP: 35294-0001
County: Birmingham
Country: US
Cong. District: 07

Abstract at Time of Award

Second-factor (2FA) or passwordless authentication based on notifications pushed to a user's personal device (e.g., a phone), which the user can simply approve or deny, has become widely popular due to its convenience, especially for protecting scientific resources at universities and similar organizations. This project is studying the premise that the effortlessness of this approach gives rise to a fundamental design vulnerability arising from concurrent login sessions (one initiated by the user and the other initiated by the attacker), and is then redesigning push-based authentication systems so that they can counter the identified vulnerability without degrading the overall usability of the approach. The proposed new design attempts to address concurrent login attacks by establishing a unique binding between the user's browser session and the push notification. The research consists of three inter-related activities: (1) formalization and study of a fundamental vulnerability in standard push notification authentication schemes; (2) design and implementation of low-effort push-based authentication schemes that can defeat the identified vulnerability without undermining usability; and (3) formal studies of the proposed new push-based authentication schemes, conducted in lab settings and field environments. The resulting resilient push authentication system designs are expected to offer an improved level of protection, accessibility and usability to everyday users in scientific and collaborative settings. The research prototypes are expected to be of broader value in future research on building resilient and usable authentication services in practice. The project is emphasizing technology transfer by working with major players in the push-based authentication domain.
The proposed research is being integrated with educational activities in the form of advanced curriculum development and student mentoring in the broad domains of Authentication and Human-Computer Interaction, and the involvement of high school and K-12 students and minority populations is broadening the reach of the project. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
