Internet users regularly register accounts with websites, cloud applications, or other online services. The user's account information, including a username and password, is generally kept securely by the service and used for the purpose of authenticating that a subsequent visitor to the service is the user they purport to be. Once authenticated, the user is granted access to the service.
Most online services use traditional username and password checks as a first layer of security. To improve account security, online services may also layer additional factors of authentication before authenticating a user. A common form of a second factor of authentication involves the exchange of a one-time code between the online service and a visitor to the service via a verification device that has already been associated with a user of the service. By successfully exchanging the one-time code, the service visitor ostensibly demonstrates their possession of the verification device, thereby providing a further indication that they are the user they purport to be. Often the verification device is the user's mobile telephone and is distinct from the login device used to access the online service, or receives the one-time code through a communication channel different from that used by the login device. By authenticating users through a combination of a username and password check as well as one-time code exchange (the combination commonly referred to as two-factor authentication, or “2FA”), online services are able to more securely grant account access to only intended users while preventing access by those who have compromised one of the two security layers.
Unfortunately, the additional security provided by two-factor authentication can be undermined by an unauthorized individual who manipulates either the communication with the verification device or the device itself. For example, if a one-time code that is intended for the verification device of a user is instead received by a different device in the possession of an unauthorized individual, then the unauthorized individual may be able to exchange the one-time code with the online service, thereby making the individual appear to be in possession of the known verification device. In other words, the unauthorized individual may be able to satisfy the second factor of authentication without actual possession of the verification device associated with the user, thus aiding the individual's unauthorized access to the user account. It would therefore be desirable to be able to identify when the one-time code exchange between an online service and a trusted verification device associated with a user account has been compromised, thereby preventing potentially fraudulent access to the user account.
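As an added illustration, not part of this disclosure and not the method it goes on to describe, the following Python sketch models the server side of the one-time code exchange just discussed. It assumes a verification device enrolled with a shared secret that answers each delivered code with an HMAC receipt, so the service can tell a login presenting a code that reached the registered device from one presenting a code that was received elsewhere; the secret, the field names and the time-out are assumptions of the example.

```python
import hashlib
import hmac
import secrets

CODE_TTL = 300  # seconds a one-time code stays valid (assumed policy value)


class OneTimeCodeService:
    # Illustrative server side of a 2FA one-time-code exchange (assumed design).
    def __init__(self):
        self.device_keys = {}  # username -> enrolled verification-device secret
        self.pending = {}      # username -> state of the currently issued code
        self.alerts = []       # usernames whose exchange looked compromised

    def enroll_device(self, username, device_key):
        self.device_keys[username] = device_key

    def issue_code(self, username, now):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = {"code": code, "expires": now + CODE_TTL,
                                  "receipt_ok": False, "used": False}
        return code  # delivered out of band to the registered device only

    @staticmethod
    def device_receipt(device_key, code):
        # What the verification device computes when the code arrives.
        return hmac.new(device_key, code.encode(), hashlib.sha256).hexdigest()

    def record_receipt(self, username, receipt):
        state = self.pending.get(username)
        if state is None:
            return False
        expected = self.device_receipt(self.device_keys[username], state["code"])
        state["receipt_ok"] = hmac.compare_digest(expected, receipt)
        return state["receipt_ok"]

    def verify(self, username, presented_code, now):
        state = self.pending.get(username)
        if state is None or state["used"] or now > state["expires"]:
            return "denied"
        if not hmac.compare_digest(state["code"].encode(), presented_code.encode()):
            return "denied"
        state["used"] = True  # a code is accepted at most once
        if not state["receipt_ok"]:
            # Right code, but the registered device never confirmed receiving it:
            # the code reached some other device. Block the login and flag it.
            self.alerts.append(username)
            return "flagged"
        return "ok"
```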
The techniques introduced in this disclosure can be better understood by referring to the following Detailed Description in conjunction with the accompanying drawings.