Virtually all computer users have experienced the process of authenticating to a device, program, or web page using a user name and password. In response to various types of attacks, information security specialists have devised a variety of improvements or replacements to this process. For example, in a phishing attack a user may be presented with a fake login page, and the attacker obtains the user's credentials when they are entered into it. To counter this type of attack, when a user account is created the user may be asked to select an image that will later identify a genuine login page. During authentication, the user is asked for a user name, is then shown the selected image, and only afterwards is asked to enter a password. This approach may thwart a static fake page, since the attacker is unlikely to know which image to display for a given user. It does not help against a phishing page that acts as a live proxy: such a page can forward the entered user name to the genuine site, retrieve the correct image, and display it to the user before capturing the password.
Another refinement to the authentication process is known as “multi-factor authentication,” in which users are asked to provide one or more additional authentication factors besides a password. Multi-factor authentication systems may require users to possess a magnetic card or electronic device (something the user has), answer challenge questions (something the user knows), or submit to biometric scanning (something the user is).
Several enhancements to the authentication process involve the use of a personal device, such as a mobile phone or tablet computer. During creation of a user account, the user may be asked to register a personal device that is expected to remain in the user's possession. When authenticating on another device, the user is then asked to endorse the authentication attempt on the registered personal device. For example, when authenticating to a social media account from a computer, the social media service may send an SMS message to the user's mobile phone asking the user to confirm that the login attempt is genuine, either by replying to the message or by clicking a button or link it contains.
Unfortunately, these enhancements to the authentication process are subject to an attack referred to here as “session hijacking” (the term is used more commonly for the theft of an already-established session token; the scenario described here is a race between two endorsement requests). By monitoring a user's activities, an attacker who already holds the user's password may time an authentication attempt to coincide with one made by the user, so that two endorsement requests reach the personal device at nearly the same moment. The user may mistakenly endorse the attacker's attempt, either because the attacker's endorsement request arrived at the personal device first, or because the user assumed a system error had caused a second request to be sent and endorsed both. Accordingly, what is needed are additional and improved systems and methods for preventing session hijacking.
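The exchange above, as an added example that is not part of the original disclosure: a toy push-endorsement service in Python, with the attacker's login queued just ahead of the user's. The bare “YES” reply shows both failure modes described in the text (the first-arrived request is the attacker's; a second “YES” sent as an assumed re-send approves the attacker too). The code-bound endorsement path is one widely used mitigation (the endorsement carries a short code displayed on the device the user is actually using), shown for contrast; it is not the method the disclosure goes on to claim. All service names, device names and message formats are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class LoginAttempt:
    request_id: str
    username: str
    origin: str      # device or address that started the login (constructed labels)
    challenge: str   # short code also shown on the initiating device (hardened path only)
    approved: bool = False


class PushAuthService:
    """Toy service: a password-verified login on one device is completed only by an
    endorsement from the user's registered personal device. Illustrative, not any vendor's API."""

    def __init__(self) -> None:
        self.pending: list[LoginAttempt] = []   # oldest first, in the order messages were sent
        self.granted: list[LoginAttempt] = []

    def begin_login(self, username: str, origin: str) -> tuple[LoginAttempt, str]:
        """Record an attempt and build the SMS-style message pushed to the personal device.
        The 6-digit challenge is unique among this user's pending attempts."""
        code = f"{secrets.randbelow(10**6):06d}"
        while any(a.username == username and a.challenge == code for a in self.pending):
            code = f"{secrets.randbelow(10**6):06d}"
        attempt = LoginAttempt(secrets.token_hex(4), username, origin, code)
        self.pending.append(attempt)
        message = (f"Approve sign-in for {username}? Reply YES, "
                   f"or enter the code {code} shown on your screen.")
        return attempt, message

    def endorse_yes(self, username: str) -> Optional[LoginAttempt]:
        """Vulnerable handling: a bare YES names no attempt, so the service approves the
        oldest pending one for that user. If the attacker queued first, YES completes
        the attacker's login."""
        for attempt in self.pending:
            if attempt.username == username:
                return self._approve(attempt)
        return None

    def endorse_code(self, username: str, code: str) -> Optional[LoginAttempt]:
        """Hardened handling: the endorsement carries the code displayed on the device the
        user is sitting at, so only that attempt can be approved. A code the user never
        saw (the attacker's) cannot be endorsed by accident."""
        for attempt in self.pending:
            if attempt.username == username and attempt.challenge == code:
                return self._approve(attempt)
        return None   # unknown or stale code: refuse rather than guess

    def _approve(self, attempt: LoginAttempt) -> LoginAttempt:
        self.pending.remove(attempt)
        attempt.approved = True
        self.granted.append(attempt)
        return attempt

    def granted_origins(self) -> list[str]:
        return [a.origin for a in self.granted]


def simulate_race(bind_to_code: bool) -> list[str]:
    """Attacker, watching the victim, starts a login moments before she does, so the
    attacker's endorsement request reaches the phone first."""
    svc = PushAuthService()
    svc.begin_login("alice", "attacker-host")                  # attacker already has the password
    victim, _msg = svc.begin_login("alice", "alice-desktop")   # victim's own attempt
    if bind_to_code:
        svc.endorse_code("alice", victim.challenge)  # user types the code from her own screen
    else:
        svc.endorse_yes("alice")                     # user replies YES to the first message
    return svc.granted_origins()


def simulate_duplicate_reply() -> list[str]:
    """Second failure mode from the text: the victim's attempt is first, but she treats
    the attacker's request as a re-send caused by a system error and replies YES again."""
    svc = PushAuthService()
    svc.begin_login("alice", "alice-desktop")
    svc.begin_login("alice", "attacker-host")
    svc.endorse_yes("alice")
    svc.endorse_yes("alice")
    return svc.granted_origins()


if __name__ == "__main__":
    print("bare YES, attacker queued first:", simulate_race(False))   # ['attacker-host']
    print("code-bound endorsement:", simulate_race(True))             # ['alice-desktop']
    print("YES sent twice:", simulate_duplicate_reply())              # ['alice-desktop', 'attacker-host']
```

The point of the contrast is that an endorsement which merely says “approve” is ambiguous whenever more than one request is pending; binding the approval to something only the genuine initiating device displays removes the ambiguity, though it still relies on the user comparing the two codes rather than reflexively approving.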