Xin Zhang (Fudan University), Xiaohan Zhang (Fudan University), Huijun Zhou (Fudan University), Bo Zhao (Fudan University)

Cross-device authentication (XDAuth) has become an essential mechanism for seamless account access across multiple devices. In this paradigm, a user can sign in on one device (the target device) by completing authentication on another trusted device (the authentication device) that holds an active session or stored credentials, improving user experience. However, the decoupling of the authentication device and target device introduces new risks: the physical and contextual separation disrupts the usual authentication flow, creates information asymmetry, and makes it hard for users to assess the legitimacy of an authentication request. Consequently, users may inadvertently approve malicious logins and face account compromise, especially when key contextual details, explicit confirmation, or revocation mechanisms are missing.

To address these risks, we start from a user-centric perspective grounded in three fundamental user rights: the right to know, the right to consent, and the right to control, to safeguard the security and usability of XDAuth systems. We investigate how these rights are supported in practice by examining 27 major services spanning three typical XDAuth schemes. Our findings are concerning: over half of the services do not provide any information about the target device during authentication, not all services enforce explicit user confirmation, and six lack a way to revoke suspicious authorizations. We responsibly disclosed these issues to the affected vendors, several of whom acknowledged the problems and responded positively. We further conduct a user study with 100 participants, uncovering that the vast majority consider these rights essential and expect them to be upheld in XDAuth. Our study reveals a clear gap between current implementations and user expectations, underscoring the need for stronger user rights support to develop more secure, user-centered XDAuth.
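The three rights the abstract identifies map directly onto server-side checks in an XDAuth approval flow: the authentication device is shown the target device's context (right to know), a session is issued only after an explicit confirmation (right to consent), and the user can list and revoke issued sessions afterwards (right to control). The following toy service is an added illustration written for this page, not code from the paper or from any of the 27 services studied; all device names, addresses and the `XDAuthServer` API are constructed.

```python
"""Toy cross-device authentication (XDAuth) approval service.

Constructed example that enforces the three user rights named in the
abstract: know (target-device context is captured and shown), consent
(no session without explicit confirmation) and control (sessions are
listable and revocable). Not the paper's code; every name is invented.
"""
import secrets
from dataclasses import dataclass


@dataclass
class LoginRequest:
    request_id: str
    user: str
    target_device: dict      # context displayed on the authentication device
    status: str = "pending"  # pending | approved | denied


@dataclass
class Session:
    session_id: str
    user: str
    target_device: dict      # kept so the user can recognise the session later
    revoked: bool = False


class XDAuthServer:
    # Context the target device must supply before a request is even created.
    REQUIRED_CONTEXT = {"device_name", "ip", "location"}

    def __init__(self):
        self.requests = {}
        self.sessions = {}

    def start_login(self, user, target_device):
        """Target device asks to sign in; nothing is granted at this point."""
        missing = self.REQUIRED_CONTEXT - set(target_device)
        if missing:
            # Right to know: refuse requests that would leave the user blind.
            raise ValueError(f"target device context missing: {sorted(missing)}")
        rid = secrets.token_urlsafe(8)
        self.requests[rid] = LoginRequest(rid, user, dict(target_device))
        return rid

    def pending_for(self, user):
        """Requests the authentication device should show, with full context."""
        return [r for r in self.requests.values()
                if r.user == user and r.status == "pending"]

    def approve(self, request_id, explicit_confirmation=False):
        """Right to consent: a session is issued only on explicit confirmation."""
        req = self.requests[request_id]
        if req.status != "pending":
            raise ValueError("request already resolved")
        if not explicit_confirmation:
            raise PermissionError("explicit confirmation required")
        req.status = "approved"
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(sid, req.user, req.target_device)
        return sid

    def deny(self, request_id):
        """Silently dropping a request is not enough; record the denial."""
        req = self.requests[request_id]
        if req.status != "pending":
            raise ValueError("request already resolved")
        req.status = "denied"

    def sessions_for(self, user):
        """Right to control: active sessions, each with its device context."""
        return [s for s in self.sessions.values()
                if s.user == user and not s.revoked]

    def revoke(self, session_id):
        """Right to control: a suspicious authorization can be withdrawn."""
        self.sessions[session_id].revoked = True

    def is_valid(self, session_id):
        """What a resource server would check on every request."""
        s = self.sessions.get(session_id)
        return s is not None and not s.revoked


if __name__ == "__main__":
    srv = XDAuthServer()
    # Constructed target-device context (documentation address range).
    tv = {"device_name": "Living-room TV", "ip": "203.0.113.7", "location": "Unknown"}
    rid = srv.start_login("alice", tv)
    for r in srv.pending_for("alice"):
        print("Sign-in request from", r.target_device)
    sid = srv.approve(rid, explicit_confirmation=True)
    print("session valid:", srv.is_valid(sid))
    srv.revoke(sid)
    print("session valid after revoke:", srv.is_valid(sid))
```

The interesting cases are the negative ones: `approve()` without `explicit_confirmation=True` refuses, so a UI that merely treats "request seen" as approval cannot issue a session, and `start_login()` rejects a target device that omits context, so the authentication device never has to render a request it cannot describe.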
