Xin Zhang (Fudan University), Xiaohan Zhang (Fudan University), Huijun Zhou (Fudan University), Bo Zhao (Fudan University)

Cross-device authentication (XDAuth) has become an essential mechanism for seamless account access across multiple devices. In this paradigm, a user can sign in on one device (the target device) by completing authentication on another trusted device (the authentication device) that holds an active session or stored credentials, improving user experience. However, the decoupling of the authentication device and target device introduces new risks: the physical and contextual separation disrupts the usual authentication flow, creates information asymmetry, and makes it hard for users to assess the legitimacy of an authentication request. Consequently, users may inadvertently approve malicious logins and face account compromise, especially when key contextual details, explicit confirmation, or revocation mechanisms are missing.

To address these risks, we start from a user-centric perspective grounded in three fundamental user rights: the right to know, the right to consent, and the right to control, to safeguard the security and usability of XDAuth systems. We investigate how these rights are supported in practice by examining 27 major services spanning three typical XDAuth schemes. Our findings are concerning: over half of the services do not provide any information about the target device during authentication, not all services enforce explicit user confirmation, and six lack a way to revoke suspicious authorizations. We responsibly disclosed these issues to the affected vendors, several of whom acknowledged the problems and responded positively. We further conduct a user study with 100 participants, uncovering that the vast majority consider these rights essential and expect them to be upheld in XDAuth. Our study reveals a clear gap between current implementations and user expectations, underscoring the need for stronger user rights support to develop more secure, user-centered XDAuth.

View More Papers

PhantomMap: GPU-Assisted Kernel Exploitation

Jiayi Hu (Zhejiang University), Qi Tang (Jilin University), Xingkai Wang (Zhejiang University), Jinmeng Zhou (Zhejiang University), Rui Chang (Zhejiang University), Wenbo Shen (Zhejiang University)

Read More

CAT: Can Trust be Predicted with Context-Awareness in Dynamic...

Jie Wang (State Key Laboratory of Integrated Services Networks, School of Cyber Engineering, Xidian University), Zheng Yan (State Key Laboratory of Integrated Services Networks, School of Cyber Engineering, Xidian University and Hangzhou Institute of Technology, Xidian University), Jiahe Lan (State Key Laboratory of Integrated Services Networks, School of Cyber Engineering, Xidian University), Xuyan Li (Hangzhou…

Read More

Benchmarking and Understanding Safety Risks in AI Character Platforms

Yiluo Wei (The Hong Kong University of Science and Technology (Guangzhou)), Peixian Zhang (The Hong Kong University of Science and Technology (Guangzhou)), Gareth Tyson (The Hong Kong University of Science and Technology (Guangzhou))

Read More