Lecture announcement:

1. Speaker: 李万鹏 (Wanpeng Li)
2. Title: Simple But Not Secure: Empirical Security Analysis of Two Factor Authentication Systems
3. Time: July 4 (Friday), 14:00
4. Venue: 柏彦大厦 (Baiyan Building), Floor F12, Conference Room 1
5. Host: 吴发国 (Wu Faguo)
6. Abstract:
To protect users from data breaches and phishing attacks, service providers typically implement two-factor authentication (2FA) as an extra layer of defense against suspicious login attempts. However, to balance security with user convenience, many websites seek to reduce the frequency of 2FA prompts, often by storing the user's "Remember the Device" preference in a cookie, so that 2FA is only triggered when the cookie expires or the user logs in from a new device. While this approach improves usability, it may introduce security risks. To evaluate and improve the security of 2FA systems in real-world settings, we propose SE2FA, a vulnerability evaluation framework that analyzes the security of 407 2FA systems across popular websites in the Tranco Top 10,000 list. Our study uncovered three zero-day vulnerabilities that could allow attackers to bypass 2FA entirely and gain unauthorized access without the second authentication factor. These vulnerabilities were rooted in design decisions intended to simplify 2FA workflows, inadvertently weakening their security. We have responsibly disclosed these issues to the affected service providers and assisted with mitigation efforts. Based on the insights from this research, we provide practical recommendations to strengthen 2FA security and prevent similar threats.
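The abstract describes the "Remember the Device" cookie that lets a site skip the 2FA prompt on a known device. The following is an added illustration of the server-side checks such a cookie needs before the prompt is skipped; it is not code from SE2FA or from the talk, and it assumes a constructed design in which the cookie is an HMAC-signed JSON payload carrying the account (`uid`), device (`dev`), issue time (`iat`) and expiry (`exp`) claims, with a per-user revocation timestamp supplied by the caller. Every failure path falls back to prompting for the second factor.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side secret for this example only; a deployment would load it from a secrets store.
SERVER_KEY = b"example-remember-device-key"
REMEMBER_TTL = 30 * 24 * 3600  # how long a remembered device may skip 2FA (30 days, an assumption)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_remember_cookie(user_id: str, device_id: str, now: Optional[float] = None) -> str:
    """Create the 'Remember the Device' cookie after a successful 2FA.

    The payload binds the cookie to one account and one device and records issue and
    expiry times; an HMAC over the payload lets the server detect tampering.
    """
    now = time.time() if now is None else now
    claims = {"uid": user_id, "dev": device_id, "iat": int(now), "exp": int(now) + REMEMBER_TTL}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8")
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def needs_second_factor(cookie: Optional[str], user_id: str, device_id: str,
                        revoked_before: float = 0.0, now: Optional[float] = None) -> bool:
    """Return True when the login must still pass 2FA.

    The prompt is skipped only if the cookie is present, intact, unexpired, bound to this
    user and device, and issued after the user's last 'sign out everywhere' (revoked_before).
    """
    now = time.time() if now is None else now
    if not cookie or "." not in cookie:
        return True
    payload_b64, tag_b64 = cookie.split(".", 1)
    try:
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (binascii.Error, ValueError):
        return True
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return True  # forged or modified cookie
    try:
        claims = json.loads(payload)
    except ValueError:
        return True
    if not isinstance(claims, dict):
        return True
    if claims.get("uid") != user_id or claims.get("dev") != device_id:
        return True  # cookie minted for another account or another device
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return True  # expired: the user must complete 2FA again
    if not isinstance(claims.get("iat"), int) or claims["iat"] < revoked_before:
        return True  # issued before the user revoked remembered devices
    return False


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed fixed clock so the run is reproducible
    cookie = issue_remember_cookie("alice", "dev-1", now=issued_at)
    print("same device, fresh cookie -> prompt:", needs_second_factor(cookie, "alice", "dev-1", now=issued_at + 10))
    print("new device               -> prompt:", needs_second_factor(cookie, "alice", "dev-2", now=issued_at + 10))
    print("after revocation         -> prompt:", needs_second_factor(cookie, "alice", "dev-1", revoked_before=issued_at + 5, now=issued_at + 10))
```

The point of the design is that the cookie is never trusted on its own: the server re-derives the tag with its own key, checks the account and device binding against the login being attempted, and honours both expiry and any later revocation, so a cookie copied to another browser or replayed after the user signs out everywhere still leads to a 2FA prompt.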
About the speaker:
Wanpeng Li (李万鹏) is an Assistant Professor in Cybersecurity in the Department of Computer Science at the University of Liverpool and a PhD supervisor. Before that, he was an Assistant Professor in the Department of Computer Science at the University of Aberdeen and in the Department of Computing and Mathematics at Manchester Metropolitan University, where he also served as Head of the Department of Cyberspace Security in the School of Computing and as a PhD supervisor. He previously worked as a postdoctoral researcher in Professor Tom Chen's group in the School of Computing at City, University of London.
His research focuses on identity management systems, web security, applied cryptography, and software security. His work on identity management systems has been published in several high-quality international conferences in the network and information security field, has significantly improved the security of the OpenID Connect systems of Google and several other Internet companies, and earned him a listing in Google's Security Hall of Fame.