Encrypted Access Logging for Online Accounts: Device Attributions without Device Tracking

Video (Microsoft Research YouTube channel): https://www.youtube.com/watch?v=27guWil6aeg

Despite improvements in authentication mechanisms, compromise of online accounts remains prevalent. Therefore, technologies to detect compromise retroactively are also necessary. Service providers try to help users diagnose the security status of their accounts via account security interfaces (ASIs) that display recent logins or other activity. Recent work showed how major services' ASIs are untrustworthy because they rely on easily manipulated client-provided values. The reason is a seemingly fundamental tension between accurately attributing accesses to particular devices and the need to prevent online services from tracking devices.

We propose client-side encrypted access logging (CSAL) as a new approach that navigates the tension between tracking privacy and ASI utility. The key idea is to add to account activity logs end-to-end (E2E) encrypted device identification information, leveraging OS support and FIDO2-style attestations. We detail a full proposal for a CSAL protocol that works alongside existing authentication mechanisms and provide a formal analysis of integrity, privacy, and unlinkability in the face of honest-but-curious adversaries. Interestingly, a key challenge is characterizing what is feasible in terms of logging in this setting. We discuss security against active adversaries, provide a proof-of-concept implementation, and overall show feasibility of how OS vendors and service providers can work together towards improved account security and user safety.
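The following Python sketch is an added example of the core CSAL idea as the abstract states it (an E2E-encrypted device identifier appended to each log entry, readable by the user but not by the service, unlinkable across logins, and integrity-protected). It is not the talk's protocol or the authors' code: the message layout, the per-login challenge, the name `user_log_key` (assumed to live only in the user's OS key store), the toy HMAC-based cipher standing in for a real AEAD, and the sample logins are all assumptions of this example.

```python
import hashlib
import hmac
import json
import os

# Illustrative sketch of client-side encrypted access logging (CSAL): the device writes
# an E2E-encrypted device identifier into the account activity log, the service stores
# it without being able to read or link it, and the user decrypts it later to attribute
# each access. Layout, key names and the HMAC-based cipher are assumptions of this
# example, not the protocol from the talk.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode; stand-in for a real AEAD cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(user_log_key: bytes):
    enc_key = hmac.new(user_log_key, b"csal-enc", hashlib.sha256).digest()
    mac_key = hmac.new(user_log_key, b"csal-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _mac(mac_key: bytes, aad: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Length-prefix the associated data so (aad, nonce, ct) parses unambiguously.
    return hmac.new(mac_key, len(aad).to_bytes(4, "big") + aad + nonce + ct, hashlib.sha256).digest()


def seal(user_log_key: bytes, nonce: bytes, plaintext: bytes, aad: bytes):
    """Encrypt-then-MAC; the tag also covers server-visible associated data (aad)."""
    enc_key, mac_key = _subkeys(user_log_key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return ct, _mac(mac_key, aad, nonce, ct)


def unseal(user_log_key: bytes, nonce: bytes, ct: bytes, tag: bytes, aad: bytes) -> bytes:
    enc_key, mac_key = _subkeys(user_log_key)
    if not hmac.compare_digest(_mac(mac_key, aad, nonce, ct), tag):
        raise ValueError("log entry failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def client_log_entry(user_log_key: bytes, device_id: str, challenge: bytes) -> dict:
    """Runs on the device that is logging in. user_log_key is held only on the user's
    devices (assumed to come from the OS key store); the service never sees it."""
    nonce = os.urandom(16)  # fresh per login, so two entries from one device look unrelated
    plaintext = json.dumps({"device_id": device_id}).encode()
    ct, tag = seal(user_log_key, nonce, plaintext, challenge)  # challenge binds entry to this login
    return {"challenge": challenge.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


class Server:
    """Honest-but-curious service: stores what it receives and may try to link entries."""

    def __init__(self):
        self.log = []

    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def record_login(self, entry: dict, client_ip: str, server_ts: int) -> None:
        self.log.append({**entry, "ip": client_ip, "server_ts": server_ts})

    def can_link(self, i: int, j: int) -> bool:
        """Linking attempt using only the encrypted fields of two entries."""
        a, b = self.log[i], self.log[j]
        return a["ct"] == b["ct"] or a["nonce"] == b["nonce"] or a["tag"] == b["tag"]


def review_log(user_log_key: bytes, server_log: list) -> list:
    """Runs on a trusted device of the user; turns the service's log into device attributions."""
    rows = []
    for e in server_log:
        try:
            pt = unseal(user_log_key, bytes.fromhex(e["nonce"]), bytes.fromhex(e["ct"]),
                        bytes.fromhex(e["tag"]), bytes.fromhex(e["challenge"]))
            rows.append({"ip": e["ip"], "ts": e["server_ts"], "device": json.loads(pt)["device_id"], "ok": True})
        except ValueError:
            # Modified or forged entry: surface it instead of silently dropping it.
            rows.append({"ip": e["ip"], "ts": e["server_ts"], "device": None, "ok": False})
    return rows


if __name__ == "__main__":
    key = os.urandom(32)
    srv = Server()
    # Constructed sample logins: two from the same laptop, one from a phone.
    for ip, dev, ts in [("198.51.100.7", "laptop-A", 1), ("198.51.100.7", "laptop-A", 2), ("203.0.113.9", "phone-B", 3)]:
        srv.record_login(client_log_entry(key, dev, srv.new_challenge()), ip, ts)
    print("service can link entries 0 and 1 via encrypted fields:", srv.can_link(0, 1))
    for row in review_log(key, srv.log):
        print(row)
```

Two things the sketch makes visible that the abstract only states: the service still sees the IP address and timestamp of every login, so unlinkability here concerns only the device identifier, and a tampered or forged entry fails the integrity check on the user's side rather than decrypting to a wrong device. A real deployment would replace the HMAC cipher with an AEAD and tie the entry to a FIDO2-style attestation, which this example does not model.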

Speaker: Carolina Ortega Pérez (Cornell University)
