Maginot Line: Assessing a New Cross-app Threat to PII-as-Factor Authentication in Chinese Mobile Apps
Fannv He
Network and Distributed System Security (NDSS) Symposium 2024 · Day 2 · Mobile & Authentication
In the rapidly evolving landscape of mobile application security, especially within the vast Chinese digital ecosystem, reliance on Personally Identifiable Information (PII) as an authentication factor has become increasingly prevalent. This talk, "Maginot Line: Assessing a New Cross-app Threat to PII-as-Factor Authentication in Chinese Mobile Apps," presented by Fannv He, sheds light on a critical, yet previously under-explored, vulnerability that stems from the interconnected nature of mobile applications. The research introduces **PII-as-Factor Authentication (PaFA)**, a method in which sensitive personal data, such as a national ID number or a bank card number, is used to verify a user's identity, often for password recovery or sensitive transactions. While ostensibly designed to enhance security, the study reveals that simultaneous use of, and business interactions between, multiple apps can inadvertently create systemic weaknesses, making PaFA less secure than intended.