Anchors of Trust: A Usability Study on User Awareness, Consent, and Control in Cross-Device Authentication
Xin Zhang
Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · Usable Security
Xin Zhang from Fenin University presents a systematic evaluation of **cross-device authentication (XDA)** across 27 major real-world services, revealing that none adequately protect all three fundamental user rights: the **right to know** (what device is being authorized), the **right to consent** (explicit approval), and the **right to control** (post-authentication session management). The study found that **52% of services** provide zero information about the target device during authentication, enabling attacks like **QRLJacking**, in which users unknowingly authorize attacker-controlled sessions. Even more concerning, some services bypass user consent entirely after the QR code is scanned, and 10 services send no notification when a login occurs. A discovered **zombie session bug** in Zoho allowed real-time chat access to persist even after session revocation. A user study with 100 participants confirmed that **91% prefer** knowing target device details, and **98% believe** these rights enhance security. The work led to Zoho acknowledging the findings and adding the recommended features to their product roadmap.
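The three rights and the zombie-session failure mode, as an added example that is not the paper's or Zoho's code: a hypothetical approver-side model of a QR cross-device login in Python, with constructed device metadata. `authorize` resolves a derived realtime token back to its parent session so revocation propagates, while `authorize_zombie` reproduces the behaviour the Zoho bug exhibited, where a chat token stayed valid after its session was revoked.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    token: str
    device: dict  # what the approver was shown before consenting
    revoked: bool = False

class XdaAuthenticator:
    def __init__(self):
        self.pending = {}        # challenge -> target-device metadata
        self.sessions = {}       # session token -> Session
        self.derived = {}        # chat/websocket token -> parent session token
        self.notifications = []  # what the account owner is told

    def start_login(self, device):  # initiator (device showing the QR) opens a challenge
        challenge = secrets.token_urlsafe(16)
        self.pending[challenge] = dict(device)
        return challenge

    def describe(self, challenge):  # right to know: shown before any decision
        return self.pending.get(challenge)

    def decide(self, challenge, approve):
        """Right to consent: scanning alone never creates a session."""
        device = self.pending.pop(challenge)
        if not approve:
            self.notifications.append(f"Denied login from {device['name']}")
            return None
        session = Session(secrets.token_urlsafe(32), device)
        self.sessions[session.token] = session
        self.notifications.append(f"New login from {device['name']} ({device['ip']})")
        return session.token

    def derive_chat_token(self, session_token):  # token a realtime channel carries
        chat_token = secrets.token_urlsafe(16)
        self.derived[chat_token] = session_token
        return chat_token

    def revoke(self, session_token):  # right to control
        self.sessions[session_token].revoked = True

    def authorize(self, token):  # resolve derived tokens to parent so revocation propagates
        parent = self.sessions.get(self.derived.get(token, token))
        return parent is not None and not parent.revoked

    def authorize_zombie(self, token):  # the bug: derived token outlives its parent
        return token in self.derived
```

The device name and IP below are constructed sample values (203.0.113.0/24 is a documentation range), not data from the study.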
AI review
A usability study documenting that cross-device authentication services don't show users enough information about what they're approving. The zombie session bug in Zoho is the only concrete security finding. The rest is cataloging UX deficiencies across 27 services and proposing a three-rights framework that amounts to 'show users more info and add a deny button.' Useful for product security teams but not for security researchers.