Doctoral candidate (PhD student) in Computer Science

The candidate’s tasks include:

• Assistance with teaching classes in security
• Conducting research publishable in reputable international venues
• Writing of progress reports and presentations towards thesis
• Work constructively towards goals set by supervisors

The candidate should be prepared to engage in the project ``Semi-Controlled Distributed Account Management’’ described below. The project is within the Security and Trust of Software System (SaToSS) research group led by Prof Sjouke Mauw.

Description of proposed PhD thesis topic...

The use of a password manager is a current best practice that many users and organisations follow. Password managers facilitate the generation and maintenance of unique, complex and random passwords and thus help prevent account compromise due to weak or reused passwords. However, with the rising number of apps, online accounts, smart devices and authentication methods, we are facing many new threats that are not related to passwords. For example, we must now also worry about misconfigured apps, third-party access permissions to accounts, vulnerabilities of devices, and security incidents at service providers.

Moreover, our apps, accounts, and devices are interconnected: An email app on a smartphone provides access to the email account to anyone who can unlock the smartphone. If, say, the smartphone user’s groceries account supports password resetting by email, then the user’s groceries account, too, can be accessed by anyone who can unlock the smartphone. There are many other such connections due to multi-factor, single sign-on, and other authentication methods. We refer to this collection of apps, devices, accounts, and authentication methods as an account ecosystem.

The interconnected nature of items in an account ecosystem means that for any security incident involving one item, there are potential ramifications for every other item in an account ecosystem. In our user study of 20 young to middle aged adults, they reported on average 43 items in their account ecosystems that were in active use.  The complexity of account ecosystems is expected to further increase significantly with new services, such as Open Banking, connecting our existing accounts with new third-party account services, and new items, such as wearable devices, smart home appliances, car infotainment systems connecting to our existing devices such as smartphones, home routers, and introducing new apps and cloud services to control them.

Yet, there is no tool that helps managing our account ecosystems and no simple way to assess the risks to the integrity and availability of items in our account ecosystem. Indeed, it is precisely the lack of such a tool at the larger scale of an organisation’s account ecosystem that leaves many institutions blind to the possible attack paths that ransomware attacks have exploited.