Presentation at RWC 2026

Real World Crypto Symposium (RWC) is an annual conference focused on the practical application and deployment of cryptography in real-world systems. It brings together researchers and practitioners from academia and industry to discuss topics such as secure protocols, privacy-enhancing technologies, cryptographic implementations, and system security. The symposium emphasizes practice-oriented contributions and operates primarily in an invited-talk format, making it a key venue for connecting advanced cryptographic research with real-world use cases.

2026-03-17

At RWC 2026, Carolina Ortega Pérez and Paul Gerhart (both TU Wien Informatics, Privacy Enhancing Technologies Group) presented “Improving Account Security for Victims of Account Compromise through Client-Side Access Logging,” joint research with Alaa Daffalla (Cornell University) and Thomas Ristenpart (Cornell Tech).

The work addresses a persistent and practically relevant challenge in modern cybersecurity: despite continuous improvements in authentication mechanisms, account compromise remains widespread, while users still lack reliable tools to determine which devices have accessed their accounts. At the same time, providing such transparency conflicts with strict privacy requirements on the modern web, which discourage or prohibit the use of stable device identifiers by online services.

Recent approaches have attempted to reconcile this tension through client-side encrypted access logging (CSAL). However, existing solutions remain limited, as they do not guarantee complete retrieval of log entries, potentially leaving users unaware of adversarial or unauthorized access events.

To overcome these limitations, the authors introduce Trace, a novel CSAL system that enables complete and privacy-preserving access logging. Trace records verifiable evidence of each authentication event in an encrypted log maintained by an independent logging service, ensuring that only the user can access and inspect this information. Importantly, the design maintains full backward compatibility with existing authentication infrastructures, as web services remain unaware of the logging process.

Compared to prior work, Trace achieves a unique combination of properties: verifiable device attribution, strong privacy guarantees, backward compatibility, and formally analyzed security against malicious adversaries. The system has also been evaluated in a prototype implementation, demonstrating performance of over 10,000 authentications per second on a single core, indicating strong potential for deployment at scale in real-world services.

This contribution highlights an important step toward reconciling usability, security, and privacy in account protection mechanisms, and reflects the growing importance of user-centric security designs in modern web ecosystems.

Further reading: Trace: Complete Client-Side Account Access Logging