One-Time Password Access to Any Server Without Changing the Server
Date: September 2008
Publication: Proceedings of the 11th international conference on Information Security, ISC '08
Page(s): 401 - 420
Source 1: http://research.microsoft.com/pubs/78026/1569113867_final_email.pdf.pdf
Source 2: http://link.springer.com/chapter/10.1007/978-3-540-85886-7_28
In this paper we describe a service that allows users one-time password access to any web account, without any change to the server, without changing anything on the client, and without storing user credentials in-the-cloud. The user pre-encrypts his password using an assigned set of keys and these encryptions are sent as one-time passwords to his cell phone or carried. To login he merely enters one of the encryptions as prompted, and the URRSA service decrypts before forwarding to the login server. Since credentials are not stored (the service merely decrypts and forwards) it has no need to authenticate users. Thus, while the user must trust the service, there are no additional passwords or secrets to remember. Since our system requires no server changes it can be used on a trust-appropriate basis: the user can login normally from trusted machines, but when roaming use one-time passwords. No installation of any software or alteration of any settings is required at the untrusted machine: the user merely requires access to a browser address bar.
Do you have additional information to contribute regarding this research paper? If so, please email email@example.com with the details.