Strengthening user authentication through opportunistic cryptographic identity assertions
Date: October 2012
Publication: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS '12
Page(s): 404 - 414
Source 1: http://homes.cs.washington.edu/~yoshi/papers/czeskis-phoneauth-ccs12.pdf
Source 2: http://homes.cs.washington.edu/~aczeskis/research/pubs/czeskis-phoneauth-ccs12.pdf
Source 3: http://dx.doi.org/10.1145/2382196.2382240 - Subscription or payment required
Abstract or Summary:
User authentication systems are at an impasse. The most ubiquitous method -- the password -- has numerous problems, including susceptibility to unintentional exposure via phishing and cross-site password reuse. Second-factor authentication schemes have the potential to increase security but face usability and deployability challenges. For example, conventional second-factor schemes change the user authentication experience. Furthermore, while more secure than passwords, second-factor schemes still fail to provide sufficient protection against (single-use) phishing attacks.
We present PhoneAuth, a system intended to provide security assurances comparable to or greater than that of conventional two-factor authentication systems while offering the same authentication experience as traditional passwords alone. Our work leverages the following key insights. First, a user's personal device (e.g., a phone) can communicate directly with the user's computer (and hence the remote web server) without any interaction with the user. Second, it is possible to provide a layered approach to security, whereby a web server can enact different policies depending on whether or not the user's personal device is present. We describe and evaluate our server-side, Chromium web browser, and Android phone implementations of PhoneAuth.