Subtle and sometimes baffling variations in the implementation of password-based authentication are widespread on the web. Despite being imperceptible to end users, such variations often require that password managers implement complex heuristics in order to act on the user's behalf. These heuristics are inherently brittle. As a result, password managers are unnecessarily complex and yet they still occasionally fail to work properly on some websites. In this paper we propose PMF, a specification of simple semantic labels for password-related web forms. These semantic labels allow a software agent such as a password manager to extract meaning, such as which site the login form is for and what field in the form corresponds to the username. Our spec also allows the agent to generate a strong password on the user's behalf. PMF reduces a password manager's dependency on complex heuristics, making its operation more effective and dependable and bringing usability and security advantages to users and website operators.
One recent thread of academic and commercial research into web authentication has focused on schemes where users scan a visual code with their smartphone, which is a convenient alternative to passwordbased login. We find that many schemes in the literature (including, previously, our own) are, unfortunately, vulnerable to relay attacks. We explain the inherent reasons for this vulnerability and offer an architectural fix, evaluating its trade-offs and discussing why it has never been proposed by other authors.
Abstract. In previous work we presented Pico, an authentication system designed to be both more usable and more secure than passwords. One unsolved problem was that Pico, in its quest to explore the whole solution space without being bound by compatibility shackles, requires changes at both the prover and the verifier, which makes it hard to convince anyone to adopt it: users won't buy an authentication gadget that doesn't let them log into anything and service providers won't support a system that no users are equipped to log in with. In this paper we present three measures to break this vicious circle, starting with the "Pico Lens" browser add-on that rewrites websites on the fly so that they appear Pico-enabled. Our add-on offers the user most (though not all) of the usability and security benefits of Pico, thus fostering adoption from users even before service providers are on board. This will enable Pico to build up a user base. We also developed a server-side Wordpress plugin which can serve both as a reference example and as a useful enabler in its own right (as Wordpress is one of the leading content management platforms on the web). Finally, we developed a software version of the Pico client running on a smartphone, the Pico App, so that people can try out Pico (at the price of slightly reduced security) without having to acquire and carry another gadget. Having broken the vicious circle we'll be in a stronger position to persuade providers to offer support for Pico in parallel with passwords.
Abstract-Security and usability issues with passwords suggest a need for a new authentication scheme. Several alternatives involve a physical device or token. We investigate one such alternative, Pico: an authentication scheme that utilizes multiple wearable devices. We present the grounded theory results of a series of semi-structured interviews for exploring perceptions of this scheme. We found that the idea of carrying physical devices increases perceived personal responsibility for secure authentication, making the risks and inconvenience associated with loss and theft salient for participants. Although our work is focused on Pico, the results of the study contribute to a broader understanding of user perception and concerns of responsibility for any token-based authentication schemes.
Abstract. Pico is a user authentication system that does not require remembering secrets. It is based on a personal handheld token that holds the user's credentials and that is unlocked by a "personal aura" generated by digital accessories worn by the owner. The token, acting as prover, engages in a public-key-based authentication protocol with the verifier. What would happen to Pico if success of the mythical quantum computer meant secure public key primitives were no longer available, or if for other reasons such as energy consumption we preferred not to deploy them? More generally, what would happen under those circumstances to user authentication on the web, which relies heavily on public key cryptography through HTTPS/TLS? Although the symmetric-key-vs-public-key debate dates back to the 1990s, we note that the problematic aspects of public key deployment that were identified back then are still ubiquitous today. In particular, although public key cryptography is widely deployed on the web, revocation still doesn't work. We discuss ways of providing desirable properties of public-key-based user authentication systems using symmetric-key primitives and tamperevident tokens. In particular, we present a protocol through which a compromise of the user credentials file at one website does not require users to change their credentials at that website or any other. We also note that the current prototype of Pico, when working in compatibility mode through the Pico Lens (i.e. with websites that are unaware of the Pico protocols), doesn't actually use public key cryptography, other than that implicit in TLS. With minor tweaks we adopt this as the native mode for Pico, dropping public key cryptography and achieving much greater deployability without any noteworthy loss in security.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
customersupport@researchsolutions.com
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.