Exploring Mobile Proxies for Better Password Authentication

Saxena, Nitesh; Voris, Jonathan

doi:10.1007/978-3-642-34129-8_26

Cited by 2 publications

(2 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…MP-Auth and Phool Proof store hashed password on the servers and thus provide only O(|D|) level of security against offline dictionary attack. PIN-Audio [24] and Tapas [21] use the phone as a mobile password manager that is used to store long and random passwords. These two schemes make the offline dictionary attacks infeasible because passwords are no longer humanmemorable and a dictionary attack is not viable.…”

Section: Related Workmentioning

confidence: 99%

“…We aim to comply with browser security features and to remain forward-compatible, 2) FBD-WF-WF: The FBD-WF-WF mechanism utilize WiFi as a bidirectional D-C communication medium. While Bluetooth has been explored in user authentication domain in prior work (e.g., [19], [24], [20]), WiFi has received little attention so far. Ad hoc mode WiFi is a common point-to-point infrastructureless wireless channel that can be formed between a device and client terminal equipped with WiFi adaptors.…”

Section: ) Fbd-bt-btmentioning

confidence: 99%

See 1 more Smart Citation

Two-Factor Authentication Resilient to Server Compromise Using Mix-Bandwidth Devices

Shirvanian

Jarecki

Saxena

et al. 2014

Proceedings 2014 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

Two-factor authentication (TFA), enabled by hardware tokens and personal devices, is gaining momentum. The security of TFA schemes relies upon a human-memorable password p drawn from some implicit dictionary D and a t-bit device-generated one-time PIN z. Compared to password-only authentication, TFA reduces the probability of adversary's online guessing attack to 1/(|D| * 2 t) (and to 1/2 t if the password p is leaked). However, known TFA schemes do not improve security in the face of offline dictionary attacks, because an adversary who compromises the service and learns a (salted) password hash can still recover the password with O(|D|) amount of effort. This password might be reused by the user at another site employing password-only authentication. We present a suite of efficient novel TFA protocols which improve upon password-only authentication by a factor of 2 t with regards to both the online guessing attack and the offline dictionary attack. To argue the security of the presented protocols, we first provide a formal treatment of TFA schemes in general. The TFA protocols we present enable utilization of devices that are connected to the client over several channel types, formed using manual PIN entry, visual QR code capture, wireless communication (Bluetooth or WiFi), and combinations thereof. Utilizing these various communication settings we design, implement, and evaluate the performance of 13 different TFA mechanisms, and we analyze them with respect to security, usability (manual effort needed beyond typing a password), and deployability (need for additional hardware or software), showing consistent advantages over known TFA schemes. Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.

show abstract

Section: Related Workmentioning

confidence: 99%