Abstract
Despite known problems with their security and ease-of-use, passwords will likely continue to be the main form of web authentication for the foreseeable future. We define a certain class of password-based authentication protocols and call them protected login. Protected login mechanisms present reasonable security in the face of real-world threat models. We find that some websites already employ protected login mechanisms, but observe that they struggle to protect first logins from new devices – reducing usability and security. Armed with this insight, we make a recommendation for increasing the security of web authentication: reduce the number of unprotected logins, and in particular, offer opportunistic protection of first logins. We provide a sketch of a possible solution.
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Czeskis, A., Balfanz, D. (2012). Protected Login. In: Blyth, J., Dietrich, S., Camp, L.J. (eds) Financial Cryptography and Data Security. FC 2012. Lecture Notes in Computer Science, vol 7398. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34638-5_4
DOI: https://doi.org/10.1007/978-3-642-34638-5_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-34637-8
Online ISBN: 978-3-642-34638-5
eBook Packages: Computer Science (R0)