Abstract
This chapter is on user authentication—humans being authenticated by a computer system. Chapter 4 addresses machine-to-machine authentication and related cryptographic protocols. The main topics of focus herein are passwords, hardware-based tokens, and biometric authentication. We also discuss password managers, CAPTCHAs, graphical passwords, and background on entropy relevant to the security of user-chosen passwords.
References
M. Abadi, T. M. A. Lomas, and R. Needham. Strengthening passwords. SRC Technical Note 1997-033, DEC Systems Research Center, Palo Alto, CA, 1997. September 4 with minor revision December 16.
L. Ballard, S. Kamara, F. Monrose, and M. K. Reiter. Towards practical biometric key generation with randomized biometric templates. In ACM Comp. & Comm. Security (CCS), pages 235–244, 2008.
L. Ballard, F. Monrose, and D. P. Lopresti. Biometric authentication revisited: Understanding the impact of wolves in sheep’s clothing. In USENIX Security, 2006.
R. Biddle, S. Chiasson, and P. C. van Oorschot. Graphical passwords: Learning from the first twelve years. ACM Computing Surveys, 44(4):19:1–19:41, 2012.
A. Biryukov, D. Dinu, and D. Khovratovich. Argon2: New generation of memory-hard functions for password hashing and other applications. In IEEE Eur. Symp. Security & Privacy, pages 292–302, 2016.
D. Boneh, H. Corrigan-Gibbs, and S. E. Schechter. Balloon hashing: A memory-hard function providing provable protection against sequential attacks. In ASIACRYPT, 2016.
J. Bonneau. Guessing Human-Chosen Secrets. PhD thesis, University of Cambridge, U.K., 2012.
J. Bonneau. The science of guessing: Analyzing an anonymized corpus of 70 million passwords. In IEEE Symp. Security and Privacy, pages 538–552, 2012.
J. Bonneau, E. Bursztein, I. Caron, R. Jackson, and M. Williamson. Secrets, lies, and account recovery: Lessons from the use of personal knowledge questions at Google. In WWW—Int’l Conf. on World Wide Web, pages 141–150, 2015.
J. Bonneau, C. Herley, P. C. van Oorschot, and F. Stajano. The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In IEEE Symp. Security and Privacy, pages 553–567, 2012.
W. E. Burr, D. F. Dodson, E. M. Newton, R. A. Perlner, W. T. Polk, S. Gupta, and E. A. Nabbus. NIST Special Pub 800-63-1: Electronic Authentication Guideline. U.S. Dept. of Commerce. Dec 2011 (121 pages), supersedes [12]; superseded by SP 800-63-2, Aug 2013 (123 pages), itself superseded by [29].
W. E. Burr, D. F. Dodson, and W. T. Polk. NIST Special Pub 800-63: Electronic Authentication Guideline. U.S. Dept. of Commerce. Ver. 1.0, Jun 2004 (53 pages), including Appendix A: Estimating Password Entropy and Strength (8 pages). Superseded by [11].
C. Cachin. Entropy Measures and Unconditional Security in Cryptography. PhD thesis, Swiss Federal Institute of Technology Zurich, Switzerland, May 1997.
S. Chiasson and P. C. van Oorschot. Quantifying the security advantage of password expiration policies. Designs, Codes and Cryptography, 77(2-3):401–408, 2015.
S. Chiasson, P. C. van Oorschot, and R. Biddle. A usability study and critique of two password managers. In USENIX Security, 2006.
J. Daugman. How iris recognition works. IEEE Trans. Circuits Syst. Video Techn., 14(1):21–30, 2004.
X. de Carné de Carnavalet and M. Mannan. A large-scale evaluation of high-impact password strength meters. ACM Trans. Inf. Systems and Security, 18(1):1:1–1:32, 2015.
P. J. Denning, editor. Computers Under Attack: Intruders, Worms, and Viruses. Addison-Wesley, 1990. Edited collection (classic papers, articles of historic or tutorial value).
DoD. Password Management Guideline. Technical Report CSC-STD-002-85 (Green Book), U.S. Department of Defense. 12 April 1985.
M. Dürmuth and T. Kranz. On password guessing with GPUs and FPGAs. In PASSWORDS 2014, pages 19–38.
M. Egele, L. Bilge, E. Kirda, and C. Kruegel. CAPTCHA smuggling: hijacking web browsing sessions to create CAPTCHA farms. In ACM Symp. Applied Computing (SAC), pages 1865–1870, 2010.
M. W. Eichin and J. A. Rochlis. With microscope and tweezers: An analysis of the Internet virus of November 1988. In IEEE Symp. Security and Privacy, pages 326–343, 1989.
N. Ferguson and B. Schneier. Practical Cryptography. Wiley, 2003.
D. Florêncio, C. Herley, and P. C. van Oorschot. An administrator’s guide to Internet password research. In Large Installation Sys. Admin. Conf. (LISA), pages 35–52. USENIX, 2014.
D. Florêncio, C. Herley, and P. C. van Oorschot. Password portfolios and the finite-effort user: Sustainably managing large numbers of accounts. In USENIX Security, pages 575–590, 2014.
S. L. Garfinkel and H. R. Lipford. Usable Security: History, Themes, and Challenges. Synthesis Lectures (mini-book series). Morgan and Claypool, 2014.
P. Garrett. The Mathematics of Coding Theory. Pearson Prentice Hall, 2004.
N. Gelernter, S. Kalma, B. Magnezi, and H. Porcilan. The password reset MitM attack. In IEEE Symp. Security and Privacy, pages 251–267, 2017.
P. A. Grassi et al. NIST Special Pub 800-63-3: Digital Identity Guidelines. U.S. Dept. of Commerce. Jun 2017, supersedes [11]. Additional parts SP 800-63A: Enrollment and Identity Proofing, SP 800-63B: Authentication and Lifecycle Management, SP 800-63C: Federation and Assertions.
N. Haller. The S/KEY One-Time Password System. In Netw. Dist. Sys. Security (NDSS), 1994.
N. Haller and C. Metz. RFC 1938: A one-time password system, May 1996. Cf. RFC 1760 (Feb 1995).
F. Hao, R. J. Anderson, and J. Daugman. Combining crypto with biometrics effectively. IEEE Trans. Computers, 55(9):1081–1088, 2006.
G. Hatzivasilis. Password-hashing status. Cryptography, 1(2):10:1–10:31, 2017.
J. M. G. Hidalgo and G. Á. Marañón. CAPTCHAs: An artificial intelligence application to web security. Advances in Computers, 83:109–181, 2011.
A. K. Jain, A. Ross, and S. Pankanti. Biometrics: a tool for information security. IEEE Trans. Info. Forensics and Security, 1(2):125–143, 2006.
A. K. Jain, A. Ross, and S. Prabhakar. An introduction to biometric recognition. IEEE Trans. Circuits Syst. Video Techn., 14(1):4–20, 2004.
H. Khan, U. Hengartner, and D. Vogel. Targeted mimicry attacks on touch input based implicit authentication schemes. In MobiSys 2016 (Mobile Systems, Applic. and Services), pages 387–398, 2016.
J. Lang, A. Czeskis, D. Balfanz, M. Schilder, and S. Srinivas. Security Keys: Practical cryptographic second factors for the modern web. In Financial Crypto, pages 422–440, 2016.
U. Manber. A simple scheme to make passwords based on one-way functions much harder to crack. Computers & Security, 15(2):171–176, 1996.
T. Matsumoto, H. Matsumoto, K. Yamada, and S. Hoshino. Impact of artificial “gummy” fingers on fingerprint systems. In Proc. SPIE 4677, Optical Security and Counterfeit Deterrence Techniques IV, pages 275–289, 2002.
R. J. McEliece. The Theory of Information and Coding. In G.-C. Rota, editor, Encyclopedia of Mathematics and Its Applications, volume 3. Addison-Wesley, 1977.
A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996. Openly available, http://cacr.uwaterloo.ca/hac/.
C. E. Metz. Basic Principles of ROC Analysis. Seminars in Nuclear Medicine, 8(4):283–298, Oct. 1978. See also: John Eng, “Receiver Operator Characteristic Analysis: A Primer”, Academic Radiology 12 (7):909–916, July 2005.
F. Monrose, M. K. Reiter, and S. Wetzel. Password hardening based on keystroke dynamics. Int. J. Inf. Sec., 1(2):69–83, 2002.
M. Motoyama, K. Levchenko, C. Kanich, D. McCoy, G. M. Voelker, and S. Savage. Re:CAPTCHAs—Understanding CAPTCHA-solving services in an economic context. In USENIX Security, 2010.
J. A. Muir and P. C. van Oorschot. Internet geolocation: Evasion and counterevasion. ACM Computing Surveys, 42(1):4:1–4:23, 2009.
A. Narayanan and V. Shmatikov. Fast dictionary attacks on passwords using time-space tradeoff. In ACM Comp. & Comm. Security (CCS), pages 364–372, 2005.
NIST. FIPS 112: Password Usage. U.S. Dept. of Commerce, May 1985.
P. Oechslin. Making a faster cryptanalytic time-memory trade-off. In CRYPTO, pages 617–630, 2003.
B. Pinkas and T. Sander. Securing passwords against dictionary attacks. In ACM Comp. & Comm. Security (CCS), pages 161–170, 2002.
N. Provos and D. Mazières. A future-adaptable password scheme. In USENIX Annual Technical Conf., pages 81–91, 1999. FREENIX Track.
J. A. Rochlis and M. W. Eichin. With microscope and tweezers: The Worm from MIT’s perspective. Comm. ACM, 32(6):689–698, 1989. Reprinted as [18, Article 11]; see also more technical paper [22].
A. D. Rubin. White-Hat Security Arsenal. Addison-Wesley, 2001.
C. Shannon. A mathematical theory of communication. The Bell System Technical Journal, vol.27, 1948. Pages 379–423 (Jul) and 623–656 (Oct).
E. H. Spafford. Crisis and aftermath. Comm. ACM, 32(6):678–687, 1989. Reprinted: [18, Article 12].
B. Ur, S. M. Segreti, L. Bauer, N. Christin, L. F. Cranor, S. Komanduri, D. Kurilova, M. L. Mazurek, W. Melicher, and R. Shay. Measuring real-world accuracies and biases in modeling password guessability. In USENIX Security, pages 463–481, 2015.
P. C. van Oorschot and S. G. Stubblebine. On countering online dictionary attacks with login histories and humans-in-the-loop. ACM Trans. Inf. Systems and Security, 9(3):235–258, 2006.
P. C. van Oorschot and J. Thorpe. On predictive models and user-drawn graphical passwords. ACM Trans. Inf. Systems and Security, 10(4):1–33 (Article 17), 2008.
M. Weir, S. Aggarwal, M. P. Collins, and H. Stern. Testing metrics for password creation policies by attacking large sets of revealed passwords. In ACM Comp. & Comm. Security (CCS), 2010.
D. L. Wheeler. zxcvbn: Low-budget password strength estimation. In USENIX Security, pages 157–173, 2016.
Y. Zhang, F. Monrose, and M. K. Reiter. The security of modern password expiration: an algorithmic framework and empirical analysis. In ACM Comp. & Comm. Security (CCS), pages 176–186, 2010.
© 2021 The Author(s)
van Oorschot, P.C. (2021). User Authentication—Passwords, Biometrics and Alternatives. In: Computer Security and the Internet. Information Security and Cryptography. Springer, Cham. https://doi.org/10.1007/978-3-030-83411-1_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-83410-4
Online ISBN: 978-3-030-83411-1