One-Time Password Access to Any Server without Changing the Server

  • Dinei Florêncio
  • Cormac Herley
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5222)


In this paper we describe a service that allows users one-time password access to any web account, without any change to the server, without changing anything on the client, and without storing user credentials in-the-cloud. The user pre-encrypts his password using an assigned set of keys and these encryptions are sent as one-time passwords to his cell phone or carried. To login he merely enters one of the encryptions as prompted, and the URRSA service decrypts before forwarding to the login server. Since credentials are not stored (the service merely decrypts and forwards) it has no need to authenticate users. Thus, while the user must trust the service, there are no additional passwords or secrets to remember. Since our system requires no server changes it can be used on a trust-appropriate basis: the user can login normally from trusted machines, but when roaming use one-time passwords. No installation of any software or alteration of any settings is required at the untrusted machine: the user merely requires access to a browser address bar.


Passwords one-time passwords authentication replay resistance 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
  2. 2.
  3. 3.
  4. 4.
  5. 5.
  6. 6.
  7. 7.
  8. 8.
  9. 9.
  10. 10.
  11. 11.
    Herley, C., Florêncio, D.: How To Login From an Internet Café without Worrying about Keyloggers. In: Symp. on Usable Privacy and Security (2006)Google Scholar
  12. 12.
    Cheswick, W.: Johnny Can Obfuscate: Beyond Mother’s Maiden Name. In: Proc. Usenix HotSec (2006)Google Scholar
  13. 13.
    Coskun, B., Herley, C.: Can “Something You Know” be Saved? In: Wu, T.-C., Lei, C.-L., Rijmen, V., Lee, D.-T. (eds.) ISC 2008. LNCS, vol. 5222, pp. 421–440. Springer, Heidelberg (2008)Google Scholar
  14. 14.
    Florêncio, D., Herley, C.: A Large-Scale Study of Web Password Habits. In: WWW 2007, Banff (2007)Google Scholar
  15. 15.
    Florêncio, D., Herley, C.: KLASSP: Entering Passwords on a Spyware Infected Machine. In: Jesshope, C., Egan, C. (eds.) ACSAC 2006. LNCS, vol. 4186. Springer, Heidelberg (2006)Google Scholar
  16. 16.
    Florêncio, D., Herley, C., Coskun, B.: Do Strong Web Passwords Accomplish Anything?. In: Proc. Usenix Hot Topics in Security (2007)Google Scholar
  17. 17.
    Gaber, E., Gibbons, P., Matyas, Y., Mayer, A.: How to make personalized web browsing simple, secure and anonymous. In: Proc. Finan. Crypto 1997 (1997)Google Scholar
  18. 18.
    Golle, P., Wagner, D.: Cryptanalysis of a Cognitive Authentication Scheme. In: Symp. on Security and Privacy (2007)Google Scholar
  19. 19.
    Haller, N.: The S/KEY One-Time Password System. In: Proc. ISOC Symposium on Network and Distributed System Security (1994)Google Scholar
  20. 20.
    Herley, C., Florêncio, D.: Phishing as a Tragedy of the Commons. In: NSPW 2008, Lake Tahoe, CA (2008)Google Scholar
  21. 21.
    Jammalamadaka, R.C., van der Horst, T.W., Mehrotra, S., Seamons, K., Venkasubramanian, N.: Delegate: A Proxy based Architecture fort Secure Website Access from an Untrusted Machine. In: Jesshope, C., Egan, C. (eds.) ACSAC 2006. LNCS, vol. 4186. Springer, Heidelberg (2006)Google Scholar
  22. 22.
    Lamport, L.: Password Authentication with Insecure Communication. Communications of the ACM (1981)Google Scholar
  23. 23.
    Luotonen, A.: Web Proxy Servers. Prentice-Hall, Englewood Cliffs (1998)Google Scholar
  24. 24.
    Mannan, M., van Oorschot, P.C.: Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer. In: Dietrich, S., Dhamija, R. (eds.) FC 2007 and USEC 2007. LNCS, vol. 4886. Springer, Heidelberg (2007)Google Scholar
  25. 25.
    Wu, M., Garfinkel, S., Miller, R.: Secure Web Authentication with Mobile Phones. In: DIMACS Workshop on Usable Privacy and Security Software (2004)Google Scholar
  26. 26.
    Mao, Z., Herley, C.: Robust Reverse Proxy Implementation. MSR-TRGoogle Scholar
  27. 27.
    Pashalidis, A., Mitchell, C.J.: Impostor: A single sign-on system for use from untrusted devices. In: Proceedings of IEEE Globecom (2004)Google Scholar
  28. 28.
    Pering, T., Sundar, M., Light, J., Want, R.: Photographic Authentication through Untrusted Terminals. IEEE Security and Privacy (2003)Google Scholar
  29. 29.
    Schneier, B.: Applied Cryptography, 2nd edn. Wiley, Chichester (1996)Google Scholar
  30. 30.
    Bell, T.C., Cleary, J.G., Witten, I.H.: Text Compression. Prentice-Hall, Englewood Cliffs (1990)Google Scholar
  31. 31.
    Tan, D., Keryana, P., Czerwinski, M.: Spy-resistant keyboard: more secure password entry on public touch screen displays. In: CHISIG 2005 (2005)Google Scholar
  32. 32.
    Weinshall, D.: Cognitive Authentication Schemes Safe Against Spyware. In: Symp. on Security and Privacy (2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Dinei Florêncio
    • 1
  • Cormac Herley
    • 1
  1. 1.Microsoft ResearchRedmond 

Personalised recommendations