Protected Login

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC,volume 7398)

Abstract

Despite known problems with their security and ease-of-use, passwords will likely continue to be the main form of web authentication for the foreseeable future. We define a certain class of password-based authentication protocols and call them protected login. Protected login mechanisms present reasonable security in the face of real-world threat models. We find that some websites already employ protected login mechanisms, but observe that they struggle to protect first logins from new devices – reducing usability and security. Armed with this insight, we make a recommendation for increasing the security of web authentication: reduce the number of unprotected logins, and in particular, offer opportunistic protection of first logins. We provide a sketch of a possible solution.
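The abstract separates logins into two classes: a login is protected when the client proves something beyond the password (here modelled as a per-device secret bound to the TLS channel, in the spirit of channel binding), and unprotected when the password alone is presented, which is exactly what a first login from a new device looks like. The toy server below, an added illustration and not the paper's own design or code, makes that classification explicit and applies the abstract's recommendation: an unprotected login that succeeds opportunistically enrolls the device and records a notification, so the next login from it is protected. Every name (ProtectedLoginServer, device_proof, the channel identifiers, the PBKDF2 parameters) and the sample credentials are assumptions for the example.

```python
"""Toy model of a protected-login policy (added example, not from the paper).

Assumptions (not from the page): a device credential is a per-device secret the
server hands out after a successful login and the browser stores like a cookie;
a login is *protected* when the password is correct AND the client proves
possession of that secret bound to the current TLS channel identifier. Anything
else, including a first login from a new device, is *unprotected*, and the policy
enrolls the device so the next login from it is protected.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERS = 100_000  # assumed parameter; any modern password KDF would do


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


def device_proof(device_key: bytes, channel_id: bytes, username: str) -> bytes:
    """Client side: MAC the channel identifier and user name with the device key,
    so a stolen cookie replayed over a different TLS connection does not verify."""
    return hmac.new(device_key, channel_id + b"|" + username.encode(), "sha256").digest()


class ProtectedLoginServer:
    def __init__(self):
        self.users = {}    # username -> (salt, pbkdf2 hash)
        self.devices = {}  # username -> {device_id: device_key}
        self.events = []   # audit trail of (username, kind, detail)

    def register_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash_password(password, salt))
        self.devices[username] = {}

    def _password_ok(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            _hash_password(password, b"\x00" * 16)  # keep timing flat for unknown users
            return False
        salt, expected = rec
        return hmac.compare_digest(_hash_password(password, salt), expected)

    def _device_ok(self, username, device_id, proof, channel_id) -> bool:
        key = self.devices[username].get(device_id)
        if key is None or proof is None:
            return False
        return hmac.compare_digest(device_proof(key, channel_id, username), proof)

    def _enroll_device(self, username: str):
        device_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.devices[username][device_id] = key
        return device_id, key

    def login(self, username, password, channel_id, device_id=None, proof=None) -> dict:
        if not self._password_ok(username, password):
            self.events.append((username, "failure", "bad password"))
            return {"ok": False, "protected": False}
        if self._device_ok(username, device_id, proof, channel_id):
            self.events.append((username, "protected", device_id))
            return {"ok": True, "protected": True, "device": None}
        # Password alone: an unprotected login. Opportunistically protect future
        # logins from this device by enrolling it now and notifying the user.
        new_id, new_key = self._enroll_device(username)
        self.events.append((username, "unprotected", f"enrolled {new_id}; notify user"))
        return {"ok": True, "protected": False, "device": (new_id, new_key)}

    def unprotected_ratio(self, username: str) -> float:
        """Share of successful logins that were unprotected: the number the abstract
        says a site should drive down."""
        kinds = [k for (u, k, _) in self.events if u == username and k != "failure"]
        return kinds.count("unprotected") / len(kinds) if kinds else 0.0


def demo():
    srv = ProtectedLoginServer()
    srv.register_user("alice", "correct horse battery staple")  # constructed sample user
    pw = "correct horse battery staple"
    # First login from a new device: password only, hence unprotected, device enrolled.
    first = srv.login("alice", pw, b"tls-channel-1")
    dev_id, dev_key = first["device"]
    # Second login from the enrolled device on a fresh channel: protected.
    second = srv.login("alice", pw, b"tls-channel-2", dev_id,
                       device_proof(dev_key, b"tls-channel-2", "alice"))
    # Someone holding the password and a captured proof from channel 2 replays it on
    # channel 3: the binding fails, so this is an unprotected login that the user is
    # notified about, not a silent protected one.
    replay = srv.login("alice", pw, b"tls-channel-3", dev_id,
                       device_proof(dev_key, b"tls-channel-2", "alice"))
    return first, second, replay, srv


if __name__ == "__main__":
    for r in demo()[:3]:
        print(r["ok"], r["protected"])
```

The point of the replay case is the caveat a practitioner should check in any "remembered device" scheme: if the device credential is a plain bearer cookie rather than channel-bound, a password thief who also steals the cookie gets a protected login and no notification, so the unprotected-login count the site reports will understate the risk.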

Keywords

  • Authentication Mechanism
  • Threat Model
  • Trust Rank
  • Graphical Password
  • Factor Authentication




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Czeskis, A., Balfanz, D. (2012). Protected Login. In: Blyth, J., Dietrich, S., Camp, L.J. (eds) Financial Cryptography and Data Security. FC 2012. Lecture Notes in Computer Science, vol 7398. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34638-5_4

  • DOI: https://doi.org/10.1007/978-3-642-34638-5_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-34637-8

  • Online ISBN: 978-3-642-34638-5

  • eBook Packages: Computer Science (R0)