We evaluate two decades of proposals to replace text passwords for general-purpose user authentication on the web using a broad set of twenty-five usability, deployability and security benefits that an ideal scheme might provide. The scope of proposals we survey is also extensive, including password management software, federated login protocols, graphical password schemes, cognitive authentication schemes, one-time passwords, hardware tokens, phone-aided schemes and biometrics. Our comprehensive approach leads to key insights about the difficulty of replacing passwords. Not only does no known scheme come close to providing all desired benefits: none even retains the full set of benefits that legacy passwords already provide. In particular, there is a wide range from schemes offering minor security benefits beyond legacy passwords, to those offering significant security benefits in return for being more costly to deploy or more difficult to use. We conclude that many academic proposals have failed to gain traction because researchers rarely consider a sufficiently wide range of real-world constraints. Beyond our analysis of current schemes, our framework provides an evaluation methodology and benchmark for future web authentication proposals.

/pdf/the-quest-to-replace-passwords-a-framework-for-comparative-3ohujijx0b.pdf

The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes

Current embodiments provide for authorization and payment of an online commercial transaction between a purchaser and a merchant including verification of an identity of the purchaser and verification of an ability of the purchaser to pay for the transaction, where the identity provider and the payment provider are often different network entities. Other embodiments also provide for protocols, computing systems, and other mechanisms that allow for identity and payment authentication using a mobile module, which establishes single or multilevel security over an untrusted network (e.g., the Internet). Still other embodiments also provide for a three-way secure communication between a merchant, consumer, and payment provider such that sensitive account information is opaque to the merchant, yet the merchant is sufficiently confident of the consumer's ability to pay for requested purchases. In yet another embodiment, electronic billing information is used for authorization, auditing, payment federation, and other purposes.

Authentication for a commercial transaction using a mobile module

We report the results of the first large-scale empirical analysis of password implementations deployed on the Internet. Our study included 150 websites which offer free user accounts for a variety of purposes, including the most popular destinations on the web and a random sample of e-commerce, news, and communication websites. Although all sites evaluated relied on user-chosen textual passwords for authentication, we found many subtle but important technical variations in implementation with important security implications. Many poor practices were commonplace, such as a lack of encryption to protect transmitted passwords, storage of cleartext passwords in server databases, and little protection of passwords from brute force attacks. While a spectrum of implementation quality exists with a general correlation between implementation choices within more-secure and less-secure websites, we find a surprising number of inconsistent choices within individual sites, suggesting that the lack of a standards is harming security. We observe numerous ways in which the technical failures of lower-security sites can compromise higher-security sites due to the well-established tendency of users to re-use passwords. Our data confirms that the worst security practices are indeed found at sites with few security incentives, such as newspaper websites, while sites storing more sensitive information such as payment details or user communication implement more password security. From an economic viewpoint, password insecurity is a negative externality that the market has been unable to correct, undermining the viability of password-based authentication. We also speculate that some sites deploying passwords do so primarily for psychological reasons, both as a justification for collecting marketing data and as a way to build trusted relationships with customers. This theory suggests that efforts to replace passwords with moresecure protocols or federated identity systems may fail because they don’t recreate the entrenched ritual of password authentication. WEIS 2010 The Ninth Workshop on the Economics of Information Security

/pdf/the-password-thicket-technical-and-market-failures-in-human-3lt1yqnol1.pdf

The Password Thicket: Technical and Market Failures in Human Authentication on the Web.

In a switched file system, a file switching device is logically positioned between clients and file servers and communicates with the clients and the file servers using standard network file protocols. The file switching device appears as a server to the client devices and as a client to the file servers. The file switching device aggregates storage from multiple file servers into a global filesystem and presents a global namespace to the client devices. The file switching device typically supports a “native” mode for integrating legacy files into the global namespace and an “extended” mode for actively managing files across one or more file servers. Typically, native-mode files may be accessed directly or indirectly via the file switching device, while extended-mode files may be accessed only through the file switching device. The file switching device may manage file storage using various types of rules, e.g., for managing multiple storage tiers or for applying different types of encoding schemes to files. Rules may be applied to pre-existing files.

File Aggregation in a Switched File System

Trust management is one of the most challenging issues in the emerging cloud computing area. Over the past few years, many studies have proposed different techniques to address trust management issues. However, despite these past efforts, several trust management issues such as identification, privacy, personalization, integration, security, and scalability have been mostly neglected and need to be addressed before cloud computing can be fully embraced. In this article, we present an overview of the cloud service models and we survey the main techniques and research prototypes that efficiently support trust management of services in cloud environments. We present a generic analytical framework that assesses existing trust management research prototypes in cloud computing and relevant areas using a set of assessment criteria. Open research issues for trust management in cloud environments are also discussed.

https://cs.adelaide.edu.au/~qsheng/papers/csur-2013.pdf

Trust management of services in cloud environments: Obstacles and solutions

At present, network users have to manage one set of authentication credentials (usually a username/password pair) for every service with which they are registered Single Sign-On (SSO) has been proposed as a solution to the usability, security and management implications of this situation Under SSO, users authenticate themselves only once and are logged into the services they subsequently use without further manual interaction Several architectures for SSO have been developed, each with different properties and underlying infrastructures This paper presents a taxonomy of these approaches and puts some of the SSO schemes, services and products into that context This enables decisions about the design and selection of future approaches to SSO to be made within a more structured context; it also reveals some important differences in the security properties that can be provided by various approaches

/pdf/a-taxonomy-of-single-sign-on-systems-1meipmpm5u.pdf

A taxonomy of single sign-on systems

At present, network users have to manage a set of authentication credentials (usually a username/password pair) for every service with which they are registered. Single sign-on (SSO) has been proposed as a solution to the usability, security and management implications of this situation. Under SSO, users need to manage only one set of authentication credentials in order to log into the services they subsequently use. This paper presents the design of an SSO system that is based on a trusted proxy, and that is suitable for use from an untrusted network access device. Unlike existing proxy-based SSO schemes, which require an infrastructure to be in place between the proxy and the service providers, the one presented here does not. An open-source implementation of the scheme, called 'Impostor', is also described. The prototype is implemented as an HTTP proxy, resulting in a system that works with common Web browsers.

/pdf/impostor-a-single-sign-on-system-for-use-from-untrusted-4gxv0lr0pq.pdf

Impostor: a single sign-on system for use from untrusted devices

At present, network users have to remember a user-name and a corresponding password for every service with which they are registered. Single sign-on (SSO) has been proposed as a solution to the usability, security and management implications of this situation. Under SSO, users authenticate themselves only once to an entity termed the 'authentication service provider' (ASP) and subsequently use disparate service providers (SPs) without re-authenticating. The information about the user's authentication status is handled between the ASP and the desired SP in a manner transparent to the user. We propose an SSO protocol where a GSM or UMTS operator plays the role of the ASP and by which its subscribers can be authenticated to SPs without any user interaction and in a way that preserves the user's privacy and mobility. The protocol requires only minimal changes to the deployed GSM infrastructure.

/pdf/using-gsm-umts-for-single-sign-on-3zqv4581ob.pdf

Using GSM/UMTS for single sign-on

This paper identifies certain privacy threats that apply to anonymous credential systems. The focus is on timing attacks that apply even if the system is cryptographically secure. The paper provides some simple heuristics that aim to mitigate the exposure to the threats and identifies directions for further research.

/pdf/limits-to-anonymity-when-using-credentials-1azrhpub7e.pdf

Limits to anonymity when using credentials

At present, network users have to manage a set of authentication credentials (usually a username/password pair) for every service with which they are registered. Single Sign-On (SSO) has been proposed as a solution to the usability, security and management implications of this situation. Under SSO, users authenticate themselves only once to an entity termed the ‘Authentication Service Provider’ (ASP) and are subsequently logged into disparate network Service Providers (SPs) without necessarily having to re-authenticate. The information about the user’s authentication status is handled between the ASP and the desired SP in a manner transparent to the user. In this paper we propose an SSO scheme where user authentication is based on payment cards conforming to the EMV industry standard. The card itself, in conjunction with the EMV architecture, takes the role of the ASP. The associated SSO protocol does not require online card issuer participation, preserves user mobility and does not put user’s financial data at risk.

/pdf/using-emv-cards-for-single-sign-on-2pok0sm7qp.pdf

Andreas Pashalidis

Papers

A taxonomy of single sign-on systems

Impostor: a single sign-on system for use from untrusted devices

Using GSM/UMTS for single sign-on

Limits to anonymity when using credentials

Using EMV Cards for Single Sign-On