In this paper we describe a service that allows users one-time password access to any web account, without any change to the server, without changing anything on the client, and without storing user credentials in the cloud. The user pre-encrypts his password using an assigned set of keys, and these encryptions are sent to his cell phone, or carried, as one-time passwords. To log in he merely enters one of the encryptions as prompted, and the URRSA service decrypts it before forwarding it to the login server. Since credentials are not stored (the service merely decrypts and forwards), it has no need to authenticate users. Thus, while the user must trust the service, there are no additional passwords or secrets to remember. Since our system requires no server changes, it can be used on a trust-appropriate basis: the user can log in normally from trusted machines, but use one-time passwords when roaming. No installation of any software or alteration of any settings is required at the untrusted machine: the user merely requires access to a browser address bar.
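A sketch of the decrypt-and-forward flow the abstract describes, added here as an illustration and not taken from the paper or the URRSA service. The HMAC-based keystream cipher, the numbered key slots and all names (`DecryptingProxy`, `pre_encrypt`, `forward`) are assumptions, and the sample password is constructed.

```python
import hashlib
import hmac
import secrets

def _xor_keystream(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption): XOR with an HMAC-SHA256 counter keystream.
    # Each key encrypts exactly one value, so the keystream is never reused.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def pre_encrypt(password: str, keys: list) -> list:
    """Run on a trusted machine: one ciphertext (one-time password) per key."""
    return [_xor_keystream(k, password.encode()).hex() for k in keys]

class DecryptingProxy:
    """Hypothetical service: stores assigned keys, never the password itself."""

    def __init__(self, n_keys: int):
        self._keys = [secrets.token_bytes(32) for _ in range(n_keys)]
        self._used = set()

    def assigned_keys(self) -> list:
        return list(self._keys)

    def login(self, slot: int, otp_hex: str, forward):
        # Reject unknown slots and replays; a slot is burned on first use,
        # so a value captured by a keylogger is worthless afterwards.
        if not 0 <= slot < len(self._keys) or slot in self._used:
            return None
        self._used.add(slot)
        plain = _xor_keystream(self._keys[slot], bytes.fromhex(otp_hex))
        # The proxy sees the cleartext here, which is why it must be trusted.
        return forward(plain.decode("utf-8", errors="replace"))

def demo():
    proxy = DecryptingProxy(n_keys=3)
    otps = pre_encrypt("constructed-sample-pw", proxy.assigned_keys())
    received = []  # stands in for the unchanged login server
    def forward(pw):
        received.append(pw)
        return "forwarded"
    first = proxy.login(0, otps[0], forward)
    replay = proxy.login(0, otps[0], forward)
    return first, replay, received

if __name__ == "__main__":
    print(demo())
```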