One-time-password (OTP) devices are widely deployed as a second authentication factor: a device the user owns produces a pseudorandom sequence of digits that supplements the password (raising the entropy of the submitted credential) and that cannot be harvested by off-line phishing of the password alone. A wireless link adds usability in an obvious way: instead of the user copying the digits from one machine to another, the wireless (say, Bluetooth) channel transfers the value directly. Indeed, an OTP generator implemented on a smartphone and communicating with the browser over Bluetooth works well in practice (this extension was implemented in our organization and received very positive usability feedback). Our key observation is that wireless transfer changes the OTP token from a "human to machine" mechanism into a "(mobile) device to machine (the browser on the computer)" one, so the two interacting computers can now run a protocol with each other. We therefore ask what this new mode can contribute to security, rather than to usability only, and which additional attacks it can address. Specifically, we ask whether wireless OTP devices (i.e., smartphones) can be hardened at reasonable cost, that is, without costly changes to the OTP infrastructure, without public-key infrastructure or public-key operations, and with only a small modification to the browser, so as to be useful against one interesting, currently growing and highly publicized class of man-in-the-middle (MITM) attacks. This work summarizes our study, which is based on a new notion we propose, Contextual OTP (XOTP for short), which exploits session context to break the symmetry between the "user to MITM" session and the "MITM to server" session.
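The symmetry-breaking idea can be seen in a small simulation. The following is an added example, not the paper's XOTP protocol and not the authors' implementation: it assumes a plain HOTP (RFC 4226) code as the baseline, and a hypothetical contextual variant whose HMAC also covers a "session context" consisting of the origin the browser actually established its TLS connection to plus a per-session nonce from the server. The phone, paired with the browser over Bluetooth, learns that context only from the browser. A relaying MITM sits on a look-alike host, so the origin the user's browser reports differs from the origin the real server uses, while the nonce it relays is identical; the plain OTP survives the relay and the contextual one does not. The `Server`, `Phone` and `login_attempt` names, the origins and the nonce handling are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct


def truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation of an HMAC-SHA1 value to a decimal code."""
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Plain counter-based OTP (HOTP). The code depends only on key and counter,
    so whoever captures it can forward it into any session before it is consumed."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return truncate(mac, digits)


def contextual_otp(key: bytes, counter: int, context: bytes, digits: int = 6) -> str:
    """Hypothetical contextual OTP: the MAC additionally covers the session context,
    so a code made for one session is useless in a session with a different context.
    This construction is mine for the example; it is not the paper's XOTP definition."""
    mac = hmac.new(key, struct.pack(">Q", counter) + context, hashlib.sha1).digest()
    return truncate(mac, digits)


class Server:
    """The legitimate site (constructed). Its view of the context is its own origin
    plus the nonce it issued for this login session."""

    def __init__(self, origin: str, key: bytes):
        self.origin = origin
        self.key = key
        self.counter = 0

    def start_session(self) -> bytes:
        return secrets.token_bytes(16)

    def context(self, nonce: bytes) -> bytes:
        return self.origin.encode() + b"|" + nonce

    def verify(self, nonce: bytes, code: str, contextual: bool) -> bool:
        if contextual:
            expected = contextual_otp(self.key, self.counter, self.context(nonce))
        else:
            expected = hotp(self.key, self.counter)
        ok = hmac.compare_digest(expected, code)
        if ok:
            self.counter += 1  # consume the counter only on success
        return ok


class Phone:
    """OTP device paired with the browser (constructed). The browser tells it the
    origin its TLS connection really terminates at and the nonce it received; the
    phone never touches the network itself, so it can only sign what the browser saw."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def code(self, browser_origin: str, nonce: bytes, contextual: bool) -> str:
        ctx = browser_origin.encode() + b"|" + nonce
        if contextual:
            c = contextual_otp(self.key, self.counter, ctx)
        else:
            c = hotp(self.key, self.counter)
        self.counter += 1
        return c


def login_attempt(contextual: bool, via_mitm: bool) -> bool:
    """Run one login and return True if the real server accepts the code."""
    key = b"12345678901234567890"  # RFC 4226 test-vector key, used here as the shared seed
    bank = Server("https://bank.example", key)
    phone = Phone(key)
    nonce = bank.start_session()
    # With a MITM, the browser's TLS session ends at the attacker's look-alike host.
    # The attacker relays the bank's nonce unchanged and forwards whatever code it gets,
    # but cannot change the origin the browser reports to the phone.
    browser_origin = "https://bank-login.example" if via_mitm else bank.origin
    code = phone.code(browser_origin, nonce, contextual)
    return bank.verify(nonce, code, contextual)


if __name__ == "__main__":
    for contextual in (False, True):
        for via_mitm in (False, True):
            print(f"contextual={contextual} mitm={via_mitm} accepted={login_attempt(contextual, via_mitm)}")
```

The binding only helps because the browser-side extension reports the true origin of its TLS connection; that is the "small modification to browsers" the abstract alludes to, and it is also the trust boundary: a MITM that could present a valid certificate for the real origin would collapse the two contexts back into one.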