Passwords are the only ubiquitous form of authentication currently available on the web. Unfortunately, passwords are insecure. In this paper we therefore propose the use of strong cryptography, using the fact that users increasingly own a smartphone that can perform the required cryptographic operations on their behalf. This is not as trivial as it sounds. Services will not migrate to new forms of authentication if few users have the means to use them. Similarly, users will not acquire the means if there are few services that accept them. Moreover, enabling one's smartphone to seamlessly sign in at a website when browsing on an arbitrary PC is non-trivial. We propose a system, based on a smartphone app, that can be used to sign in with username and password to arbitrary websites using an arbitrary PC or laptop. We describe the protocol and implementation that achieve this without the need for typing usernames and passwords. Furthermore, we propose an authentication protocol based on public key cryptography, integrated in the same smartphone app. This allows websites to seamlessly migrate towards a much more secure authentication method on the web, independently of each other. A prototype of our system has been developed.