BeamAuth: two-factor web authentication with a bookmark

We propose BeamAuth, a two-factor web authentication technique where the second factor is a specially crafted bookmark. BeamAuth presents two interesting features: (1) only server-side deployment is required alongside any modern, out-of-the-box web browser on the client side, and (2) credentials remain safe against many types of phishing attacks, even if the user fails to check proper user interface indicators. BeamAuth is deployable immediately by any login-protected web server with only minimal work, and it neither weakens nor interferes with other anti-phishing techniques. We believe BeamAuth may be most useful in preventing a number of phishing attacks at high-value single sign-on sites, e.g. OpenID providers.
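To make the "bookmark as second factor" idea concrete, here is an added, constructed server-side model; it is not code from the BeamAuth paper or its authors. It assumes one particular design choice: the per-user secret sits in the bookmark's fragment identifier (the part after `#`), which browsers never include in the HTTP request, so a look-alike site that captures the password still lacks the token, and the user following the bookmark always lands on the genuine login host. The hostname, class and function names are hypothetical.

```python
"""Constructed model of a bookmark-backed second factor (added example)."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit, urlunsplit

LOGIN_URL = "https://login.example.test/login"  # hypothetical site


class BookmarkAuthServer:
    """Stores salted password hashes and one bookmark secret per user."""

    def __init__(self, login_url: str = LOGIN_URL):
        self.login_url = login_url
        # username -> (salt, password hash, bookmark secret)
        self.users: dict[str, tuple[bytes, bytes, str]] = {}

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> str:
        """Creates the account and returns the bookmark URL the user should save."""
        salt = secrets.token_bytes(16)
        token = secrets.token_urlsafe(24)  # the bookmark secret, kept server side too
        self.users[username] = (salt, self._hash_password(password, salt), token)
        return self.bookmark_url(username)

    def bookmark_url(self, username: str) -> str:
        # Assumed design: secret in the fragment, so it is never sent on the wire
        # and only a page served from this host can read it via location.hash.
        s = urlsplit(self.login_url)
        fragment = f"{username}:{self.users[username][2]}"
        return urlunsplit((s.scheme, s.netloc, s.path, s.query, fragment))

    def login(self, username: str, password: str, token: str) -> bool:
        """Both factors must match; comparisons are constant time."""
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, pw_hash, stored_token = rec
        pw_ok = hmac.compare_digest(self._hash_password(password, salt), pw_hash)
        token_ok = hmac.compare_digest(stored_token.encode(), token.encode())
        return pw_ok and token_ok


def request_target(url: str) -> str:
    """What a browser puts in the request line for this URL: path and query only."""
    s = urlsplit(url)
    return s.path + (f"?{s.query}" if s.query else "")


def page_script_reads_fragment(url: str) -> tuple[str, str]:
    """Models the genuine login page's script reading location.hash."""
    username, _, token = urlsplit(url).fragment.partition(":")
    return username, token


if __name__ == "__main__":
    server = BookmarkAuthServer()
    bookmark = server.register("alice", "correct horse")
    print("bookmark:", bookmark)
    print("on the wire:", request_target(bookmark))  # fragment absent
    user, tok = page_script_reads_fragment(bookmark)
    print("genuine login:", server.login(user, "correct horse", tok))
    # A phished password alone is not enough: the bookmark secret is missing.
    print("password-only attempt:", server.login(user, "correct horse", ""))
```

The two helper functions show the property the abstract relies on: `request_target` is what any server, genuine or not, would see, while `page_script_reads_fragment` is what only script running on the bookmarked origin can recover. A real deployment would transmit the token over TLS in the POST body and rate-limit attempts; that is outside this sketch.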
