Out-of-Band Password Based Authentication towards Web Services

A username/password combination is still the most commonly used method for user authentication in a Web-based context. Users are familiar with this type of authentication, and the registration phase for new users is straightforward. It does, however, also have several disadvantages. For instance, users have to deal with an explosion of different usernames and passwords, which may lead them to choose short, easy-to-remember passwords, to reuse the same password across multiple services, and so on. Further, if malware is running on the workstation, it can eavesdrop on the username and password as they are entered via the keyboard. Therefore, this paper presents a solution that retains the familiar, widespread password-based authentication mechanism but tackles both the password management problem and prevents malware running on the workstation from stealing the user's credentials. The user's usernames and corresponding passwords are stored encrypted on his mobile device. The mobile device handles the authentication towards the service provider and transfers the established authenticated session to the workstation. Subsequently, the user can continue to consume the service on the workstation without ever having to enter his credentials there.
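The abstract describes the general flow (the phone authenticates with the stored password, the service provider issues a session, and that session is handed over to the workstation) without giving the protocol details. The following Python simulation is an added illustration of that pattern and is not the paper's protocol or code. It assumes a design in which the workstation displays a fresh nonce that the phone reads out of band, the phone asks the service provider for a single-use, short-lived transfer code bound to that nonce, and the workstation redeems the code for its own session. The class and function names, the PBKDF2 parameters, the 60-second lifetime and the sample user are all assumptions made for this example.

```python
"""Out-of-band password authentication with session hand-off (added example).

Not the paper's protocol: an assumed design illustrating the abstract's flow.
Key property: the password is only ever sent by the phone; the workstation
only receives a one-time transfer code and ends up with its own session.
"""
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 100_000   # assumed work factor for password hashing
TRANSFER_TTL_SECONDS = 60     # assumed lifetime of a transfer code


class ServiceProvider:
    """Minimal in-memory service provider (assumed design, example only)."""

    def __init__(self):
        self._users = {}      # username -> (salt, pbkdf2 hash)
        self._sessions = {}   # session id -> username
        self._transfers = {}  # transfer code -> (session id, workstation nonce, expiry)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username, password):
        """Password authentication; in this design only the phone calls this."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = username
        return session_id

    def create_transfer(self, session_id, workstation_nonce, now=None):
        """Phone requests a single-use code bound to the workstation's nonce."""
        if session_id not in self._sessions:
            return None
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(16)
        self._transfers[code] = (session_id, workstation_nonce, now + TRANSFER_TTL_SECONDS)
        return code

    def redeem_transfer(self, code, workstation_nonce, now=None):
        """Workstation presents the code; on success it gets a fresh session.

        The code is consumed on the first attempt, whether or not it succeeds,
        so a stolen or mistyped code cannot be retried (fail closed).
        """
        entry = self._transfers.pop(code, None)
        if entry is None:
            return None
        session_id, bound_nonce, expiry = entry
        now = time.time() if now is None else now
        if now > expiry or not hmac.compare_digest(bound_nonce, workstation_nonce):
            return None
        username = self._sessions[session_id]
        workstation_session = secrets.token_urlsafe(32)  # distinct from the phone's session
        self._sessions[workstation_session] = username
        return workstation_session

    def whoami(self, session_id):
        return self._sessions.get(session_id)


def run_demo():
    """Walk through the hand-off once and report what the workstation ended up with."""
    sp = ServiceProvider()
    sp.register("alice", "correct horse battery staple")  # constructed sample user

    # Phone side: the credential store (encrypted at rest in the real design).
    phone_store = {"service.example": ("alice", "correct horse battery staple")}
    username, password = phone_store["service.example"]
    phone_session = sp.login(username, password)

    # Workstation side: shows a fresh nonce (e.g. on screen) that the phone reads.
    workstation_nonce = secrets.token_urlsafe(16)
    code = sp.create_transfer(phone_session, workstation_nonce)   # phone -> SP
    workstation_session = sp.redeem_transfer(code, workstation_nonce)  # workstation -> SP

    return {
        "workstation_user": sp.whoami(workstation_session),
        "workstation_session_is_distinct": workstation_session != phone_session,
        "code_reusable": sp.redeem_transfer(code, workstation_nonce) is not None,
    }


if __name__ == "__main__":
    print(run_demo())
```

Binding the transfer code to a nonce the workstation itself generated is what stops a code captured elsewhere from being redeemed on a different machine, and issuing the workstation a separate session means the phone's session can be revoked independently if the workstation is later suspected of compromise.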
