Strengthening user authentication through opportunistic cryptographic identity assertions

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2012, Pages 404-414

  Czeskis, Alexei ^a   Dietz, Michael ^b   Kohno, Tadayoshi ^a   Wallach, Dan ^b   Balfanz, Dirk ^c  

^a UNIVERSITY OF WASHINGTON   (United States)

^b RICE UNIVERSITY   (United States)

^c GOOGLE INC   (United States)

Author keywords

Authentication; Login; Second factor; Web

Indexed keywords

AUTHENTICATION SCHEME; DEPLOYABILITY; LOGIN; PERSONAL DEVICES; PHISHING; PHISHING ATTACKS; SECOND FACTOR; SECURITY ASSURANCE; TWO FACTOR AUTHENTICATION; USER AUTHENTICATION; USER AUTHENTICATION SYSTEMS; WEB; WEB SERVERS;

CHROMIUM; COMPUTER CRIME; SECURITY OF DATA; TELEPHONE SETS; WEB SERVICES;

AUTHENTICATION;

EID: 84869430752     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2382196.2382240     Document Type: Conference Paper

References (30)

1. Android Cloud to Device Messaging Framework, 2012. https://developers. google.com/android/c2dm/.
2. BrowserID - Quick Setup, 2012. https://developer.mozilla.org/en/ BrowserID/Quick-Setup.
3. Core Concepts - Authentication, 2012. https://developers.facebook.com/ docs/authentication/.
4. J. Bonneau. Measuring password re-use empirically, 2011. http://www.lightbluetouchpaper.org/2011/02/09/measuring-password-re-use- empirically/.
5. J. Bonneau, C. Herley, P. C. van Oorschot, and F. Stajano. The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, pages 553-567, May 2012.
6. M. Brian. Gawker media is compromised. the responsible parties reach out to tnw [updated], 2010. http://goo.gl/0SvCj.
7. D. Chappell. Introducing windows cardspace. http://msdn.microsoft.com/en- us/library/aa480189.aspx, April 2006.
8. S. Chiasson, P. C. van Oorschot, and R. Biddle. A usability study and critique of two password managers. In Proceedings of the 15th conference on USENIX Security Symposium - Volume 15, USENIX-SS'06, Berkeley, CA, USA, 2006. USENIX Association.
9. G. Cluley. 600,000+ compromised account logins every day on Facebook, official figures reveal, 2011. http://nakedsecurity.sophos.com/2011/10/28/ compromised-facebook-account-logins/.
10. A. Czeskis and D. Balfanz. Protected Login. In Proceedings of the Workshop on Usable Security (at the Financial Cryptography and Data Security Conference), March 2012.
11. T. Dierks and C. Allen. The TLS protocol, version 1.0. http://tools.ietf.org/html/rfc2246, Jan 1999.
12. T. Dierks and E. Rescorla. The transport layer security (TLS) protocol, version 1.2. http://tools.ietf.org/html/rfc5246, Aug 2008.
13. M. Dietz, A. Czeskis, D. Wallach, and D. Balfanz. Origin-bound certificates: A fresh approach to strong client authentication for the web. In Proc. 21st USENIX Security Symposium, 2012. Preprint obtained from authors.
14. S. Gaw and E. W. Felten. Password management strategies for online accounts. In Proc. SOUPS 2006, ACM Press, pages 44-55. ACM Press, 2006.
15. E. Grosse. Gmail account security in Iran, 2011. http:// googleonlinesecurity.blogspot.com/2011/09/gmail-account-security-in-iran.html.
16. J. A. Halderman, B. Waters, and E. W. Felten. A convenient method for securely managing passwords. In Proceedings of the 14th international conference on World Wide Web, WWW '05, pages 471-479, New York, NY, USA, 2005. ACM.
17. A. Langley. Protecting data for the long term with forward secrecy, 2011. http://goo.gl/YMpXy.
18. Mozilla. Location-aware browsing, 2012. http://www.mozilla.org/en-US/ firefox/geolocation/.
19. R. Oppliger, R. Hauser, and D. Basin. SSL/TLS session-aware user authentication-or how to effectively thwart the man-in-the-middle. Computer Communications, 29(12):2338-2246, 2006.
20. C. Palmer and C. Evans. Certificate Pinning via HSTS, 2011. http://www.ietf.org/mail-archive/web/websec/current/msg00505.html.
21. J. Prins. Interim report diginotar certificate authority breach "operation black tulip". Technical report, 2011. http://www. rijksoverheid.nl/bestanden/documenten-en-publicaties/rapporten/2011/09/05/ diginotar-public-report-version-1/rapport-fox-it-operation-black-tulip-v1-0.pdf.
22. D. Recordon and B. Fitzpatrick. OpenID authentication 1.1. http://openid.net/specs/openid-authentication-1-1.html, May 2008.
23. B. Ross, C. Jackson, N. Miyake, D. Boneh, and J. Mitchell. Stronger password authentication using browser extensions. In Proceedings of the 14th Usenix Security Symposium, 2005.
24. N. Sakimura, D. Bradley, B. de Mederiso, M. Jones, and E. Jay. OpenID connect standard 1.0 - draft 07. http://openid.net/specs/openid-connect- standard-1
25. F. Security. National Cybersecurity Awareness Month Updates, 2011. https://www.facebook.com/notes/facebook-security/national-cybersecurity- awareness-month-updates/10150335022240766.
26. P. Seybold. Sony's response to the u.s. house of representatives, 2011. http://goo.gl/YkXSv.
27. O. Source. Google Authenticator, 2012. https://code.google.com/p/google- authenticator/.
28. R. Vogelei. Bluetooth-Enabled Device Shipments Expected to Exceed 2 Billion in 2013, 2011. http://www.instat.com/press.asp?ID=3238&sku= IN1104968MI.
29. K.-P. Yee and K. Sitaker. Passpet: convenient password management and phishing protection. In Proceedings of the second symposium on Usable privacy and security, SOUPS '06, pages 32-43, New York, NY, USA, 2006. ACM.
30. K. Zetter. Security cavities ail bluetooth, 2004. http://www.wired.com/ politics/security/news/2004/08/64463.