The quest to replace passwords: A framework for comparative evaluation of web authentication schemes

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2012, Pages 553-567

  Bonneau, Joseph ^a   Herley, Cormac ^b   Van Oorschot, Paul C ^c   Stajano, Frank ^a  

^a UNIVERSITY OF CAMBRIDGE   (United Kingdom)

^b MICROSOFT RESEARCH   (United States)

^c CARLETON UNIVERSITY   (Canada)

Author keywords

authentication; computer security; deployability; economics; human computer interaction; security and usability; software engineering

Indexed keywords

AUTHENTICATION; SOFTWARE ENGINEERING;

AUTHENTICATION SCHEME; COMPARATIVE EVALUATIONS; DEPLOYABILITY; IDEAL SCHEMES; MANAGEMENT SOFTWARE; PASSWORD MANAGEMENT; SECURITY AND USABILITIES; TEXT PASSWORD; USER AUTHENTICATION; WEB AUTHENTICATION;

HUMAN COMPUTER INTERACTION;

EID: 84878353718     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2012.44     Document Type: Conference Paper

References (67)

1. J. Bonneau, C. Herley, P. C. van Oorschot, and F. Stajano, "The quest to replace passwords: A framework for comparative evaluation of web authentication schemes," University of Cambridge Computer Laboratory, Tech Report 817, 2012, www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.html.
2. R. Morris and K. Thompson, "Password security: a case history," Commun. ACM, vol. 22, no. 11, pp. 594-597, 1979.
3. A. Adams and M. Sasse, "Users Are Not The Enemy," Commun. ACM, vol. 42, no. 12, pp. 41-46, 1999.
4. C. Herley and P. C. van Oorschot, "A research agenda acknowledging the persistence of passwords," IEEE Security & Privacy, vol. 10, no. 1, pp. 28-36, 2012.
5. D. Florêncio and C. Herley, "One-Time Password Access to Any Server Without Changing the Server," ISC 2008, Taipei.
6. M. Mannan and P. C. van Oorschot, "Leveraging personal devices for stronger password authentication from untrusted computers," Journal of Computer Security, vol. 19, no. 4, pp. 703-750, 2011.
7. S. Chiasson, E. Stobert, A. Forget, R. Biddle, and P. C. van Oorschot, "Persuasive cued click-points: Design, implementation, and evaluation of a knowledge-based authentication mechanism," IEEE Trans. on Dependable and Secure Computing, vol. 9, no. 2, pp. 222-235, 2012.
8. F. Stajano, "Pico: No more passwords!" in Proc. Sec. Protocols Workshop 2011, ser. LNCS, vol. 7114. Springer.
9. L. O'Gorman, "Comparing passwords, tokens, and biometrics for user authentication," Proceedings of the IEEE, vol. 91, no. 12, pp. 2019-2040, December 2003.
10. K. Renaud, "Quantification of authentication mechanisms: a usability perspective," J. Web Eng., vol. 3, no. 2, pp. 95-123, 2004.
11. R. Biddle, S. Chiasson, and P. C. van Oorschot, "Graphical Passwords: Learning from the First Twelve Years," ACM Computing Surveys, vol. 44, no. 4, 2012.
12. J. Nielsen and R. Mack, Usability Inspection Methods. John Wiley & Sons, Inc, 1994.
13. J. Bonneau and S. Preibusch, "The password thicket: technical and market failures in human authentication on the web," in Proc. WEIS 2010, 2010.
14. J. Bonneau, "The science of guessing: analyzing an anonymized corpus of 70 million passwords," IEEE Symp. Security and Privacy, May 2012.
15. K. Fu, E. Sit, K. Smith, and N. Feamster, "Dos and don'ts of client authentication on the web," in Proc. USENIX Security Symposium, 2001.
16. D. Florêncio and C. Herley, "Where Do Security Policies Come From?" in ACM SOUPS 2010: Proc. 6th Symp. on Usable Privacy and Security.
17. L. Falk, A. Prakash, and K. Borders, "Analyzing websites for user-visible security design flaws," in ACM SOUPS 2008, pp. 117-126.
18. S. Gaw and E. W. Felten, "Password Management Strategies for Online Accounts," in ACM SOUPS 2006: Proc. 2nd Symp. on Usable Privacy and Security, pp. 44-55.
19. th International Conf. on the World Wide Web. ACM, 2007, pp. 657-666.
20. D. Balzarotti, M. Cova, and G. Vigna, "ClearShot: Eavesdropping on Keyboard Input from Video," in IEEE Symp. Security and Privacy, 2008, pp. 170-183.
21. B. Kaliski, RFC 2898: PKCS #5: Password-Based Cryptography Specification Version 2.0, IETF, September 2000.
22. Mozilla Firefox, ver. 10.0.2, www.mozilla.org/.
23. A. Pashalidis and C. J. Mitchell, "Impostor: A single signon system for use from untrusted devices," Proc. IEEE Globecom, 2004.
24. R. M. Needham and M. D. Schroeder, "Using encryption for authentication in large networks of computers," Commun. ACM, vol. 21, pp. 993-999, December 1978.
25. J. Kohl and C. Neuman, "The Kerberos Network Authentication Service (V5)," United States, 1993.
26. A. Pashalidis and C. J. Mitchell, "A Taxonomy of Single Sign-On Systems," in Proc. ACISP 2003, Information Security and Privacy, 8th Australasian Conference. Springer LNCS 2727, 2003, pp. 249-264.
27. D. Recordon and D. Reed, "OpenID 2.0: a platform for usercentric identity management," in DIM '06: Proc. 2nd ACM Workshop on Digital Identity Management, 2006, pp. 11-16.
28. S.-T. Sun, Y. Boshmaf, K. Hawkey, and K. Beznosov, "A billion keys, but few locks: the crisis of web single sign-on," Proc. NSPW 2010, pp. 61-72.
29. B. Laurie, "OpenID: Phishing Heaven," January 2007, www. links.org/?p=187.
30. R. Jhawar, P. Inglesant, N. Courtois, and M. A. Sasse, "Make mine a quadruple: Strengthening the security of graphical one-time pin authentication," in Proc. NSS 2011, pp. 81-88.
31. L. Lamport, "Password authentication with insecure communication," Commun. ACM, vol. 24, no. 11, pp. 770-772, 1981.
32. N. Haller and C. Metz, "RFC 1938: A One-Time Password System," 1998.
33. M. Kuhn, "OTPW - a one-time password login package," 1998, www.cl.cam.ac.uk/~mgk25/otpw.html.
34. RSA, "RSA SecurID Two-factor Authentication," 2011, www. rsa.com/products/securid/sb/10695-SIDTFA-SB-0210.pdf.
35. P. Bright, "RSA finally comes clean: SecurID is compromised," Jun. 2011, arstechnica.com/security/news/2011/06/rsa-finally-comes-clean- securid-is-compromised.ars.
36. B. Parno, C. Kuo, and A. Perrig, "Phoolproof Phishing Prevention," in Proc. Fin. Crypt. 2006, pp. 1-19.
37. A. K. Jain, A. Ross, and S. Pankanti, "Biometrics: a tool for information security," IEEE Transactions on Information Forensics and Security, vol. 1, no. 2, pp. 125-143, 2006.
38. A. Ross, J. Shah, and A. K. Jain, "From Template to Image: Reconstructing Fingerprints from Minutiae Points," IEEE Trans. Pattern Anal. Mach. Intell., vol. 29, no. 4, pp. 544-560, 2007. (Pubitemid 46464396)
39. J. Daugman, "How iris recognition works," IEEE Trans. Circuits Syst. Video Techn., vol. 14, no. 1, pp. 21-30, 2004.
40. P. S. Aleksic and A. K. Katsaggelos, "Audio-Visual Biometrics," Proc. of the IEEE, vol. 94, no. 11, pp. 2025-2044, 2006.
41. T. Matsumoto, H. Matsumoto, K. Yamada, and S. Hoshino, "Impact of artificial "gummy" fingers on fingerprint systems," in SPIE Conf. Series, vol. 4677, Apr. 2002, pp. 275-289. (Pubitemid 35229811)
42. LastPass, www.lastpass.com/.
43. D. P. Kormann and A. D. Rubin, "Risks of the Passport single signon protocol," Computer Networks, vol. 33, no. 1-6, 2000.
44. "Facebook Connect," 2011, www.facebook.com/advertising/? connect.
45. M. Hanson, D. Mills, and B. Adida, "Federated Browser-Based Identity using Email Addresses," W3C Workshop on Identity in the Browser, May 2011.
46. T. W. van der Horst and K. E. Seamons, "Simple Authentication for the Web," in Intl. Conf. on Security and Privacy in Communications Networks, 2007, pp. 473-482.
47. H. Tao, "Pass-Go, a New Graphical Password Scheme," Master's thesis, School of Information Technology and Engineering, University of Ottawa, June 2006.
48. D. Weinshall, "Cognitive Authentication Schemes Safe Against Spyware (Short Paper)," in IEEE Symposium on Security and Privacy, May 2006.
49. N. Hopper and M. Blum, "Secure human identification protocols," ASIACRYPT 2001, pp. 52-66, 2001.
50. S. Smith, "Authenticating users by word association," Computers & Security, vol. 6, no. 6, pp. 464-470, 1987.
51. A. Wiesmaier, M. Fischer, E. G. Karatsiolis, and M. Lippert, "Outflanking and securely using the PIN/TAN-System," CoRR, vol. cs.CR/0410025, 2004.
52. "PassWindow," 2011, www.passwindow.com.
53. Yubico, "The YubiKey Manual, v. 2.0," 2009, static.yubico.com/var/uploads/YubiKey-manual-2.0.pdf.
54. Ironkey, www.ironkey.com/internet-authentication.
55. S. Drimer, S. J. Murdoch, and R. Anderson, "Optimised to Fail: Card Readers for Online Banking," in Financial Cryptography and Data Security, 2009, pp. 184-200.
56. Cronto, www.cronto.com/.
57. Google Inc., "2-step verification: how it works," 2012, www.google.com/accounts.
58. S. Schechter, A. J. B. Brush, and S. Egelman, "It's no secret: Measuring the security and reliability of authentication via 'secret' questions," in IEEE Symp. Security and Privacy, 2009, pp. 375-390.
59. M. Jakobsson, L. Yang, and S. Wetzel, "Quantifying the Security of Preference-based Authentication," in ACM DIM 2008: 4th Workshop on Digital Identity Management.
60. J. Brainard, A. Juels, R. L. Rivest, M. Szydlo, and M. Yung, "Fourth-factor authentication: somebody you know," in ACM CCS 2006, pp. 168-178.
61. D. Weinshall, "Cognitive Authentication Schemes Safe Against Spyware," IEEE Symp. Security and Privacy, 2006.
62. P. Golle and D. Wagner, "Cryptanalysis of a Cognitive Authentication Scheme," IEEE Symp. Security and Privacy, 2007.
63. B. Coskun and C. Herley, "Can "Something You Know" be Saved?" ISC 2008, Taipei.
64. Q. Yan, J. Han, Y. Li, and H. Deng, "On limitations of designing usable leakage-resilient password systems: Attacks, principles and usability." Proc. NDSS, 2012.
65. H. Wimberly and L. M. Liebrock, "Using Fingerprint Authentication to Reduce System Security: An Empirical Study," in IEEE Symp. Security and Privacy, 2011, pp. 32-46.
66. J. Adams, "Risk and morality: three framing devices," in Risk and Morality, R. Ericson and A. Doyle, Eds. University of Toronto Press, 2003.
67. A. P. Felt, M. Finifter, E. Chin, S. Hanna, and D. Wagner, "A survey of mobile malware in the wild," in ACM SPSM 2011: 1st Workshop on Security and Privacy in Smartphones and Mobile Devices, pp. 3-14.