Date: March 2012
Publication: Workshop on Usable Security USEC '12
Source 1: http://infosecon.net/usec12/papers/czeskis-balfanz-usec12.pdf
Source 2: http://homes.cs.washington.edu/~aczeskis/research/pubs/protected-login.pdf
Abstract or Summary:
Despite known problems with their security and ease-of-use, passwords will likely continue to be the main form of web authentication for the foreseeable future. We define a certain class of password-based authentication protocols and call them protected login. Protected login mechanisms present reasonable security in the face of real-world threat models. We find that some websites already employ protected login mechanisms, but observe that they struggle to protect first logins from new devices – reducing usability and security. Armed with this insight, we make a recommendation for increasing the security of web authentication: reduce the number of unprotected logins, and in particular, offer opportunistic protection of first logins. We provide a sketch of a possible solution.