SAuth: Protecting User Accounts from Password Database Leaks
Date: December 2013
Publication: 20th ACM Conference on Computer and Communications Security, CCS 2013
Source 1: http://www.cs.columbia.edu/~kontaxis/papers/sauth.ccs13.pdf
Source 2: http://users.ics.forth.gr/~elathan/papers/ccs13.pdf
Source 3: http://www.cs.stevens.edu/~gportoka/files/sauth_ccs13.pdf
Abstract or Summary:
Password-based authentication is the dominant form of access control in web services. Unfortunately, it proves to be more and more inadequate every year. Even if users choose long and complex passwords, vulnerabilities in the way they are managed by a service may leak them to an attacker. Recent incidents in popular services such as LinkedIn and Twitter demonstrate the impact that such an event could have. The use of one-way hash functions to mitigate the problem is countered by the evolution of hardware which enables powerful password-cracking platforms.
In this paper we propose SAuth, a protocol which employs authentication synergy among different services. Users wishing to access their account on service S will also have to authenticate for their account on service V, which acts as a vouching party. Both services S and V are regular sites visited by the user everyday (e.g., Twitter, Facebook, Gmail). Should an attacker acquire the password for service S he will be unable to log in unless he also compromises the password for service V and possibly more vouching services. SAuth is an extension and not a replacement of existing authentication methods. It operates one layer above without ties to a specic method, thus enabling different services to employ heterogeneous systems. Finally we employ password decoys to protect users that share a password across services.
Do you have additional information to contribute regarding this research paper? If so, please email firstname.lastname@example.org with the details.