Painless Migration from Passwords to Two Factor Authentication
Authors: Ziqing Mao, Dinei Florencio, Cormac Herley

Date: November 29 2011
Publication: 2011 IEEE International Workshop on Information Forensics and Security
Page(s): 1 - 6
Publisher: IEEE

Abstract or Summary:
In spite of growing frequency and sophistication of attacks two factor authentication schemes have seen very limited adoption in the US, and passwords remain the single factor of authentication for most bank and brokerage accounts. Clearly the cost benefit analysis is not as strongly in favor of two factor as we might imagine. Upgrading from passwords to a two factor authentication system usually involves a large engineering effort, a discontinuity of user experience and a hard key management problem. In this paper we describe a system to convert a legacy password authentication server into a two factor system. The existing password system is untouched, but is cascaded with a new server that verifies possession of a smartphone device. No alteration, patching or updates to the legacy system is necessary. There are now two alternative authentication paths: one using passwords alone, and a second using passwords and possession of the trusted device. The bank can leave the password authentication path available while users migrate to the two factor scheme. Once migration is complete the password-only path can be severed. We have implemented the system and carried out two factor authentication against real accounts at several major banks.
