Accountable authentication with privacy protection: The Larch system for universal login

• URL: http://arxiv.org/abs/2305.19241v8
• Date: Mon, 23 Sep 2024 16:11:02 GMT
• Title: Accountable authentication with privacy protection: The Larch system for universal login
• Authors: Emma Dauterman, Danny Lin, Henry Corrigan-Gibbs, David Mazières,
• Abstract summary: larch is an accountable authentication framework with strong security and privacy properties. We implement larch for FIDO2, TOTP, and password-based login. Given a client with four cores and a log server with eight cores, an authentication with larch takes 150ms for FIDO2, 91ms for TOTP, and 74ms for passwords.
• Score: 6.227269392905129
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: Credential compromise is hard to detect and hard to mitigate. To address this problem, we present larch, an accountable authentication framework with strong security and privacy properties. Larch protects user privacy while ensuring that the larch log server correctly records every authentication. Specifically, an attacker who compromises a user's device cannot authenticate without creating evidence in the log, and the log cannot learn which web service (relying party) the user is authenticating to. To enable fast adoption, larch is backwards-compatible with relying parties that support FIDO2, TOTP, and password-based login. Furthermore, larch does not degrade the security and privacy a user already expects: the log server cannot authenticate on behalf of a user, and larch does not allow relying parties to link a user across accounts. We implement larch for FIDO2, TOTP, and password-based login. Given a client with four cores and a log server with eight cores, an authentication with larch takes 150ms for FIDO2, 91ms for TOTP, and 74ms for passwords (excluding preprocessing, which takes 1.23s for TOTP).

Related papers

• SudoLM: Learning Access Control of Parametric Knowledge with Authorization Alignment [51.287157951953226]
  We propose SudoLM, a framework that lets LLMs learn access control over specific parametric knowledge. Experiments on two application scenarios demonstrate that SudoLM effectively controls the user's access to the parametric knowledge and maintains its general utility.
  arXiv  Detail & Related papers  (2024-10-18T17:59:51Z)
• An Alternative to Multi-Factor Authentication with a Triple-Identity Authentication Scheme [0.0]
  A dual-password login-authentication system has two entry points (i.e., username and password fields) to interact with the outside. No identifiers can be defined for the username and password without using any personal information. A triple-identity authentication is established, the key of which is that the readily available user's login name and password are randomly converted into a matrix of meaningless hash elements.
  arXiv  Detail & Related papers  (2024-07-28T10:27:35Z)
• Nudging Users to Change Breached Passwords Using the Protection Motivation Theory [58.87688846800743]
  We draw on the Protection Motivation Theory (PMT) to design nudges that encourage users to change breached passwords. Our study contributes to PMT's application in security research and provides concrete design implications for improving compromised credential notifications.
  arXiv  Detail & Related papers  (2024-05-24T07:51:15Z)
• Systematic Solutions to Login and Authentication Security Problems: A Dual-Password Login-Authentication Mechanism [0.0]
  Credential theft and remote attacks are the most serious threats to user authentication mechanisms. We design a dual-password login-authentication mechanism, where a user-selected secret-free login password is converted into an untypable authentication password. The authenticatable functionality of the login password and the typable functionality of the authentication password can be disabled or invalidated to prevent credential theft and remote attacks.
  arXiv  Detail & Related papers  (2024-04-02T10:05:47Z)
• Evaluating the Influence of Multi-Factor Authentication and Recovery Settings on the Security and Accessibility of User Accounts [0.0]
  This paper presents a study on the account settings of Google and Apple users. Considering the multi-factor authentication configuration and recovery options, we analyzed the account security and lock-out risks. Our results provide insights into the usage of multi-factor authentication in practice, show significant security differences between Google and Apple accounts, and reveal that many users would miss access to their accounts when losing a single authentication device.
  arXiv  Detail & Related papers  (2024-03-22T10:05:37Z)
• A Novel Protocol Using Captive Portals for FIDO2 Network Authentication [45.84205238554709]
  We introduce FIDO2CAP: FIDO2 Captive-portal Authentication Protocol. We develop a prototype of FIDO2CAP authentication in a mock scenario. This work makes the first systematic approach for adapting network authentication to the new authentication paradigm relying on FIDO2 authentication.
  arXiv  Detail & Related papers  (2024-02-20T09:55:20Z)
• Tamper-Evident Pairing [55.2480439325792]
  Tamper-Evident Pairing (TEP) is an improvement of the Push-Button configuration (PBC) standard. TEP relies on the Tamper-Evident Announcement (TEA), which guarantees that an adversary can neither tamper a transmitted message without being detected, nor hide the fact that the message has been sent. This paper provides a comprehensive overview of the TEP protocol, including all information needed to understand how it works.
  arXiv  Detail & Related papers  (2023-11-24T18:54:00Z)
• ROSTAM: A Passwordless Web Single Sign-on Solution Mitigating Server Breaches and Integrating Credential Manager and Federated Identity Systems [0.0]
  We envision a passwordless future which provides a frictionless and trustworthy online experience for users by integrating credential management and federated identity systems. In this regard, our implementation ROSTAM offers a dashboard that presents all applications the user can access with a single click after a passwordless SSO. The security of web passwords on the credential manager is ensured with a Master Key, rather than a Master Password, so that encrypted passwords can remain secure even if stolen from the server.
  arXiv  Detail & Related papers  (2023-10-08T16:41:04Z)
• SyzTrust: State-aware Fuzzing on Trusted OS Designed for IoT Devices [67.65883495888258]
  We present SyzTrust, the first state-aware fuzzing framework for vetting the security of resource-limited Trusted OSes. SyzTrust adopts a hardware-assisted framework to enable fuzzing Trusted OSes directly on IoT devices. We evaluate SyzTrust on Trusted OSes from three major vendors: Samsung, Tsinglink Cloud, and Ali Cloud.
  arXiv  Detail & Related papers  (2023-09-26T08:11:38Z)
• Secure access system using signature verification over tablet PC [62.21072852729544]
  We describe a highly versatile and scalable prototype for Web-based secure access using signature verification. The proposed architecture can be easily extended to work with different kinds of sensors and large-scale databases.
  arXiv  Detail & Related papers  (2023-01-11T11:05:47Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.