Related papers: Systematic Solutions to Login and Authentication Security Problems: A Dual-Password Login-Authentication Mechanism

Systematic Solutions to Login and Authentication Security Problems: A Dual-Password Login-Authentication Mechanism

URL: http://arxiv.org/abs/2404.01803v2
Date: Fri, 31 May 2024 07:45:35 GMT
Title: Systematic Solutions to Login and Authentication Security Problems: A Dual-Password Login-Authentication Mechanism
Authors: Suyun Borjigin,
Abstract summary: Credential theft and remote attacks are the most serious threats to user authentication mechanisms. We design a dual-password login-authentication mechanism, where a user-selected secret-free login password is converted into an untypable authentication password. The authenticatable functionality of the login password and the typable functionality of the authentication password can be disabled or invalidated to prevent credential theft and remote attacks.
Score: 0.0
License: http://creativecommons.org/licenses/by-nc-nd/4.0/
Abstract: Credential theft and remote attacks are the most serious threats to user authentication mechanisms. The crux of these problems is that we cannot control such behaviors. However, if a password does not contain user secrets, stealing it is useless. If unauthorized inputs are invalidated, remote attacks can be disabled. Thus, credential secrets and account input fields can be controlled. Rather than encrypting passwords, we design a dual-password login-authentication mechanism, where a user-selected secret-free login password is converted into an untypable authentication password. Subsequently, the authenticatable functionality of the login password and the typable functionality of the authentication password can be disabled or invalidated to prevent credential theft and remote attacks. Thus, the usability-security tradeoff and password reuse issues are resolved; local authentication password storage is no longer necessary. More importantly, the password converter acts as an open hashing algorithm, meaning that its intermediate elements can be used to define a truly unique identity for the login process to implement a novel dual-identity authentication scheme. In particular, the system-managed elements are concealed, inaccessible, and independent of any personal information and therefore can be used to define a perfect unforgeable process identifier to identify unauthorized inputs.

Related papers

An Alternative to Multi-Factor Authentication with a Triple-Identity Authentication Scheme [0.0]
A dual-password login-authentication system has two entry points (i.e., username and password fields) to interact with the outside. No identifiers can be defined for the username and password without using any personal information. A triple-identity authentication is established, the key of which is that the readily available user's login name and password are randomly converted into a matrix of meaningless hash elements.
arXiv Detail & Related papers (2024-07-28T10:27:35Z)
Nudging Users to Change Breached Passwords Using the Protection Motivation Theory [58.87688846800743]
We draw on the Protection Motivation Theory (PMT) to design nudges that encourage users to change breached passwords. Our study contributes to PMT's application in security research and provides concrete design implications for improving compromised credential notifications.
arXiv Detail & Related papers (2024-05-24T07:51:15Z)
A Novel Protocol Using Captive Portals for FIDO2 Network Authentication [45.84205238554709]
We introduce FIDO2CAP: FIDO2 Captive-portal Authentication Protocol. We develop a prototype of FIDO2CAP authentication in a mock scenario. This work makes the first systematic approach for adapting network authentication to the new authentication paradigm relying on FIDO2 authentication.
arXiv Detail & Related papers (2024-02-20T09:55:20Z)
Passwords Are Meant to Be Secret: A Practical Secure Password Entry Channel for Web Browsers [7.049738935364298]
Malicious client-side scripts and browser extensions can steal passwords after they have been autofilled by the manager into the web page. This paper explores what role the password manager can take in preventing the theft of autofilled credentials without requiring a change to user behavior.
arXiv Detail & Related papers (2024-02-09T03:21:14Z)
A Review of Password-less User Authentication Schemes [0.0]
Review examines password-less authentication schemes that have been proposed since after the death knell was placed on passwords in 2004. We evaluate the truly password-less and practical schemes based on their impact on user experience, overall security, and ease of deployment.
arXiv Detail & Related papers (2023-12-05T15:57:40Z)
Tamper-Evident Pairing [55.2480439325792]
Tamper-Evident Pairing (TEP) is an improvement of the Push-Button configuration (PBC) standard. TEP relies on the Tamper-Evident Announcement (TEA), which guarantees that an adversary can neither tamper a transmitted message without being detected, nor hide the fact that the message has been sent. This paper provides a comprehensive overview of the TEP protocol, including all information needed to understand how it works.
arXiv Detail & Related papers (2023-11-24T18:54:00Z)
ROSTAM: A Passwordless Web Single Sign-on Solution Mitigating Server Breaches and Integrating Credential Manager and Federated Identity Systems [0.0]
We envision a passwordless future which provides a frictionless and trustworthy online experience for users by integrating credential management and federated identity systems. In this regard, our implementation ROSTAM offers a dashboard that presents all applications the user can access with a single click after a passwordless SSO. The security of web passwords on the credential manager is ensured with a Master Key, rather than a Master Password, so that encrypted passwords can remain secure even if stolen from the server.
arXiv Detail & Related papers (2023-10-08T16:41:04Z)
PassGPT: Password Modeling and (Guided) Generation with Large Language Models [59.11160990637616]
We present PassGPT, a large language model trained on password leaks for password generation. We also introduce the concept of guided password generation, where we leverage PassGPT sampling procedure to generate passwords matching arbitrary constraints.
arXiv Detail & Related papers (2023-06-02T13:49:53Z)
Accountable authentication with privacy protection: The Larch system for universal login [6.227269392905129]
larch is an accountable authentication framework with strong security and privacy properties. We implement larch for FIDO2, TOTP, and password-based login. Given a client with four cores and a log server with eight cores, an authentication with larch takes 150ms for FIDO2, 91ms for TOTP, and 74ms for passwords.
arXiv Detail & Related papers (2023-05-30T17:31:11Z)
RiDDLE: Reversible and Diversified De-identification with Latent Encryptor [57.66174700276893]
This work presents RiDDLE, short for Reversible and Diversified De-identification with Latent Encryptor. Built upon a pre-learned StyleGAN2 generator, RiDDLE manages to encrypt and decrypt the facial identity within the latent space.
arXiv Detail & Related papers (2023-03-09T11:03:52Z)
Skeptic: Automatic, Justified and Privacy-Preserving Password Composition Policy Selection [44.040106718326605]
The choice of password composition policy to enforce on a password-protected system represents a critical security decision. In practice, this choice is not usually rigorous or justifiable, with a tendency for system administrators to choose password composition policies based on intuition alone. We propose a novel methodology that draws on password probability distributions constructed from large sets of real-world password data.
arXiv Detail & Related papers (2020-07-07T22:12:13Z)

This list is automatically generated from the titles and abstracts of the papers in this site.