In the quest to replace passwords, this study evaluates 35 password replacement schemes to address issues like server security and user inconvenience. The framework rates each scheme based on 25 properties covering usability, deployability, and security benefits. The study categorizes benefits like memory efficiency, accessibility, and resistance to observation-based attacks. Pros and cons are thoroughly analyzed to assess the suitability of each scheme, focusing on user authentication on various devices. The goal is to find a secure, user-friendly alternative to traditional passwords.
The Quest to Replace Passwords By Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, Frank Stajano
Introduction
• At present, passwords play the dominant role in end-user authentication.
• The issues commonly encountered are:
  • Though web technology is evolving, passwords stubbornly survive and reproduce with each web site.
  • They have server security issues.
  • They are openly hated because of the inconvenience of using them.
• To address the issues of passwords, many security researchers came up with alternative authentication schemes.
• Several authentication schemes have been invented as replacements for passwords. To name a few categories:
  • Password management software
  • Federated login protocols
  • Graphical password schemes
  • Cognitive authentication schemes
  • Hardware tokens
  • One-time passwords
  • Phone-aided schemes, etc.
• To evaluate all these schemes, a standard benchmark and framework is introduced with 25 properties for analyzing the wide spectrum of benefits they offer when compared to text passwords.
• To rate the pros and cons of each scheme, this framework is applied to 35 password replacement schemes.
• The main focus in the rating process is user authentication on the web, specifically from client devices like PCs to remote verifiers. That means human-to-machine authentication, not machine-to-machine.
Benefits
• The benefits of each scheme to be considered are placed under three categories:
  • Usability Benefits
  • Deployability Benefits
  • Security Benefits
• Usability Benefits (Total 8)
  • Memorywise-Effortless
    • Quasi-Memorywise-Effortless (if the user has to remember one secret for everything)
  • Scalable-for-Users
    • Using the same scheme for hundreds of accounts does not increase the burden on the user.
    • This is from the user's cognitive load perspective, not the system resource perspective.
  • Nothing-to-Carry (no need to carry a physical object, including a piece of paper)
    • Quasi-Nothing-to-Carry (for devices that are carried everywhere all the time, e.g. a mobile phone)
  • Physically-Effortless (no physical user effort beyond, say, pressing a button)
    • Quasi-Physically-Effortless (if the user's effort is limited to speaking)
  • Easy-to-Learn (easy to learn and easy to recall without too much trouble)
  • Efficient-to-Use (the time spent on each authentication is short)
  • Infrequent-Errors (reliable, with no regular rejections of genuine users)
  • Easy-Recovery-from-Loss (low latency before access is restored, low user inconvenience, assurance of recovery)
• Deployability Benefits (Total 4)
  • Accessible (use is not prevented by disabilities or other physical conditions)
  • Negligible-Cost-per-User (the sum of the cost per user at the prover's end and at the verifier's end is negligible)
  • Server-Compatible (at the verifier's end the scheme is compatible with text-based passwords, so the existing authentication setup need not change)
  • Browser-Compatible (no change to the client machine beyond an up-to-date, standards-compliant web browser with no additional plugins)
    • Quasi-Browser-Compatible (if it relies on non-standard but very common plugins, e.g. Flash)
Benefits (continued)
• Mature (decided based on the following factors)
  • Implemented and deployed on a large scale
  • Has undergone user testing
  • Whether the standards community has published related documents
  • Whether any open source project is implementing this scheme
  • Whether any third party has adopted the scheme
  • Amount of literature on this scheme
• Non-Proprietary
  • No royalties to be paid for usage for any purpose
  • Published openly and not protected by patents or trade secrets
• Security Benefits (Total 11)
  • Resilient-to-Physical-Observation
    • An attacker cannot impersonate a user after observing the authentication one or more times.
    • Attacks include shoulder surfing, filming the keyboard, recording keystroke sounds, or thermal imaging of the keypad.
    • Quasi-Resilient-to-Physical-Observation: if the scheme can only be broken by observing more than, say, 10-20 times.
  • Resilient-to-Targeted-Impersonation
    • An attacker cannot impersonate a specific user by exploiting knowledge of personal details (birth date, names of relatives, etc.).
  • Resilient-to-Throttled-Guessing
    • Resists an attacker whose rate of guessing is constrained by the verifier.
    • The throttling mechanism can be enforced by an online server or a tamper-resistant chip.
  • Resilient-to-Unthrottled-Guessing
    • Resists an attacker whose guessing rate is constrained only by the available computing resources.
  • Resilient-to-Internal-Observation
    • An attacker cannot impersonate a user by intercepting the user's input from inside the user's device (e.g., by key-logging malware).
    • Nor by eavesdropping on the clear-text communication between prover and verifier (assuming the attacker can also defeat TLS if it is used, perhaps through the CA).
Benefits (continued)
  • Resilient-to-Internal-Observation (continued)
    • Hardware devices dedicated exclusively to the scheme can be made malware-free, though personal computers and mobile phones may contain malware.
    • Quasi-Resilient-to-Internal-Observation: if the scheme can only be broken by intercepting or eavesdropping more than, say, 10-20 times.
  • Resilient-to-Leaks-from-Other-Verifiers
    • Nothing that a verifier could possibly leak can help an attacker impersonate the user to another verifier.
  • Resilient-to-Phishing
    • An attacker who simulates a valid verifier (including by DNS manipulation) cannot collect credentials that can later be used to impersonate the user to the actual verifier.
  • Resilient-to-Theft
    • If the scheme uses a physical object for authentication, the object cannot be used by another person who gains possession of it.
    • Quasi-Resilient-to-Theft: if the protection is achieved only with the modest strength of a PIN.
  • No-Trusted-Third-Party
    • The scheme does not rely on a trusted third party (other than the prover and the verifier).
  • Requiring-Explicit-Consent
    • The authentication process cannot be started without the explicit consent of the user.
    • This is both a security and a privacy feature.
  • Unlinkable
    • This is a privacy feature.
    • Colluding verifiers cannot determine, from the authenticator alone, whether the same user is authenticating to both.
Evaluation of Schemes with ratings
• Legacy passwords: score highly on deployability.
• Encrypted password managers (Mozilla Firefox): score highly on deployability.
• Proxy-based: URRSA
• Federated Single Sign-On: OpenID (favorable from the deployment point of view)
• Graphical passwords: Persuasive Cued Click-Points (PCCP)
• Cognitive authentication: GrIDsure
• Paper tokens: OTPW
• Hardware tokens: RSA SecurID
• Mobile phone-based: Phoolproof
• Biometrics: fingerprint recognition
Conclusion
• No scheme that was examined is perfect, or even comes close to a perfect score.
• The incumbent (traditional passwords) achieves all benefits on deployability.
• Not a single scheme is dominant over passwords.
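The claim that no scheme dominates passwords is a Pareto-style comparison over the ratings table: a candidate dominates the incumbent only if it is rated at least as well on every property and strictly better on at least one, with a "quasi" rating counting as partial credit. The Python below is an added example, not code from the paper or these slides. The property subset and the rating rows for the three schemes are constructed illustrations (only the "Passwords" row follows the slides' statement that the incumbent gets every deployability benefit); they are not the paper's published table.

```python
# Added example: Pareto-dominance check over a UDS-style ratings table.
# The ratings are CONSTRUCTED illustrations for a subset of the 25
# properties, not the paper's actual evaluation.

FULL, QUASI, NONE = 2, 1, 0  # benefit offered / partially offered / not offered

# Subset of the properties, grouped into the framework's three categories.
CATEGORIES = {
    "usability": ["Memorywise-Effortless", "Scalable-for-Users",
                  "Nothing-to-Carry", "Easy-to-Learn", "Efficient-to-Use"],
    "deployability": ["Accessible", "Negligible-Cost-per-User",
                      "Server-Compatible", "Browser-Compatible",
                      "Mature", "Non-Proprietary"],
    "security": ["Resilient-to-Physical-Observation",
                 "Resilient-to-Throttled-Guessing",
                 "Resilient-to-Unthrottled-Guessing",
                 "Resilient-to-Internal-Observation",
                 "Resilient-to-Phishing", "Resilient-to-Theft",
                 "No-Trusted-Third-Party"],
}
PROPERTIES = [p for group in CATEGORIES.values() for p in group]


def _rate(full=(), quasi=()):
    """Build one rating row: listed properties FULL or QUASI, the rest NONE."""
    row = {p: NONE for p in PROPERTIES}
    row.update({p: FULL for p in full})
    row.update({p: QUASI for p in quasi})
    return row


# Constructed ratings. "Passwords" gets every deployability benefit, as the
# slides state; the other two rows are illustrative only.
RATINGS = {
    "Passwords": _rate(
        full=["Nothing-to-Carry", "Easy-to-Learn", "Efficient-to-Use",
              "Resilient-to-Theft", "No-Trusted-Third-Party"]
        + CATEGORIES["deployability"]),
    "Hardware token (constructed)": _rate(
        full=["Memorywise-Effortless", "Easy-to-Learn", "Efficient-to-Use",
              "Accessible", "Browser-Compatible", "Mature",
              "Resilient-to-Physical-Observation",
              "Resilient-to-Throttled-Guessing",
              "Resilient-to-Unthrottled-Guessing", "Resilient-to-Phishing"],
        quasi=["Resilient-to-Internal-Observation"]),
    "Password manager (constructed)": _rate(
        full=["Scalable-for-Users", "Easy-to-Learn", "Efficient-to-Use",
              "Accessible", "Negligible-Cost-per-User", "Server-Compatible",
              "Browser-Compatible", "Mature", "Non-Proprietary",
              "Resilient-to-Phishing", "No-Trusted-Third-Party"],
        quasi=["Memorywise-Effortless", "Nothing-to-Carry"]),
}


def dominates(a, b, ratings=RATINGS):
    """True if scheme a is rated no worse than b on every property and
    strictly better on at least one (Pareto dominance over the table)."""
    ra, rb = ratings[a], ratings[b]
    no_worse = all(ra[p] >= rb[p] for p in PROPERTIES)
    better = any(ra[p] > rb[p] for p in PROPERTIES)
    return no_worse and better


def schemes_dominating(target, ratings=RATINGS):
    """Every scheme in the table that dominates `target`."""
    return [s for s in ratings if s != target and dominates(s, target, ratings)]


def lost_benefits(candidate, incumbent="Passwords", ratings=RATINGS):
    """Properties on which the candidate is rated worse than the incumbent:
    the trade-off a deployer would have to accept to switch."""
    return [p for p in PROPERTIES
            if ratings[candidate][p] < ratings[incumbent][p]]


def benefit_counts(scheme, ratings=RATINGS):
    """Per-category (full, quasi) counts, the way a ratings table is read."""
    row = ratings[scheme]
    return {cat: (sum(row[p] == FULL for p in props),
                  sum(row[p] == QUASI for p in props))
            for cat, props in CATEGORIES.items()}


if __name__ == "__main__":
    for scheme in RATINGS:
        print(scheme, benefit_counts(scheme),
              "loses vs passwords:", lost_benefits(scheme))
    print("schemes dominating passwords:", schemes_dominating("Passwords"))
```

Run as a script, the block prints each scheme's per-category counts and the benefits it gives up relative to passwords, then the (empty) list of schemes that dominate the incumbent. `lost_benefits` is the practically useful output: it names the concrete property (here Nothing-to-Carry for the token, Nothing-to-Carry and Resilient-to-Theft for the manager) that blocks dominance, which is exactly the trade-off the slides' conclusion is about.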