Securing Password Authentication for Web-based Applications

Autor:	Tan, Teik Guan, Szalachowski, Pawel, Zhou, Jianying
Rok vydání:	2020
Předmět:	Computer Science - Networking and Internet Architecture Computer Science - Cryptography and Security
Druh dokumentu:	Working Paper
Popis:	The use of passwords and the need to protect passwords are not going away. The majority of websites that require authentication continue to support password authentication. Even high-security applications such as Internet Banking portals, which deploy 2-factor authentication, rely on password authentication as one of the authentication factors. However phishing attacks continue to plague password-based authentication despite aggressive efforts in detection and takedown as well as comprehensive user awareness and training programs. There is currently no foolproof mechanism even for security-conscious websites to prevent users from being directed to fraudulent websites and having their passwords phished. In this paper, we apply a threat analysis on the web password login process, and uncover a design vulnerability in the HTML field. This vulnerability can be exploited for phishing attacks as the web authentication process is not end-to-end secured from each input password field to the web server. We identify four properties that encapsulate the requirements to stop web-based password phishing, and propose a secure protocol to be used with a new credential field that complies with the four properties. We further analyze the proposed protocol through an abuse-case evaluation, discuss various deployment issues, and also perform a test implementation to understand its data and execution overheads Comment: 23 pages, 1 figure
Databáze:	arXiv
Externí odkaz:	http://arxiv.org/abs/2011.06257 Zobrazit plný text záznamu View this record from Arxiv