Passwords continue to dominate the authentication landscape. In 2012, Bonneau et al. analyzed a broad collection of web authentication schemes designed to replace passwords and showed that passwords offer a combination of usability, security, and deployability that the alternatives have not matched and that has proven difficult to supplant. For these reasons, we believe that research enhancing the security of password-based authentication is important while we wait for a scheme that can finally replace passwords.
Our research in this area falls into two categories. First, we are exploring strong password protocols. To this end, we have begun research into password authenticated key exchange (PAKE). We have created a formal proof of the Secure Remote Password protocol (SRP). We are working on an elliptic curve instantiation of this protocol, making it suitable for more constrained environments. We are also working on three-party variants that are efficient, secure, privacy preserving, and provide incentives to all parties.
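To make the PAKE property concrete, here is an added example (not the lab's code, and not the proved protocol artifact the paragraph refers to) of the SRP-6a exchange in Python, with both the client and server sides, the enrolment step, and a wrong-password run. It uses the 1024-bit group from RFC 5054 (transcribed here; the code checks that N is a safe prime) and SHA-256 in place of RFC 5054's SHA-1; the function names `register`, `client_start`, `server_start`, `client_finish`, `server_finish` and `run_exchange` are this example's own. The point to observe is that the server stores only a salt and a verifier, never the password, and that a wrong password yields nothing more than a rejected proof M1.

```python
import hashlib
import hmac
import secrets

# RFC 5054 1024-bit SRP group, transcribed here (is_probable_prime below lets a
# caller confirm N and (N-1)/2 are prime). Deployments should use the 2048-bit
# or larger groups from the same RFC; the math is identical.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8   # 128 bytes

def pad(n: int) -> bytes:
    """Left-pad an integer to the byte length of N (RFC 5054's PAD())."""
    return n.to_bytes(N_LEN, "big")

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def H_int(*parts: bytes) -> int:
    return int.from_bytes(H(*parts), "big")

k = H_int(pad(N), pad(g))                                   # SRP-6a multiplier
HXOR = bytes(p ^ q for p, q in zip(H(pad(N)), H(pad(g))))   # H(N) xor H(g), used in M1

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; only used to sanity-check the transcribed group."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def private_x(salt: bytes, username: str, password: str) -> int:
    return H_int(salt, H(username.encode() + b":" + password.encode()))

def register(username: str, password: str):
    """Enrolment: the server stores (salt, verifier v = g^x), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, username, password), N)

def client_start():
    a = secrets.randbits(256)
    return a, pow(g, a, N)                      # client sends I, A

def server_start(v: int):
    b = secrets.randbits(256)
    return b, (k * v + pow(g, b, N)) % N        # server sends salt, B

def client_finish(username, password, salt, a, A, B):
    """Client derives the session key K and the proof M1 from its password."""
    if B % N == 0:
        raise ValueError("invalid B from server")
    u = H_int(pad(A), pad(B))
    if u == 0:
        raise ValueError("u == 0; abort")
    x = private_x(salt, username, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)   # (g^b)^(a + u*x)
    K = H(pad(S))
    M1 = H(HXOR, H(username.encode()), salt, pad(A), pad(B), K)
    return K, M1

def server_finish(username, salt, v, b, A, B, M1):
    """Server checks M1 against the stored verifier; returns (K, M2) or None."""
    if A % N == 0:
        raise ValueError("invalid A from client")
    u = H_int(pad(A), pad(B))
    S = pow(A * pow(v, u, N) % N, b, N)                 # (g^a * g^(u*x))^b
    K = H(pad(S))
    expected = H(HXOR, H(username.encode()), salt, pad(A), pad(B), K)
    if not hmac.compare_digest(expected, M1):
        return None                 # wrong password or tampered values: no key
    return K, H(pad(A), M1, K)      # M2 proves the server holds v

def run_exchange(username, registered_pw, typed_pw):
    """Full round trip. Returns (server_accepted, client_accepted, keys_match)."""
    salt, v = register(username, registered_pw)
    a, A = client_start()
    b, B = server_start(v)
    K_c, M1 = client_finish(username, typed_pw, salt, a, A, B)
    result = server_finish(username, salt, v, b, A, B, M1)
    if result is None:
        return False, False, False
    K_s, M2 = result
    client_ok = hmac.compare_digest(M2, H(pad(A), M1, K_c))
    return True, client_ok, K_c == K_s

if __name__ == "__main__":
    print(run_exchange("alice", "correct horse", "correct horse"))
    print(run_exchange("alice", "correct horse", "wrong horse"))
```

Both sides arrive at the same S because B - k*v equals g^b, so the client computes (g^b)^(a+ux) while the server computes (g^a * g^(ux))^b. Nothing password-derived crosses the wire except the proof M1, which is keyed by the session key, which is why a phishing site that only sees the transcript learns nothing it can replay; the second paragraph of the page explains why this guarantee still depends on the user actually entering the password into an SRP-speaking interface.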
The second area of focus is safe password entry. While strong password protocols can protect passwords from phishing, they are ineffectual if an attacker can trick a user into entering a password into an interface that does not use a strong password protocol. In this area, we are preparing research that will examine the current state of the art (e.g., Dynamic Security Skins). Based on the results of these studies, we plan to design systems that enable safe password entry and to validate them with user studies.
S. Ruoti, B. Roberts, K. Seamons. Authentication Melee: A Usability Analysis of Seven Web Authentication Systems. 24th Annual International Conference on World Wide Web (WWW 2015), Florence, Italy, May 2015. [Presentation]
T. W. van der Horst and K. E. Seamons. pwdArmor: Protecting Conventional Password-based Authentications. 24th Annual Computer Security Applications Conference (ACSAC 2008), Anaheim, CA, December 2008. [Presentation]
A. Harding, T. W. van der Horst, and K. E. Seamons. Wireless Authentication using Remote Passwords. 1st ACM Conference on Wireless Network Security (WiSec), Alexandria, VA, March 2008.
T. W. van der Horst and K. E. Seamons. Simple Authentication for the Web. 3rd International Conference on Security and Privacy in Communication Networks, Nice, France, September 2007. [Presentation]
S. Ruoti, B. Roberts, K. Seamons. Authentication Melee: A Usability Analysis of Seven Web Authentication Systems, Poster Session at the Symposium on Usable Privacy and Security (SOUPS 2015). Montreal, Canada, 2015. Distinguished Poster Award. [Poster]
T. van der Horst, and K. Seamons. Simple Authentication for the Web. Poster Session at the International World Wide Web Conference (WWW2007), Banff, Alberta, Canada, May 2007.
Scott Ruoti. Authentication Melee: A Usability Analysis of Seven Web Authentication Systems. December 2014.
Pavan Vankamamidi. Proofs of Correctness for Three Decentralized Authentication Protocols Using Strand Spaces. June 2011.
Andrew Harding. Wireless Authentication using Remote Passwords (WARP). January 2008.