Users frequently reuse their passwords when authenticating to various online services. Combined with the use of weak passwords or honeypot/phishing attacks, this brings high risks to the security of the user’s account information. We created several protocols that can allow a user to use a single password to authenticate to multiple services securely. All our constructions provably protect the user from dictionary attacks on the password, and cross-site impersonation or honeypot attacks by the online service providers.
Our solutions assume the user has access to either an untrusted online cloud storage service, or a mobile storage device that is trusted until stolen. We also consider schemes that oprovide anonymity and unlinkability of the user’s actions. We do not assume existence of synchronization, tamper resistance, special or expensive hardware, or extensive cryptographic capabilities of the mobile device. Most importantly, the user’s password remains secure even after the mobile device is stolen.
Our constructions are relatively easy to deploy, especially if a few single sign-on services (e.g., Microsoft, Google, Facebook) adopt our proposal.
- Tolga Acar, Mira Belenkiy, Alptekin Küpçü, "Single Password Authentication", Elsevier Computer Networks Journal, Volume 57, Issue 13, Pages 2597–2614, 9 September 2013, doi:10.1016/j.comnet.2013.05.007.
- Patent granted: US12755426.
We are grateful for the support from the Royal Society Newton Advanced Fellowship.