Contributions to Web Authentication for Untrusted Computers
Authors
Abstract
Authentication methods offer varying levels of security. Methods with one-time credentials generated by dedicated hardware tokens can reach a high level of security, whereas password-based authentication methods have a low level of security since passwords can be eavesdropped and stolen by an attacker. Password-based methods are dominant in web authentication since they are both easy to implement and easy to use. Dedicated hardware, on the other hand, is not always available to the user, usually requires additional equipment and may be more complex to use than password-based authentication. Different services and applications on the web have different requirements for the security of authentication. Therefore, it is necessary for designers of authentication solutions to address this need for a range of security levels. Another concern is mobile users authenticating from unknown, and therefore untrusted, computers. This in turn raises issues of availability, since users need secure authentication to be available regardless of where they authenticate or which computer they use. We propose a method for the evaluation and design of web authentication solutions that takes into account a number of often overlooked design factors, i.e. availability, usability and economic aspects. Our proposed method uses the concept of security levels from the Electronic Authentication Guideline provided by NIST. We focus on the use of handheld devices, especially mobile phones, as a flexible, multipurpose (i.e. non-dedicated) hardware device for web authentication. Mobile phones offer unique advantages for secure authentication, as they are small, flexible and portable, and provide multiple data transfer channels. Phone designs, however, vary, and the choice of channels and authentication methods will influence the security level of authentication. It is not trivial to maintain a consistent overview of the strengths and weaknesses of the available alternatives.
Our evaluation and design method provides this overview and can help developers and users to compare and choose authentication solutions.
This work has been partially supported by ELLIIT.
List of Publications
Anna Vapen, David Byers and Nahid Shahmehri, “2-clickAuth Optical Challenge-Response Authentication,” in Fifth International Conference on Availability, Reliability and Security (ARES '10), Krakow, Poland, 15-18 Feb. 2010, pp. 79-86.
Anna Vapen and Nahid Shahmehri, “Security Levels for Web Authentication using Mobile Phones,” PrimeLife/IFIP Summer School, 2010. (Published in electronic pre-proceedings, distributed to summer school participants.)
Anna Vapen and Nahid Shahmehri, “Security Levels for Web Authentication using Mobile Phones,” Post-proceedings of PrimeLife/IFIP Summer School, 2010. (Published by Springer 2011.)
Anna Vapen and Nahid Shahmehri, “2-clickAuth Optical Challenge-Response Authentication using Mobile Handsets,” International Journal of Mobile Computing and Multimedia Communications (IJMCMC), vol. 3(2), pp. 1-18, April-June 2011.
Similar sources
Improving the Security and Robustness of Modern Web Browsers
Despite their popularity, modern web browsers do not offer a secure or robust environment for interacting with untrusted content. Today’s web users face a variety of threats, including exploits of browser vulnerabilities, interference between web sites, script injection attacks, and abuse of authentication credentials. To address these threats, I leverage an analogy between operating systems an...
A Secure, Peer-to-Peer File Locker System
We have built a secure, distributed, scalable, peer-to-peer file-locker system which enables users to mirror files of their choice in a decentralized "cloud" of individually untrusted commodity consumer computers, while still ensuring the integrity of replicated files by utilizing keyed-hash message authentication codes. Our system is cross-platform (it can be ported to any device which is capa...
Leveraging personal devices for stronger password authentication from untrusted computers
Internet authentication for popular end-user transactions, such as online banking and e-commerce, continues to be dominated by passwords entered through end-user personal computers (PCs). Most users continue to prefer (typically untrusted) PCs over smaller personal devices for actual transactions, due to usability features related to keyboard and screen size. However most such transact...
Static Binary Analysis And Transformation For Sandboxing Untrusted Plugins
of the Thesis Static Binary Analysis And Transformation For Sandboxing Untrusted Plugins by Prateek Saxena, Master of Science in Computer Science, Stony Brook University, 2007. Computers today have become an integral part of daily activities for users who rely on them as means of communication, financial management, entertainment, and business. Moreover, users today are depending increasingly on off...
The Untrusted Computer Problem and Camera-Based Authentication
The use of computers in public places is increasingly common in everyday life. In using one of these computers, a user is trusting it to correctly carry out her orders. For many transactions, particularly banking operations, blind trust in a public terminal will not satisfy most users. In this paper the aim is therefore to provide the user with authenticated communication between herself and a ...
Publication date: 2003