
auth.js: Advanced Authentication for the Web

  • Conference paper
Emerging Technologies for Authorization and Authentication (ETAA 2020)

Abstract

Several research works attempt to replace simple authentication schemes, in which the server stores a cryptographic digest of the plaintext password, with more elaborate ones such as PAKE-based protocols. In practice, however, only a very small number of web applications use such schemes, perhaps because of the complexity of the cryptography involved. Today, even the most successful web applications use text-based passwords that are simply hashed and stored at the server. This has broad implications for both the service and the user: the user must reveal the plaintext password to the service both when registering and on every authentication.

In this paper, we attempt to make it easier for any web service to a) enable advanced authentication schemes and b) switch from one scheme to another. More precisely, we design and realize auth.js, a framework that allows a web application to offer advanced authentication based on more sophisticated techniques than cryptographically hashed text-based passwords. auth.js can be enabled in any web application and supports traditional passwords; once enabled, switching to a more elaborate scheme is straightforward. auth.js leverages advanced cryptographic primitives that can be used to implement strong authentication, such as PAKE and similar solutions, while ensuring that all cryptographic primitives are trusted and executed by the browser's engine. For this, we extend Mozilla Crypto with additional primitives, such as scrypt and the edwards25519 elliptic curve. Finally, we evaluate auth.js with real web applications, such as WordPress.


Notes

  1. To be precise, WordPress has three default authentication methods: one using username and password, one using email and password, and one using a cookie.


Acknowledgments

We thank the anonymous reviewers for helping us to improve the final version of this paper. This work was supported by the European Union’s Horizon 2020 research and innovation programme under grant agreements No. 786669 (ReAct), No. 830929 (CyberSec4Europe), and No. 826278 (SERUMS), and by the RESTART programmes of the research, technological development and innovation of the Research Promotion Foundation, under grant agreement ENTERPRISES/0916/0063 (PERSONAS).

Author information

Corresponding author: Neophytos Christou.


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

Christou, N., Athanasopoulos, E. (2020). auth.js: Advanced Authentication for the Web. In: Saracino, A., Mori, P. (eds) Emerging Technologies for Authorization and Authentication. ETAA 2020. Lecture Notes in Computer Science, vol 12515. Springer, Cham. https://doi.org/10.1007/978-3-030-64455-0_3


  • DOI: https://doi.org/10.1007/978-3-030-64455-0_3


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-64454-3

  • Online ISBN: 978-3-030-64455-0
