Abstract
In this paper we present UAuth, a two-layer authentication framework that provides more security assurances than two-factor authentication while offering a simpler authentication experience. When authenticating, users first verify their static credentials (such as a password or fingerprint) in the local layer, then submit the OTP-signed response generated by their device to the server to complete the server-layer authentication. We also propose a three-level account association mechanism, which completes the association of devices, users and services, establishing a mapping from a user's device to the user's accounts on the Internet. Users can easily gain access to different services via a single personal device. Our goal is to provide a quick and convenient SSO-like login process on the basis of secure authentication. To meet this goal, we implement UAuth and evaluate our designs.
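The two-layer flow the abstract describes, as an added example that is not the paper's code: a local static-credential check (salted PBKDF2 password hash) gates the device's OTP-signed response, and the server verifies that response against the device it has associated with the user and the requested service. The TOTP generation follows RFC 6238 and is checked against its published SHA-1 test vectors; the message format (HMAC over a single-use server challenge concatenated with the TOTP), the association table layout and the names `Device`, `Server`, `demo_flow` are assumptions of this example, not the paper's exact protocol.

```python
"""Two-layer authentication sketch: local credential check gates an OTP-signed
response that the server verifies. Added example; only TOTP follows RFC 6238."""
import hashlib
import hmac
import os
import secrets
import struct

# Constructed test secret: the RFC 6238 reference secret (ASCII "12345678901234567890").
RFC6238_SECRET = b"12345678901234567890"
STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 8) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, unix_time // STEP, digits)


class Device:
    """Local layer (assumed design): salted password hash plus a per-device OTP
    secret that is only used once the local check succeeds."""

    def __init__(self, device_id: str, password: str, otp_secret: bytes):
        self.device_id = device_id
        self._salt = os.urandom(16)
        self._pw_hash = self._derive(password, self._salt)
        self._otp_secret = otp_secret

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def local_unlock(self, password: str) -> bool:
        return hmac.compare_digest(self._derive(password, self._salt), self._pw_hash)

    def sign_challenge(self, password: str, challenge: bytes, now: int):
        """Return (device_id, response) or None if the local layer fails.
        Response = HMAC-SHA256(otp_secret, challenge || TOTP): an assumed format."""
        if not self.local_unlock(password):
            return None
        code = totp(self._otp_secret, now).encode()
        tag = hmac.new(self._otp_secret, challenge + code, hashlib.sha256).hexdigest()
        return self.device_id, tag


class Server:
    """Server layer (assumed design): association table device_id -> (user,
    otp_secret, services) and single-use challenges to block replayed responses."""

    def __init__(self):
        self._devices = {}
        self._pending = {}

    def associate(self, device_id: str, user: str, otp_secret: bytes, services):
        self._devices[device_id] = (user, otp_secret, set(services))

    def issue_challenge(self, device_id: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending[challenge] = device_id
        return challenge

    def verify(self, device_id, challenge, response, service, now, skew_steps=1):
        """Accept only if the challenge is outstanding for this device, the service
        is associated with it, and the response matches TOTP within +/- skew steps."""
        if self._pending.pop(challenge, None) != device_id:
            return None  # unknown, expired or already-used challenge (replay)
        if device_id not in self._devices:
            return None
        user, otp_secret, services = self._devices[device_id]
        if service not in services:
            return None
        for delta in range(-skew_steps, skew_steps + 1):
            code = totp(otp_secret, now + delta * STEP).encode()
            expected = hmac.new(otp_secret, challenge + code, hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, response):
                return user
        return None


def demo_flow(password_attempt: str, now: int = 1_700_000_000, replay: bool = False):
    """Run one login; returns the authenticated user name or None.
    With replay=True the same response is presented a second time."""
    otp_secret = secrets.token_bytes(20)  # constructed per-device secret
    device = Device("dev-1", "correct horse", otp_secret)
    server = Server()
    server.associate("dev-1", "alice", otp_secret, ["mail", "files"])
    challenge = server.issue_challenge("dev-1")
    signed = device.sign_challenge(password_attempt, challenge, now)
    if signed is None:
        return None  # local layer rejected the static credential
    device_id, response = signed
    user = server.verify(device_id, challenge, response, "mail", now + 5)
    if replay:
        return server.verify(device_id, challenge, response, "mail", now + 5)
    return user
```

The single-use challenge is what turns a time-based OTP into a response bound to one login attempt: a response captured in transit is useless once the server has consumed its challenge, and the clock-skew window is bounded by `skew_steps` rather than left open.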
Acknowledgments
This work has been supported by the National Natural Science Foundation of China (Grant No. 61202476) and the Strategic Priority Research Program of the Chinese Academy of Sciences (No. XDA06010701, XDA06040502).
© 2015 Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Wang, Y., Hu, M., Li, C. (2015). UAuth: A Strong Authentication Method from Personal Devices to Multi-accounts. In: Tian, J., Jing, J., Srivatsa, M. (eds) International Conference on Security and Privacy in Communication Networks. SecureComm 2014. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 152. Springer, Cham. https://doi.org/10.1007/978-3-319-23829-6_7
DOI: https://doi.org/10.1007/978-3-319-23829-6_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-23828-9
Online ISBN: 978-3-319-23829-6