
One-Time Password Access to Any Server without Changing the Server

  • Conference paper
Information Security (ISC 2008)

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 5222))

Abstract

In this paper we describe a service that allows users one-time password access to any web account, without any change to the server, without changing anything on the client, and without storing user credentials in the cloud. The user pre-encrypts his password under an assigned set of keys; the resulting encryptions serve as one-time passwords and are sent to his cell phone or carried with him. To log in he merely enters one of the encryptions as prompted, and the URRSA service decrypts it before forwarding to the login server. Since credentials are not stored (the service merely decrypts and forwards) it has no need to authenticate users. Thus, while the user must trust the service, there are no additional passwords or secrets to remember. Since our system requires no server changes it can be used on a trust-appropriate basis: the user can log in normally from trusted machines, but use one-time passwords when roaming. No installation of any software or alteration of any settings is required at the untrusted machine: the user merely requires access to a browser address bar.
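The decrypt-and-forward flow the abstract describes, as an added worked example that is not the paper's code: the user encrypts the real password under each of an assigned set of keys on a trusted machine, keeps the encryptions as typeable one-time passwords, and a proxy that holds the keys (but never the password) decrypts the entered value and forwards it to an unchanged login endpoint. The cipher (HMAC-SHA256 keystream XOR), the base32 encoding, the slot numbering and the one-use burning of keys are assumptions of this example; the paper does not specify them.

```python
import base64
import hashlib
import hmac
import secrets


# Hypothetical keystream: HMAC-SHA256 in counter mode. The paper does not
# specify its cipher, so this construction is an assumption of this example.
def keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def assign_keys(count: int, key_len: int = 16) -> list:
    """Key set the service assigns to the user; the service keeps a copy, the user uses it once."""
    return [secrets.token_bytes(key_len) for _ in range(count)]


def encode_otp(ct: bytes) -> str:
    # Unpadded base32: letters and digits only, so it can be typed from a printout or an SMS.
    return base64.b32encode(ct).decode("ascii").rstrip("=")


def decode_otp(otp: str) -> bytes:
    return base64.b32decode(otp + "=" * (-len(otp) % 8))


def make_otps(password: str, keys: list) -> list:
    """Run on a trusted machine: returns (slot, otp) pairs the user prints or keeps on a phone."""
    pw = password.encode("utf-8")
    return [(i + 1, encode_otp(xor(pw, keystream(k, len(pw))))) for i, k in enumerate(keys)]


class DecryptAndForwardProxy:
    """Holds the key set but never the password; each slot can be used exactly once."""

    def __init__(self, keys, login_server):
        self._keys = list(keys)
        self._login_server = login_server  # unchanged server: accepts the plaintext password

    def login(self, slot: int, otp: str):
        if not 1 <= slot <= len(self._keys) or self._keys[slot - 1] is None:
            return None  # unknown slot, or replay of a used slot: nothing is forwarded
        key = self._keys[slot - 1]
        self._keys[slot - 1] = None  # burn the key so a keylogged OTP cannot be replayed
        ct = decode_otp(otp)
        password = xor(ct, keystream(key, len(ct))).decode("utf-8", errors="replace")
        return self._login_server(password)


def demo():
    # Constructed sample: a fixed three-key set and a throwaway password.
    keys = [bytes([i]) * 16 for i in (1, 2, 3)]
    server = lambda pw: pw == "correct horse"  # stand-in for the real login endpoint
    otps = make_otps("correct horse", keys)
    proxy = DecryptAndForwardProxy(keys, server)
    first = proxy.login(*otps[0])   # True: decrypted and forwarded
    replay = proxy.login(*otps[0])  # None: slot already burned, keylogged value is useless
    second = proxy.login(*otps[1])  # True: next slot works independently
    return otps, first, replay, second


if __name__ == "__main__":
    print(demo())
```

Two properties the abstract relies on are visible here: the proxy stores only keys, so a compromise of it does not directly yield the password, and a keylogger on the untrusted machine captures a value whose key is discarded on first use. Note that with a plain XOR keystream the OTP length reveals the password length; a deployment would pad to a fixed length, and the user still has to trust the proxy, which sees the plaintext for the instant it forwards it.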


Editor information

Tzong-Chen Wu Chin-Laung Lei Vincent Rijmen Der-Tsai Lee

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Florêncio, D., Herley, C. (2008). One-Time Password Access to Any Server without Changing the Server. In: Wu, TC., Lei, CL., Rijmen, V., Lee, DT. (eds) Information Security. ISC 2008. Lecture Notes in Computer Science, vol 5222. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-85886-7_28

  • DOI: https://doi.org/10.1007/978-3-540-85886-7_28

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-85884-3

  • Online ISBN: 978-3-540-85886-7
