ABSTRACT
In this paper, we provide a security analysis for generic authentication systems in which users have multiple passwords (or personal questions) and the system asks for some of them to grant access. We analyze two schemes. In the first, only one password out of the user's password set is asked in order to access the system. In the second, two passwords are asked to gain access. We assume an attacker who is capable of eavesdropping on the authentication channel and of cracking passwords with a certain probability. We derive analytical formulations for impersonation probabilities and compare the security provided by the two schemes. The results of our analysis imply that asking for more passwords does not necessarily strengthen security; in fact, when passwords are aged, it may carry a higher risk of impersonation than asking for fewer passwords.
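The following is an added worked example, not code or formulas from the paper. It makes the abstract's comparison concrete under a toy model of our own (the paper's analytical formulation is not reproduced here): the user has n passwords, each login challenges a uniformly random k-subset of them (k = 1 and k = 2 are the two schemes in the abstract), an eavesdropper who has watched s earlier sessions knows every password challenged in them, and each challenged password the attacker does not know is cracked independently with probability p. The names `p_known_size`, `p_impersonate_given_known`, `impersonation_probability` and `crossover_sessions` are our own.

```python
"""Added example, not from the paper: a toy model of the two challenge schemes
in the abstract (1-of-n and 2-of-n passwords asked), generalized to k-of-n.

Model assumptions (ours, not the paper's formulation):
  * the user has n passwords; each login the system challenges a uniformly
    random k-subset of them;
  * the attacker has eavesdropped on s earlier sessions and therefore knows
    every password that was challenged in them ("aged" passwords);
  * each challenged password the attacker does not know is cracked
    independently with probability p.
"""
from fractions import Fraction
from math import comb


def p_known_size(n, k, s, m):
    """P(exactly m distinct passwords were challenged over s sessions).

    The challenged sets are s independent uniform k-subsets of n; inclusion-
    exclusion over the subsets of an m-set gives P(their union is exactly
    that m-set), multiplied by the number of m-sets.
    """
    total_sets = comb(n, k)
    prob = Fraction(0)
    for j in range(m + 1):
        # P(all s challenged sets lie inside a fixed j-set); comb(j, k) is 0
        # when j < k, and Fraction(0) ** 0 == 1 correctly handles s == 0.
        inside = Fraction(comb(j, k), total_sets) ** s
        prob += (-1) ** (m - j) * comb(m, j) * inside
    return comb(n, m) * prob


def p_impersonate_given_known(n, k, m, p):
    """P(attacker answers a fresh k-of-n challenge | m passwords known).

    The number u of challenged passwords the attacker does not know is
    hypergeometric; each of those u must be cracked (probability p each).
    """
    p = Fraction(p)
    total = Fraction(0)
    for u in range(k + 1):
        ways = comb(n - m, u) * comb(m, k - u)  # comb() is 0 when out of range
        total += Fraction(ways, comb(n, k)) * p ** u
    return total


def impersonation_probability(n, k, s, p):
    """Expected impersonation probability for the k-of-n scheme after the
    attacker has eavesdropped on s sessions and cracks unknowns w.p. p."""
    return sum(p_known_size(n, k, s, m) * p_impersonate_given_known(n, k, m, p)
               for m in range(n + 1))


def crossover_sessions(n, p, max_s=50):
    """Smallest number of eavesdropped sessions s at which the 2-of-n scheme
    becomes riskier than the 1-of-n scheme, or None if it never does up to
    max_s (i.e. the two-password scheme stays at least as safe)."""
    for s in range(max_s + 1):
        if impersonation_probability(n, 2, s, p) > impersonation_probability(n, 1, s, p):
            return s
    return None


if __name__ == "__main__":
    n, p = 4, Fraction(1, 10)
    print(f"n={n} passwords, crack probability p={p}")
    print(" s   1-of-n   2-of-n")
    for s in range(0, 6):
        one = float(impersonation_probability(n, 1, s, p))
        two = float(impersonation_probability(n, 2, s, p))
        print(f"{s:2d}   {one:.3f}    {two:.3f}")
    print("2-of-n becomes riskier after", crossover_sessions(n, p), "eavesdropped sessions")
```

With no eavesdropped sessions the two-password scheme is safer (p squared versus p), but every observed session of the 2-of-n scheme reveals two passwords instead of one, so the attacker's knowledge of the aged password set grows faster; for n = 4 and p = 0 the two-password scheme is already the riskier one after two observed sessions (19/36 versus 7/16). This is only the behaviour of the toy model above, but it illustrates the effect the abstract describes.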
Towards a framework for security analysis of multiple password schemes