ABSTRACT
Mass attacks on web services using leaked account information have been carried out in recent years. The causes of such attacks are information leakage and the reuse of the same password across multiple services. The available countermeasures mainly rely on an alternative authentication method such as two-factor authentication or one-time passwords. Such measures place an additional operational burden or credential-management load on users, and may also impose additional management costs on users or service providers for dedicated devices. These issues limit the applicability of such measures to only some services. Therefore, I propose an alternative countermeasure against the attack that borrows the concept of the shutter of a car garage. The proposed scheme is referred to as the "authentication shutter". In this scheme, a legitimate user directly controls the availability of user authentication. This means that, even if an attacker holds a valid user ID and password, the attacker cannot pass user authentication while the legitimate user has set it as unavailable. I explain the basic idea and how to implement the scheme as a web system, and also discuss the usability and security of the scheme.
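As an added illustration (not code from the paper), a minimal model of the scheme described above: a per-user shutter state gates the login decision, so a valid user ID and password are rejected while the shutter is closed. The time-limited open window, the in-memory store and the audit log are my assumptions; the abstract only states that the user controls availability directly.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERS = 200_000


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; a fresh random salt is drawn when none is given."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


class AuthenticationShutter:
    """In-memory model (constructed for this example) of password login gated by a
    per-user shutter. Closed by default; credentials are never accepted while closed."""

    def __init__(self):
        self.users = {}   # user_id -> {"salt": bytes, "hash": bytes, "open_until": float}
        self.audit = []   # (user_id, reason, credentials_were_valid)

    def register(self, user_id, password):
        salt, digest = hash_password(password)
        self.users[user_id] = {"salt": salt, "hash": digest, "open_until": 0.0}

    def open_shutter(self, user_id, seconds, now=None):
        # Assumption: the legitimate user opens the shutter out of band and it
        # closes again automatically after `seconds`.
        now = time.time() if now is None else now
        self.users[user_id]["open_until"] = now + seconds

    def close_shutter(self, user_id):
        self.users[user_id]["open_until"] = 0.0

    def login(self, user_id, password, now=None):
        now = time.time() if now is None else now
        rec = self.users.get(user_id)
        if rec is None:
            return "denied"
        _, digest = hash_password(password, rec["salt"])
        creds_valid = hmac.compare_digest(digest, rec["hash"])
        # The shutter decides first: a closed shutter denies even a correct password.
        if now >= rec["open_until"]:
            # A correct password arriving while the shutter is closed is a strong
            # indicator that the credentials have leaked; record it for the defender.
            self.audit.append((user_id, "shutter_closed", creds_valid))
            return "denied"
        if not creds_valid:
            self.audit.append((user_id, "bad_password", False))
            return "denied"
        return "ok"
```

The password digest is computed on every path so that the closed-shutter response does not leak whether the submitted password was correct.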
Authentication Shutter: Alternative Countermeasure against Password Reuse Attack by Availability Control