Carleton University
Technical Report TR-06-08
May 9, 2006

Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer

Mohammad Mannan & Paul C. Van Oorschot

Abstract

Among the most significant current threats to online banking are keylogging and phishing. These attacks extract user identity and account information (e.g. userid, password) to be used later for unauthorized access to users’ financial accounts. We propose a simple approach which cryptographically separates a user’s long-term secret input from client (typically untrusted) PCs; a client PC performs most computations but has access only to temporary secrets. The user’s long-term secret (typically short and low-entropy, e.g., a password or PIN) is input through an independent personal trusted device such as a cellphone. The personal device provides a user’s long-term secrets to a client PC only after encrypting the secrets using a pre-installed, “correct” public key of a remote service (the intended recipient of the secrets). The proposed protocol (MP-Auth) realizes such an approach, and is intended to safeguard passwords from keyloggers, other malware (including rootkits), phishing attacks and pharming, as well as to provide transaction security for online banking. We also provide a comprehensive survey of web authentication techniques — both proposed in the literature and/or developed in practice — that use an additional factor (e.g. a cellphone, PDA or hardware token) of authentication, and compare MP-Auth with these.
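The separation the abstract describes, as an added illustration that is not the MP-Auth protocol itself nor the authors' code: the personal device encrypts the long-term secret under the service's pre-installed public key, the untrusted PC only forwards ciphertext, and only the genuine service can recover it. It assumes a hashed-ElGamal-style hybrid scheme (stdlib only) over a placeholder demo group; the function names and the 32-byte secret limit are this example's own.

```python
import hashlib, hmac, secrets

# Placeholder demo group (NOT secure at this size): p = 2**127 - 1 is prime.
# A deployment would use a standardized group such as an RFC 3526 MODP group.
P, G = 2**127 - 1, 5
_b = lambda n: n.to_bytes(16, "big")   # fixed-width encoding of a group element

def service_keygen():
    """Service (bank) makes private x and public y = g^x mod p; y is
    pre-installed on the personal device, never fetched via the PC."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def _keys(shared, eph):
    """Split SHA-256 of the DH shared value into an enc key and a MAC key."""
    k = hashlib.sha256(_b(shared) + _b(eph)).digest()
    return k[:16], k[16:]

def _pad(k_enc, data):
    """One-time keystream from k_enc (demo: secret at most 32 bytes)."""
    stream = hashlib.sha256(k_enc + b"stream").digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def device_encrypt(service_pub, secret):
    """Runs on the personal device: only ciphertext leaves it for the PC."""
    assert len(secret) <= 32
    r = secrets.randbelow(P - 2) + 1
    eph = pow(G, r, P)                                  # ephemeral g^r
    k_enc, k_mac = _keys(pow(service_pub, r, P), eph)   # y^r = g^(xr)
    ct = _pad(k_enc, secret)
    tag = hmac.new(k_mac, _b(eph) + ct, "sha256").digest()
    return eph, ct, tag

def service_decrypt(service_priv, msg):
    """Returns None when the message was not made for this key (phishing
    or pharming site holding its own key) or was altered by the client PC."""
    eph, ct, tag = msg
    k_enc, k_mac = _keys(pow(eph, service_priv, P), eph)  # (g^r)^x
    expect = hmac.new(k_mac, _b(eph) + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return _pad(k_enc, ct)

def demo(password=b"correct horse"):
    """A keylogger on the PC sees only msg; a phisher's key cannot open it."""
    bank_priv, bank_pub = service_keygen()
    phisher_priv, _ = service_keygen()
    msg = device_encrypt(bank_pub, password)     # forwarded by the untrusted PC
    return {"pc_sees_plaintext": password in msg[1],
            "bank_recovers": service_decrypt(bank_priv, msg),
            "phisher_recovers": service_decrypt(phisher_priv, msg)}
```

The whole property rests on the device encrypting only under the pinned key: the MAC check is what turns a wrong-recipient or PC-tampered message into a rejection rather than a leaked password.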
