{"id":13170,"date":"2021-12-06T19:29:10","date_gmt":"2021-12-07T00:29:10","guid":{"rendered":"https:\/\/carleton.ca\/scs\/?page_id=13170"},"modified":"2026-06-02T14:59:24","modified_gmt":"2026-06-02T18:59:24","slug":"tr-06-08-using-a-personal-device-to-strengthen-password-authentication-from-an-untrusted-computer","status":"publish","type":"page","link":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2006\/tr-06-08-using-a-personal-device-to-strengthen-password-authentication-from-an-untrusted-computer\/","title":{"rendered":"TR-06-08: Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer"},"content":{"rendered":"\n<section class=\"w-screen px-6 cu-section cu-section--white ml-offset-center md:px-8 lg:px-14\">\n    <div class=\"space-y-6 cu-max-w-child-5xl  md:space-y-10 cu-prose-first-last\">\n\n            <div class=\"cu-textmedia flex flex-col lg:flex-row mx-auto gap-6 md:gap-10 my-6 md:my-12 first:mt-0 max-w-5xl\">\n        <div class=\"justify-start cu-textmedia-content cu-prose-first-last\" style=\"flex: 0 0 100%;\">\n            <header class=\"font-light prose-xl cu-pageheader md:prose-2xl cu-component-updated cu-prose-first-last\">\n                                    <h1 class=\"cu-prose-first-last font-semibold !mt-2 mb-4 md:mb-6 relative after:absolute after:h-px after:bottom-0 after:bg-cu-red after:left-px text-3xl md:text-4xl lg:text-5xl lg:leading-[3.5rem] pb-5 after:w-10 text-cu-black-700 not-prose\">\n                        TR-06-08: Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer\n                    <\/h1>\n                \n                                \n                            <\/header>\n\n                    <\/div>\n\n            <\/div>\n\n    <\/div>\n<\/section>\n\n<p>Carleton University<br>\n<a href=\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2006\/\">Technical Report<\/a> TR-06-08<br>\nMay 9, 2006<\/p>\n\n\n\n<h2 id=\"using-a-personal-device-to-strengthen-password-authentication-from-an-untrusted-computer\" class=\"wp-block-heading\">Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer<\/h2>\n\n\n\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<p class=\"tr_t3\">Mohammad Mannan &amp; Paul C. Van Oorschot<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div>\n<h3>Abstract<\/h3>\n<p>Among the most significant current threats to online banking are keylogging and phishing. These attacks extract user identity and account information (e.g. userid, password) to be used later for unauthorized access to users&#8217; financial accounts. We propose a simple approach which cryptographically separates a user&#8217;s long-term secret input from client (typically untrusted) PCs; a client PC performs most computations but has access only to temporary secrets. The user&#8217;s long-term secret (typically short and low-entropy, e.g., a password or PIN) is input through an independent personal trusted device such as a cellphone. The personal device provides a user&#8217;s long-term secrets to a client PC only after encrypting the secrets using a pre-installed, &#8220;correct&#8221; public key of a remote service (the intended recipient of the secrets). The proposed protocol (MP-Auth) realizes such an approach, and is intended to safeguard passwords from keyloggers, other malware (including rootkits), phishing attacks and pharming, as well as to provide transaction security for online banking. We also provide a comprehensive survey of web authentication techniques &#8212; both proposed in the literature and\/or developed in practice &#8212; that use an additional factor (e.g. a cellphone, PDA or hardware token) of authentication, and compare MP-Auth with these.<\/p>\n<p><a href=\"https:\/\/carleton.ca\/scs\/wp-content\/uploads\/sites\/260\/TR-06-08.pdf\">TR-06-08.pdf<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Carleton University Technical Report TR-06-08 May 9, 2006 Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer Mohammad Mannan &amp; Paul C. Van Oorschot Abstract Among the most significant current threats to online banking are keylogging and phishing. These attacks extract user identity and account information (e.g. userid, password) to be used [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"parent":12352,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"_cu_dining_location_slug":"","footnotes":"","_links_to":"","_links_to_target":""},"cu_page_type":[],"class_list":["post-13170","page","type-page","status-publish","hentry"],"acf":{"cu_post_thumbnail":false},"_links":{"self":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13170","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/comments?post=13170"}],"version-history":[{"count":1,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13170\/revisions"}],"predecessor-version":[{"id":13171,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/13170\/revisions\/13171"}],"up":[{"embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/pages\/12352"}],"wp:attachment":[{"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/media?parent=13170"}],"wp:term":[{"taxonomy":"cu_page_type","embeddable":true,"href":"https:\/\/carleton.ca\/scs\/wp-json\/wp\/v2\/cu_page_type?post=13170"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}