Abstract
User authentication can rely on various factors (e.g., a password, a cryptographic key, and/or biometric data) but should not reveal any secret information held by the user. This seemingly paradoxical feat can be achieved through zero-knowledge proofs. Unfortunately, naive password-based approaches still prevail on the web. Multi-factor authentication schemes address some of the weaknesses of the traditional login process, but generally have deployability issues or degrade usability even further as they assume users do not possess adequate hardware. This assumption no longer holds: smartphones with biometric sensors, cameras, short-range communication capabilities, and unlimited data plans have become ubiquitous. In this paper, we show that, assuming the user has such a device, both security and usability can be drastically improved using an augmented password-authenticated key agreement (PAKE) protocol and message authentication codes.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Also referred to as asymmetric password-authenticated key establishment or aPAKE.
References
Bonneau, J.: Getting web authentication right: a best-case protocol for the remaining life of passwords. In: Proceedings of the 19th International Workshop on Security Protocols (2011)
Bonneau, J., Herley, C., van Oorschot, P.C., Stajano, F.: The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In: Proceedings of the 33rd IEEE Symposium on Security and Privacy (S&P) (2012)
Gibson Research Corporation: SQRL secure quick reliable login. https://www.grc.com/sqrl/sqrl.htm
Dechand, S., Schürmann, D., Busse, K., Acar, Y., Fahl, S., Smith, M.: An empirical study of textual key-fingerprint representations. In: Proceedings of the 25th USENIX Security Symposium (2016)
Franceschi-Bicchierai, L.: Another day, another hack: 117 million LinkedIn emails and passwords. Motherboard, May 2016. https://perma.cc/6MC6-EVHH
Google. 2-step verification. https://www.google.com/landing/2step
Jarecki, S., Krawczyk, H., Xu, J.: OPAQUE: an asymmetric PAKE protocol secure against pre-computation attacks. In: Proceedings of the 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques (Eurocrypt) (2018)
Kamp, P.-H.: LinkedIn password leak: salt their hide. ACM Queue 10(6), 20 (2012)
Karapanos, N., Marforio, C., Soriente, C., Capkun, S.: Sound-Proof: usable two-factor authentication based on ambient sound. In: Proceedings of the 24th USENIX Security Symposium (2015)
M’Raihi, D., Machani, S., Pei, M., Rydell, J.: TOTP: time-based one-time password algorithm. RFC 6238, May 2011
OneSpan: CRONTO mobile app. https://perma.cc/THZ6-3YFW
Schneier, B.: Two-factor authentication: too little, too late. Commun. ACM 48(4), 136 (2005)
Schneier, B.: Real-time attacks against two-factor authentication. Schneier on Security, December 2018. https://perma.cc/FQ9R-USG6
Shin, S., Kobara, K.: Efficient augmented password-only authentication and key exchange for IKEv2. RFC 6628, June 2012
Singh, S., Cabraal, A., Demosthenous, C., Astbrink, G., Furlong, M.: Password sharing: implications for security design based on social practice. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (2007)
Stajano, F.: Pico: no more passwords!. In: Christianson, B., Crispo, B., Malcolm, J., Stajano, F. (eds.) Security Protocols 2011. LNCS, vol. 7114, pp. 49–81. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25867-1_6
Tan, J., Bauer, L., Bonneau, J., Cranor, L.F., Thomas, J., Ur, B.: Can unicorns help users compare crypto key fingerprints? In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (2017)
The FIDO Alliance: Specifications overview (FIDO2, WebAuthn, FIDO UAF, FIDO U2F). https://fidoalliance.org/specifications
Thomas, D.R., Beresford, A.R.: Better authentication: password revolution by evolution. In: Christianson, B., Malcolm, J., Matyáš, V., Švenda, P., Stajano, F., Anderson, J. (eds.) Security Protocols 2014. LNCS, vol. 8809, pp. 130–145. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-12400-1_13
Wu, T.: SRP-6: improvements and refinements to the Secure Remote Password protocol. IEEE P1363 Working Group, October 2002
Yubico: YubiKey strong two factor authentication for business and individual use. https://www.yubico.com
Acknowledgments
We gratefully thank Eduardo Solana for his valuable input in the early stages of this project, Daniel R. Thomas for his extensive feedback, and all the workshop attendees who participated in the discussion and helped improve this paper.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Chuat, L., Plocher, S., Perrig, A. (2020). Zero-Knowledge User Authentication: An Old Idea Whose Time Has Come. In: Anderson, J., Stajano, F., Christianson, B., Matyáš, V. (eds) Security Protocols XXVII. Security Protocols 2019. Lecture Notes in Computer Science(), vol 12287. Springer, Cham. https://doi.org/10.1007/978-3-030-57043-9_19
Download citation
DOI: https://doi.org/10.1007/978-3-030-57043-9_19
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-57042-2
Online ISBN: 978-3-030-57043-9
eBook Packages: Computer ScienceComputer Science (R0)