Alexei’s return to the stage @USEC’12

Protected Login

by Alexei Czeskis, University of Washington, Dirk Balfanz, Google

One of the presenters of the first paper, Alexei Czeskis, took the stage anew in the same morning session to present a second paper at USEC’12. This time his co-author was Dirk Balfanz, a well-known security researcher who currently works at Google.

The authors address usability problems with password usage. In their view this work is needed because, although new types of authentication are constantly being presented, passwords are still likely to remain the most common means of user authentication for the time being. However, passwords are often weak, both because users poorly understand what makes a password good – that is, secure – and because many users are reluctant to deal with hard-to-remember passwords, even when they realise they should.

Czeskis and Balfanz propose protected login. In a protected login, users are identified and authenticated by additional means besides user-created credentials: a protected login involves credentials beyond those the user supplies. The authors claim this adds security: because these additional credentials are never supplied by the user (and presumably are not even known to the user), the user cannot be phished for them. Furthermore, according to the authors this solution is also more usable: a protected login, which uses supplementary credentials such as special cookies, requires at most a password from the user, whereas an unprotected login requires the user to create other credentials.

However, there are problems with bootstrapping, where unprotected login is usually used. The solution suggested in the paper is to reduce the number of such logins. According to Czeskis and Balfanz, “if unprotected logins are very rare, websites can afford to ‘raise alarms’ whenever an unprotected login occurs and legitimately treat those sessions as less secure.” They then go on to explain how this could be managed without sacrificing service availability, and so on.
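To make the protected/unprotected distinction concrete, here is an added sketch of my own (not code from the paper or its authors) of how a site could classify each login by the presence of a server-minted device cookie that the user never sees or types, bootstrap that cookie on a password-only login, and raise an alarm whenever such an unprotected login occurs. The cookie format, the HMAC binding of the cookie to the user, and the sample user store are assumptions made for the example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

SERVER_KEY = secrets.token_bytes(32)  # server-side secret, constructed for this example
# Constructed sample credential store; a real one would hold password hashes.
USERS = {"alice": "correct horse battery staple"}


@dataclass
class Site:
    """Per-site counters so the rarity of unprotected logins can be monitored."""
    alarms: list = field(default_factory=list)
    unprotected_logins: int = 0
    total_logins: int = 0


def _device_token(user: str, device_id: str) -> str:
    # The supplementary credential: an HMAC binds the device id to the user, so a
    # cookie copied from one account cannot upgrade a login to another account.
    mac = hmac.new(SERVER_KEY, f"{user}:{device_id}".encode(), hashlib.sha256).hexdigest()
    return f"{device_id}.{mac}"


def login(site: Site, user: str, password: str, cookies: dict):
    """Return (trust_level, cookies_to_set). trust_level is 'denied', 'protected' or 'unprotected'."""
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored, password):
        return "denied", {}
    site.total_logins += 1
    token = cookies.get("device", "")
    if "." in token:
        device_id, _ = token.rsplit(".", 1)
        if hmac.compare_digest(_device_token(user, device_id), token):
            return "protected", {"device": token}  # password + valid device cookie
    # Password-only login: bootstrap a device cookie (set it HttpOnly in a real
    # deployment), treat this session as less secure and raise an alarm.
    site.unprotected_logins += 1
    site.alarms.append(f"unprotected login for {user}")
    return "unprotected", {"device": _device_token(user, secrets.token_hex(8))}


def unprotected_rate(site: Site) -> float:
    """Fraction of successful logins that were unprotected; alarms only stay affordable if this is small."""
    return site.unprotected_logins / site.total_logins if site.total_logins else 0.0
```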

This paper is quite theoretical in nature, so how well the suggested solution would work and what its level of usability would be remain to be seen. However, it addresses a significant problem in safeguarding users against phishing attacks – a very definite and real usable security problem.