Abstract
Nowadays, many everyday tasks, both private and business-related, are handled with the help of online services. As formerly local desktop applications migrate into the cloud (e.g., Microsoft Office Online), services become available by logging into a user account through a web browser. However, the options for authenticating a user in a web browser are limited, and a username with a password remains the de facto standard, despite open security and usability issues. Notwithstanding new developments on the subject, no sufficient alternative is available. In this paper, we specify the requirements for a secure, easy-to-use, and third-party-independent authentication architecture. Moreover, we present KeyPocket, a user-centric approach that meets these requirements with the help of the user's smartphone. Subsequently, we present its state of implementation and discuss its individual capabilities and features.
© 2015 Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Cite this paper
Ebert, A., Marouane, C., Rott, B., Werner, M. (2015). KeyPocket - Improving Security and Usability for Provider Independent Login Architectures with Mobile Devices. In: Thuraisingham, B., Wang, X., Yegneswaran, V. (eds) Security and Privacy in Communication Networks. SecureComm 2015. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 164. Springer, Cham. https://doi.org/10.1007/978-3-319-28865-9_3
DOI: https://doi.org/10.1007/978-3-319-28865-9_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-28864-2
Online ISBN: 978-3-319-28865-9