Date: February 28, 2014
Source: University of Alabama at Birmingham
Summary:
A new article proposes and tests four two-factor schemes that require servers to store a randomized hash of the passwords and a second device, such as the user's security token or smartphone, to generate a corresponding secret code.
Passwords protect everything from our cellphones to our bank accounts, but they often present a relatively small challenge to hackers looking for the information that passwords should protect. New research from the University of Alabama at Birmingham, in collaboration with the University of California at Irvine, proposes and tests a variety of methods that add a strong second layer of security to a password.
In a paper presented at the 2014 Network and Distributed Systems Security Symposium, researchers offered new options to improve the security of two-factor authentication systems while also ensuring the systems' usability.
"There have been many attacks on servers that store passwords lately, such as the breaches at PayPal and LinkedIn," said Nitesh Saxena, Ph.D., associate professor in the Department of Computer and Information Sciences and a core member of the Center for Information Assurance and Joint Forensics Research.
Many people use the same few simple passwords repeatedly, making them easy to remember. Passwords are typically stored on servers in a hashed form. Hackers can obtain passwords either by an online brute-force attack, or by hacking a server with poor security and using a dictionary of passwords to test offline.
"A single server break-in can lead to several of a user's accounts being compromised, because they tend to use the same password in several places," Saxena said.
Two-factor authentication schemes, such as Google Authenticator, or hardware tokens, such as RSA SecurID, use a second device to generate a one-time personal identification number, or PIN, that the user must enter along with their password. But current two-factor schemes have the same vulnerabilities to server hacks as password-only authentication, Saxena says.
"If someone hacks into the server, they could learn the passwords via an offline dictionary attack," he said. "Learning the passwords wouldn't compromise the second authentication factor, but the user might be using that same password elsewhere. The hacker might not be able to log into Facebook if Facebook uses two-factor authentication, but they could log into Twitter if Twitter uses single-factor authentication with the same password."
The paper proposes and tests four two-factor schemes that require servers to store a randomized hash of the passwords and a second device, such as the user's security token or smartphone, to generate a corresponding secret code. The paper presents these schemes at several levels of computer system bandwidth, effectively turning four schemes into 13 security options.
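To make the server-compromise point concrete, here is an added Python illustration. It is not code from the paper, from UAB or from UCI, and the "device-keyed" record it builds is a hypothetical construction for teaching purposes, not one of the paper's four schemes. It shows that a server record which is an ordinary salted hash can be checked offline against a dictionary once leaked, whereas a record that is additionally keyed with a secret held only on the user's device cannot be checked from the server dump alone; it becomes checkable again only if the device secret is also compromised. The dictionary, the password and the keys are constructed sample values.

```python
"""
Added illustration: offline dictionary checks against a leaked password record.

Two kinds of stored record are compared:
  * a conventional salted hash (PBKDF2 over salt || password), and
  * a hypothetical device-keyed record, the same hash wrapped in an HMAC under
    a secret that lives only on the user's second device (not the paper's scheme).
"""
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed sample dictionary of common passwords (not real breach data).
DICTIONARY = ["123456", "password", "letmein", "qwerty", "hunter2"]

PBKDF2_ROUNDS = 1000  # deliberately low so the demo runs instantly


def make_salted_record(password: str, salt: bytes) -> bytes:
    """Conventional server-side storage: a salted password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_device_keyed_record(password: str, salt: bytes, device_key: bytes) -> bytes:
    """Hypothetical storage: the salted hash is keyed with a device-held secret.

    Without device_key, a holder of the record and the salt cannot recompute
    this value for a candidate password, so a dictionary check fails.
    """
    inner = make_salted_record(password, salt)
    return hmac.new(device_key, inner, "sha256").digest()


def offline_guess(record: bytes, salt: bytes,
                  known_device_key: Optional[bytes] = None) -> Optional[str]:
    """What a holder of the leaked record and salt can check offline.

    With only the server data (known_device_key is None) the attacker can
    compute the plain salted hash for each dictionary word. If the device key
    has also leaked, the keyed derivation becomes computable too.
    """
    derive: Callable[[str], bytes]
    if known_device_key is None:
        derive = lambda p: make_salted_record(p, salt)
    else:
        derive = lambda p: make_device_keyed_record(p, salt, known_device_key)
    for candidate in DICTIONARY:
        if hmac.compare_digest(derive(candidate), record):
            return candidate
    return None


def verify_login(password: str, salt: bytes, device_key: bytes, record: bytes) -> bool:
    """Legitimate login: password from the user, device_key contributed by the device."""
    return hmac.compare_digest(make_device_keyed_record(password, salt, device_key), record)


def run_demo() -> dict:
    """Build both record types for a weak password and report what each leak exposes."""
    salt = os.urandom(16)         # per-account salt, stored on the server
    device_key = os.urandom(32)   # secret held only on the user's second device
    password = "letmein"          # constructed weak password present in DICTIONARY

    salted = make_salted_record(password, salt)
    keyed = make_device_keyed_record(password, salt, device_key)

    return {
        # Server breach alone: salted hash yields the password to a dictionary check.
        "salted_leak_recovers": offline_guess(salted, salt),
        # Server breach alone: device-keyed record yields nothing.
        "keyed_leak_recovers": offline_guess(keyed, salt),
        # Server breach plus device compromise: the keyed record is checkable again.
        "keyed_plus_device_recovers": offline_guess(keyed, salt, device_key),
        # Normal operation still works for the right password and fails for a wrong one.
        "login_ok": verify_login(password, salt, device_key, keyed),
        "login_wrong": verify_login("qwerty", salt, device_key, keyed),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The design point is the separation of secrets: the salt is public data the server must hold, but the value that makes the record verifiable is only available when the second device participates, so a database dump on its own does not reveal passwords that the user may have reused elsewhere.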
"Rather than requiring the user to enter both their password and a PIN generated by an app, the user could enter a password, and their smartphone could automatically send a PIN over a Bluetooth connection or through a simple QR code," Saxena said.
Saxena and his co-authors, UAB graduate student Maliheh Shirvanian, Stanislaw Jarecki and Naveen Nathan of the University of California at Irvine, analyze each scheme in terms of security provided, usability and deployability.
The schemes are geared toward using soft tokens, such as smartphones. Using smartphones to provide secret codes can give a security system the flexibility to protect several passwords with a single soft token.
"Hard tokens are traditionally used within the context of a company that needs more security," Saxena said. "With soft tokens in play, you can use just one token, such as your smartphone, to log into different websites securely."
However, the proposed approaches are applicable to hardware tokens too.
"With each of our proposals, you get a high level of security with the same or better level of usability than the current two-factor authentication schemes," Shirvanian said.