Advisory Committee Chair
Nitesh Saxena
Advisory Committee Members
Purushotham Bangalore
Sidharth Kumar
Tzipora Halevi
Wasim Alhamdani
Document Type
Dissertation
Date of Award
2021
Degree Name by School
Doctor of Philosophy (PhD) College of Arts and Sciences
Abstract
Passwords are widely used by web services to authenticate their users. Unfortunately, passwords suffer from several well-documented security and usability issues. The two of the main techniques to address password problems are password managers and two-factor authentication (2FA), which form the central focus of this dissertation work. In particular, we explore the security and usability of newly proposed and emerging forms of password managers and 2FA systems. We first investigate a “store-less” online password manager that can prevent the leakage of the passwords from the password manager service itself. We also design and evaluate a new 2FA scheme that offers end-to-end security protection with user interaction models different from currently deployed2FA schemes. Further, we investigate the currently deployed password management and 2FA schemes in terms of their security and usability. This dissertation comprises two parts: password management and two-factor authentication. In the first part of the dissertation, we first study the usability of a new class of online password managers (referred to as HIPPO) that does not reveal the password or the master password to the password management service itself. Second, we compare the usability and the security of two forms of password management, a store-less password manager (i.e., HIPPO)and traditionally- deployed store-based password managers(e.g., LastPass). In the second part of this dissertation, we first study the usability of a recently designed 2FA protocol (referred to as Op-2FA), which aims to provide optimal security from both server-side and authentication terminal sides based on simple and flexible users interaction modes. Second, we introduce and study a fundamental design vulnerability of push-based 2FA (a form of “Just Confirm” approach such as Duo Push), and we run a lab study to investigate this vulnerability. Third, we evaluate the usability and security of the “Compare-and-Confirm” approach of push-based 2FA. We consider two scenarios where the user deploys a second-factor device physically separated from the authentication terminal, and when the user utilizes the second-factor device as the authentication terminal itself.
Recommended Citation
Jubur, Mohammed, "On the Security and Usability of New Paradigms of Web Authentication" (2021). All ETDs from UAB. 816.
https://digitalcommons.library.uab.edu/etd-collection/816