All ETDs from UAB

Advisory Committee Chair

Nitesh Saxena

Advisory Committee Members

Purushotham Bangalore

Sidharth Kumar

Tzipora Halevi

Wasim Alhamdani

Document Type


Date of Award


Degree Name by School

Doctor of Philosophy (PhD) College of Arts and Sciences


Passwords are widely used by web services to authenticate their users. Unfortunately, passwords suffer from several well-documented security and usability issues. The two of the main techniques to address password problems are password managers and two-factor authentication (2FA), which form the central focus of this dissertation work. In particular, we explore the security and usability of newly proposed and emerging forms of password managers and 2FA systems. We first investigate a “store-less” online password manager that can prevent the leakage of the passwords from the password manager service itself. We also design and evaluate a new 2FA scheme that offers end-to-end security protection with user interaction models different from currently deployed2FA schemes. Further, we investigate the currently deployed password management and 2FA schemes in terms of their security and usability. This dissertation comprises two parts: password management and two-factor authentication. In the first part of the dissertation, we first study the usability of a new class of online password managers (referred to as HIPPO) that does not reveal the password or the master password to the password management service itself. Second, we compare the usability and the security of two forms of password management, a store-less password manager (i.e., HIPPO)and traditionally- deployed store-based password managers(e.g., LastPass). In the second part of this dissertation, we first study the usability of a recently designed 2FA protocol (referred to as Op-2FA), which aims to provide optimal security from both server-side and authentication terminal sides based on simple and flexible users interaction modes. Second, we introduce and study a fundamental design vulnerability of push-based 2FA (a form of “Just Confirm” approach such as Duo Push), and we run a lab study to investigate this vulnerability. Third, we evaluate the usability and security of the “Compare-and-Confirm” approach of push-based 2FA. We consider two scenarios where the user deploys a second-factor device physically separated from the authentication terminal, and when the user utilizes the second-factor device as the authentication terminal itself.



To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.