Better authentication: password revolution by evolution
- Speaker: Daniel Thomas (University of Cambridge)
- Date & Time: Monday 17 March 2014, 14:00 - 15:00
- Venue: SS03, William Gates Building
Abstract
Users authenticate in multiple security domains: at work, at home and to third parties. This is mostly done with passwords, with several shared across many domains. This does not scale well when a device or domain is compromised. We would rather not trust systems not owned by the user. The problems with passwords are well known, and yet they are not replaced. With protocols like SSH, they are replaced by public-key cryptography, where one public SSH key is distributed to many security domains. However, that does not work for physically proximate devices or in other contexts requiring password input. We propose a one-time token system based on public keys that is backwards compatible with passwords and hence deployable. Our solution proposes a new verification function that does not trust the verifier or expose the user to brute-force attacks, and allows users to monitor their credentials and revoke access in the case of compromise.
This is a practice talk for the Security Protocols Workshop (2014-03-19 to 2014-03-21). The maximum time including questions is half an hour, and interruptions for questions are encouraged.
Series
This talk is part of the Computer Laboratory Digital Technology Group (DTG) Meetings series.