LiU Electronic Press
Author:
Vapen, Anna (Linköping University, Department of Computer and Information Science, Database and information techniques) (Linköping University, The Institute of Technology) (ADIT)
Title:
Contributions to Web Authentication for Untrusted Computers
Department:
Linköping University, Department of Computer and Information Science, Database and information techniques
Linköping University, The Institute of Technology
Publication type:
Licentiate thesis, monograph (Other academic)
Language:
English
Place of publ.:
Linköping
Publisher:
Linköping University Electronic Press
Pages:
51
Series:
Linköping Studies in Science and Technology. Thesis, ISSN 0280-7971; 1481
Year of publ.:
2011
URI:
urn:nbn:se:liu:diva-67274
Permanent link:
http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-67274
ISBN:
978-91-7393-172-4
Subject category:
Computer Science
SVEP category:
Computer science
Keywords (en):
Authentication, security levels, identity management, 2-clickAuth, information security
Abstract (en):

Authentication methods offer varying levels of security. Methods with one-time credentials generated by dedicated hardware tokens can reach a high level of security, whereas password-based authentication methods have a low level of security since passwords can be eavesdropped and stolen by an attacker. Password-based methods are dominant in web authentication since they are both easy to implement and easy to use. Dedicated hardware, on the other hand, is not always available to the user, usually requires additional equipment and may be more complex to use than password-based authentication.

Different services and applications on the web have different requirements for the security of authentication. Therefore, it is necessary for designers of authentication solutions to address this need for a range of security levels. Another concern is mobile users authenticating from unknown, and therefore untrusted, computers. This in turn raises issues of availability, since users need secure authentication to be available, regardless of where they authenticate or which computer they use.

We propose a method for evaluation and design of web authentication solutions that takes into account a number of often overlooked design factors, i.e. availability, usability and economic aspects. Our proposed method uses the concept of security levels from the Electronic Authentication Guideline, provided by NIST.

We focus on the use of handheld devices, especially mobile phones, as a flexible, multi-purpose (i.e. non-dedicated) hardware device for web authentication. Mobile phones offer unique advantages for secure authentication, as they are small, flexible and portable, and provide multiple data transfer channels. Phone designs, however, vary and the choice of channels and authentication methods will influence the security level of authentication. It is not trivial to maintain a consistent overview of the strengths and weaknesses of the available alternatives. Our evaluation and design method provides this overview and can help developers and users to compare and choose authentication solutions.

Presentation:
2011-06-13, Alan Turing, Hus E, Campus Valla, Linköpings universitet, Linköping, 13:15 (English)
Degree:
Licentiate of Engineering
Supervisor:
Shahmehri, Nahid, Professor (Linköping University, Department of Computer and Information Science, IISLAB - Laboratory for Intelligent Information Systems) (Linköping University, The Institute of Technology)
Opponent:
Fischer-Hübner, Simone, Professor (Department of Computer Science, Karlstad University, Sweden)
Available from:
2011-05-13
Created:
2011-04-07
Last updated:
2013-05-15
FILE INFORMATION
File size:
979 kb
Mimetype:
application/pdf
Type:
fulltext
File size:
175 kb
Mimetype:
application/pdf
Type:
cover