Contributions to Web Authentication for Untrusted Computers
2011 (English). Licentiate thesis, monograph (Other academic)
Abstract [en]

Authentication methods offer varying levels of security. Methods with one-time credentials generated by dedicated hardware tokens can reach a high level of security, whereas password-based authentication methods have a low level of security: a password is a static secret, so once it has been eavesdropped or stolen an attacker can simply reuse it. Password-based methods are nevertheless dominant in web authentication since they are both easy to implement and easy to use. Dedicated hardware, on the other hand, is not always available to the user, usually requires additional equipment and may be more complex to use than password-based authentication.
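The contrast drawn above (a static password survives eavesdropping and can be replayed; a one-time credential does not) is illustrated by the following added example. It is not code from the thesis: it assumes HOTP (RFC 4226, HMAC-SHA1 over an 8-byte counter) as one standard one-time credential generator, a PBKDF2-hashed password as the static credential, and simulates both the server and the eavesdropping attacker in-process on constructed inputs. The class and function names are the example's own.

```python
"""Password vs. one-time credential under eavesdropping on an untrusted computer.

Added illustration, not code from the thesis. Assumes HOTP (RFC 4226) as the
one-time credential generator and a PBKDF2-hashed password as the static
credential; server and attacker are simulated in-process with constructed data.
"""
from __future__ import annotations

import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class PasswordVerifier:
    """Static credential: the same string is valid for every login."""

    def __init__(self, password: bytes, salt: bytes = b"constructed-salt") -> None:
        self._salt = salt
        self._hash = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

    def verify(self, credential: bytes) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", credential, self._salt, 100_000)
        return hmac.compare_digest(candidate, self._hash)


class HotpVerifier:
    """One-time credential: each counter value is accepted at most once."""

    def __init__(self, key: bytes, look_ahead: int = 5) -> None:
        self._key = key
        self._next = 0                  # lowest counter the server still accepts
        self._look_ahead = look_ahead   # tolerate codes generated but never sent

    def verify(self, credential: bytes) -> bool:
        for counter in range(self._next, self._next + self._look_ahead):
            if hmac.compare_digest(hotp(self._key, counter).encode(), credential):
                self._next = counter + 1   # burn this and every earlier counter
                return True
        return False


def eavesdrop_and_replay(verifier, credential: bytes) -> tuple[bool, bool]:
    """Legitimate login typed on an untrusted computer, then replay of the capture."""
    legitimate = verifier.verify(credential)  # user logs in; malware records the bytes
    replayed = verifier.verify(credential)    # attacker submits the recorded bytes
    return legitimate, replayed


def demo_password() -> tuple[bool, bool]:
    """Constructed password; the replay is accepted as readily as the original."""
    return eavesdrop_and_replay(PasswordVerifier(b"correct horse"), b"correct horse")


def demo_hotp() -> tuple[bool, bool]:
    """Constructed HOTP key (the RFC 4226 test key); the replay is rejected."""
    key = b"12345678901234567890"
    token_counter = 0                           # the phone's or token's own counter
    code = hotp(key, token_counter).encode()    # what the user reads off the device
    return eavesdrop_and_replay(HotpVerifier(key), code)


if __name__ == "__main__":
    print("password (legit, replay):", demo_password())  # (True, True)
    print("HOTP     (legit, replay):", demo_hotp())      # (True, False)
```

The look-ahead window is what makes the one-time scheme usable when the device generates codes the server never sees; the counter advance on success is what makes the captured code worthless to the attacker.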

Different services and applications on the web have different requirements for the security of authentication. Designers of authentication solutions therefore need to address a range of security levels rather than a single one. A further concern is mobile users authenticating from unknown, and therefore untrusted, computers. This raises issues of availability, since users need secure authentication to be available regardless of where they authenticate or which computer they use.

We propose a method for the evaluation and design of web authentication solutions that takes into account a number of often overlooked design factors, namely availability, usability and economic aspects. The method uses the concept of assurance levels from NIST's Electronic Authentication Guideline (Special Publication 800-63).

We focus on the use of handheld devices, especially mobile phones, as flexible, multi-purpose (i.e. non-dedicated) hardware devices for web authentication. Mobile phones offer unique advantages for secure authentication: they are small, flexible and portable, and provide multiple data transfer channels. Phone designs vary, however, and the choice of channels and authentication methods determines the security level that can be reached. It is not trivial to maintain a consistent overview of the strengths and weaknesses of the available alternatives. Our evaluation and design method provides this overview and can help developers and users to compare and choose authentication solutions.

Place, publisher, year, pages
Linköping: Linköping University Electronic Press, 2011. 51 p.
Series
Linköping Studies in Science and Technology. Thesis, ISSN 0280-7971 ; 1481
Keyword [en]
Authentication, security levels, identity management, 2-clickAuth, information security
National Category
Computer Science
Identifiers
urn:nbn:se:liu:diva-67274 (URN)
978-91-7393-172-4 (ISBN)
oai:DiVA.org:liu-67274 (OAI)
diva2:416574 (DiVA)
Presentation
2011-06-13, Alan Turing, Hus E, Campus Valla, Linköpings universitet, Linköping, 13:15 (English)
Available from: 2011-05-13. Created: 2011-04-07. Last updated: 2013-05-15. Bibliographically approved.

Open Access in DiVA

Full text: FULLTEXT01.pdf, 979 kB, application/pdf
SHA-512: f857e5739f8aa9b5c92e9d03fdfa2f9dcba13f149dd76cc76233ab8972b5d8f7793803cc8c2c1091fee4e0872c3986568376a47ad2d763fb8838637ac773827f

Cover: COVER01.pdf, 175 kB, application/pdf
SHA-512: d56981edc633f36cbe8796e19956c76075da923af0c308f3e1e0587532a9b1924b9c5d60447c45052d9ace17537845ffdbdc81a29d828c864135254a768bde0b

Author
Vapen, Anna
Organisation
Database and information techniques, The Institute of Technology; Computer Science