How to evaluate web authentication methods
Authentication evaluation white paper includes popular and obscure methods and outlines a framework for assessing their security effectiveness.
Have you ever come across something years old that is so dead on about a topic important to you that you can’t believe you didn’t know it existed? I felt that way when I stumbled across an excellent authentication evaluation whitepaper entitled The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes, by Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano.
First released at the IEEE Security and Privacy conference in 2012, the white paper presents a holistic framework for evaluating web authentication methods, including passwords and dozens of other two-factor methods and devices. It’s the most comprehensive look at authentication I’ve seen. It rates passwords and dozens of two-factor authentication (2FA) solutions across 25 different attributes spread over three categories: usability, deployability and security. The authors have created a comparative framework that any user or admin can use to rate a particular authentication solution.
Here are some other random tidbits I learned from reading the paper:
- The average web user has 25 web accounts, but has only six different passwords.
- OpenID is particularly susceptible to session cookie theft and phishing.
- Humans’ ability to remember images exceeds their ability to memorize text.
- Most hardware tokens are proprietary and require trust in a third party.
- Biometric identities do not have as many bits of entropy as I had previously believed.
Want to know how hardware tokens compare to phone-based solutions or how graphical solutions compare to biometric authentication? Read this paper.
Many types of web authentication methods
If you’ve ever wondered about all the web authentication possibilities, this is the paper to read. It covers passwords, password managers, browser-stored passwords, proxy-based authentication, federated single sign-on (e.g., OpenID or Kerberos), graphical passwords, cognitive authentication, paper tokens, hardware tokens (e.g., RSA SecurID or YubiKey), mobile phone-based solutions, biometrics, visual crypto, and even recovery methods.
The white paper introduced me to types of protective schemes that I never knew existed, such as the proxy-based authentication solutions Universal Replay-Resistant Secure Authentication (URRSA) and Impostor. URRSA looks like an abandoned service now, but the documentation will help you understand how it works and how to implement the still-available Impostor open source implementation.
With proxy-based authentication, the user’s original password for each website is converted into multiple new, intermediate forms that are stored on the proxy. The user is given a list of directly related “keys” (i.e., one-time passwords), one of which they enter each time they want to visit a registered website. The proxy converts the supplied one-time password back into the final password and forwards it to the target website.
The user’s computer doesn’t store the final password, and neither does the proxy. The proxy only has the multiple intermediate forms, each of which yields the final password only when combined with its matching one-time key. If either the user’s computer or the proxy is compromised, the attacker will not easily get the password used by the target website. While it solves some security problems and can be used on websites that only accept passwords, the user now has to carry around all the one-time passwords to be entered for each different session of the targeted website. It’s not very user friendly and probably not going to take over the world anytime soon, but nice to know about.
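The split described above can be modelled in a few lines. This is an added illustration written for this article, not code from URRSA or Impostor: it assumes each intermediate form is the site password XORed with a fresh random one-time key (one simple construction that matches the description), and adds the replay check a proxy needs so a used key cannot be entered twice.

```python
from __future__ import annotations
import secrets


def make_intermediate_forms(password: str, n: int) -> tuple[list[bytes], list[bytes]]:
    """Split one site password into n one-time keys (carried by the user) and
    n intermediate forms (stored by the proxy). A form alone looks like random
    bytes; a key alone says nothing about the password."""
    pw = password.encode()
    keys = [secrets.token_bytes(len(pw)) for _ in range(n)]
    forms = [bytes(p ^ k for p, k in zip(pw, key)) for key in keys]
    return keys, forms


class TargetSite:
    """Stand-in for an unmodified, password-only website."""
    def __init__(self, password: str) -> None:
        self._pw = password.encode()

    def check(self, candidate: bytes) -> bool:
        return secrets.compare_digest(candidate, self._pw)


class Proxy:
    """Holds only the intermediate forms, never the password itself."""
    def __init__(self, forms: list[bytes]) -> None:
        self.forms = list(forms)
        self.used: set[int] = set()

    def login(self, index: int, key: bytes, site: TargetSite) -> bool | None:
        # Each one-time password works once: a replayed or unknown index is refused.
        if index in self.used or not 0 <= index < len(self.forms):
            return None
        self.used.add(index)
        # Recombine the stored form with the user's key and forward the result.
        password = bytes(f ^ k for f, k in zip(self.forms[index], key))
        return site.check(password)


def proxy_stores_password(proxy: Proxy, password: str) -> bool:
    """What an attacker holding a copy of the proxy's database would find."""
    return password.encode() in proxy.forms


if __name__ == "__main__":
    secret = "correct horse battery"  # constructed sample password
    keys, forms = make_intermediate_forms(secret, 3)
    proxy, site = Proxy(forms), TargetSite(secret)
    print("first use of key 0:", proxy.login(0, keys[0], site))
    print("replay of key 0:", proxy.login(0, keys[0], site))
    print("proxy holds password:", proxy_stores_password(proxy, secret))
```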
Another authentication method that was new to me is persuasive cued click-points. Using this method, a user is presented with multiple images (say, five) that they then need to pick or place in a previously defined sequential order.
I’ve seen logon methods where a person is shown a previously picked single image and then moves their finger or cursor in a predefined pattern to log on, but not this sequential method. I’ve been doing computer security for 30 years, so if I’m learning about new authentication methods, then most readers will probably pick up something new as well.
Web authentication attributes
I liked this paper because it considered a wide range of attributes across its three main categories of usability, deployability and security. I knew most of them, but some I hadn’t thought about or given enough importance to. The paper covered them all.
Two attributes I hadn’t given a lot of thought to are “requiring explicit consent” and “resilient to leaks from other verifiers.” The former ensures that a user’s authentication is not initiated without them knowing about it, and the latter is about preventing related authentication secrets from being used to deduce the original authentication credential. The authors evaluate all the covered authentication solutions across all attributes, and they include a nice matrix chart so you can see how each compares to the others. It’s a genius table that should have been created a long time ago.
The authors rate each authentication option as satisfying, not satisfying or partially satisfying each attribute. The attributes aren’t ranked, but anyone could easily take the unweighted framework, add or delete attributes, and weight each attribute by its importance to them. For example, many authentication evaluators looking for real-world solutions will want to add cost (both initial and ongoing) and vendor product solutions.
The authors’ candid conclusions include: “A clear result of our exercise is that no [authentication] scheme we examined is perfect – or even comes close to perfect scores.” This should not be surprising. There are very few perfect solutions in the world. Most are trade-offs, where one thing works for one person or scenario and not as well for another person or scenario. You need to pick your poison, and this whitepaper and its framework matrix can help with that.
The paper is a few years old and may have missed some newer authentication methods, vendors or related attributes, but it has the best coverage I’ve seen. Accordingly, many authentication subject matter experts (SMEs) now consider the framework presented in the paper the way to evaluate all current and future proposed authentication schemes. I agree, at least until something better comes along. I’m just sad that it took me six years to discover it.
In reminiscing about writing the paper with his other co-authors, Dr. Herley recently told me, “It was very fun and a lot of work. I think we calculated that we did 50-plus hours of conference calls, had 1,500-plus emails, 621 version check-ins of the paper, and zero face-to-face meetings. The first time we were all simultaneously in the same place was at the conference to present.”
If you like this paper, as I did, then I suggest you search on the authors’ names. You’ll find many other good computer security research papers. Many contain information that would surprise most people. Did you know that the more a person knows about digital certificates, the more likely they are to ignore a digital certificate warning? It’s because of this fact that most of today’s modern browsers give less, not more, information about broken digital certificates.
I loved discovering this paper, not only because of what it taught me, but because it led me to a dozen other IT security papers. I can’t wait to read Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google. Some of my less technical co-workers didn’t find them as exciting, so you have to be the type of person who wants to know more about a lot of things to get as energized as I did.
With that warning, go fight the good fight!