Publication

Out-of-band password based authentication towards web services

Book Contribution - Book Chapter Conference Contribution

A username/password combination is still the most commonly used method for user authentication in a Web-based context. Users are familiar with this type of authentication and the registration phase for new users is straightforward. It, however, also has several disadvantages. For instance, users have to deal with an explosion of different usernames and passwords. This may cause users to use short, easy-to-remember passwords, use the same password for multiple services, etc. Further, if malware is running on the workstation, it can eavesdrop on the username and password when entered via the keyboard. Therefore, this paper presents a solution that maintains the familiar, widespread password-based authentication mechanism but both tackles the password management problem and prevents malware running on the workstation from stealing the user's credentials. The usernames and corresponding passwords of the user are stored encrypted on his mobile device. The mobile device handles the authentication towards the service provider and transfers the established authenticated session to the workstation. Subsequently, the user can further consume the service on the workstation without having to enter his credentials on the workstation. © 2014 Springer International Publishing Switzerland.
Book: Proceedings of the sixth European Conference on the Use of Modern Information and Communication Technologies
Pages: 181 - 191
ISBN: 9783319054391
Accessibility: Closed