Painless migration from passwords to two factor authentication
- 1 November 2011
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE)
Abstract
In spite of the growing frequency and sophistication of attacks, two factor authentication schemes have seen very limited adoption in the US, and passwords remain the single factor of authentication for most bank and brokerage accounts. Clearly the cost-benefit analysis is not as strongly in favor of two factor as we might imagine. Upgrading from passwords to a two factor authentication system usually involves a large engineering effort, a discontinuity of user experience and a hard key management problem. In this paper we describe a system to convert a legacy password authentication server into a two factor system. The existing password system is untouched, but is cascaded with a new server that verifies possession of a smartphone device. No alteration, patching or updates to the legacy system are necessary. There are then two alternative authentication paths: one using passwords alone, and a second using passwords and possession of the trusted device. The bank can leave the password authentication path available while users migrate to the two factor scheme. Once migration is complete the password-only path can be severed. We have implemented the system and carried out two factor authentication against real accounts at several major banks.
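The cascade the abstract describes, as an added Python sketch that is not the paper's own code: the legacy password check is left untouched, a new device server verifies possession of an enrolled phone, and the gateway sends unmigrated users down the password-only path until that path is severed. The nonce/HMAC exchange between server and phone, the user names and the passwords are my assumptions; the abstract does not specify how possession is proved.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the legacy password store, which the cascade never touches.
LEGACY_USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest(),
                "bob": hashlib.sha256(b"battery staple").hexdigest()}

def legacy_verify(user, password):
    """Stands in for the untouched legacy server: a password-only check."""
    stored = LEGACY_USERS.get(user)
    digest = hashlib.sha256(password.encode()).hexdigest()
    return stored is not None and hmac.compare_digest(stored, digest)

def device_answer(key, nonce):
    # What the enrolled phone computes for a challenge (assumed client-side logic).
    return hmac.new(key, nonce, hashlib.sha256).digest()

class DeviceServer:
    """New server proving possession of the enrolled phone via a nonce/HMAC exchange (assumed)."""
    def __init__(self):
        self.device_keys = {}  # user -> key provisioned to the phone at enrolment
        self.pending = {}      # user -> outstanding nonce (single use, so responses cannot be replayed)
    def enroll(self, user):
        self.device_keys[user] = secrets.token_bytes(32)
        return self.device_keys[user]
    def challenge(self, user):
        self.pending[user] = secrets.token_bytes(16)
        return self.pending[user]
    def verify(self, user, response):
        key, nonce = self.device_keys.get(user), self.pending.pop(user, None)
        if key is None or nonce is None:
            return False
        return hmac.compare_digest(device_answer(key, nonce), response)

class CascadeGateway:
    """Front-ends the legacy server; each user takes one of the two authentication paths."""
    def __init__(self, devices):
        self.devices = devices
        self.password_only_open = True  # severed once migration completes
    def login(self, user, password, device_response=None):
        if not legacy_verify(user, password):
            return False  # the password is always checked first, by the legacy server
        if user in self.devices.device_keys:  # migrated: phone possession required too
            return device_response is not None and self.devices.verify(user, device_response)
        return self.password_only_open  # not yet migrated: legacy path, while it is open
    def sever_password_path(self):
        self.password_only_open = False
```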