Comparative Analysis and Framework Evaluating Mimicry-Resistant and Invisible Web Authentication Schemes
Furkan Alaca, AbdelRahman Abdou, Paul C. van Oorschot

TL;DR
This paper explores the integration of mimicry-resistance into web authentication schemes, evaluating invisible techniques like device fingerprinting, PUFs, and geolocation for enhanced security without user awareness.
Contribution
It introduces a new framework for analyzing mimicry-resistance in web authentication and evaluates several invisible techniques for their security and usability benefits.
Findings
Device fingerprinting offers significant mimicry-resistance.
PUFs provide robust security against impersonation.
Geolocation mechanisms add an extra layer of defense.
Abstract
Many password alternatives for web authentication proposed over the years, despite having different designs and objectives, all predominantly rely on the knowledge of some secret. This motivates us, herein, to provide the first detailed exploration of the integration of a fundamentally different element of defense into the design of web authentication schemes: a mimicry-resistance dimension. We analyze web authentication mechanisms with respect to new usability and security properties related to mimicry-resistance (augmenting the UDS framework), and in particular evaluate invisible techniques (those requiring neither user actions, nor awareness) that provide some mimicry-resistance (unlike those relying solely on static secrets), including device fingerprinting schemes, PUFs (physically unclonable functions), and a subset of Internet geolocation mechanisms.
