Securing Password Authentication for Web-based Applications
Teik Guan Tan, Pawel Szalachowski, Jianying Zhou

TL;DR
This paper identifies a design vulnerability in the HTML password input field that lets phishing sites capture user passwords, and proposes a secure login protocol built on a dedicated credential field to prevent such attacks, supported by a threat analysis, a deployment study, and measurements of implementation overhead.
Contribution
It introduces a novel secure protocol and credential field design that address specific vulnerabilities in web password authentication to prevent phishing.
Findings
Identified a design vulnerability in HTML password fields.
Proposed a secure protocol with a new credential field.
Analyzed deployment issues and tested implementation overheads.
Abstract
The use of passwords and the need to protect passwords are not going away. The majority of websites that require authentication continue to support password authentication. Even high-security applications such as Internet Banking portals, which deploy 2-factor authentication, rely on password authentication as one of the authentication factors. However, phishing attacks continue to plague password-based authentication despite aggressive efforts in detection and takedown as well as comprehensive user awareness and training programs. There is currently no foolproof mechanism, even for security-conscious websites, to prevent users from being directed to fraudulent websites and having their passwords phished. In this paper, we apply a threat analysis to the web password login process, and uncover a design vulnerability in the HTML <input type="password"> field. This vulnerability can be…
Taxonomy
Topics: User Authentication and Security Systems · Privacy, Security, and Data Protection · Spam and Phishing Detection
