MFDPG: Multi-Factor Authenticated Password Management With Zero Stored Secrets

TL;DR

This paper reviews existing deterministic password generators, identifies their limitations, and introduces MFDPG, a multi-factor password generator that enhances security without storing credentials and upgrades weak sites to multi-factor authentication.

Contribution

The paper presents MFDPG, a novel multi-factor deterministic password generator that improves security, privacy, and usability over existing solutions, enabling zero-stored secrets and site upgrades.

Findings

Surveyed 45 existing DPGs highlighting key issues.

MFDPG achieves strong, zero-stored credential password management.

Enables upgrading weak websites to multi-factor authentication.

Abstract

While password managers are a vital tool for internet security, they can also create a massive central point of failure, as evidenced by several major recent data breaches. For over 20 years, deterministic password generators (DPGs) have been proposed, and largely rejected, as a viable alternative to password management tools. In this paper, we survey 45 existing DPGs to asses the main security, privacy, and usability issues hindering their adoption. We then present a new multi-factor deterministic password generator (MFDPG) design that aims to address these shortcomings. The result not only achieves strong, practical password management with zero credential storage, but also effectively serves as a progressive client-side upgrade of weak password-only websites to strong multi-factor authentication.