Systematic Solutions to Login and Authentication Security Problems: A Dual-Password Login-Authentication Mechanism
Suyun Borjigin

TL;DR
This paper introduces a dual-password login mechanism in which a user-chosen login password is converted into an untypable authentication password; the login password on its own cannot authenticate and the authentication password cannot be typed, which is intended to defeat credential theft and remote attacks without storing the password locally.
Contribution
It proposes a dual-password authentication scheme in which a password converter, implemented as an open (publicly known) hashing algorithm, turns the login password into an untypable authentication password, removing the password-reuse and credential-theft weaknesses of single-password login.
Findings
Prevents credential theft and remote attacks effectively.
Eliminates the need for local password storage.
Provides a unique, unforgeable identity for login processes.
Abstract
Credential theft and remote attacks are the most serious threats to user authentication mechanisms. The crux of these problems is that the defender cannot control the attacker's behavior. However, if a password contains no user secret, stealing it is useless; and if unauthorized inputs are invalidated, remote attacks are disabled. Thus, what can be controlled are the secrets carried by credentials and the inputs accepted by account fields. Rather than encrypting passwords, we design a dual-password login-authentication mechanism in which a user-selected, secret-free login password is converted into an untypable authentication password. The authenticatable functionality of the login password and the typable functionality of the authentication password can then be disabled or invalidated, preventing credential theft and remote attacks. The usability-security tradeoff and password-reuse issues are thereby resolved; local authentication…
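The abstract describes the mechanism only at the level of properties (a typable login password that cannot authenticate, an untypable authentication password that cannot be typed). The following is an added toy model written for this page to make those properties concrete; it is not the paper's code and does not claim to reproduce its converter. Every construction detail is an assumption: the converter is modeled as PBKDF2-HMAC-SHA256 bound to a site and account name, "untypable" is modeled as "contains at least one byte outside printable ASCII", and the server invalidates any submitted credential that a keyboard could have produced. The account names, site names and passwords are constructed sample inputs.

```python
"""
Toy model of a dual-password login: a typable login password is converted
client-side into an untypable authentication password, and only the latter
is ever verified by the server.  Added illustration, not the paper's code;
the converter construction (PBKDF2-HMAC-SHA256 bound to site and account)
and the acceptance policy are assumptions made for this example.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000      # assumed work factor for the converter
AUTH_PASSWORD_LEN = 32           # raw digest length in bytes


def is_typable(data: bytes) -> bool:
    """True if every byte is printable ASCII, i.e. enterable from a keyboard."""
    return all(0x20 <= b <= 0x7E for b in data)


def convert(login_password: str, site: str, account: str) -> bytes:
    """Client-side converter: login password -> authentication password.

    The output is raw digest bytes, so it is untypable in practice: the
    chance that all 32 bytes fall in printable ASCII is (95/256)**32,
    roughly 1e-14.  Binding the derivation to site and account means the
    same login password yields unrelated authentication passwords at
    different services, so reuse of the login password leaks nothing.
    """
    salt = f"{site}\x00{account}".encode()
    return hashlib.pbkdf2_hmac("sha256", login_password.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=AUTH_PASSWORD_LEN)


def enroll(store: dict, account: str, auth_password: bytes) -> None:
    """Server side: keep only a salted verifier of the authentication password.

    Neither the login password nor the authentication password is stored.
    """
    salt = os.urandom(16)
    verifier = hashlib.sha256(salt + auth_password).digest()
    store[account] = (salt, verifier)


def authenticate(store: dict, account: str, submitted: bytes) -> str:
    """Server side.  Returns a verdict string so callers can see why it failed."""
    # Invalidate anything a keyboard could have produced: a login password
    # typed straight into the authentication endpoint, or an attacker
    # retyping a value copied from somewhere else.
    if is_typable(submitted) or len(submitted) != AUTH_PASSWORD_LEN:
        return "rejected: typable or malformed input"
    if account not in store:
        return "rejected: unknown account"
    salt, verifier = store[account]
    candidate = hashlib.sha256(salt + submitted).digest()
    if hmac.compare_digest(candidate, verifier):
        return "ok"
    return "rejected: bad credential"


if __name__ == "__main__":
    # Constructed sample data for the walkthrough.
    store = {}
    login_password = "correct horse battery staple"
    auth_password = convert(login_password, "bank.example", "alice")
    enroll(store, "alice", auth_password)

    print("typable auth password?", is_typable(auth_password))
    print("legitimate converter login:", authenticate(store, "alice", auth_password))
    # A stolen login password submitted directly is invalidated as typable input.
    print("stolen login password:", authenticate(store, "alice", login_password.encode()))
    # The same login password at another site converts to a different credential.
    other = convert(login_password, "shop.example", "alice")
    print("differs across sites?", other != auth_password)
    print("wrong login password:",
          authenticate(store, "alice", convert("hunter2", "bank.example", "alice")))
```

The two properties from the abstract map onto two checks: `authenticate` refuses any typable input, so the login password has no authenticating power, and `is_typable(auth_password)` is false, so the authentication password cannot be entered into a form. Site-and-account binding in `convert` is what addresses password reuse in this model.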
Taxonomy
Topics: User Authentication and Security Systems
