Secure Client-Managed Authentication: A Passport-Free Solution

This paper presents a novel authentication service that enforces security by assisting in the management of the overwhelming and constantly growing collections of user identifiers and passwords. As the number of these authentication credentials (i.e., userid and password pairs) increases, maintaining and recalling them on demand becomes a challenge. Studies show that users typically choose the same easy-to-guess password for multiple services and store it unprotected. This behavior implies that credential leaks within poorly protected services can compromise or disrupt better protected critical services.

The new secure client-managed authentication service proposed in this paper is suitable for a large spectrum of applications, including Internet services and network management services. Our main contributions are (1) the delegation of credential management to a local secure agent while keeping users in control of their credentials, (2) a three-level user control of credential release, and (3) generality, i.e., allowing secure credential release to authorized server applications without requiring client application or operating system modifications. As a key differentiation from centralized solutions such as Microsoft Passport, our authentication service empowers users to control the release of their identity and related credentials on demand. We compare the performance of our prototype (a fully functioning implementation) to that of a conventional user authentication service and show that our prototype is faster and easier to use.

By: Reiner Sailer, James Giles, Anca Dracinschi Sailer

Published in: RC23193 in 2004

LIMITED DISTRIBUTION NOTICE:

This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties).


Questions about this service can be mailed to reports@us.ibm.com.