
Communications of the ACM

ACM TechNews

Dump User Names, Says Dartmouth Research



Campus Technology

A joint academic and industry research team from WWPass and Dartmouth College's Institute for Security, Technology, and Society (ISTS) concludes in a new paper that two-factor authentication schemes depending on user names and passwords are inherently flawed. According to the paper, such schemes are only as strong as the weakest user in the network.

"We must make it harder for attackers to select and leverage the next round of targets," WWPass CEO Eugene Shablygin says. The only way to defeat "the epidemic of account breaches is to reduce this plethora of weak links by eliminating the use of usernames and passwords."

The WWPass/ISTS collaboration is testing a mechanism to replace two-factor authentication with a passkey-based approach in which an application, website, or domain is registered with WWPass and assigned a Service Provider ID and a digital certificate. When a user logs on to the application, the application first authenticates itself to WWPass; upon verification, the user receives proof from WWPass that the application is genuine. When users enter an access code to complete the login, they are authenticated by WWPass, and the credential data is transmitted to the application. The data is stored in the cloud, where it is encrypted, fragmented, and dispersed.


 

Abstracts Copyright © 2015 Information Inc., Bethesda, Maryland, USA


 
