Zero-Knowledge User Authentication: An Old Idea Whose Time Has Come
OPEN ACCESS
Date
2020
Publication Type
Conference Paper
ETH Bibliography
yes
Abstract
User authentication can rely on various factors (e.g., a password, a cryptographic key, and/or biometric data) but should not reveal any secret information held by the user. This seemingly paradoxical feat can be achieved through zero-knowledge proofs. Unfortunately, naive password-based approaches still prevail on the web. Multi-factor authentication schemes address some of the weaknesses of the traditional login process, but generally have deployability issues or degrade usability even further as they assume users do not possess adequate hardware. This assumption no longer holds: smartphones with biometric sensors, cameras, short-range communication capabilities, and unlimited data plans have become ubiquitous. In this paper, we show that, assuming the user has such a device, both security and usability can be drastically improved using an augmented password-authenticated key agreement (PAKE) protocol and message authentication codes.
Publication status
published
Book title
Security Protocols XXVII
Volume
12287
Pages / Article No.
203 - 212
Publisher
Springer
Event
27th International Workshop on Security Protocols
Subject
Security protocols; User authentication; Zero-knowledge proofs
Organisational unit
03975 - Perrig, Adrian / Perrig, Adrian