Enhancing security and usability in password-based web systems through standardized authentication interactions

Date Issued: May 1, 2024
Author(s): Gautam, Anuj
Advisor(s): Scott Ruoti
Additional Advisor(s): Adam Aviv; Kent Seamons; Jinyuan Sun
Permanent URI: https://trace.tennessee.edu/handle/20.500.14382/18189
Abstract

Password-based authentication is the predominant method for securing access on the web, yet it is fraught with challenges because the web was never designed with authentication in mind. Password managers have emerged as auxiliary tools that help users generate, store, and enter passwords more securely and efficiently. Both the browser and the server, however, are oblivious to the password manager's presence, and because the web was not built to accommodate password-based authentication, password managers remain a temporary fix that suffers from usability and security problems limiting their widespread adoption. This dissertation proposes a novel approach to improving the usability and security of password-based authentication: integrating authentication as a core component of the web infrastructure by introducing standardized interfaces for the interactions among browsers, password managers, and websites.

To explore this approach, the dissertation introduces four implementations: (1) a Password Composition Policy (PCP) language designed to standardize and improve password generation; (2) a Secure Browser Channel (SBC) that protects passwords against prevalent web threats such as cross-site scripting (XSS) attacks and malicious browser extensions; (3) an application of the SBC concept to FIDO2 passwordless authentication, showing that the concept matters beyond passwords; and (4) an application of SBC in a context other than credential entry, namely the detection and auditing of browser-based attacks. We implemented each of these and performed real-world evaluations, demonstrating their practical viability and effectiveness in improving web authentication. The dissertation concludes with reflections on the lessons learned from these implementations and outlines future research directions that could further cement authentication as an integral, first-class component of the web, thereby substantially improving the security and usability of web authentication.

Subjects: authentication; browser security; password manager; password
Disciplines: Computer Sciences; Information Security
Degree: Doctor of Philosophy
Major: Computer Science
Comments

This work is based upon research supported by the National Science Foundation under award CNS-2226404.

File(s)

Name: AnujGautam_04_21_2024__2_.pdf
Size: 1.74 MB
Format: Adobe PDF
Checksum (MD5): c20330024407e6b8a24f65d7f55ef5f9

Name: AnujGautam_diss_10_13_24.pdf
Size: 1.71 MB
Format: Adobe PDF
Checksum (MD5): 3fe73e4fa7c4bcd4542fc07b20331bb5
