Doctoral Dissertations

Date of Award

5-2024

Degree Type

Dissertation

Degree Name

Doctor of Philosophy

Major

Computer Science

Major Professor

Scott Ruoti

Committee Members

Adam Aviv, Kent Seamons, Jinyuan Sun

Abstract

Password-based authentication is the predominant method for securing access on the web, yet it is fraught with challenges because the web was never designed with authentication in mind. Password managers have emerged as auxiliary tools that help users generate, store, and enter passwords more securely and efficiently. But both the browser and the server are oblivious to the password manager's presence, and because the web was not originally built to accommodate password-based authentication, password managers remain a stopgap that suffers from several usability and security problems limiting their widespread use. This dissertation proposes a novel approach to improving the usability and security of password-based authentication by integrating authentication as a core component of the web infrastructure, through the introduction of standardized interfaces for the interaction among browsers, password managers, and websites.

To achieve this, the dissertation introduces four implementations as an exploration: (1) the development of a Password Composition Policy (PCP) language designed to standardize and enhance password generation; (2) the creation of a Secure Browser Channel (SBC) aimed at protecting passwords against prevalent web threats such as cross-site scripting (XSS) attacks and malicious browser extensions; (3) an implementation of the SBC concept for FIDO2 passwordless authentication, showing that the concept matters for more than just passwords; and (4) the application of SBC in a different context from credential entry: the detection and auditing of browser-based attacks. We implemented and evaluated each of these in real-world settings, demonstrating their practical viability and effectiveness in improving web authentication. The dissertation concludes with reflections on the lessons learned from these implementations and outlines future research directions that could further cement authentication as an integral, first-class component of the web, thereby substantially improving the security and usability landscape of web authentication.

Comments

This work is based upon research supported by the National Science Foundation under award CNS-2226404.
