Skip to main content

Zero-Knowledge User Authentication: An Old Idea Whose Time Has Come

  • Conference paper
  • First Online:
Security Protocols XXVII (Security Protocols 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12287))

Included in the following conference series:

Abstract

User authentication can rely on various factors (e.g., a password, a cryptographic key, and/or biometric data) but should not reveal any secret information held by the user. This seemingly paradoxical feat can be achieved through zero-knowledge proofs. Unfortunately, naive password-based approaches still prevail on the web. Multi-factor authentication schemes address some of the weaknesses of the traditional login process, but generally have deployability issues or degrade usability even further as they assume users do not possess adequate hardware. This assumption no longer holds: smartphones with biometric sensors, cameras, short-range communication capabilities, and unlimited data plans have become ubiquitous. In this paper, we show that, assuming the user has such a device, both security and usability can be drastically improved using an augmented password-authenticated key agreement (PAKE) protocol and message authentication codes.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 64.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 84.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    Also referred to as asymmetric password-authenticated key establishment or aPAKE.

References

  1. Bonneau, J.: Getting web authentication right: a best-case protocol for the remaining life of passwords. In: Proceedings of the 19th International Workshop on Security Protocols (2011)

    Google Scholar 

  2. Bonneau, J., Herley, C., van Oorschot, P.C., Stajano, F.: The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In: Proceedings of the 33rd IEEE Symposium on Security and Privacy (S&P) (2012)

    Google Scholar 

  3. Gibson Research Corporation: SQRL secure quick reliable login. https://www.grc.com/sqrl/sqrl.htm

  4. Dechand, S., Schürmann, D., Busse, K., Acar, Y., Fahl, S., Smith, M.: An empirical study of textual key-fingerprint representations. In: Proceedings of the 25th USENIX Security Symposium (2016)

    Google Scholar 

  5. Franceschi-Bicchierai, L.: Another day, another hack: 117 million LinkedIn emails and passwords. Motherboard, May 2016. https://perma.cc/6MC6-EVHH

  6. Google. 2-step verification. https://www.google.com/landing/2step

  7. Jarecki, S., Krawczyk, H., Xu, J.: OPAQUE: an asymmetric PAKE protocol secure against pre-computation attacks. In: Proceedings of the 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques (Eurocrypt) (2018)

    Google Scholar 

  8. Kamp, P.-H.: LinkedIn password leak: salt their hide. ACM Queue 10(6), 20 (2012)

    Article  Google Scholar 

  9. Karapanos, N., Marforio, C., Soriente, C., Capkun, S.: Sound-Proof: usable two-factor authentication based on ambient sound. In: Proceedings of the 24th USENIX Security Symposium (2015)

    Google Scholar 

  10. M’Raihi, D., Machani, S., Pei, M., Rydell, J.: TOTP: time-based one-time password algorithm. RFC 6238, May 2011

    Google Scholar 

  11. OneSpan: CRONTO mobile app. https://perma.cc/THZ6-3YFW

  12. Schneier, B.: Two-factor authentication: too little, too late. Commun. ACM 48(4), 136 (2005)

    Article  Google Scholar 

  13. Schneier, B.: Real-time attacks against two-factor authentication. Schneier on Security, December 2018. https://perma.cc/FQ9R-USG6

  14. Shin, S., Kobara, K.: Efficient augmented password-only authentication and key exchange for IKEv2. RFC 6628, June 2012

    Google Scholar 

  15. Singh, S., Cabraal, A., Demosthenous, C., Astbrink, G., Furlong, M.: Password sharing: implications for security design based on social practice. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (2007)

    Google Scholar 

  16. Stajano, F.: Pico: no more passwords!. In: Christianson, B., Crispo, B., Malcolm, J., Stajano, F. (eds.) Security Protocols 2011. LNCS, vol. 7114, pp. 49–81. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25867-1_6

    Chapter  Google Scholar 

  17. Tan, J., Bauer, L., Bonneau, J., Cranor, L.F., Thomas, J., Ur, B.: Can unicorns help users compare crypto key fingerprints? In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (2017)

    Google Scholar 

  18. The FIDO Alliance: Specifications overview (FIDO2, WebAuthn, FIDO UAF, FIDO U2F). https://fidoalliance.org/specifications

  19. Thomas, D.R., Beresford, A.R.: Better authentication: password revolution by evolution. In: Christianson, B., Malcolm, J., Matyáš, V., Švenda, P., Stajano, F., Anderson, J. (eds.) Security Protocols 2014. LNCS, vol. 8809, pp. 130–145. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-12400-1_13

    Chapter  Google Scholar 

  20. Wu, T.: SRP-6: improvements and refinements to the Secure Remote Password protocol. IEEE P1363 Working Group, October 2002

    Google Scholar 

  21. Yubico: YubiKey strong two factor authentication for business and individual use. https://www.yubico.com

Download references

Acknowledgments

We gratefully thank Eduardo Solana for his valuable input in the early stages of this project, Daniel R. Thomas for his extensive feedback, and all the workshop attendees who participated in the discussion and helped improve this paper.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Laurent Chuat .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Chuat, L., Plocher, S., Perrig, A. (2020). Zero-Knowledge User Authentication: An Old Idea Whose Time Has Come. In: Anderson, J., Stajano, F., Christianson, B., Matyáš, V. (eds) Security Protocols XXVII. Security Protocols 2019. Lecture Notes in Computer Science(), vol 12287. Springer, Cham. https://doi.org/10.1007/978-3-030-57043-9_19

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-57043-9_19

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-57042-2

  • Online ISBN: 978-3-030-57043-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics