Practical, Usable, and Secure Authentication and Authorization on the Web

Advisor: Tadayoshi Kohno
Author: Alexei Czeskis
Date accessioned: 2013-11-14T20:53:03Z
Date available: 2013-11-14T20:53:03Z
Date issued: 2013-11-14
Date submitted: 2013
Description: Thesis (Ph.D.)--University of Washington, 2013
Abstract: User authentication and authorization are two of the most critical aspects of computer security and privacy on the web. However, despite their importance, in practice authentication and authorization are achieved through decade-old techniques that are often inconvenient for users and have been shown to be insecure against practical attackers. Many approaches have been proposed and attempted to improve and strengthen user authentication and authorization, among them authentication schemes that use hardware tokens, graphical passwords, one-time-passcode generators, and many more. Similarly, a number of approaches have been proposed to change how user authorization is performed. Unfortunately, none of the new approaches have been able to displace the traditional authentication and authorization strategies on the web. Meanwhile, attacks against user authentication and authorization continue to be rampant and, due to the lack of progress in practical defenses, are often successful. This dissertation examines the existing challenges to providing secure, private, and usable user authentication and authorization on the web. We begin by analyzing previous approaches with the goal of fundamentally understanding why and how previous solutions have not been adopted. Second, using this insight, we present three systems, each aiming to improve an aspect of user authentication and authorization on the web. Origin-Bound Certificates provide a deployable and secure building block for user credential transfer on the web. PhoneAuth uses Origin-Bound Certificates to allow users to securely authenticate to service providers in the face of strong attackers while maintaining the traditional username/password authentication model. Finally, Allowed Referrer Lists allow developers to easily protect applications against authorization vulnerabilities.
We present the design, implementation, and evaluation of each of the three systems, demonstrating the feasibility of our approaches. Together, these works advance the state of the art in practical, usable, and secure user authentication and authorization on the web. These systems demonstrate that, through deep consideration of fundamental stakeholder values and careful engineering, it is possible to build systems that increase the security of user authentication and authorization without adversely impacting the user and developer experiences, while at the same time being deployable and practical.
Embargo terms: No embargo
Format (MIME type): application/pdf
Identifier (other): Czeskis_washington_0250E_12273.pdf
Identifier (URI): http://hdl.handle.net/1773/24133
Language: en_US
Rights: Copyright is held by the individual authors.
Subjects: authentication; internet; privacy; security; web
Subjects (other): Computer science; computer science and engineering
Title: Practical, Usable, and Secure Authentication and Authorization on the Web
Type: Thesis

Files

Original bundle: Czeskis_washington_0250E_12273.pdf (1.37 MB, Adobe Portable Document Format)