Authentication Shutter: Alternative Countermeasure Against Password Reuse Attack by Availability Control

Title: Authentication Shutter: Alternative Countermeasure Against Password Reuse Attack by Availability Control
Publication Type: Conference Paper
Year of Publication: 2017
Authors: Takada, Tetsuji
Conference Name: Proceedings of the 12th International Conference on Availability, Reliability and Security
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-5257-4
Keywords: Availability, I-O Systems, i-o systems security, Password reuse attack, pubcrawl, Scalability, Security, User authentication, self-control, Shutter, Web system

Mass attacks on web services using leaked account information have occurred in recent years. The causes of the attack are information leakage and the use of the same password across multiple services. Available countermeasures against the attack mainly rely on an alternative authentication method such as two-factor authentication or one-time passwords. Such measures put an additional operational load or credential management burden on users, and may also impose additional management costs on users or service providers for dedicated devices. These issues limit the applicability of such measures to only a subset of services. Therefore, I propose an alternative countermeasure against the attack based on the concept of the shutter on a car garage. The proposed scheme is referred to as the "authentication shutter". In this scheme, a legitimate user can directly control the availability of user authentication. This means that, even if an attacker holds a valid user ID and password, if the legitimate user has set user authentication as unavailable, the attacker cannot pass user authentication. I explain the basic idea and how to implement the scheme as a web system, and also discuss the usability and security of the scheme.
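As an added illustration of the shutter idea (not code from the paper), the sketch below gates a web login on a per-user shutter that the legitimate user opens out of band; a correct password presented while the shutter is closed is rejected and recorded as a likely credential leak. The time-bounded open window, the generic failure response and the audit events are assumptions of this sketch.

```python
import hashlib
import hmac
import os
import time

# Added illustration of the "authentication shutter" idea; not the paper's code.
# Assumptions: the shutter is opened for a bounded window and closes by itself,
# and a closed shutter rejects even a correct password with the same generic
# answer as a wrong password, while the server-side audit log keeps the reason.


class ShutteredAuth:
    def __init__(self):
        self.users = {}   # user_id -> {"salt", "pw_hash", "open_until"}
        self.audit = []   # (timestamp, user_id, event) tuples for detection

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user_id, password):
        salt = os.urandom(16)
        self.users[user_id] = {"salt": salt, "pw_hash": self._hash(salt, password),
                               "open_until": 0.0}  # shutter starts closed

    def open_shutter(self, user_id, seconds=300, now=None):
        # The legitimate user opens the shutter through a separate channel
        # (e.g. a phone app); it closes on its own after `seconds` (assumed 5 min).
        now = time.time() if now is None else now
        self.users[user_id]["open_until"] = now + seconds

    def close_shutter(self, user_id):
        self.users[user_id]["open_until"] = 0.0

    def is_open(self, user_id, now=None):
        now = time.time() if now is None else now
        return now < self.users[user_id]["open_until"]

    def login(self, user_id, password, now=None):
        """Return True only if the password is correct AND the shutter is open."""
        now = time.time() if now is None else now
        rec = self.users.get(user_id)
        if rec is None:
            return False
        pw_ok = hmac.compare_digest(rec["pw_hash"], self._hash(rec["salt"], password))
        if not self.is_open(user_id, now):
            # A correct password arriving while the shutter is closed is strong
            # evidence the credential has leaked: record it so the user can be alerted.
            self.audit.append((now, user_id,
                               "leaked_credential_suspected" if pw_ok else "closed_bad_pw"))
            return False
        self.audit.append((now, user_id, "login_ok" if pw_ok else "bad_password"))
        return pw_ok
```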

Citation Key: takada_authentication_2017