Even though they are insecure, passwords are still the main form of authentication available on the web. There are several reasons for this. Users are used to passwords, and trust them. Teaching them to use something new requires time and effort. If users don’t see the benefit of a new system, they will continue using passwords. Services have been using passwords for ages. Using a different method requires a significant effort (in terms of time and other resources). Moreover, authentication systems form a two-sided market with cross side effects. This creates the chicken-egg dilemma that users will not migrate to a form of authentication that is not offered by a significant number of services, and services will not offer a new authentication method if no users use it.
The challenge is to break this vicious cycle. And UbiKiMa aims to achieve just that.
The main idea of UbiKiMa is to use a smart phone to authenticate users on the web in such a way that that it supports a gradual yet seamless transition towards an authentication scheme that is more secure than passwords. To this end we introduce a protocol that, using a proxy, a bookmarklet, and a password management app on a smartphone, allows users to sign in at arbitrary websites, without the need to remember and retype account names and passwords. The communication between the browser and the smart phone (mediated by the proxy) is encrypted. This ensures that the proxy does not learn your passwords, and also does not learn which websites you visit.
The same app (and associated stored account data) can be used anywhere, at any PC and browser that allow such a bookmarklet to be saved. Because the normal password based signin procedure is used, the service provider does not need to change anything to make this possible. In fact, the service provider is not even aware users are using UbiKiMa. (It would actually be good though if the service provider could somehow be informed of the fraction of its users that use UbiKiMa to sign in, so that it knows when it makes sense to switch to the new, more secure, form of authentication. See below.)
In addition we propose an authentication protocol based on public key cryptography, that is integrated within the same smartphone app, for a secure form of authentication at websites. The protocol is based on the modified Needham-Schroeder protocol and uses QR codes to link the browsing session with the smartphone app. The service provider generates a QR code on the login page, that is associated with this particular TLS browser session. The user scans this QR with his smart phone. The QR code contains a session identifier and the endpoint at the service provider that will run the authentication protocol. The smart phone authenticates using the private key stored in the phone. The service provider verifies using the corresponding public key stored in the user profile. Once verified, the user is logged in on the corresponding browser session. To prevent tracking across service providers, users use different keypairs for different services.
Both ideas by itself are nothing new. There are plenty of password management apps (although far less that offer the same level of ubiquity and user friendliness). Also, many pubic key authentication protocols exist. The main innovation is to combine both in a single smart phone app. Because the same app supports both forms of authentication, websites can independently decide to migrate towards supporting this stronger form of authentication. This allows is to break the vicious cycle and move beyond the password status quo.
The details of the UbiKiMa design are documented in this paper, that I wrote with a few (ex)-colleagues from TNO, and that was presented two weeks ago at the Digital Identity Management (DIM) workshop in Berlin.
The current implementation is a proof of concept. The app runs on Android only. We would definitely welcome ideas to improve the performance, functionality, usability and security of UbiKiMa. That’s why this post was filed in the seeds category….