The quest to replace passwords: a framework for comparative evaluation of Web authentication schemes
Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, Frank Stajano
March 2012, 32 pages
Abstract
We evaluate two decades of proposals to replace text passwords for general-purpose user authentication on the web using a broad set of twenty-five usability, deployability and security benefits that an ideal scheme might provide. The scope of proposals we survey is also extensive, including password management software, federated login protocols, graphical password schemes, cognitive authentication schemes, one-time passwords, hardware tokens, phone-aided schemes and biometrics. Our comprehensive approach leads to key …
The quest to replace passwords: a framework for comparative evaluation of Web authentication schemes
Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, Frank Stajano
March 2012, 32 pages
Abstract
We evaluate two decades of proposals to replace text passwords for general-purpose user authentication on the web using a broad set of twenty-five usability, deployability and security benefits that an ideal scheme might provide. The scope of proposals we survey is also extensive, including password management software, federated login protocols, graphical password schemes, cognitive authentication schemes, one-time passwords, hardware tokens, phone-aided schemes and biometrics. Our comprehensive approach leads to key insights about the difficulty of replacing passwords. Not only does no known scheme come close to providing all desired benefits: none even retains the full set of benefits which legacy passwords already provide. In particular, there is a wide range between schemes offering minor security benefits beyond legacy passwords, to those offering significant security benefits in return for being more costly to deploy or difficult to use. We conclude that many academic proposals have failed to gain traction because researchers rarely consider a sufficiently wide range of real-world constraints. Beyond our analysis of current schemes, our framework provides an evaluation methodology and benchmark for future web authentication proposals.
This report is an extended version of the peer-reviewed paper by the same name. In about twice as many pages it gives full ratings for 35 authentication schemes rather than just 9.
Full text
PDF (0.5 MB)
BibTeX record
@TechReport{UCAM-CL-TR-817,
author = {Bonneau, Joseph and Herley, Cormac and Oorschot, Paul C.
van and Stajano, Frank},
title = {{The quest to replace passwords: a framework for
comparative evaluation of Web authentication schemes}},
year = 2012,
month = mar,
url = {https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.pdf},
institution = {University of Cambridge, Computer Laboratory},
doi = {10.48456/tr-817},
number = {UCAM-CL-TR-817}
}