CR · Aug 5, 2017

Comparative Analysis and Framework Evaluating Mimicry-Resistant and Invisible Web Authentication Schemes

arXiv:1708.01706v2 · 3 citations
AI Analysis

This work addresses security and usability issues in web authentication for users and developers by introducing a novel framework, though it appears incremental in augmenting existing frameworks.

The paper tackles the problem of web authentication by exploring mimicry-resistance as a new defense dimension, analyzing and evaluating invisible techniques like device fingerprinting and PUFs that do not rely on user actions or awareness.

Many password alternatives for web authentication proposed over the years, despite having different designs and objectives, all predominantly rely on the knowledge of some secret. This motivates us, herein, to provide the first detailed exploration of the integration of a fundamentally different element of defense into the design of web authentication schemes: a mimicry-resistance dimension. We analyze web authentication mechanisms with respect to new usability and security properties related to mimicry-resistance (augmenting the UDS framework), and in particular evaluate invisible techniques (those requiring neither user actions, nor awareness) that provide some mimicry-resistance (unlike those relying solely on static secrets), including device fingerprinting schemes, PUFs (physically unclonable functions), and a subset of Internet geolocation mechanisms.
