Zero-Knowledge User Authentication: An Old Idea Whose Time Has Come
This work addresses authentication issues for users by offering a more secure and usable alternative to naive password-based methods, though it is incremental as it builds on existing PAKE protocols.
The paper tackles the problem of user authentication by proposing an augmented password-authenticated key agreement protocol and message authentication codes, leveraging ubiquitous smartphones with biometric sensors to drastically improve both security and usability.
User authentication can rely on various factors (e.g., a password, a cryptographic key, biometric data) but should not reveal any secret or private information. This seemingly paradoxical feat can be achieved through zero-knowledge proofs. Unfortunately, naive password-based approaches still prevail on the web. Multi-factor authentication schemes address some of the weaknesses of the traditional login process, but generally have deployability issues or degrade usability even further as they assume users do not possess adequate hardware. This assumption no longer holds: smartphones with biometric sensors, cameras, short-range communication capabilities, and unlimited data plans have become ubiquitous. In this paper, we show that, assuming the user has such a device, both security and usability can be drastically improved using an augmented password-authenticated key agreement (PAKE) protocol and message authentication codes.