Seminar Series: CyberSecurity in Spring: The Spring of CyberSecurity
SAuth: protecting user accounts from password database leaks

by Elias Athanasopoulos, Assistant Professor, University of Cyprus

March 10th, 2021 16:00

Host: Evangelos Markatos, Computer Science Department, University of Crete

Password-based authentication is the dominant form of access control in web services. Unfortunately, it proves to be more and more inadequate every year. Even if users choose long and complex passwords, vulnerabilities in the way they are managed by a service may leak them to an attacker. Recent incidents in popular services such as LinkedIn and Twitter demonstrate the impact that such an event could have. The use of one-way hash functions to mitigate the problem is countered by the evolution of hardware, which enables powerful password-cracking platforms. In this work we propose SAuth, a protocol which employs authentication synergy among different services. Users wishing to access their account on service S will also have to authenticate for their account on service V, which acts as a vouching party. Both services S and V are regular sites visited by the user every day (e.g., Twitter, Facebook, Gmail). Should an attacker acquire the password for service S, he will be unable to log in unless he also compromises the password for service V and possibly more vouching services. SAuth is an extension and not a replacement of existing authentication methods. It operates one layer above without ties to a specific method, thus enabling different services to employ heterogeneous systems. Finally, we employ password decoys to protect users that share a password across services.

Short Biography
Elias Athanasopoulos is an assistant professor in Computer Science with the University of Cyprus. He received his BSc in Physics from the University of Athens and his Ph.D. in Computer Science from the University of Crete. Before joining the University of Cyprus, he was an assistant professor with Vrije Universiteit Amsterdam. His research interests are systems security and privacy. Elias is a Microsoft Research PhD Scholar and he has interned with Microsoft Research in Cambridge. Elias is also a Marie Curie fellow with Columbia University and FORTH. He has several publications in IEEE Security and Privacy, ACM CCS, Usenix Security and ATC, NDSS, and EuroSys.