Device-enhanced password-based threshold single-sign-on authentication

Publication Type

Journal Article

Publication Date

2-2025

Abstract

Password-based threshold single-sign-on authentication (PbTA) allows multiple identity servers to in a threshold manner authenticate a user and issue a token, with which the user accesses relevant services. We analyze existing PbTA schemes and reveal a potential threat: vulnerability against perpetual credential leakage, in which “perpetual” adversaries could perpetually attempt to compromise long-lived credential databases maintained by identity servers. Compromising a threshold number of credential databases enables the adversaries to launch offline dictionary guessing attacks (DGA) or illegally obtain users’ tokens. To address these issues, we first propose a basic device-enhanced PbTA scheme (DE-PbTA), where an auxiliary device collaborates with identity servers in hardening a user’s password during authentication, such that perpetual adversaries cannot learn the password from compromised credentials via offline DGA. Using the hardened password, a private key can be derived to decrypt ciphertexts from identity servers for token construction, which protects the user’s tokens against perpetual adversaries. Then, we extend basic DE-PbTA to support dynamic usage of multiple devices, where a user can actively choose $t^{\prime } $ devices out of $n^{\prime } $ for authentication. Provable security and high efficiency of the basic/enhanced DE-PbTA scheme are demonstrated by comprehensive analysis and experimental evaluations.

Discipline

Information Security

Publication

IEEE Transactions on Information Forensics and Security

Volume

20

First Page

1

Last Page

16

ISSN

1556-6013

Identifier

10.1109/TIFS.2025.3539955

Publisher

Institute of Electrical and Electronics Engineers

Additional URL

https://doi.org/10.1109/TIFS.2025.3539955

This document is currently not available here.

Share

COinS