Towards incorporating honeywords in n‐session recording attack resilient unaided authentication services

Abstract

Unaided authentication services provide the flexibility to login without being dependent on any external hardware. n-Session recording attack resilient unaided authentication services (n-SRRUASs) are known for setting high security standards against different client side threats. However, because of their authentication procedure, the authors have identified that these services cope poorly with handling the server side issues. Though modern days’ research heavily depends on the honeywords (or fake passwords) as a countermeasure of server side threats, they have shown that the honeywords cannot be directly applied to n-SRRUAS. The authors’ analysis shows that the idea of incorporating the honeywords directly into an n-SRRUAS is particularly difficult as it prevents the system from storing passwords after applying password-based key derivation function or in the form of a hashed string. In this study, they have proposed few generic principles for incorporating the honeywords into n-SRRUAS and show that the proposed principles are sufficient for incorporating the honeywords into any n-SRRUAS. Furthermore, with the help of an existing n-SRRUAS, they have shown that the proposed idea is truly implementable in practice to fill the existing gap.