Privacy-aware web authentication protocol with recovery and revocation

Abstract

Password-based authentication is the de facto standard for web services, usually linked to email addresses for account recovery. However, this scheme has several serious known drawbacks. We present a simple pseudonym authentication scheme for users to register and authenticate to online services, by using cryptographic key pairs stored in a mobile device. In contrast to other similar schemes, our proposal requires minimal user interaction, allows for easy account recovery and revocation, and requires no trusted third-party. We created a prototype to evaluate the proposal and concluded that it is viable and has good security, privacy, and usability properties.