ThPlA: Threshold Passwordless Authentication Made Usable and Scalable
Authors: Qianwen Gao; Yuan Lu; Kunpeng Bai; Zhenfeng Zhang; Yichi Tu
DOI: 10.1109/TIFS.2025.3607255
Journal: IEEE Transactions on Information Forensics and Security, vol. 20, pp. 9700-9715 (Journal Article)
Publication date: 2025-09-08
URL: https://ieeexplore.ieee.org/document/11153573/
Passwordless user authentication schemes, with FIDO as the standard, have been widely deployed in web applications. Users store their identity credentials (i.e., signing keys) on hardware tokens and perform strong authentication through a challenge-response mechanism, avoiding the security risks associated with traditional password-based authentication. Distributed web services can greatly alleviate the reliability problems caused by single points of failure, and have therefore received increasing attention and research. In distributed systems, resources are spread across multiple servers, and users must interact with them (or with a subset of them in the threshold setting) to obtain network services. User authentication in such distributed (threshold) systems also poses a challenge: how can security and ease of use be ensured at the same time? In particular, users need to authenticate to multiple servers when accessing distributed services, and with FIDO authentication, users must complete a separate challenge-response authentication with each server, which greatly degrades the user experience. In this work, we propose the concept of Threshold Passwordless Authentication (ThPlA) to address this issue. ThPlA allows users to authenticate to a t-of-n threshold system. ThPlA is designed to be compatible with existing FIDO tokens and requires no extra hardware modifications; the user only needs to interact with the hardware token once during an authentication session; and on the service side, the servers do not need to communicate with each other. ThPlA is based on a component named Non-interactive Threshold Nonce Generation (NI-ThNG), which extends the two-party challenge-response mechanism to t-of-n settings. We provide formal definitions of ThPlA and NI-ThNG and give practical constructions. We also provide a performance evaluation of ThPlA and NI-ThNG, respectively. Our experimental results show that the schemes are efficient and practical for real-world applications, even in large-scale distributed systems.
Journal description:
The IEEE Transactions on Information Forensics and Security covers the sciences, technologies, and applications relating to information forensics, information security, biometrics, surveillance, and systems applications that incorporate these features.