Seed-based authentication

Abstract

Although web user authentication via username/password is widely used, this approach has many drawbacks. For example, users have to memorize textual passwords and change them frequently. Most importantly, many users save their passwords in plain text, which can potentially be exploited later. In this paper we propose a new method for web applications to enhance user authentication that is less dependent on end users' memory. The method uses pseudo-random numbers generated from a seed derived from a root file, such as an image file, that is managed by the user and shared with the authentication server. The pseudo-random numbers, generated upon user login, then serve as one-time passwords for server authentication. We describe our design, implementation and experiments that tested the randomness of these one-time passwords in a real-world scenario. We also discuss how the proposed scheme can withstand common attacks such as replay attacks, dictionary attacks, and denial-of-service attacks.