Authenticating to an online service is usually done by providing a username and password in some protected form so that the server can verify that those credentials correspond to a registered identity authorised for access. For the average Internet user, managing one’s online identities is challenging. Nearly every password-protected web service advises its users to come up with a sufficiently complex password, which is not to be used elsewhere. As the number of associations with online services increases, so too does the number of online identities that the user has to remember. Identity overload is one of the greatest challenges for Internet users. The result may be that the user reuses difficult passwords for those of his online accounts that protect high-value information, and uses passwords that are easily remembered (and easily guessed) for the protection of lower-value information.
The main goal of this thesis is to investigate local user-centric identity management and propose a simple, secure and user-friendly authentication mechanism. The mechanism relies on an external offline personal authentication device called “OffPAD”, which acts as a trusted platform external to the terminal. From this device, the user may authenticate to services and manage his online identities. We argue that the approach of handling critical actions on an external secure device provides increased security and usability with regard to both the authentication process itself and the storage and handling of identities.
The OffPAD device can be used to automatically authenticate its holder to any supported web service with which he or she is registered. We will present an extension of the HTTP Digest Access Authentication scheme that facilitates unobtrusive and automated authentication, while still adhering to password policies. We will look at how security can be increased and suggest improvements for modernizing the (ageing) Digest authentication standard, in particular with regard to the storage and handling of credentials. We will also discuss how identity management can be made more user-centric, and thus more user-friendly, alleviating the cognitive load of managing passwords.
HTTP Digest Access Authentication is used as the authentication scheme in every example and in the prototype implementation. It was selected for its simplicity, extensibility and capabilities, especially its ability to function with both clear-text and hashed user credentials at the endpoints.
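The property singled out above, that Digest authentication works whether an endpoint holds the clear-text password or only a hash of it, follows from how the response value is computed. The following is an added example written for this page; it is not code from the thesis or the OffPAD prototype. It implements the RFC 2617 response calculation with qop="auth", builds an Authorization header on the client side from the clear-text password, and verifies it on the server side from nothing but the stored HA1 = MD5(username:realm:password). The function names and the server-side check are this example's own choices; the input values are the ones used in the worked example of RFC 2617 section 3.5, and MD5 is used because that is the algorithm RFC 2617 specifies (RFC 7616 later added SHA-256).

```python
"""HTTP Digest Access Authentication (RFC 2617, qop="auth") worked through.

Added example for this page, not code from the thesis or the OffPAD prototype.
It shows the property the abstract relies on: the server can check a client's
response from either the clear-text password or a stored pre-hash
HA1 = MD5(username:realm:password), because the response depends only on HA1.
MD5 is used because that is the algorithm of RFC 2617; RFC 7616 adds SHA-256.
"""
import hashlib
import hmac
import re


def md5_hex(data: str) -> str:
    """Lower-case hex MD5 of a UTF-8 string, as the Digest scheme requires."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def compute_ha1(username: str, realm: str, password: str) -> str:
    """HA1 is the only value derived from the secret; a server may store just this."""
    return md5_hex(f"{username}:{realm}:{password}")


def compute_response(ha1: str, method: str, uri: str, nonce: str,
                     nc: str, cnonce: str, qop: str = "auth") -> str:
    """Digest response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization_header(username, realm, password, method, uri,
                               nonce, nc, cnonce):
    """Client side: derive HA1 from the clear-text password and emit the header."""
    ha1 = compute_ha1(username, realm, password)
    response = compute_response(ha1, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", '
            f'response="{response}"')


# name=value pairs; the value is either a quoted string or a bare token
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization_header(header: str) -> dict:
    """Parse the Digest parameter list into a dict (quoted or bare values)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    return {key: quoted or bare for key, quoted, bare in _PARAM.findall(params)}


def verify_with_stored_ha1(stored_ha1: str, header: str, method: str,
                           expected_nonce: str) -> bool:
    """Server side: recompute the response from the stored HA1 only.

    The server never needs the clear-text password. It also insists that the
    nonce is the one it issued, so a header captured earlier is not accepted
    against a fresh challenge.
    """
    p = parse_authorization_header(header)
    required = ("username", "realm", "nonce", "uri", "nc", "cnonce", "response")
    if any(k not in p for k in required) or p.get("qop") != "auth":
        return False
    if not hmac.compare_digest(p["nonce"], expected_nonce):
        return False
    expected = compute_response(stored_ha1, method, p["uri"], p["nonce"],
                                p["nc"], p["cnonce"])
    return hmac.compare_digest(expected, p["response"])


# Constructed demonstration values: the inputs of the RFC 2617 section 3.5 example.
RFC2617_EXAMPLE = dict(username="Mufasa", realm="testrealm@host.com",
                       password="Circle Of Life", method="GET",
                       uri="/dir/index.html",
                       nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
                       nc="00000001", cnonce="0a4f113b")


def demo() -> bool:
    """Client builds the header from the password; server checks it from HA1."""
    e = RFC2617_EXAMPLE
    header = build_authorization_header(e["username"], e["realm"], e["password"],
                                        e["method"], e["uri"], e["nonce"],
                                        e["nc"], e["cnonce"])
    stored = compute_ha1(e["username"], e["realm"], e["password"])  # server-side record
    return verify_with_stored_ha1(stored, header, e["method"], e["nonce"])


if __name__ == "__main__":
    print("digest verified from stored HA1:", demo())
```

Because the server verifies from HA1 alone, a credential store of HA1 values is enough to authenticate users without ever holding their passwords. The flip side, which is the storage concern the abstract raises, is that HA1 is password-equivalent for that realm: anyone who reads the stored value can compute valid responses for it, so the hashed form protects the user's password against reuse elsewhere but does not reduce what a compromised credential store yields for this service.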