Improving user authentication on the web: Protected login, strong sessions, and identity federation

Client authentication on the web has remained in the internet-equivalent of the stone ages for the last two decades. Instead of adopting modern public-key-based authentication mechanisms, we seem to be stuck with traditional methods like passwords and cookies. These authentication methods are vulnerable to a wide range of attacks from simple password reuse to strong man-in-the-middle attackers that can inject themselves into the middle of encrypted communication channels.;While many potential solutions have been proposed to sole the issues with the use of passwords and cookies for web authentication, most have failed to take hold. This lack of adoption stems from two issues.;First, traditional password based authentication provides a very simple user experience. Any new technique must not increase user friction during login and provide a reasonable user experience. Secondly, a new authentication technique must not be difficult to implement in existing browsers and web applications or deploy to users.;This thesis presents three techniques that provide protection against strong attackers while providing a low friction user experience.;The first, Origin Bound Certificates, is a session hardening technique that cryptographically binds the user's authentication cookie to the TLS channel the cookie is presented over. This technique protects a user's session against strong attackers, requires no additional user interaction, requires little (or no) modification to existing web applications, and is compatible with existing data center infrastructure like TLS terminators.;The second, Opportunistic Cryptographic Identity Assertions, is a technique in which the web browsers communicates with a user's cell phone in order to establish it as an opportunistic second factor in the initial login operation. This technique provides security assurances comparable or greater than conventional two factor authentication (i.e. phishing and password reuse prevention) while offering a simple user experience.;Finally, I discuss a new federated login system that makes use of a new browser provided construct called the PostKey API. This interface allows the browser to create a cross certification that asserts ownership of client side keys to a trusted third party. The these cross certifications can be verified by an identity provider and used to harden existing federated login protocols as well as to create a new federation protocol that is resistant to man-in-the-middle attacks and leaked authentication tokens and provides relying parties with the means the better secure communication with the user.