Password-based authentication – Entity Authentication
5.4 Password-based authentication
Password-based authentication is arguably the most common way to authenticate humans to electronic devices. An average internet user has about 70 to 80 passwords to identify themself to the websites they visit and the services they use [130].
Most existing password schemes use time-invariant passwords. The user initially chooses a string of characters, typically short enough to memorize. From this point in time onward, that password is associated with the user ID, for instance, the username or the email address entered during registration.
The password is a secret shared between the user and the electronic system. Hence, from a cryptographic perspective, password-based authentication is a symmetric mechanism (it is based on a common secret) that provides unilateral authentication. The authentication is unilateral because the user authenticates themself to the system, but the system – an electronic device or a web service – does not authenticate itself to the user. Note, however, that in most instances of password-based authentication, a secure channel is created between user and server via TLS before the user sends their password, and this includes server authentication.
To access the electronic system, the user enters their user ID and password. The user ID is the claimed identity, and the password is the evidence to prove that claim. The system looks up the given user ID and checks whether the password provided by the user matches the password stored (in whichever form) on the system. The fact that the user knows the password – which is established by the user revealing the password to the system – is accepted by the system as proof of the user’s identity. As a result, the system grants the user access to certain system resources, such as a computer account or web service.
In its most basic form, password-based authentication therefore takes the form depicted in Figure 5.3. The claimant sends their identity to the verifying system, along with a matching password. The system then checks whether the provided password indeed belongs to the claimed identity. Based on the result of this check, the system grants certain rights to the claimant. For example, after a successful login at amazon.com, you get the right to inspect your previous orders. This is called authorization and can be seen as an advanced kind of security service built on top of entity authentication.

Figure 5.3: Working principle of password-based authentication
Note, however, that there are important questions left open in this scheme: how do we protect the password on its way from the user to the system? How is the password stored securely on the system's side? We will return to these questions shortly, but first, a bit of history.
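The working principle of Figure 5.3, as an added example that is not part of the original chapter: the claimant presents a user ID and password, the system looks up the ID, compares the evidence against what it has stored, and only then grants rights (the authorization layer mentioned above). The credential store, the PBKDF2 parameters and the rights table are assumptions chosen for illustration; the example also goes one step beyond the text by storing a salted verifier rather than the password itself, which is one answer to the storage question raised at the end of the section.

```python
import hashlib
import hmac
import os

# Constructed in-memory credential store: user ID -> (salt, verifier).
# Stands in for the "system" of Figure 5.3; a real deployment would keep
# this in a database with access controls.
CREDENTIALS: dict[str, tuple[bytes, bytes]] = {}

# PBKDF2 parameters (assumption: chosen for illustration, not from the text).
PBKDF2_ITERATIONS = 200_000
SALT_LEN = 16
VERIFIER_LEN = 32  # SHA-256 output length


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length verifier from the password and a per-user salt.

    Storing this verifier instead of the password means a leak of the
    store does not directly reveal the shared secret.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def register(user_id: str, password: str) -> None:
    """Associate a password with a user ID, storing only salt + verifier."""
    if user_id in CREDENTIALS:
        raise ValueError("user ID already registered")
    salt = os.urandom(SALT_LEN)
    CREDENTIALS[user_id] = (salt, derive_verifier(password, salt))


def authenticate(user_id: str, password: str) -> bool:
    """Unilateral authentication: the claimant presents ID + password.

    Returns True only if the ID is known and the password matches the
    stored verifier. An unknown ID still goes through a full derivation
    and comparison so response time does not reveal which IDs exist.
    """
    dummy = (b"\x00" * SALT_LEN, b"\x00" * VERIFIER_LEN)
    salt, expected = CREDENTIALS.get(user_id, dummy)
    candidate = derive_verifier(password, salt)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    matches = hmac.compare_digest(candidate, expected)
    return matches and user_id in CREDENTIALS


def login(user_id: str, password: str) -> set[str]:
    """Authorization built on top of entity authentication (compare the
    amazon.com example): rights are granted only after a successful check."""
    if not authenticate(user_id, password):
        return set()
    # Constructed rights table; a real system would derive this from policy.
    return {"view_orders", "change_address"}


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(login("alice", "correct horse battery staple"))  # rights granted
    print(login("alice", "wrong password"))                # empty set
    print(login("mallory", "anything"))                    # empty set
```

The two pieces the text leaves open are visible here: `authenticate` receives the password in the clear, so the example relies on a channel such as TLS to protect it in transit, and `CREDENTIALS` holds only salt and verifier, which is what "stored (in whichever form)" can look like in practice.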