DOCSLIB.ORG

Phd Thesis-Fatma Abdullah AL Maqbali: Strengthening Password

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Phd Thesis-Fatma Abdullah AL Maqbali: Strengthening Password Strengthening Password-Based Authentication Submitted by Fatma Abdullah Amer AL Maqbali for the degree of Doctor of Philosophy of the Royal Holloway, University of London 2019 Declaration I, Fatma Abdullah Amer AL Maqbali, hereby declare that this thesis and the work presented in it is entirely my own. Where I have consulted the work of others, this is always clearly stated. Signed. .(Fatma Abdullah Amer AL Maqbali) Date: i To my husband Nasser, my daughter Azzahraa, and my father. ii Abstract Authenticating humans to computers remains problematic despite decades of effort. Password-based authentication remains extremely common, in spite of its widely known shortcomings, and this seems likely to continue. Hence improving the security of pass- word use is a topic of huge practical importance | this observation provides the mo- tivation for the work described in this thesis. We focus in particular on two topics, namely password generators and password recovery. Password generators provide site-specific passwords on demand, facilitating the use of site-specific and complex passwords; they are an alternative to password managers that avoid storing passwords long-term. We proposed a general model for such sys- tems, and critically examine options for instantiating this model, including all those previously proposed. The model has also been used to help design a new scheme, Au- toPass, intended to incorporate the best features of the prior art whilst also addressing many of the most serious shortcomings of existing systems through use of novel tech- niques. AutoPass is specified in detail, and a prototype implementation is described. The prototype has been user-trialled to test its usability and security. Because passwords are very widely used for user authentication, most websites us- ing passwords also implement password recovery to allow users to re-establish a shared secret if the existing value is forgotten; however, use of such a fall-back creates addi- tional vulnerabilities. We present a model for such systems, and use this to analyse existing approaches. This leads naturally to a set of recommendations for system im- plementation. Many password recovery systems involve sending a special email to the user, e.g. containing a secret link, in which case security will depend on the email being acted upon correctly; unfortunately, such emails are not always well-designed and can introduce vulnerabilities. To understand better this serious practical issue, we surveyed password recovery emails for 50 of the top English language websites and investigated their design, structure and content. We found that many well-known web services, including Facebook, Dropbox, and Microsoft, suffer from recovery email design, struc- ture and content issues. This study enabled us to formulate recommendations for the design of such emails. iii Acknowledgements The research in this thesis would not have been possible to complete without the encouragement of many people. It is a delight to acknowledge all those who have supported me over the last four years. I am sincerely and heartily grateful to Professor Chris J. Mitchell, my PhD super- visor, for his endless support, guidance, motivation, patience and immense knowledge throughout my PhD study and related research. His guidance helped me throughout the time spent in performing the research for and writing up of this thesis. I could not have imagined having a better supervisor for my PhD study. I cannot find words to express my heartfelt thanks to my soul mate, my workmate, my best friend, and my husband, Nasser, for his continued and unfailing love, support and understanding before and during our study of PhD degree. He is always been the one for me to lean on at all times. I owe thanks to my lovely daughter, Azzahraa who is the pride and joy of my life. Having her during my PhD gave me strength and helped me to be more efficient. I wholeheartedly thank my late father, Abdullah Amer AL Maqbali who could not see this thesis completed and who always believed in me, supported me in every decision I made and every step I took to ensure that I reach where I want to be. He was always keen to know what I was doing and how I was proceeding. I miss his smile of joy whenever a significant moment was reached. A very special gratitude goes to my aunties Moza and Saleema who have always been on my side throughout my journey. I would particularly like to thank Dr Wanpeng Li who dedicated his free time voluntarily to develop the AutoPass extension which is an important part of the thesis. I am profoundly appreciative to my colleagues, Ms Angela Heeler, Mr Gaetan Pradel, Mr Zhaoyi Fan, Dr Wanpeng Li, Ms Zhang Xiao, Mr Mohammed Shafiul Alam Khan, and my husband Nasser for the friendly atmosphere they have created for our reading group, and for the invaluable feedback and insightful ideas I got from them. I would like to show my gratitude to my siblings: Amur, Wafa, Maryam, Noof, Suleiman, Mohammed, Majed, Ashwaq, Ayman, Areem and Turkey. I am very grateful to my mother Shaika AL Maqbali, my step-mother Shaika AL Maqbali, my mother-in-law Suad Al-Fannah, my father-in-law Mohammed Al-Fannah and all my relatives and friends. Finally, I owe sincere and earnest thankfulness to Allah who gave me the blessing to have amazing people in my life and for giving me the strength to do my PhD. iv Contents 1 Introduction1 1.1 Passwords...................................1 1.2 Managing Passwords.............................2 1.3 Contributions.................................3 1.4 Joint Work..................................4 1.5 List of Publications..............................4 1.6 Structure of Thesis..............................5 I Background7 2 User Authentication8 2.1 Introduction..................................8 2.1.1 Identification and Authentication..................8 2.1.2 User Authentication to Computers.................9 2.1.3 User Authentication Model..................... 11 2.2 The User Authentication Lifecycle..................... 13 2.2.1 The Main Steps............................ 13 2.2.2 Registration.............................. 13 2.2.3 Performing Authentication..................... 13 2.2.4 Account Maintenance........................ 14 2.2.5 Account Closure........................... 14 2.3 Passwords: Use and Vulnerabilities..................... 15 2.3.1 Setting up a Password........................ 15 2.3.2 Using Passwords........................... 15 2.3.3 Password Vulnerabilities....................... 17 2.3.4 Verifying Passwords......................... 17 2.4 Password Managers.............................. 18 2.5 Password Generators............................. 22 v 2.6 Password Recovery.............................. 22 2.7 Conclusions.................................. 23 3 Password Generators 24 3.1 Introduction.................................. 24 3.2 A Definition................................. 24 3.3 Previous Work................................ 25 3.4 A Taxonomy................................. 33 3.5 Shortcomings of Existing Techniques.................... 34 3.6 Conclusions.................................. 35 4 Password Recovery 36 4.1 Introduction.................................. 36 4.2 Previous Work................................ 37 4.3 Issues with Password Recovery....................... 41 4.4 Conclusions.................................. 42 II Password Generation 43 5 Password Generators: Old Ideas and New 44 5.1 Introduction.................................. 44 5.2 The Model.................................. 45 5.2.1 Operation............................... 45 5.2.2 Registration and Configuration................... 46 5.3 Components of the Model.......................... 46 5.3.1 Inputs to Password Generation................... 46 5.3.2 Generating the Password...................... 47 5.3.3 Password Output and Use...................... 49 5.3.4 Approaches to Implementation................... 49 5.4 Assessing the Options............................ 50 5.4.1 Inputs................................. 50 5.4.2 Generating the Password...................... 51 5.4.3 User Interface Operation....................... 52 5.4.4 Implementation............................ 52 5.4.5 Other Issues.............................. 53 5.5 Improving System Operation........................ 54 5.5.1 Novel Types of Configuration Data................. 54 5.5.2 Use of A Server............................ 55 vi 5.6 Conclusions.................................. 56 6 AutoPass: An Automatic Password Generator 57 6.1 Introduction.................................. 57 6.2 AutoPass: High-level Specification..................... 58 6.3 AutoPass: Detailed Specification...................... 59 6.3.1 Structure............................... 59 6.3.2 Operation............................... 59 6.3.3 Stored Data.............................. 63 6.3.4 Use of PRML............................. 64 6.3.5 Password Offsets........................... 65 6.4 Details of Operation............................. 66 6.4.1 Application Installation....................... 66 6.4.2 Operational Sessions......................... 68 6.4.3 Use with a Website.......................... 70 6.5 Other Aspects................................. 72 6.6 Security Evaluation.............................. 73 6.6.1 Trust Relationships......................... 73 6.6.2 Threat Model............................. 73 6.6.3 Security Properties.......................... 74 6.6.4 Security from An Attacker Perspective............... 75 6.7 Addressing Shortcomings.........................
Load more

Recommended publications
  • Keeper Security G2 Competitive Comparison Report
    Keeper Security G2 Competitive Comparison Report Keeper is the leading cybersecurity platform for preventing password-related data breaches and cyberthreats. This report is based on ratings and reviews from real G2 users. Keeper vs. Top Competitors: User Satisfaction Ratings See how Keeper wins in customer satisfaction based on the ratings in the below G2 categories. Keeper LastPass Dashlane 1Password 93% 85% Ease of Use 92% 91% 92% 82% Mobile App Usability 82% 88% 93% 83% Ease of Setup 89% 88% 95% 92% Meets Requirements 94% 94% 91% 82% Quality of Support 89% 90% 0% 20% 40% 60% 80% 100% See the full reports: Keeper vs. LastPass Keeper vs. Dashlane Keeper vs. 1Password G2 Grid: Keeper Listed as a Leader G2 scores products and vendors based on reviews gathered from the user community, as well as data aggregated from online sources and social networks. Together, these scores are mapped on the G2 Grid, which you can use to compare products. As seen on the grid, Keeper is currently rated as a “Leader,” scoring highly in both market presence and satisfaction. Contenders Leaders Market Presence Market Niche High Performers Satisfaction View the Expanded Grid Keeper User Reviews & Testimonials See what G2 users have to say about their experience with Keeper. Best password manager on the market “Keeper was the first password manager I could find that supported the U2F hardware keys that we use and this was a non-negotiable requirement at the time and still is. The support is really excellent and above expectations - On all my questions and concerns, I have received a reply within an hour and I am situated in Southern Africa.
    [Show full text]
  • Privacy Handout by Bill Bowman & Katrina Prohaszka
    Privacy Handout By Bill Bowman & Katrina Prohaszka RECOMMENDED PROGRAM SETTINGS 2 WEB BROWSER SETTINGS 2 WINDOWS 10 4 SMARTPHONES & TABLETS 4 EMAIL 5 SOCIAL MEDIA SETTINGS 5 Instagram 5 TikTok 6 Twitter 6 Snapchat 7 Venmo 7 Facebook 8 RECOMMENDED PRIVACY TOOLS 10 WEB BROWSERS 10 SEARCH ENGINES 10 VIRTUAL PRIVATE NETWORKS (VPNS) 10 ANTI-VIRUS/ANTI-MALWARE 10 PASSWORD MANAGERS 11 TWO-FACTOR AUTHENTICATION 11 ADDITIONAL PRIVACY RESOURCES 12 1 RECOMMENDED PRIVACY TOOLS WEB BROWSERS ● Tor browser -- https://www.torproject.org/download/ (advanced users) ​ ​ ● Brave browser -- https://brave.com/ ​ ● Firefox -- https://www.mozilla.org/en-US/exp/firefox/ ​ ● Chrome & Microsoft Edge (Chrome-based) - Not recommended unless additional settings are changed SEARCH ENGINES ● DuckDuckGo -- https://duckduckgo.com/ ​ ● Qwant -- https://www.qwant.com/?l=en ​ ● Swisscows -- https://swisscows.com/ ​ ● Google -- Not private, uses algorithm based on your information VIRTUAL PRIVATE NETWORKS (VPNS) ● NordVPN -- https://nordvpn.com/ ​ ● ExpressVPN -- https://www.expressvpn.com/ ​ ● 1.1.1.1 -- https://1.1.1.1/ ​ ● Firefox VPN -- https://vpn.mozilla.org/ ​ ● OpenVPN -- https://openvpn.net/ ​ ● Sophos VPN -- https://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx ANTI-VIRUS/ANTI-MALWARE ● Malwarebytes -- https://www.malwarebytes.com/ ​ ● Symantec -- https://securitycloud.symantec.com/cc/#/landing ​ ● CCleaner -- https://www.ccleaner.com/ ​ ● ESET -- https://www.eset.com/us/ ​ ● Sophos -- https://home.sophos.com/en-us.aspx ​ ● Windows Defender -- https://www.microsoft.com/en-us/windows/comprehensive-security (built-in to ​ Windows 10) 2 PASSWORD MANAGERS ● Lastpass -- https://www.lastpass.com/ ​ ● KeePass -- https://keepass.info/ ​ ● KeeWeb -- https://keeweb.info/ ​ ● Dashlane -- https://www.dashlane.com/ ​ TWO-FACTOR AUTHENTICATION ● Authy -- https://authy.com/ ​ ● Built-in two-factor authentication (some emails like Google mail, various social media, etc.
    [Show full text]
  • Online Security and Privacy
    Security & Privacy Guide Security and Privacy Guide When thinking about security and privacy settings you should consider: What do you want to protect? Who do you want to protect it from? Do you need to protect it? How bad are the consequences if you fail to protect it? How much trouble are you prepared to go to? These questions should be asked whilst considering what information you are accessing (which websites), how you are accessing the information, (what device you are using) and where you are accessing the information (at home, work, public place). Security & Privacy When looking at your Digital Security you are protecting your information against malicious attacks and malware. (Malware is software intentionally designed to cause damage to a computer). Digital Privacy is different as you are deciding what information you are prepared to share with a website or App (or its third party partners) that you are already using. Permission to share this information can be implicit once you start using a website or App. Some websites or Apps will allow you to control how they use your information. Security Physical access: How secure is the device you are using? Is it kept in a locked building, at home, or do you use it when you are out and about? Does anyone else have access to the device? Do you require a passcode or password to unlock your device? Virtual access: Have you updated your IOS software (on an iPad) or installed the latest anti-virus software on your device? Most devices will prompt you when an update is available.
    [Show full text]
  • Password Managers an Overview
    Peter Albin Lexington Computer and Technology Group March 13, 2019 Agenda One Solution 10 Worst Passwords of 2018 Time to Crack Password How Hackers Crack Passwords How Easy It Is To Crack Your Password How Do Password Managers Work What is a Password Manager Why use a Password Manager? Cloud Based Password Managers Paid Password Managers Free Password Managers How to Use LastPass How to Use Dashlane How to Use Keepass Final Reminder References March 13, 2019 2 One Solution March 13, 2019 3 10 Worst Passwords of 2018 1. 123456 2. password 3. 123456789 4. 12345678 5. 12345 6. 111111 7. 1234567 8. sunshine 9. qwerty 10. iloveyou March 13, 2019 4 Time to Crack Password March 13, 2019 5 Time to Crack Password March 13, 2019 6 Time to Crack Password March 13, 2019 7 Time to Crack Password Time to crack password "security1" 1600 1400 1200 1000 Days 800 Days 600 400 200 0 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 Year March 13, 2019 8 How Hackers Crack Passwords https://youtu.be/YiRPt4vrSSw March 13, 2019 9 How Easy It Is To Crack Your Password https://youtu.be/YiRPt4vrSSw March 13, 2019 10 How Do Password Managers Work https://youtu.be/DI72oBhMgWs March 13, 2019 11 What is a Password Manager A password manager will generate, retrieve, and keep track of super-long, crazy-random passwords across countless accounts for you, while also protecting all your vital online info—not only passwords but PINs, credit-card numbers and their three-digit CVV codes, answers to security questions, and more … And to get all that security, you’ll only need to remember a single password March 13, 2019 12 Why use a Password Manager? We are terrible at passwords We suck at creating them the top two most popular remain “123456” and “password” We share them way too freely We forget them all the time We forget them all the time A password manager relieves the burden of thinking up and memorizing unique, complex logins—the hallmark of a secure password.
    [Show full text]
  • HACK Enpass Password Manager
    1 / 2 HACK Enpass Password Manager Mar 23, 2021 — So, is this password manager right for you or your business? In our Enpass review, we'll take a closer look at everything this software has to offer.. Results 1 - 100 of 338 — TOTP is an algorithm that computes a one-time password from a shared secret ... codes to protect your online accounts from hackers (bad guys). ... code in my password manager, especially for password managers that can ... Segregate data using Multiple vaults Enpass facilitates you with an option to .... Jan 9, 2019 — Password manager company OneLogin was actually hacked, and the ... EnPass: Here's something unusual—a password manager that goes .... Use Enpass audit tools to identify weak, identical, and old passwords. Your password manager is your digital security best friend. You are using a password .... The Synology Disk Station Manager (DSM) is the Operating System (OS) that runs on your Synology unit. ... a prerequisite while using Enpass it is not really neccessary to me to sync with CloudStation. ... For iOS 13/12 users: Open the Settings app > Passwords & Accounts > Add Account > Other ... Mikrotik hack github.. We will send a One-time password (OTP) to your registered email address and ... set of Enpass users by letting them store their time based one time passwords of ... Hackers use credit card skimmers to obtain the magnetic stripe information of a ... Open Google Chrome and click the GateKeeper Password Manager Chrome .... Jun 16, 2021 — Using an online password manager? … Are they safe from hackers?? Use Enpass to securely organize everything at one place.
    [Show full text]
  • Ovum Market Radar: Password Management Tools
    Ovum Market Radar: Password Management Tools Improving cybersecurity by eliminating weak, reused, and compromised passwords Publication Date: 17 Aug 2019 | Product code: INT005-000010KEEPER Richard Edwards Ovum Market Radar: Password Management Tools Summary Catalyst Cybersecurity often depends on the choices made by individuals. Most of these individuals are conscientious when it comes to preserving the confidentiality, integrity, and availability of corporate systems and customer data. However, if we consider the ways in which passwords and account credentials are used and managed, we can easily see weaknesses in our cybersecurity defenses. Password management tools have entered the mainstream, with more than 70 apps competing for user attention in the Google Play Store alone. There’s also a good selection of products targeting teams, businesses, and enterprises. However, these products need to adapt and evolve to win new business, protect against new cybersecurity threats, and support the move toward a “password-less” enterprise. Ovum view Key findings from an Ovum survey of IT decision-makers and enterprise employees reveals that password management practices are out of date, overly reliant on manual processes, and highly dependent on employees “doing the right thing”. If the alarm bell isn’t ringing, it should be. Cybersecurity training and awareness programs are useful, but to keep the business safe and secure, employees across all roles and at all levels require tools and applications to help alleviate the burden and risks associated with workplace passwords, credentials, logins, and access codes. Key messages ▪ Passwords are for more than just the web. Credentials and passcodes are required for desktop applications, mobile apps, IT infrastructure, physical access, and more.
    [Show full text]
  • Password Managers
    Password Managers A Higher Education Information Security Council (HEISC) Resource JULY 2019 Password Managers What Is a Password Manager Tool? A password manager tool is software that helps users encrypt, store, and manage passwords. The tool also helps users create secure passwords and automatically log in to websites. Who Might Use a Password Manager Tool, and Why? Users should employ unique passwords for each website or system to help minimize the impact from the breach of one website or system; however, most users cannot remember a separate password for many sites and tend to reuse passwords or write them on a sticky note attached to their computer. Additionally, organizations may have passwords that need to be shared across teams and want a secure method to do so. Password manager tools allow users and teams to more securely manage many distinct passwords and automatically log them in to websites. The Benefits of Using a Password Manager Tool Password manager tools enable users to create and securely store unique passwords for websites, applications, and other systems without having to memorize or write them down. Risks to Consider When Using a Password Manager Tool Special care should be taken to secure the password tool, as it will grant access to all passwords. The “master” password that grants access to the tool should be very strong and unique, and multifactor authentication should be used if possible. Almost all modern commercial password managers allow users to implement some form of multifactor authentication. You will also need to decide whether you want your password management tool to store passwords locally or in the cloud.
    [Show full text]
  • Stolen Identity Theft Flier
    Stolen!! What to do when ID Theft happens to you! Steps to take if your Protect Yourself identity is stolen! -Protect your mailbox -Be careful what ends up in the trash 1. Immediately report any suspicious credit card activity or -Protect your information on junk mail identity theft. -Invest in a safe or firebox 2. Create a file to stay organized -Use varying passwords online 3. Place security freezes on -Utilize password managers to keep your passwords Experian, Equifax, and complex and safe. TransUnion. 4. File identity theft report on- Password Managers line with the FTC: Lastpass, 1Password, Dashlane, Enpass, Keeper, www.identitytheft.gov LogMeOnce, RoboForm, Sticky Password 5. File a police report at your local police department. These steps will lower your chances of having your identity stolen. There isn’t anything out there that is a 100% guarantee, but increasing your protection is the 6. Keep copies of your identity first step. theft report and police report in a safe place. Thank you for attending today! If you have any ques- tions about today’s talk, please feel free to contact 7. Obtain a copy of your credit me. I’m happy to help! report from all three agencies. -Jen 8. With your credit report, review for fraudulent accounts, recent credit inquiries, Additional Resources addresses, and dispute if www.annualcreditreport.com | www.optoutprescreen.com www.creditkarma.com necessary. Jen Lee, Esq. Jen Lee Law, Inc. @jenleelaw Debt & Credit Strategy Attorney @debtlaw 925-586-6738 | jenleelaw.com | [email protected] LEGAL ADVERTISEMENT: This is just a basic overview and is not legal advice specific to your situation.
    [Show full text]
  • Reading Comprehension 2 Level 11
    READTHEORY Name________________ Date________________ • Readiing Comprehensiion 2 Level 11 Directions: Read the passage. Then answer the questions below. The average computer user has between 5 and 15 username/password combinations to log in to email accounts, social networking sites, discussion boards, news and entertainment sites, online stores, online banking accounts, or other websites. For people who use email or other internet applications at work, the number of required username/password combinations may surpass 30. Some of these accounts demand that you use a specific number of symbols and digits, while others require you to change your password every 60 days. When you add to this list the codes needed to access things like ATMs, home alarm systems, padlocks, or voicemail, the number of passwords becomes staggering. The feeling of frustration that results from maintaining a memorized list of login credentials has grown so prevalent that it actually has a name: password fatigue. Having to remember so many different passwords is irritating, but it can also be dangerous. Because it is virtually impossible to remember a unique password for each of these accounts, many people leave handwritten lists of usernames and passwords on or next to their computers. Others solve this problem by using the same password for every account or using extremely simple passwords. While these practices make it easier to remember login information, they also make it exponentially easier for thieves to hack into accounts. Single sign-on (SSO) authentication and password management software can help mitigate this problem, but there are drawbacks to both approaches. SSO authentication can be used for related, but independent software systems.
    [Show full text]
  • Elcomsoft Distributed Password Recovery Unlocks 1Password, Keepass, Lastpass and Dashlane Vaults
    Elcomsoft Distributed Password Recovery Unlocks 1Password, KeePass, LastPass and Dashlane Vaults Moscow, Russia – August 10, 2017 - ElcomSoft Co. Ltd. updates Distributed Password Recovery, enabling the recovery of master keys protecting encrypted vaults of four popular password managers: 1Password, KeePass, LastPass and Dashlane. By attacking a single master password, experts can gain access to the entire database containing all of the user’s saved passwords, authentication credentials and other highly sensitive information. Password managers’ protected vaults may contain images of user’s documents, various identity- related information, payment and loyalty card numbers. “We’re continuing our quest on expanding the types of passwords we can break”, says Vladimir Katalov, ElcomSoft CEO. “This time we are targeting four of the most popular password managers, allowing experts gaining access to protected vaults containing users’ authentication credentials, stored logins, passwords and forms to numerous resources. With today’s password managers this only requires breaking a single master password.” One Password to Rule Them All The idea behind all password management apps is simple: allowing users to securely store, organize and use passwords required to authenticate into various resources. As the user no longer has to remember the many different passwords, the use of password managers effectively cuts password re-use and stimulates the use of strong, unique passwords to protect different resources. Password managers can even automatically generate strong, random passwords that are unique per Web site or resource, rendering both dictionary and brute-force attacks ineffective. These passwords are stored in encrypted vaults, and can be only decrypted once the user enters their master password.
    [Show full text]
  • A Security Analysis of Autofill on Ios and Android
    The Emperor’s New Autofill Framework: A Security Analysis of Autofill on iOS and Android Sean Oesch, Anuj Gautam, Scott Ruoti The University of Tennessee [email protected], [email protected], [email protected] Abstract—Password managers help users more effectively (P3) the filled credential will only be accessible to the manage their passwords, encouraging them to adopt stronger mapped app or web domain. [23]. passwords across their many accounts. In contrast to desktop On desktop environments, password managers are primarily systems where password managers receive no system-level support, mobile operating systems provide autofill frameworks implemented as ad-hoc browser extensions—i.e., the extension that are designed to integrate with password managers to individually implements all aspects of the autofill process provide secure and usable autofill for browsers and other apps without support from OS or browser autofill frameworks. installed on mobile devices. In this paper, we conduct the first While some desktop password managers correctly achieve P1 holistic security evaluation of such frameworks on iOS and and P2 [19], many have incorrect implementations that allow Android, examining whether they achieve substantive benefits over the ad-hoc desktop environment or become a problematic attackers to steal or phish users’ credentials [14], [22], [23], single point of failure. Our results find that while the [19], and none can fully implement P3 due to technical frameworks address several common issues (e.g., requiring user limitations of browser extension APIs [23], [19]. interaction before autofill), they also enforce insecure behavior In contrast to the situation on desktop, mobile operating and fail to provide the password managers implemented using systems provide system-wide autofill frameworks that attempt the frameworks with sufficient information to override this incorrect behavior.
    [Show full text]
  • Keeper Security Reimagines and Secures the Passwordless Future with Keeper SSO Connect™ Cloud
    ] Keeper Security Reimagines and Secures the Passwordless Future with Keeper SSO Connect™ Cloud Expanded Solution Eliminates IAM Security Gaps with Zero-Knowledge Encryption Model; Seamlessly Integrates With Any Identity Provider or Data Environment CHICAGO, IL, March 9, 2021 – Keeper Security, provider of the top-rated and industry-leading cybersecurity platform for preventing password-related data breaches and cyberattacks, today announced the release of Keeper SSO Connect™ Cloud, a fully-managed SAML 2.0 SaaS solution that can be seamlessly integrated with any identity provider, enabling organizations to significantly enhance and extend their Single Sign-on (SSO) deployments with an integrated zero-knowledge password encryption system. The new cloud deployment option is available as an alternative to Keeper’s existing SSO Connect on-premise solution. The COVID-19 pandemic severely weakened organizations’ security posture as they scrambled to deploy remote workforces. Many organizations have turned to SSO solutions to reduce password fatigue, minimize help desk tickets for lost passwords, and enhance security and efficiency. However, these solutions have security gaps, which Keeper SSO Connect addresses. “SSO provides great convenience for enterprise employees to access a handful of cloud applications with a single login. However, this leaves large security gaps for protecting the thousands of websites and services that employees use, in addition to other confidential information that needs to be protected in an encrypted vault.” said Craig Lurey, Keeper Co-Founder and CTO. “Keeper is the only enterprise password management solution that uses zero-knowledge encryption while at the same time providing a seamless login experience with any SAML 2.0 compatible identity provider.
    [Show full text]