Amnesia Project Tackles Password SecurityApp Splits Up Information Needed to Generate Full Password
There's no lack of enthusiasm for trying to change the way we log into services. The weaknesses of passwords are well known, ranging from poor password choices to reusing the same ones over and over. There aren't a lot of good alternatives that can easily supplant the current system, so we're stuck with trying to raise the authentication fence a bit higher in hopes of improving security.
A former undergraduate student in the computer science department at the College of William and Mary thinks he's come up with a more secure system. He recently presented his peer-reviewed research paper at the 36th IEEE International Conference on Distributed Computing Systems in Nara, Japan.
Luren Wang's project, called Amnesia, isn't perfect, but it eliminates the weakness of password vaults.
His system is a password manager without a vault. Password managers are helpful in that they aid in creating and storing complex passwords, but most store those passwords in an encrypted vault. Often, that vault is protected by a master password. All accounts are compromised if the master password is stolen.
Luren Wang's project, called Amnesia, isn't perfect, but it eliminates the weakness of password vaults. It's a generative password manager that uses a combination of information from different sources to reconstruct a password.
Amnesia uses a secret, 256-bit value that is stored in a table on a user's phone. When a user needs a password for a website, the phones passes the secret token to the Amnesia server, which combines it with other secrets stored on the server to construct the password and sends it back to the computer.
"The information that generates the passwords is decentralized, so there's no one point of failure," says Wang, who is now studying for a master's degree in machine learning at Columbia University.
Still a Research Project
Rick Redman of the security consultancy KoreLogic, who reviewed Wang's paper, says the idea of a secret token sent from the phone could be used to augment one-time passcodes sent by SMS, used by many two-factor authentication schemes.
"This is a nice touch," Redman says. "This idea could easily be incorporated into other phone-based 2FA software products that are already well-vetted and tested."
Redman advised that an organization would probably want to host its own Amnesia server rather than relying on cloud providers to host one as suggested in Wang's paper.
One big advantage to Amnesia is that it doesn't require website operators to make any modifications to their login systems while increasing security. In order to compromise a password, an attacker would have to compromise both the Amnesia server and a person's phone. That's far from impossible, but still increases the security around the passwords.
If someone's phone is stolen or lost, the Amnesia master password can be used to set up a new phone. If the Amnesia server is compromised, there's not enough information to successfully steal someone's passwords.
"Though the attackers are able to compromise either the user's smartphone or the master password of the password manager, we assume they cannot compromise both the smartphone and the master password without the user noticing and taking reactive measures," the paper notes.
Areas of Concern
Still, there are other avenues of attack, such as if someone's computer has become infected with a keylogger. Also, the storage of the phone-side secret could be stronger, Redman says. Changing passwords can also be tricky, as generative password managers rely on static information to deliver a password. Wang's paper outlines other potential problems, such as a compromised HTTPS connection and a breach of an Amnesia server, which, while not divulging full passwords, could present social engineering opportunities for an attacker.
It's also not quite as convenient as a password manager, such as LastPass, which quickly autofills stored passwords. With Amnesia, users have to perform an extra click to request a password. A notification of the request pops up on the phone with an IP address, which the user has to approve before it is processed. But it's still easier that two-factor authentication, which often requires a six-digit code to be submitted.
Amnesia is still in the realm of a research project and isn't product ready, Wang says. But a prototype of Amnesia for Android was built, although Wang admits the code wasn't that smooth. Testing of Amnesia with users went well, with the primary complaint of an "ugly UI," he says.