ROSTAM: A passwordless web single sign-on solution mitigating server breaches and integrating credential manager and federated identity systems.
- Abstract:
The challenge of achieving passwordless user authentication is real given the prevalence of web applications that keep asking for passwords. Complicating this issue further, in an enterprise environment, a single sign-on (SSO) service is often maintained but not all applications can be integrated with it. We envision a passwordless future which provides a frictionless and trustworthy online experience for users by integrating credential management and federated identity systems. In this regard, our implementation ROSTAM offers a dashboard that presents all applications the user can access with a single click after a passwordless SSO. The security of web passwords on the credential manager is ensured with a Master Key, rather than a Master Password, so that encrypted passwords can remain secure even if stolen from the server. We propose and implement novel techniques for synchronization (pairing) and recovery of this Master Key. We compare our solution to previous work using different evaluation frameworks, demonstrating that our hybrid solution combines the benefits of credential management and federated identity systems.
• Introduces passwordless SSO with secure credential management.
• Enhances security and privacy with a client-side Master Key encryption scheme.
• Features novel Master Key sync and recovery techniques.
• Outperforms widely adopted solutions in usability, security and privacy.
[ABSTRACT FROM AUTHOR]
Copyright of Computers & Security is the property of Pergamon Press - An Imprint of Elsevier Science and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)