Secure Client-Managed Authentication: A Passport-Free Solution

This paper presents a novel authentication service that enforces security by assisting the management of the overwhelming and constantly increasing collections of user identifiers and passwords. As the number of these authentication credentials (i.e., userid and password) increases, maintaining and recalling them on demand becomes a challenge. Studies show that users typically choose the same easy-to-guess password for multiple services and store it unprotected. This behavior implies that credential leaks within poorly protected services can compromise or disrupt better protected critical services.

The new secure client-managed authentication service proposed in this paper is suitable for a large spectrum of applications, including Internet Services and network management services. Our main contributions are (1) the delegation of credential management to a local secure agent while keeping the users in control of their credentials, (2) a three-level user control of credential release, and (3) generality, i.e., allowing secure credential release to authorized server applications without requiring client application or operating system modifications. Offering a key differentiation to centralized solutions such as Microsoft Passport, our authentication service empowers users to control the release of their identity and related credentials on demand. We compare the performances of our prototype (fully functioning implementation) to those of a conventional user authentication service and we show that our prototype is faster and easier to use.

By: Reiner Sailer, James Giles, Anca Dracinschi Sailer

Published in: RC23193 in 2004


This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.


Questions about this service can be mailed to .