Is it too late for PAKE?

The most common web authentication technique in use today is password authentication via an HTML form, where a user types her password directly into a web page from the site to which she wishes to authenticate herself. The problem with this approach is that it relies on the user to determine when it is safe to enter her password. To resist phishing and other social engineering attacks, a user must rely on the browser’s security indicators and warning messages, e.g., the URL bar and the site’s SSL certificate, to authenticate the website and determine when it is safe to enter her password. Unfortunately, studies suggest that many users habitually click through SSL certificate warnings [7, 18] and misunderstand or ignore browser security indicators [5, 9, 17]. We revisit the idea of applying Password Authenticated Key Exchange (PAKE) [1, 2, 3, 4, 10, 12, 13] protocols to web authentication. A PAKE protocol is a cryptographic protocol that allows two parties who share knowledge of a password to mutually authenticate each other and establish a shared key, without explicitly revealing the password in the process. One hope of using PAKE protocols for web authentication is to help make it easier for users to authenticate websites and reduce the attack surface of social engineering attacks against their accounts. With a PAKE protocol, if a user mistakenly attempts to authenticate herself to a phisher, the protocol will fail, but the user’s password will remain safe. Since the phisher does not know the user’s password, the phisher will not be able to successfully complete the protocol, and the browser can alert the user of the failure. Goals and contributions. In this paper, we perform a systematic investigation of various practical issues and challenges in deploying PAKE for web authentication. Although many PAKE protocols have been proposed, there is little momentum for integrating PAKE protocols into web authentication. We investigate two categories of issues: 1) security issues related to user interface (UI) design, and 2) deployment and integration hurdles. The primary threat model we consider is an attacker who uses phishing or other