Loxin – A Universal Solution to Password-Free Login

As the easiest and cheapest way of authenticating an end user, password based approach has been consistently chosen by implementers of every new computer or mobile device based web service. Unfortunately, the explosive growth of web applications has made it impossible for users to manage dozens of passwords for accessing different web services. The situation is even worse considering the potential application of massively parallel computational devices such as general purpose GPUs and FPGA arrays for efficient password cracking. Hence, from a usability viewpoint, passwords have reached the end of their useful life. Motivated by a number of recent industry initiatives for online authentication, we present Loxin, an innovative and universal solution for password-free login. Loxin aims to improve on passwords with respect to both usability and security. Loxin takes advantages of popular push message services on mobile devices and enables users to access multiple web services using preowned identities such as email addresses in the system together with few taps on their mobile devices. In particular, the Loxin server cannot generate users’ login credentials for web access, thereby eliminating the potential risk of server compromise. The security analysis shows that Loxin is resistant to the most common attacks on web services such as replay attacks, manin-the-middle attacks, and server compromise attacks. The application of the Loxin security framework to the recent MintChip Challenge demonstrates the power of Loxin for building a real-world password-free mobile payment solution.