Opportunistic protected login: Next step in traditional password based user authentication

Password based authentication faces security related threats from phishing, server compromise and man-inthe-middle attack. Despite the poor security, it has been the primary method of user authentication on web since a decade now. This paper is a systematic review of a proposal, by Czeskis et al., which aims to provide opportunistic protected login for user authentication, for web services without changing user experience. This proposal involves using a personal device, other then the machine on which user is accessing the service, as a second factor authentication device. In addition, this solution involves using public key cryptography to provide secure channel, between client and server, to which authentication tokens can be attached. The solution aims not only to make first login secure but also prevent user from phishing and certain variants of man-in-the-middle attack. In addition to discussing the proposal, this paper is an effort at evaluating the assumptions, threat model and assembling open problems related to proposal. Keywords-Communication system security; Information security; Authentication;