Active CONTINUING GRANT National Science Foundation (US)

CAREER: Cryptographic Tools for Usable Human Authentication

$5.92M USD

Funder National Science Foundation (US)
Recipient Organization Purdue University
Country United States
Start Date May 15, 2021
End Date Apr 30, 2026
Duration 1,811 days
Number of Grantees 1
Roles Principal Investigator
Data Source National Science Foundation (US)
Grant ID 2047272
Grant Description

Password authentication is a common source of frustration for users and a constant source of security vulnerabilities. Users struggle with the burdensome task of creating and remembering passwords for multiple different accounts and frequently cope by selecting weak (low-entropy) passwords and reusing the same password across multiple accounts. Over the past decade, data breaches at many prominent organizations have exposed billions of these low-entropy passwords to the dangerous threat of offline brute-force attacks.

Despite their shortcomings, passwords continue to be the most widely adopted form of authentication. The goal of the project is to develop cryptographic tools to improve the security and usability of human authentication, especially password authentication.

The project investigates new combinatorial techniques to design and analyze memory-hard functions, a cryptographic primitive which can be used to protect low-entropy secrets such as passwords and biometrics against brute-force attacks. The project develops stronger memory-hard functions and analyzes the concrete security of prior memory-hard functions such as SCRYPT, Argon2 and DRSample.

The project adapts tools from statistics and game theory to better understand the distribution over user-chosen passwords and predict how password attackers will behave. The investigators study how password defenses can be tuned based on this distribution to optimally protect user accounts against attackers. Finally, the project develops mechanisms to help users (gradually) memorize stronger passwords and to help users securely manage multiple passwords without requiring users to memorize independent passwords for every account.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

All Grantees

Purdue University
