Is it too late for PAKE?

Password Authenticated Key Exchange (PAKE) is a class of cryptographic protocols that allow two parties sharing a password to authenticate each other without explicitly revealing the password in the process. PAKE protocols offer a potential improvement over current web authentication practices, e.g., HTML form-based password authentication, but there has been little progress towards integrating PAKE into web browsers and servers. In this paper, we report the results of a systematic investigation of various practical issues and challenges in deploying PAKE for web authentication. We examine three categories of issues: 1) security issues related to UI design; 2) security issues related to the browsers same origin policy; and 3) potential hurdles to deployment. We propose potential solutions for some problems and identify areas for future work.

Citation

Engler, J.; Karlof, C.; Shi, E.; Song, D. PAKE-based web authentication: the good, the bad and the hurdles. IEEE Web 2.0 Security and Privacy Workshop; 2009 May 21; Oakland, CA.