On Countering Online Dictionary Attacks with Login Histories and Humans-in-the-Loop
Automated Turing Tests (ATTs), also known as human-in-the-loop techniques, were recently employed in a login protocol to protect against online password-guessing attacks. The authors present modifications that yield a new history-based login protocol with ATTs that uses failed-login counts. Analysis indicates that the new protocol offers opportunities for improved security and user friendliness (fewer ATTs presented to legitimate users) and greater flexibility (e.g., allowing protocol parameters to be customized for particular situations and users). They also note that other protocols involving ATTs are susceptible to minor variations of well-known middle-person attacks.