Provably Secure Browser-Based User-Aware Mutual Authentication Over TLS
The standard solution for user authentication on the Web is to establish a TLS-based secure channel in server authenticated mode and run a protocol on top of TLS where the user enters a password in an HTML form. However, as many studies point out, the average Internet user is unable to identify the server based on a X.509 certificate so that impersonation attacks (e.g., phishing) are feasible. The authors tackle this problem by proposing a protocol that allows the user to identify the server based on human perceptible authenticators (e.g., picture, voice). They prove the security of this protocol by refining the game-based security model of Bellare and Rogaway and present a proof of concept implementation.