Association for Computing Machinery
Passwords continue to prevail on the web as the primary method for user authentication despite their well-known security and usability drawbacks. Password managers offer some improvement without requiring server-side changes. In this paper, the authors evaluate the security of dual-possession authentication, an authentication approach offering encrypted storage of passwords and theft-resistance without the use of a master password. They further introduce Tapas, a concrete implementation of dual-possession authentication leveraging a desktop computer and a smartphone. Tapas requires no server-side changes to websites and no master password, and it protects all the stored passwords in the event that either the primary or the secondary device (e.g., computer or phone) is stolen.