Tapas: Design, Implementation, and Usability Evaluation of a Password Manager

Passwords continue to prevail on the web as the primary method for user authentication despite their well-known security and usability drawbacks. Password managers offer some improvement without requiring server-side changes. In this paper, the authors evaluate the security of dual-possession authentication, an authentication approach offering encrypted storage of passwords and theft-resistance without the use of a master password. They further introduce Tapas, a concrete implementation of dual-possession authentication leveraging a desktop computer and a smartphone. Tapas requires no server-side changes to websites and no master password, and it protects all the stored passwords in the event that either the primary or secondary device (e.g., computer or phone) is stolen.

Resource Details

Provided by:
Association for Computing Machinery