Loxin -- A Solution to Password-less Universal Login

Abstract

As the easiest and cheapest way of authenticating an end user, password-based authentication methods have been consistently chosen by almost every new cloud service. Unfortunately, the explosive growth of cloud services and web applications has made it impossible for users to manage dozens of passwords for accessing different cloud services. The situation is even worse considering the potential application of massively parallel computing devices such as GPUs and ASICs to efficient password cracking. Hence, from a usability viewpoint, passwords may have reached the end of their useful life. Motivated by a number of recent industry initiatives for online authentication, we present Loxin, an innovative solution for password-less universal login. Loxin aims to improve on passwords with respect to both usability and security. Loxin takes advantage of push message services for mobile devices and enables users to access multiple cloud services by using pre-owned identities, such as email addresses, together with a few taps on their mobile devices. In particular, the Loxin server cannot generate users' login credentials, thereby eliminating the potential risk of server compromise. Loxin is resistant to the most common attacks on cloud services, such as replay attacks and man-in-the-middle attacks. We also discuss possible extensions for protecting Loxin from vendor lock-in and single points of failure, in order to ensure that Loxin is an open and stable authentication system. The application of the proposed Loxin security framework to the recent MintChip Challenge demonstrates the power of Loxin for building a real-world password-less mobile payment solution.
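The abstract states three properties without showing a mechanism: the server cannot generate a user's login credential, replayed responses are rejected, and a man-in-the-middle cannot reuse an approval for a different service. The following Go program is an added illustration of how a push-based, password-less login can satisfy those properties in general; it is not the Loxin protocol from the paper, and the challenge format, the field names, the Ed25519 choice and the sample identity and service names are all assumptions made for this example. The server keeps only the device's public key and a table of outstanding challenges, so it holds nothing from which a valid response could be forged; each challenge carries a single-use nonce so a captured response cannot be replayed; and the device refuses to sign a challenge whose service name does not match the one the user intended to log into.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Challenge is what the server pushes to the user's device (assumed format).
type Challenge struct {
	Identity string    // pre-owned identity, e.g. an email address
	Service  string    // the cloud service the login is for
	Nonce    string    // fresh random value, valid for exactly one response
	Issued   time.Time // issue time, used to expire stale challenges
}

// Bytes is the canonical byte string that is signed and verified.
func (c Challenge) Bytes() []byte {
	return []byte(c.Identity + "|" + c.Service + "|" + c.Nonce + "|" +
		c.Issued.UTC().Format(time.RFC3339))
}

// Server stores public keys only: it can verify responses but never produce one.
type Server struct {
	mu      sync.Mutex
	pubkeys map[string]ed25519.PublicKey
	pending map[string]Challenge // outstanding challenges, keyed by nonce
	ttl     time.Duration
}

func NewServer(ttl time.Duration) *Server {
	return &Server{pubkeys: map[string]ed25519.PublicKey{}, pending: map[string]Challenge{}, ttl: ttl}
}

// Register binds an identity to the device's public key (enrollment step).
func (s *Server) Register(identity string, pk ed25519.PublicKey) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pubkeys[identity] = pk
}

// IssueChallenge creates a single-use challenge to be pushed to the device.
func (s *Server) IssueChallenge(identity, service string) (Challenge, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.pubkeys[identity]; !ok {
		return Challenge{}, errors.New("unknown identity")
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return Challenge{}, err
	}
	c := Challenge{Identity: identity, Service: service, Nonce: hex.EncodeToString(b), Issued: time.Now()}
	s.pending[c.Nonce] = c
	return c, nil
}

// Verify accepts a signed challenge once; a second submission with the same
// nonce (a replay) fails because the entry has been consumed.
func (s *Server) Verify(c Challenge, sig []byte, now time.Time) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	stored, ok := s.pending[c.Nonce]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	if !bytes.Equal(stored.Bytes(), c.Bytes()) {
		return errors.New("challenge was modified in transit")
	}
	if now.Sub(stored.Issued) > s.ttl {
		delete(s.pending, c.Nonce)
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(s.pubkeys[c.Identity], c.Bytes(), sig) {
		return errors.New("invalid signature")
	}
	delete(s.pending, c.Nonce) // consumed: replays are rejected from here on
	return nil
}

// Device holds the private key; it never leaves the phone in this model.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() (*Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: priv}, pub
}

// Approve is the user's "tap": sign only if the pushed challenge names the
// service the user actually intended, so a relayed challenge for another
// service is refused.
func (d *Device) Approve(c Challenge, intendedService string) ([]byte, error) {
	if c.Service != intendedService {
		return nil, fmt.Errorf("service mismatch: challenge is for %q, user expected %q", c.Service, intendedService)
	}
	return ed25519.Sign(d.priv, c.Bytes()), nil
}

func main() {
	srv := NewServer(time.Minute)
	dev, pub := NewDevice()
	srv.Register("alice@example.com", pub) // constructed sample identity
	c, _ := srv.IssueChallenge("alice@example.com", "mail.example")
	sig, _ := dev.Approve(c, "mail.example")
	fmt.Println("first login:", srv.Verify(c, sig, time.Now()))  // <nil>
	fmt.Println("replayed login:", srv.Verify(c, sig, time.Now())) // rejected
}
```

The last check worth noting is the negative one: a compromised server can hand out challenges for any identity it likes, but with only public keys on disk it cannot produce a signature that its own Verify accepts, which is the property the abstract claims for the Loxin server.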

Publication
The 2014 IEEE INFOCOM Workshop on Security and Privacy in Big Data (BigSecurity 2014)
Xinxin Fan
Head of Cryptography