PhD Defense by Suood AlRoomi

Title: Empirical Measurements of the Security, Privacy, and Usability of Website Password Authentication Workflows

Date: Tuesday, July 23, 2024.

Time: 12pm – 2pm ET.

Location: Coda C1115 Druid Hills and Zoom meeting (ID: 986 5441 4573   Passcode: 841338)

Suood AlRoomi

Ph.D. Candidate in Computer Science

School of Cybersecurity and Privacy

Georgia Institute of Technology

Committee:

Dr. Frank Li (Advisor), School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Paul Pearce, School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Mustaque Ahamad, School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Cecilia Testart, School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Douglas Blough, School of Electrical and Computer Engineering, Georgia Institute of Technology

Abstract:

In an era where digital interactions are integral to daily life, the security and privacy of online authentication mechanisms are crucial for protecting user data and maintaining trust in web services. Passwords, though decades old, remain the most common form of authentication and are likely to stay ubiquitous. Therefore, the web ecosystem’s security depends on how users and websites handle passwords and manage authentication. Researchers have extensively explored user behavior with passwords, offering insights into how websites should handle authentication and driving significant updates to modern guidelines.

A significant gap remains in understanding how websites handle authentication and whether they adhere to best practices. This dissertation aims to bridge that gap through large-scale empirical measurements of website authentication practices. I develop measurement techniques to systematically evaluate websites’ authentication policies and implementation decisions, and apply them at scale to assess their authentication workflows.

I reveal the disparity between modern recommendations and real-world implementations. My studies show that while guidelines inform policy decisions, barriers prevent adoption of recent recommendations, highlighting the need for education and outreach efforts. Further, I found that poor policy decisions often align with the default configurations of web software, which frequently compromise security, privacy, or usability. Updating these defaults to match modern guidelines could significantly reduce vulnerabilities and promote best practices. Moreover, incorporating security features such as blocking common passwords and rate limiting could significantly enhance the security of websites, as many are found lacking these defenses. I also identify concerning practices in authentication workflows, such as insecure communication, misconfigured HTTPS deployments, and mixed content vulnerabilities. While TLS deployment has improved, work remains to migrate all sensitive resources to HTTPS. Standardized authentication workflows with centralized security controls, together with outreach efforts, can further mitigate inconsistencies and improve authentication security.
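As an added illustration of the kind of workflow check the abstract refers to (credentials posted over HTTP, and mixed content on an HTTPS login page), and not code from the dissertation or its measurement pipeline: a small static auditor that parses a login page's HTML and reports transport problems. The HTML samples and the example.com hostnames are constructed for this example; the dissertation's studies measure live sites, which this offline snippet does not do.

```python
"""Static audit of a login page for insecure transport: a password form whose
action resolves to http://, and http:// subresources on an https:// page
(mixed content). Input is constructed HTML; nothing is fetched from the network."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose http:// sources on an https:// page are active mixed content
# (modern browsers block them); passive mixed content is only flagged.
ACTIVE_MIXED = {"script", "iframe", "link", "object", "embed"}
PASSIVE_MIXED = {"img", "audio", "video", "source"}


class _LoginPageParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # dicts: {"action": absolute URL, "password": bool}
        self._current = None   # the <form> currently open, if any
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action submits back to the page URL itself.
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""),
                             "password": False}
        elif tag == "input" and self._current is not None \
                and (a.get("type") or "").lower() == "password":
            self._current["password"] = True
        # Only stylesheet <link>s are subresources we care about here.
        if tag == "link":
            src = a.get("href") if "stylesheet" in (a.get("rel") or "").lower() else None
        else:
            src = a.get("src")
        if src and tag in ACTIVE_MIXED | PASSIVE_MIXED:
            self._check_subresource(tag, urljoin(self.page_url, src))

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

    def _check_subresource(self, tag, url):
        # Mixed content only exists when the page itself is HTTPS.
        if urlsplit(self.page_url).scheme == "https" and urlsplit(url).scheme == "http":
            kind = "active" if tag in ACTIVE_MIXED else "passive"
            self.findings.append(f"{kind} mixed content: <{tag}> loads {url}")


def audit_login_page(page_url, html):
    """Return a list of human-readable findings; an empty list means no issue found."""
    parser = _LoginPageParser(page_url)
    parser.feed(html)
    parser.close()
    findings = []
    page_scheme = urlsplit(page_url).scheme
    if page_scheme != "https":
        findings.append(f"login page served over {page_scheme}: {page_url}")
    for form in parser.forms:
        action_scheme = urlsplit(form["action"]).scheme
        if form["password"] and action_scheme != "https":
            findings.append(f"password form submits over {action_scheme}: {form['action']}")
    return findings + parser.findings


# Constructed sample pages (hypothetical hosts, not real sites).
INSECURE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/login.css">
<script src="http://cdn.example.com/app.js"></script>
</head><body>
<img src="http://static.example.com/logo.png">
<form method="post" action="http://www.example.com/login">
  <input name="user"><input type="password" name="pass">
</form></body></html>"""

SECURE_HTML = """
<html><head><script src="/static/app.js"></script></head><body>
<form method="post" action="/login">
  <input name="user"><input type="password" name="pass">
</form></body></html>"""

if __name__ == "__main__":
    for url, html in [("https://www.example.com/login", INSECURE_HTML),
                      ("https://www.example.com/login", SECURE_HTML),
                      ("http://www.example.com/login", SECURE_HTML)]:
        print(url, audit_login_page(url, html) or ["clean"])
```

A static check like this only sees markup present in the served HTML; login forms assembled by JavaScript, or submitted via script to a different endpoint, need a browser-driven measurement to observe the request the credentials actually travel in.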

Status

  • Workflow Status: Published
  • Created By: Tatianna Richardson
  • Created: 07/09/2024
  • Modified By: Tatianna Richardson
  • Modified: 07/09/2024
