Password-based authentication is a common form of access control in Web services. For example, a Web service implementing a conventional password-based authentication scheme may require a user to provide a user name and password when the user registers a user account with the Web service. The Web service can then generate a hash value based on the password (e.g., using a one-way hash function) and can store the user name, the hash value, etc. in association with the user account. In response to receiving a user request to access the user account, the Web service may require the user to provide the user name and password, compute the hash value of the provided password in the same manner, and grant access only if the computed hash value matches the stored hash value.
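The registration and verification flow described above, as an added example that is not part of the original text: the first pair of functions stores a bare one-way hash of the password, exactly as the conventional scheme does; the second pair adds a per-user random salt and a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256) so that an attacker who obtains the stored records cannot amortize one pass over a wordlist across every user. The user names, passwords, wordlist and iteration count are constructed for illustration and are assumptions, not values from the text.

```python
"""Conventional vs. hardened password storage (constructed example)."""
import hashlib
import hmac
import os

# ---- Conventional scheme from the text: one-way hash of the password alone ----

def register_conventional(username: str, password: str, db: dict) -> None:
    """Store username -> SHA-256(password). Fast and unsalted, as the text describes."""
    db[username] = hashlib.sha256(password.encode("utf-8")).hexdigest()

def verify_conventional(username: str, password: str, db: dict) -> bool:
    """Recompute the hash of the supplied password and compare it to the stored value."""
    stored = db.get(username)
    if stored is None:
        return False
    candidate = hashlib.sha256(password.encode("utf-8")).hexdigest()
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(stored, candidate)

def dictionary_attack(db: dict, wordlist: list) -> dict:
    """Offline attack on the conventional scheme: hash each candidate word ONCE,
    then look every stored hash up in that table. No salt means one pass over the
    wordlist cracks every user whose password appears in it."""
    table = {hashlib.sha256(w.encode("utf-8")).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in db.items() if h in table}

# ---- Hardened scheme: per-user random salt + slow key derivation ----

# Assumption: iteration count chosen for a fast demo; in production tune it so one
# derivation takes on the order of 100 ms on the server hardware (much higher).
ITERATIONS = 200_000
SALT_LEN = 16

def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def register_hardened(username: str, password: str, db: dict) -> None:
    """Store (salt, iterations, derived key). The salt is random per user, so two
    users with the same password get different stored records."""
    salt = os.urandom(SALT_LEN)
    db[username] = (salt, ITERATIONS, _derive(password, salt, ITERATIONS))

def verify_hardened(username: str, password: str, db: dict) -> bool:
    rec = db.get(username)
    if rec is None:
        # Assumption: burn the same KDF cost for unknown users so response time
        # does not reveal whether the user name exists.
        _derive(password, b"\x00" * SALT_LEN, ITERATIONS)
        return False
    salt, iterations, stored = rec
    return hmac.compare_digest(stored, _derive(password, salt, iterations))

def crack_hardened(db: dict, wordlist: list) -> tuple:
    """Same wordlist attack against the hardened records. Returns the cracked users
    and the number of KDF invocations needed: with salts it is len(db) * len(wordlist)
    slow derivations instead of len(wordlist) fast hashes."""
    cracked, kdf_calls = {}, 0
    for user, (salt, iterations, stored) in db.items():
        for word in wordlist:
            kdf_calls += 1
            if hmac.compare_digest(stored, _derive(word, salt, iterations)):
                cracked[user] = word
                break
    return cracked, kdf_calls

if __name__ == "__main__":
    # Constructed sample accounts and a constructed three-word attacker wordlist.
    weak_db, strong_db = {}, {}
    for user, pw in [("alice", "password123"), ("bob", "letmein"), ("carol", "password123")]:
        register_conventional(user, pw, weak_db)
        register_hardened(user, pw, strong_db)
    wordlist = ["123456", "password123", "letmein"]
    print("unsalted hashes identical for alice/carol:", weak_db["alice"] == weak_db["carol"])
    print("cracked (conventional):", dictionary_attack(weak_db, wordlist))
    print("salted digests identical for alice/carol:", strong_db["alice"][2] == strong_db["carol"][2])
    print("cracked (hardened), KDF calls:", crack_hardened(strong_db, wordlist))
```

Both schemes are broken by a weak password that appears in the attacker's wordlist; the salt and slow KDF do not rescue "password123". What they change is the cost model: the conventional table is built once and reused against every account in the breach, whereas the hardened records force a full-cost derivation per user per guess, which is the property the per-user salt and the iteration count are there to provide.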
However, conventional password-based authentication schemes may not provide a user with adequate protection. For example, even when users choose long and complex passwords, an attacker who obtains the stored hash values can attempt to recover the passwords offline using a brute-force approach, a pre-constructed dictionary of likely passwords, etc. As another example, authentication schemes that rely on fast one-way hash functions are undermined by advances in hardware that make powerful password-cracking platforms widely available, so that the number of guesses an attacker can test per second keeps rising. As yet another example, since users frequently reuse passwords across different services, an attacker who compromises a user's password at one service (e.g., by breaking into the service and cracking the user passwords stored there) can use that password to impersonate the user at a second service.
Therefore, new mechanisms for authenticating a user are desirable.