Automated Turing Tests (ATTs), also known as human-in-the-loop techniques, were recently employed in a login protocol by Pinkas and Sander (2002) to protect against online password-guessing attacks. We present modifications providing a new history-based login protocol with ATTs, which uses failed-login counts. Analysis indicates that the new protocol offers opportunities for improved security and user friendliness (fewer ATTs to legitimate users) and greater flexibility (e.g., allowing protocol parameter customization for particular situations and users). We also note that the Pinkas-Sander and other protocols involving ATTs are susceptible to minor variations of well-known middle-person attacks. We discuss complementary techniques to address such attacks, and to augment the security of the original protocol.

Additional Metadata
Keywords Mandatory human participation schemes, Online dictionary attacks, Password protocols, Relay attack, Usable security
Persistent URL dx.doi.org/10.1145/1178618.1178619
Journal ACM Transactions on Information and System Security
Citation
Van Oorschot, P, & Stubblebine, S. (Stuart). (2006). On countering online dictionary attacks with login histories and humans-in-the-loop. ACM Transactions on Information and System Security, 9(3), 235–258. doi:10.1145/1178618.1178619