Passwords continue to prevail on the web as the primary method for user authentication despite their well-known security and usability drawbacks. Password managers offer some improvement without requiring server-side changes. In this paper, we evaluate the security of dual-possession authentication, an authentication approach offering encrypted storage of passwords and theft-resistance without the use of a master password. We further introduce Tapas, a concrete implementation of dual-possession authentication leveraging a desktop computer and a smartphone. Tapas requires no server-side changes to websites, no master password, and protects all the stored passwords in the event either the primary or secondary device (e.g., computer or phone) is stolen. To evaluate the viability of Tapas as an alternative to traditional password managers, we perform a 30 participant user study comparing Tapas to two configurations of Firefox's built-in password manager. We found users significantly preferred Tapas. We then improve Tapas by incorporating feedback from this study, and reevaluate it with an additional 10 participants. Copyright 2012 ACM.

Additional Metadata
Keywords Password managers, Smartphones, Usable security
Persistent URL
Conference 28th Annual Computer Security Applications Conference, ACSAC 2012
McCarney, D. (Daniel), Barrera, D. (David), Clark, J. (Jeremy), Chiasson, S, & Van Oorschot, P. (2012). Tapas: Design, implementation, and usability evaluation of a password manager. Presented at the 28th Annual Computer Security Applications Conference, ACSAC 2012. doi:10.1145/2420950.2420964