Authentication

Authentication is about determining that an entity, such as a person, has a desired property, such as knowing a password. The goal of authentication is ensuring that the system knows who is interacting with it and can therefore make later decisions, such as access control decisions, with confidence.

Slides

2025 Slides

• 02-Authentication
• 03-Authentication
• 03-Phishing

Recommended Reading

• Security in Computing - Chapter 2.1 and 2.2
• Video 17 minutes: What’s wrong with your pa$$w0rd?

News

• Exclusive: how the Atlantic’s Jeffrey Goldberg got added to the White House Signal group chat
• Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years by Brian Krebs

Laws, regulations, and guidance

• NIST SP 800-63-4 Section 3.1.1.
• NIST proposes barring some of the most nonsensical password rules by Dan Goodin (arsTechnica)
• Password administration for system owners by the National Cyber Security Center of the United Kingdom - one of the first countries to officially advocate for user-friendly password rules

Research

• Joseph Bonneau. The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. In Proceedings of IEEE SP 2012.
• Blase Ur, Felicia Alfieri, Maung Aung, Lujo Bauer, Nicolas Christin, Jessica Colnago, Lorrie Faith Cranor, Henry Dixon, Pardis Emami Naeini, Hana Habib, Noah Johnson, William Melicher. Design and Evaluation of a Data-Driven Password Meter In Proceedings of CHI 2017.
• Florian Mathis, John H. Williamson, Kami Vaniea, Mohamed Khamis (2020). RubikAuth: Fast and Secure Authentication in Virtual Reality. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems.
• Ur, Blase, et al. “How does your password measure up? The effect of strength meters on password creation.” 21st USENIX security symposium (USENIX Security 12). 2012.

Random Fun Stuff

• * The password game - Simple game that keeps giving you new harder, more crazy, password rules as you progress.