Researchers from the University of Alabama at Birmingham, along with the University of California at Irvine, offered new options to increase password security against hacking.
"There have been many attacks on servers that store passwords lately, such as the breaches at PayPal and LinkedIn," said Nitesh Saxena, associate professor in the Department of Computer and Information Sciences at UAB.
Many people use the same few uncomplicated passwords repeatedly, making them easy to remember. Passwords are typically stored on servers in a hashed form.
Two-factor authentication schemes, such as Google Authenticator, or hardware tokens, such as RSA SecureID, use a second device to generate a temporary personal identification number, or PIN, that the user must enter along with their password.
Also Read
But current two-factor schemes present the same vulnerabilities to server hacks as password-only authentication, Saxena said.
"If someone hacks into the server, they could learn the passwords via an offline dictionary attack," he said.
"Learning the passwords wouldn't compromise the second authentication factor, but the user might be using that same password elsewhere.
Researchers proposed and tested four two-factor schemes that require servers to store a randomised hash of the passwords and a second device, such as the user's security token or smartphone, to store a corresponding secret code.
They present these schemes at several levels of computer system bandwidth, effectively turning four schemes into 13 security options.
"Rather than requiring the user to enter both their password and a PIN generated by an app, the user could enter a password, and their smartphone could automatically send a PIN over a Bluetooth connection or through a simple QR code," Saxena said.
"With each of our proposals, you get a high level of security with the same or better level of usability than the current two-factor authentication schemes," researchers said.