The ease with which a malicious third party can obtain a user’s password when he or she logs into Internet sites (such as bank or email accounts) from an insecure computer creates a substantial security risk to private information and transactions. For example, a malicious administrator at a cybercafe, or a malicious user with sufficient access to install key loggers at a kiosk, can obtain users ’ passwords easily. Even when users do not trust the machines they are using, many of them are faced with the prospect of accessing their accounts with a single level of privilege. To address this problem, we propose a system based on two modes of authentication—default and restricted. Users can signal to the server whether they are in an untrusted environment so that the server can log them in under restricted privileges that allow them to perform basic actions that cause no serious damage if the session or their password is compromised. 1
To submit an update or takedown request for this paper, please submit an Update/Correction/Removal Request.