Password-Based Authentication and Phishing

Abstract

The most common mechanism for online authentication is the username and password. The majority of e-commerce applications are designed to provide password authentication via an HTML form, with the assumption that the user needs to determine whether it is safe to enter the password. In order to avoid phishing attacks, the user is expected to distinguish between a phishing and a genuine website by checking the browser security indicators. Alternative authentication models suggest using images for authentication, introducing variations of Password Authenticated Key Exchange (PAKE) protocols into TLS, or using digital objects as passwords. Some authentication models suggest sending one-time password (OTP) tokens out-of-band to the user. Most computer users have too many passwords and keep forgetting them. A common issue for all authentication models is how to restore a legitimate user's access to their account without authentication, i.e. password reset. In this paper, we investigate current password-based authentication models and review their impact on phishing. We investigate two categories of issues: 1) deployment obstacles for the 'stronger' authentication models, and 2) security issues created by the number of passwords a user needs to memorize.