An Online User Authentication Scheme for Web-Based services

Online user authentication using secure protocol is required by most web-based services. User authentication is mostly carried out by sending a pair of username and password to the server, since most users have not a certificate. Some attacks just rely on this fact, such as phishing attacks. In the paper, we discuss the issue of online user authentication and propose a method for online user authentication employing trusted computing technology. We describe a browser extension scheme, which transparently produces a certificate for each user, improving web authentication security and defending against password phishing and other attacks. Since the scheme combines the password entered by the user, the password associated with private key protected by trusted platform module, and user certificate provided by trusted computing platform, thieving only the password at web will not have an affect on user security. And no changes on the server side are required in the scheme. The proposed approach could be proved to protect against phishing attacks.