Painless Migration from Passwords to Two Factor Authentication

Ziqing Mao, Dinei Florencio, and Cormac Herley


In spite of the growing frequency and sophistication of attacks, two factor authentication schemes have seen very limited adoption in the US, and passwords remain the single factor of authentication for most bank and brokerage accounts. Clearly the cost-benefit analysis is not as strongly in favor of two factor as we might imagine. Upgrading from passwords to a two factor authentication system usually involves a large engineering effort, a discontinuity of user experience and a hard key management problem. In this paper we describe a system to convert a legacy password authentication server into a two factor system. The existing password system is untouched, but is cascaded with a new server that verifies possession of a smartphone device. No alteration, patching or updates to the legacy system is necessary. There are now two alternative authentication paths: one using passwords alone, and a second using passwords and possession of the trusted device. The bank can leave the password authentication path available while users migrate to the two factor scheme. Once migration is complete the password-only path can be severed. We have implemented the system and carried out two factor authentication against real accounts at several major banks.


Publication type: Inproceedings
Published in: WIFS
Publisher: IEEE SPS