{"id":"https://openalex.org/W4416549546","doi":"https://doi.org/10.1145/3719027.3765195","title":"Passwords and FIDO2 Are Meant To Be Secret: A Practical Secure Authentication Channel for Web Browsers","display_name":"Passwords and FIDO2 Are Meant To Be Secret: A Practical Secure Authentication Channel for Web Browsers","publication_year":2025,"publication_date":"2025-11-19","ids":{"openalex":"https://openalex.org/W4416549546","doi":"https://doi.org/10.1145/3719027.3765195"},"language":"en","primary_location":{"id":"doi:10.1145/3719027.3765195","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3719027.3765195","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3719027.3765195","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["arxiv","crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://dl.acm.org/doi/pdf/10.1145/3719027.3765195","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5070464111","display_name":"Anuj Gautam","orcid":"https://orcid.org/0009-0003-9503-558X"},"institutions":[{"id":"https://openalex.org/I75027704","display_name":"University of Tennessee at Knoxville","ror":"https://ror.org/020f3ap87","country_code":"US","type":"education","lineage":["https://openalex.org/I75027704"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Anuj Gautam","raw_affiliation_strings":["University of Tennessee, Knoxville, TN, USA"],"raw_orcid":"https://orcid.org/0009-0003-9503-558X","affiliations":[{"raw_affiliation_string":"University of Tennessee, Knoxville, TN, USA","institution_ids":["https://openalex.org/I75027704"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5037445921","display_name":"Tarun Yadav","orcid":"https://orcid.org/0000-0002-7592-4537"},"institutions":[{"id":"https://openalex.org/I100005738","display_name":"Brigham Young University","ror":"https://ror.org/047rhhm47","country_code":"US","type":"education","lineage":["https://openalex.org/I100005738"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Tarun Yadav","raw_affiliation_strings":["Brigham Young University, Provo, UT, USA"],"raw_orcid":"https://orcid.org/0000-0002-7592-4537","affiliations":[{"raw_affiliation_string":"Brigham Young University, Provo, UT, USA","institution_ids":["https://openalex.org/I100005738"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5081357717","display_name":"Garrett Smith","orcid":"https://orcid.org/0000-0003-4796-9735"},"institutions":[{"id":"https://openalex.org/I100005738","display_name":"Brigham Young University","ror":"https://ror.org/047rhhm47","country_code":"US","type":"education","lineage":["https://openalex.org/I100005738"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Garrett Smith","raw_affiliation_strings":["Brigham Young University, Provo, UT, USA"],"raw_orcid":"https://orcid.org/0000-0003-4796-9735","affiliations":[{"raw_affiliation_string":"Brigham Young University, Provo, UT, USA","institution_ids":["https://openalex.org/I100005738"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5081604096","display_name":"Kent Seamons","orcid":"https://orcid.org/0000-0002-1482-492X"},"institutions":[{"id":"https://openalex.org/I100005738","display_name":"Brigham Young University","ror":"https://ror.org/047rhhm47","country_code":"US","type":"education","lineage":["https://openalex.org/I100005738"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Kent Seamons","raw_affiliation_strings":["Brigham Young University, Provo, UT, USA"],"raw_orcid":"https://orcid.org/0000-0002-1482-492X","affiliations":[{"raw_affiliation_string":"Brigham Young University, Provo, UT, USA","institution_ids":["https://openalex.org/I100005738"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5090929608","display_name":"Scott Ruoti","orcid":"https://orcid.org/0000-0002-6917-4186"},"institutions":[{"id":"https://openalex.org/I75027704","display_name":"University of Tennessee at Knoxville","ror":"https://ror.org/020f3ap87","country_code":"US","type":"education","lineage":["https://openalex.org/I75027704"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Scott Ruoti","raw_affiliation_strings":["University of Tennessee, Knoxville, TN, USA"],"raw_orcid":"https://orcid.org/0000-0002-6917-4186","affiliations":[{"raw_affiliation_string":"University of Tennessee, Knoxville, TN, USA","institution_ids":["https://openalex.org/I75027704"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5070464111"],"corresponding_institution_ids":["https://openalex.org/I75027704"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":true,"cited_by_count":0,"citation_normalized_percentile":{"value":0.47647414,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"1859","last_page":"1873"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.5885000228881836,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.5885000228881836,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11800","display_name":"User Authentication and Security Systems","score":0.17759999632835388,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.08089999854564667,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/cross-site-scripting","display_name":"Cross-site scripting","score":0.8952999711036682},{"id":"https://openalex.org/keywords/password","display_name":"Password","score":0.7997000217437744},{"id":"https://openalex.org/keywords/scripting-language","display_name":"Scripting language","score":0.6334999799728394},{"id":"https://openalex.org/keywords/web-application","display_name":"Web application","score":0.46389999985694885},{"id":"https://openalex.org/keywords/authentication","display_name":"Authentication (law)","score":0.45820000767707825},{"id":"https://openalex.org/keywords/web-server","display_name":"Web server","score":0.44119998812675476},{"id":"https://openalex.org/keywords/server","display_name":"Server","score":0.43230000138282776}],"concepts":[{"id":"https://openalex.org/C39569185","wikidata":"https://www.wikidata.org/wiki/Q371199","display_name":"Cross-site scripting","level":5,"score":0.8952999711036682},{"id":"https://openalex.org/C109297577","wikidata":"https://www.wikidata.org/wiki/Q161157","display_name":"Password","level":2,"score":0.7997000217437744},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.7081000208854675},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7019000053405762},{"id":"https://openalex.org/C61423126","wikidata":"https://www.wikidata.org/wiki/Q187432","display_name":"Scripting language","level":2,"score":0.6334999799728394},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.46389999985694885},{"id":"https://openalex.org/C148417208","wikidata":"https://www.wikidata.org/wiki/Q4825882","display_name":"Authentication (law)","level":2,"score":0.45820000767707825},{"id":"https://openalex.org/C11392498","wikidata":"https://www.wikidata.org/wiki/Q11288","display_name":"Web server","level":3,"score":0.44119998812675476},{"id":"https://openalex.org/C93996380","wikidata":"https://www.wikidata.org/wiki/Q44127","display_name":"Server","level":2,"score":0.43230000138282776},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.38269999623298645},{"id":"https://openalex.org/C3847113","wikidata":"https://www.wikidata.org/wiki/Q2746524","display_name":"Password cracking","level":5,"score":0.36660000681877136},{"id":"https://openalex.org/C98705547","wikidata":"https://www.wikidata.org/wiki/Q3394687","display_name":"Password policy","level":4,"score":0.35100001096725464},{"id":"https://openalex.org/C2983909278","wikidata":"https://www.wikidata.org/wiki/Q6368","display_name":"Web browser","level":3,"score":0.34869998693466187},{"id":"https://openalex.org/C77714075","wikidata":"https://www.wikidata.org/wiki/Q5452017","display_name":"Firewall (physics)","level":5,"score":0.2703999876976013},{"id":"https://openalex.org/C59241245","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Web application security","level":4,"score":0.2687000036239624},{"id":"https://openalex.org/C2780385302","wikidata":"https://www.wikidata.org/wiki/Q367158","display_name":"Protocol (science)","level":3,"score":0.26579999923706055},{"id":"https://openalex.org/C113328881","wikidata":"https://www.wikidata.org/wiki/Q599809","display_name":"Dictionary attack","level":3,"score":0.26159998774528503}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1145/3719027.3765195","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3719027.3765195","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3719027.3765195","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},{"id":"pmh:oai:arXiv.org:2509.02289","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2509.02289","pdf_url":"https://arxiv.org/pdf/2509.02289","source":{"id":"https://openalex.org/S4393918464","display_name":"ArXiv.org","issn_l":"2331-8422","issn":["2331-8422"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":null,"raw_type":"text"}],"best_oa_location":{"id":"doi:10.1145/3719027.3765195","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3719027.3765195","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3719027.3765195","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G3186886081","display_name":null,"funder_award_id":"CNS-1816929","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G6846245585","display_name":null,"funder_award_id":"CNS-2226404","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G7546349360","display_name":null,"funder_award_id":"CNS-2226404, CNS-1816929","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G8375141726","display_name":null,"funder_award_id":"2226404","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G8460880004","display_name":"SaTC: CORE: Small: Usable Key Management and Forward Secrecy for Secure Email","funder_award_id":"1816929","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"}],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"}],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4416549546.pdf","grobid_xml":"https://content.openalex.org/works/W4416549546.grobid-xml"},"referenced_works_count":16,"referenced_works":["https://openalex.org/W1708992266","https://openalex.org/W1884689072","https://openalex.org/W1973926261","https://openalex.org/W2030112111","https://openalex.org/W2045591401","https://openalex.org/W2096982639","https://openalex.org/W2607361454","https://openalex.org/W2789934408","https://openalex.org/W2795336163","https://openalex.org/W3110204761","https://openalex.org/W3154021468","https://openalex.org/W3154905998","https://openalex.org/W4200043417","https://openalex.org/W4225001029","https://openalex.org/W4391724789","https://openalex.org/W4405181789"],"related_works":[],"abstract_inverted_index":{"Password":[0],"managers":[1],"provide":[2],"significant":[3],"security":[4],"benefits":[5],"to":[6,46,146],"users.":[7],"However,":[8],"malicious":[9,73,128],"client-side":[10],"scripts":[11],"and":[12,37,59,72,127],"browser":[13,58],"extensions":[14],"can":[15,43],"steal":[16],"passwords":[17,68],"after":[18],"the":[19,25,56,86,107,121],"manager":[20],"has":[21],"autofilled":[22],"them":[23],"into":[24,115],"web":[26,147],"page.":[27],"In":[28],"this":[29,112],"paper,":[30],"we":[31,92],"extend":[32],"prior":[33],"work":[34],"by":[35],"Stock":[36],"Johns,":[38],"showing":[39],"how":[40],"password":[41],"autofill":[42],"be":[44],"hardened":[45],"prevent":[47],"these":[48],"local":[49,104],"attacks.":[50],"We":[51,75,110],"implement":[52,111],"our":[53,64,79,94],"design":[54],"in":[55],"Firefox":[57],"conduct":[60],"experiments":[61],"demonstrating":[62,117],"that":[63,78,100,118],"defense":[65,99,114,131],"successfully":[66],"protects":[67,120],"from":[69],"XSS":[70,125],"attacks":[71,105,126],"extensions.":[74,129],"also":[76],"show":[77],"implementation":[80],"is":[81,132],"compatible":[82,133],"with":[83,134],"97%":[84],"of":[85],"Alexa":[87],"top":[88],"1000":[89],"websites.":[90],"Next,":[91],"generalize":[93],"design,":[95],"creating":[96],"a":[97,141],"second":[98,113],"prevents":[101],"recently":[102],"discovered":[103],"against":[106,124],"FIDO2":[108,122],"protocols.":[109],"Firefox,":[116],"it":[119,138],"protocol":[123],"This":[130],"all":[135],"websites,":[136],"though":[137],"does":[139],"require":[140],"small":[142],"change":[143],"(2-3":[144],"lines)":[145],"servers":[148],"implementing":[149],"FIDO2.":[150]},"counts_by_year":[],"updated_date":"2026-03-27T05:58:40.876381","created_date":"2025-10-10T00:00:00"}