Authentication Shutter: Alternative Countermeasure Against Password Reuse Attack by Availability Control
Title | Authentication Shutter: Alternative Countermeasure Against Password Reuse Attack by Availability Control |
Publication Type | Conference Paper |
Year of Publication | 2017 |
Authors | Takada, Tetsuji |
Conference Name | Proceedings of the 12th International Conference on Availability, Reliability and Security |
Date Published | August 2017 |
Publisher | ACM |
Conference Location | New York, NY, USA |
ISBN Number | 978-1-4503-5257-4 |
Keywords | Availability, I-O Systems, i-o systems security, Password reuse attack, pubcrawl, Scalability, Security User authentication, self-control, Shutter, Web system |
Abstract | A mass attack on web services using leaked account information has been done in recent years. The causes of the attack are information leakage and use of the same password among multiple services. Available measures against the attack are mainly using an alternative authentication method such as two-factor authentication or one-time password. Such measures put an additional operation load or credential management on users, and may also impose additional management costs to users or service providers for dedicated devices. These issues limit the applicability of such measures to only parts of various services. Therefore, I propose an alternative measure against the attack by using the concept of shutters in car garages. The proposed scheme is referred to as the "authentication shutter". In this scheme, a legitimate user can control the availability of user authentication directly. This means that, even if an attacker has a valid user ID and password, if a legitimate user sets the user authentication as unavailable, an attacker cannot pass user authentication. I explain the basic idea and how to implement the scheme as a web system, and also discuss the usability and security of the scheme. |
URL | https://dl.acm.org/doi/10.1145/3098954.3103153 |
DOI | 10.1145/3098954.3103153 |
Citation Key | takada_authentication_2017 |