The Emperor is Now Clothed: A Secure Governance Framework for Web User Authentication through Password Managers

Ali Cherry; Kostas Barmpis; Siamak F. Shahandashti

doi:10.1007/978-981-97-8801-9_12

The Emperor is Now Clothed: A Secure Governance Framework for Web User Authentication through Password Managers

Ali Cherry, Kostas Barmpis, Siamak F. Shahandashti

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Existing approaches to facilitate the interaction between password managers and web applications fall short of providing adequate functionality and mitigation strategies against prominent attacks. HTML Autofill is not sufficiently expressive, Credential Management API does not support browser extension password managers, and other proposed solutions do not conform to established user mental models. In this paper, we propose Berytus, a browser-based governance framework that mediates the interaction between password managers and web applications. Two APIs are designed to support Berytus acting as an orchestrator between password managers and web applications. An implementation of the framework in Firefox is developed that fully supports registration and authentication processes. As an orchestrator, Berytus is able to authenticate web applications and facilitate authenticated key exchange between web applications and password managers, which as we show, can provide effective mitigation strategies against phishing, cross-site scripting, inline code injection (e.g., by a malicious browser extension), and TLS proxy in the middle attacks, whereas existing mitigation strategies such as Content Security Policy and credential tokenisation are only partially effective. The framework design also provides desirable functional properties such as support for multi-step, multi-factor, and custom authentication schemes. We provide a comprehensive security and functionality evaluation and discuss possible future directions.

Original language	English
Title of host publication	Information and Communications Security
Subtitle of host publication	26th International Conference, ICICS 2024
Editors	Sokratis Katsikas, Christos Xenakis, Costas Lambrinoudakis, Christos Kalloniatis
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	233-252
Number of pages	20
ISBN (Print)	9789819788002
DOIs	https://doi.org/10.1007/978-981-97-8801-9_12
Publication status	Published - 28 Aug 2024
Event	26th International Conference on Information and Communications Security, ICICS 2024 - Mytilene, Greece Duration: 26 Aug 2024 → 28 Aug 2024

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	15057 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	26th International Conference on Information and Communications Security, ICICS 2024
Country/Territory	Greece
City	Mytilene
Period	26/08/24 → 28/08/24

Bibliographical note

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2025. This is an author-produced version of the published paper. Uploaded in accordance with the University’s Research Publications and Open Access policy.

Keywords

Password Managers
Password Manager Security
HTML Autofill
User Authentication
Web Authentication

Access to Document

10.1007/978-981-97-8801-9_12

CBS24-Berytus-Password-Manager-Governance-Framework
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2025. This is an author-produced version of the published paper. Uploaded in accordance with the University’s Research Publications and Open Access policy.
Accepted author manuscript, 957 KBLicence: CC BY

Cite this

Cherry, A., Barmpis, K., & Shahandashti, S. F. (2024). The Emperor is Now Clothed: A Secure Governance Framework for Web User Authentication through Password Managers. In S. Katsikas, C. Xenakis, C. Lambrinoudakis, & C. Kalloniatis (Eds.), Information and Communications Security: 26th International Conference, ICICS 2024 (pp. 233-252). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 15057 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-981-97-8801-9_12

Cherry, Ali ; Barmpis, Kostas ; Shahandashti, Siamak F. / The Emperor is Now Clothed : A Secure Governance Framework for Web User Authentication through Password Managers. Information and Communications Security: 26th International Conference, ICICS 2024. editor / Sokratis Katsikas ; Christos Xenakis ; Costas Lambrinoudakis ; Christos Kalloniatis. Springer Science and Business Media Deutschland GmbH, 2024. pp. 233-252 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{4572bbbeb42941b68471c28bf8f77edd,

title = "The Emperor is Now Clothed: A Secure Governance Framework for Web User Authentication through Password Managers",

abstract = "Existing approaches to facilitate the interaction between password managers and web applications fall short of providing adequate functionality and mitigation strategies against prominent attacks. HTML Autofill is not sufficiently expressive, Credential Management API does not support browser extension password managers, and other proposed solutions do not conform to established user mental models. In this paper, we propose Berytus, a browser-based governance framework that mediates the interaction between password managers and web applications. Two APIs are designed to support Berytus acting as an orchestrator between password managers and web applications. An implementation of the framework in Firefox is developed that fully supports registration and authentication processes. As an orchestrator, Berytus is able to authenticate web applications and facilitate authenticated key exchange between web applications and password managers, which as we show, can provide effective mitigation strategies against phishing, cross-site scripting, inline code injection (e.g., by a malicious browser extension), and TLS proxy in the middle attacks, whereas existing mitigation strategies such as Content Security Policy and credential tokenisation are only partially effective. The framework design also provides desirable functional properties such as support for multi-step, multi-factor, and custom authentication schemes. We provide a comprehensive security and functionality evaluation and discuss possible future directions.",

keywords = "Password Managers, Password Manager Security, HTML Autofill, User Authentication, Web Authentication",

author = "Ali Cherry and Kostas Barmpis and Shahandashti, {Siamak F.}",

note = "{\textcopyright} The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2025. This is an author-produced version of the published paper. Uploaded in accordance with the University{\textquoteright}s Research Publications and Open Access policy. ; 26th International Conference on Information and Communications Security, ICICS 2024 ; Conference date: 26-08-2024 Through 28-08-2024",

year = "2024",

month = aug,

day = "28",

doi = "10.1007/978-981-97-8801-9_12",

language = "English",

isbn = "9789819788002",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "233--252",

editor = "Sokratis Katsikas and Christos Xenakis and Costas Lambrinoudakis and Christos Kalloniatis",

booktitle = "Information and Communications Security",

address = "Germany",

}

Cherry, A, Barmpis, K & Shahandashti, SF 2024, The Emperor is Now Clothed: A Secure Governance Framework for Web User Authentication through Password Managers. in S Katsikas, C Xenakis, C Lambrinoudakis & C Kalloniatis (eds), Information and Communications Security: 26th International Conference, ICICS 2024. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 15057 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 233-252, 26th International Conference on Information and Communications Security, ICICS 2024, Mytilene, Greece, 26/08/24. https://doi.org/10.1007/978-981-97-8801-9_12

The Emperor is Now Clothed: A Secure Governance Framework for Web User Authentication through Password Managers. / Cherry, Ali; Barmpis, Kostas ; Shahandashti, Siamak F.
Information and Communications Security: 26th International Conference, ICICS 2024. ed. / Sokratis Katsikas; Christos Xenakis; Costas Lambrinoudakis; Christos Kalloniatis. Springer Science and Business Media Deutschland GmbH, 2024. p. 233-252 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 15057 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - The Emperor is Now Clothed

T2 - 26th International Conference on Information and Communications Security, ICICS 2024

AU - Cherry, Ali

AU - Barmpis, Kostas

AU - Shahandashti, Siamak F.

N1 - © The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2025. This is an author-produced version of the published paper. Uploaded in accordance with the University’s Research Publications and Open Access policy.

PY - 2024/8/28

Y1 - 2024/8/28

N2 - Existing approaches to facilitate the interaction between password managers and web applications fall short of providing adequate functionality and mitigation strategies against prominent attacks. HTML Autofill is not sufficiently expressive, Credential Management API does not support browser extension password managers, and other proposed solutions do not conform to established user mental models. In this paper, we propose Berytus, a browser-based governance framework that mediates the interaction between password managers and web applications. Two APIs are designed to support Berytus acting as an orchestrator between password managers and web applications. An implementation of the framework in Firefox is developed that fully supports registration and authentication processes. As an orchestrator, Berytus is able to authenticate web applications and facilitate authenticated key exchange between web applications and password managers, which as we show, can provide effective mitigation strategies against phishing, cross-site scripting, inline code injection (e.g., by a malicious browser extension), and TLS proxy in the middle attacks, whereas existing mitigation strategies such as Content Security Policy and credential tokenisation are only partially effective. The framework design also provides desirable functional properties such as support for multi-step, multi-factor, and custom authentication schemes. We provide a comprehensive security and functionality evaluation and discuss possible future directions.

AB - Existing approaches to facilitate the interaction between password managers and web applications fall short of providing adequate functionality and mitigation strategies against prominent attacks. HTML Autofill is not sufficiently expressive, Credential Management API does not support browser extension password managers, and other proposed solutions do not conform to established user mental models. In this paper, we propose Berytus, a browser-based governance framework that mediates the interaction between password managers and web applications. Two APIs are designed to support Berytus acting as an orchestrator between password managers and web applications. An implementation of the framework in Firefox is developed that fully supports registration and authentication processes. As an orchestrator, Berytus is able to authenticate web applications and facilitate authenticated key exchange between web applications and password managers, which as we show, can provide effective mitigation strategies against phishing, cross-site scripting, inline code injection (e.g., by a malicious browser extension), and TLS proxy in the middle attacks, whereas existing mitigation strategies such as Content Security Policy and credential tokenisation are only partially effective. The framework design also provides desirable functional properties such as support for multi-step, multi-factor, and custom authentication schemes. We provide a comprehensive security and functionality evaluation and discuss possible future directions.

KW - Password Managers

KW - Password Manager Security

KW - HTML Autofill

KW - User Authentication

KW - Web Authentication

UR - http://www.scopus.com/inward/record.url?scp=85215296914&partnerID=8YFLogxK

U2 - 10.1007/978-981-97-8801-9_12

DO - 10.1007/978-981-97-8801-9_12

M3 - Conference contribution

AN - SCOPUS:85215296914

SN - 9789819788002

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 233

EP - 252

BT - Information and Communications Security

A2 - Katsikas, Sokratis

A2 - Xenakis, Christos

A2 - Lambrinoudakis, Costas

A2 - Kalloniatis, Christos

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 26 August 2024 through 28 August 2024

ER -

Cherry A, Barmpis K , Shahandashti SF. The Emperor is Now Clothed: A Secure Governance Framework for Web User Authentication through Password Managers. In Katsikas S, Xenakis C, Lambrinoudakis C, Kalloniatis C, editors, Information and Communications Security: 26th International Conference, ICICS 2024. Springer Science and Business Media Deutschland GmbH. 2024. p. 233-252. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-981-97-8801-9_12

The Emperor is Now Clothed: A Secure Governance Framework for Web User Authentication through Password Managers

Abstract

Publication series

Conference

Bibliographical note

Keywords

Access to Document

Other files and links

Cite this