Accountable Authentication with Privacy Protection: The Larch System for Universal Login
Emma Dauterman, Danny Lin, Henry Corrigan-Gibbs, and David Mazières
Abstract
Credential compromise is hard to detect and hard to mitigate. To address this problem, we present larch, an accountable authentication framework with strong security and privacy properties. Larch protects user privacy while ensuring that the larch log server correctly records every authentication. Specifically, an attacker who compromises a user's device cannot authenticate without creating evidence in the log, and the log cannot learn which web service (relying party) the user is authenticating to. To enable fast adoption, larch is backwards-compatible with relying parties that support FIDO2, TOTP, and password-based login. Furthermore, larch does not degrade the security and privacy a user already expects: the log server cannot authenticate on behalf of a user, and larch does not allow relying parties to link a user across accounts. We implement larch for FIDO2, TOTP, and password-based login. Given a client with four cores and a log server with eight cores, an authentication with larch takes 150ms for FIDO2, 91ms for TOTP, and 74ms for passwords (excluding preprocessing, which takes 1.23s for TOTP).