Abstract: The increasing scale of the Web gives rise to issues such as “password fatigue”, “phishing” and “brute force attack”, and brings great challenges to the currently dominant password-based web identity authentication mechanism. In this paper, we propose a new web identity authentication mechanism by introducing a module named “Trusted User Agent” in the authentication process, which is compatible with the current password-based mechanism. Specifically, the user account information is automatically generated, stored, and directly sent to the server of its destination website for authentication by its user agent. The server then authorizes the corresponding terminal after successful authentication. This forms a secure closed authentication loop. A system based on this mechanism has been developed on the platforms of Android, iOS, and Chrome. Analyses and user studies have proven that its security, usability, and deployablility are superior to the current password-based mechanism.

Key words: Web identity, Web identity authentication, Web identity management, trusted user agent, password fatigue, brute force attack, phishing

摘要： 当前网络身份认证过程中最常用的就是基于“用户名密码”的传统登录机制.然而，随着网络规模的急剧增加，单一用户拥有的网络身份数目也在急速增多，网络身份也面临着包括“密码疲劳”、“钓鱼”和“撞库”等在内的严重网络安全问题.因此如何安全且有效地创建并管理用户的网络身份成为当前网络发达的社会形态下一个非常具有价值的研究方向.提出了可信用户代理的概念，并以此为基础提出一种创新的、但兼容传统“用户名密码”机制的网络身份注册、登录认证及管理机制.其中，用户的网络身份信息由其用户代理自动创建、存储并直接发送至其目的网站服务器端进行认证，认证成功后授权给用户的上网终端.这样形成一个包含用户、用户代理、上网终端及服务器等多方的安全闭合的身份认证环路.用户无需记忆众多复杂的“用户名密码”，避免了“密码疲劳”；自动随机生成不同的复杂账号和密码可以规避被“撞库”的风险；无需在上网终端输入身份信息，大大降低网络身份信息被钓鱼网站窃取的风险，从而实现了既安全又方便地使用和管理网络身份的目标.在Android，iOS，Chrome平台上开发了名为“登录易”的实用系统，实现了该机制.理论分析及用户实测证明了其安全性、可用性及可部署性均优于传统机制，减少并尽量消除了目前互联网身份认证对“用户名密码”需要人工输入的依赖.

关键词: 网络身份, 网络身份认证, 网络身份管理, 可信用户代理, 密码疲劳, 撞库攻击, 钓鱼攻击