SSL/TLS session-aware user authentication revisited

Man-in-the-middle (MITM) attacks pose a serious threat to SSL/TLS-based e-commerce applications. In Oppliger R, Hauser R, Basin D [SSL/TLS session-aware user authentication – or how to effectively thwart the man-in-the-middle. Computer Communications August 2006;29(12):2238–46] and Oppliger R, Hauser R, Basin D [SSL/TLS session-aware user authentication. IEEE Computer March 2008;41(3) 59-65], we introduced the notion of SSL/TLS session-aware user authentication to protect SSL/TLS-based e-commerce applications against MITM attacks and we proposed an implementation based on impersonal authentication tokens. In this paper, we present a number of extensions of the basic idea. These include multi-institution tokens, possibilities for changing the PIN, and different ways of making several popular and widely deployed user authentication systems SSL/TLS session-aware.