Credential compromise is hard to detect and hard to mitigate. To address this problem, we present larch, an accountable authentication framework with strong security and privacy properties. Larch protects user privacy while ensuring that the larch log server correctly records every authentication. Specifically, an attacker who compromises a user's device cannot authenticate without creating evidence in the log, and the log cannot learn which web service (relying party) the user is authenticating to. To enable fast adoption, larch is backwards-compatible with relying parties that support FIDO2, TOTP, and password-based login. Furthermore, larch does not degrade the security and privacy a user already expects: the log server cannot authenticate on behalf of a user, and larch does not allow relying parties to link a user across accounts. We implement larch for FIDO2, TOTP, and password-based login. Given a client with four cores and a log server with eight cores, an authentication with larch takes 150ms for FIDO2, 91ms for TOTP, and 74ms for passwords (excluding preprocessing, which takes 1.23s for TOTP).