Strengthening Password-Based Web Authentication Through Multiple Supplementary Mechanisms

Abstract
  • User authentication is one of the primary mechanisms that protects online accounts from break-in by attackers. Password-based authentication is currently the most widespread form of user authentication, but has many well-documented usability and security drawbacks. As an increasing number of consumer, financial, governmental, and other organizations move towards offering services online, users are burdened with creating and managing increasingly large portfolios of online accounts; this increased user burden exacerbates the drawbacks of password-based authentication. This thesis contributes to the reinforcement of password-based authentication by pursuing parallel mechanisms that improve security without further burdening users; this is a prominent avenue of improvement, given the continued dominance of password authentication. To that end, our contributions achieve three broad goals. First, we identify, develop, and evaluate device fingerprinting mechanisms for use alongside passwords, and offer guidance on their use, to enhance the security of password-based web authentication. Second, we expand on the concept of mimicry resistance, a dimension that has thus far been overlooked in the design and study of web authentication schemes. We develop a comprehensive methodology for evaluating the mimicry resistance of web authentication schemes and provide guidance on how to combine multiple schemes alongside password authentication to maximize the benefits gained. Third, we perform a comprehensive analysis and evaluation of a broad range of single sign-on (SSO) schemes, which reduce password fatigue by allowing users to access a multitude of online services through a single master password. We identify design properties of SSO schemes and develop an evaluation framework that highlights their benefits and drawbacks, revealing trade-offs between different designs. These three contributions encompass complementary approaches that can be used together to improve online security with minimal impact on usability.

Rights Notes
  • Copyright © 2018 the author(s). Theses may be used for non-commercial research, educational, or related academic purposes only. Such uses include personal study, research, scholarship, and teaching. Theses may only be shared by linking to Carleton University Institutional Repository and no part may be used without proper attribution to the author. No part may be used for commercial purposes directly or indirectly via a for-profit platform; no adaptation or derivative works are permitted without consent from the copyright owner.

Date Created
  • 2018
