Strengthening Network Security with Decoy-Based Authentication

Coach Name

Jordi Bosch i Garcia

EU Organization

KU Leuven University (Belgium)

Members

  • Mathy Vanhoef

US Organization

AltaLabs (SoundVision Technologies, USA)

Members

  • Jeff Hansen

Project Overview

DecoyAuth introduces a breakthrough in network authentication by integrating decoy passwords into secure login systems. The project developed a zero-knowledge authentication protocol that supports multiple simultaneous passwords or tokens — a design that enhances both usability and security.

In this system, decoy passwords act as reverse honeypots: if a stolen or leaked password is used, it immediately signals a potential security breach. Beyond its security benefits, DecoyAuth allows for fine-grained user management — enabling each user or device in a Wi-Fi network to have a unique password without compromising performance or privacy.

Through collaboration between KU Leuven and AltaLabs, DecoyAuth bridges academic innovation and industry practice, setting a new benchmark for privacy-preserving and decentralized authentication in wireless networks.

Methods and Approaches

Protocol Design and Cryptographic Innovation

DecoyAuth extends the Dragonfly zero-knowledge protocol to accept multiple real and decoy authentication tokens. The project implemented and optimized the design in both Python and C, achieving support for over 50 simultaneous passwords with minimal computational overhead.
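
The access-point side of the idea described above (several passwords valid at once, some of them decoys that signal a leak), as an added Python example that is not the DecoyAuth code. It assumes a plain HMAC challenge-response in place of the Dragonfly-based exchange; the credential table, function names and the reject-on-decoy policy are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed sample table (hypothetical): label -> (password, is_decoy).
CREDENTIALS = {
    "laptop-alice": ("correct-horse-battery", False),
    "thermostat": ("iot-device-7731", False),
    "decoy-wiki": ("Guest2024!", True),  # planted where a thief would look
}

def derive_key(password: str, ssid: str) -> bytes:
    """Stretch a password into a MAC key, salted with the network name."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), ssid.encode(), 1000)

def client_proof(password: str, ssid: str, ap_nonce: bytes, sta_nonce: bytes) -> bytes:
    """Stand-in for the real handshake: MAC over both nonces (assumption, not SAE)."""
    return hmac.new(derive_key(password, ssid), ap_nonce + sta_nonce, hashlib.sha256).digest()

def identify(ssid, ap_nonce, sta_nonce, proof, credentials=CREDENTIALS):
    """Return (label, is_decoy) for the password behind `proof`, or None."""
    match = None
    # The client never says which password it holds, so every entry is tried.
    for label, (password, is_decoy) in credentials.items():
        expected = client_proof(password, ssid, ap_nonce, sta_nonce)
        if hmac.compare_digest(expected, proof) and match is None:
            match = (label, is_decoy)
    return match

def authenticate(ssid, ap_nonce, sta_nonce, proof, alerts):
    """Accept real passwords; a decoy match is rejected and recorded as an alert."""
    match = identify(ssid, ap_nonce, sta_nonce, proof)
    if match is None:
        return "reject"
    label, is_decoy = match
    if is_decoy:
        alerts.append(f"decoy credential {label!r} used: treat as a leak")
        return "reject-and-alert"
    return f"accept:{label}"

if __name__ == "__main__":
    ssid, alerts = "lab-net", []
    ap_nonce, sta_nonce = os.urandom(16), os.urandom(16)
    for pw in ("iot-device-7731", "Guest2024!", "not-a-password"):
        proof = client_proof(pw, ssid, ap_nonce, sta_nonce)
        print(pw, "->", authenticate(ssid, ap_nonce, sta_nonce, proof, alerts))
    print(alerts)
```

Because the matching entry is known on success, the same lookup gives per-device attribution and lets one device's password be revoked without touching the others.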

Real-World Integration and Standardization

The protocol was successfully integrated into Linux’s open-source Wi-Fi stack (wpa_supplicant and hostapd) and presented to the Wi-Fi Alliance and academic experts at the PAKE’25 Workshop. This ensures both technical feasibility and alignment with future IETF/IEEE standardization efforts.

Key Achievements

Zero-Knowledge Protocol Design

Designed a zero-knowledge protocol that integrates decoy and real authentication tokens.

Open-Source Implementation

Published an open-source reference implementation in both Python and C.

Wi-Fi Integration

Integrated DecoyAuth into Wi-Fi authentication protocols, demonstrating end-to-end functionality.

Technical Whitepaper Release

Released a detailed whitepaper on protocol design and Wi-Fi integration.

Scientific & Industry Validation

Presented at the PAKE’25 Workshop (Luxembourg) and the Wi-Fi Alliance Meeting (USA) for expert and industry validation.

Public Repository Launch

Established a public GitHub repository to share code, documentation, and benchmarking data.

Impact & Results

Cybersecurity Impact

DecoyAuth delivers a new layer of cybersecurity for authentication systems by detecting credential misuse before it causes damage. Its dual-password system provides both proactive breach detection and user-based network control, making it highly valuable for enterprise and IoT environments.

Scientific & Societal Impact

The project’s scientific impact lies in advancing zero-knowledge cryptography and informing ongoing standardization in Wi-Fi security. On a societal level, it supports a safer, more resilient digital ecosystem aligned with NGI’s mission for a trustworthy Internet.

Publications and Open-Source Contributions

  • Academic presentation: “Supporting Multiple Passwords in WPA3: Use Cases and Initial Proposals”, PAKE’25 Workshop, Luxembourg
  • Industry presentation: Wi-Fi Alliance Meeting, March 2025
  • Open-source integrations with:

Future Directions

KU Leuven and AltaLabs plan to continue collaboration on standardizing DecoyAuth within the IEEE 802.11 ecosystem and further optimizing the protocol for large-scale deployment. The team aims to secure new EU–US funding to expand testing and adoption in enterprise and IoT networks.

Horizon Europe – Grant Agreement number 101092887

Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or European Union’s Horizon Europe research and innovation programme. Neither the European Union nor the granting authority can be held responsible for them.