Computer Human Interaction: Mobility, Privacy, and Security, for Cylab Partners Meeting Sep2011

This talk was for the Cylab partners meeting in 2011. I gave an overview of research my colleagues and I are doing in streamlining authentication as well as understanding human behavior at large scales.

Slide notes: Images are from Paul Adam's talk
Slide 1: Computer Human Interaction: Mobility, Privacy, and Security
©2009 Carnegie Mellon University
Jason Hong
jasonh@cs.cmu.edu

Slide 2: Two Major Research Thrusts
• Streamlining Authentication
  – How to simplify and strengthen authentication using sensor data?
• Understanding Human Behavior at Large Scales
  – What can we infer about people and places based on lots of sensor data?

Slide 3: Too many passwords!!!

Slide 4: Problems with Passwords
• People forget passwords
• Susceptible to social engineering
• People re-use passwords
• Passwords tend to be weak in practice

Slide 5: WebTicket
• Cheap printable tokens for a reliable way to log in
• Browser plug-in for creating new accounts
  – Strong passwords are assigned
• Print out ticket
  – Ticket is encrypted to work only with specific computer(s)
  – QR code: URL, user name, password

Slide 6: Logging In with WebTicket

Slide 7: WebTicket
• Design:
  – Very cheap (paper + printer + webcam)
  – Compatible with existing systems
  – Easy to deploy
  – Easy to teach: treat it like a house key
• Weaknesses:
  – Not meant for commonly used passwords
  – Tickets can get damaged or lost
  – Need to store main encryption key
  – Scale (about 15 accounts on average)

Slide 8: WebTicket User Study
• Three studies, 59 people total
  – Study 1: Lab study
  – Study 2: Lab study (phishing too)
  – Study 3: Field trial
• Experiment
  – Two conditions: password and WebTicket
  – Create a few new accounts
  – Log in to a few sites
  – Come back a week later, log in again

Slide 9: WebTicket Study Results
• 1/4 of people using passwords could not log in again a week later
  – Didn't restrict what passwords people used
• Login time for WebTicket slower at first, faster a week later
• WebTicket perceived as easier and faster
• Simulated phishing attack
  – All in password condition fell for it
  – 30% of people using WebTicket did (though the ticket data was still encrypted)

Slide 10: Ongoing and Future Work
• Mobile phone version to scale up
  – A strong password manager
  – Cannot fall for phishing either

Slide 11: Ongoing Work
• Can encode about 3 KB of data in a QR code
  – Ex. "Login only if in Cylab office or home"
  – Ex. "Login only if between 5-8pm"
  – Ex. "Login only if parents at home"
  – Ex. "Notify parents when you login"
  – Ex. Include face biometric data
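The following is an added example, not code from the WebTicket plug-in, of the ticket life cycle described on slides 5, 9 and 11: a strong password is assigned at signup, the ticket payload (URL, user name, password) is sealed under a key that exists only on the user's own computer, and at login the credentials are released only if the ticket decrypts on this machine, the requesting site matches the ticket's origin (so a look-alike phishing page that scans the ticket gets nothing usable), and an embedded usage policy holds. The JSON payload layout, the policy keys `places` and `hours`, the origin comparison, and the cipher (HMAC-SHA256 in counter mode with encrypt-then-MAC, chosen so the script needs only the standard library; a deployment would use AES-GCM) are this example's assumptions. The actual QR encoding of the resulting string is not shown.

```python
"""Toy WebTicket issuer/redeemer (added example, not the CMU implementation).
Assumed payload: {"url", "user", "password", "policy"}; assumed policy keys:
"places" (allowed place names) and "hours" ([start, end) in 24h clock).
Cipher: HMAC-SHA256 counter-mode keystream + HMAC tag, standard library only."""
import base64
import hashlib
import hmac
import json
import os
import secrets
import string
from urllib.parse import urlsplit

NONCE_LEN, TAG_LEN = 16, 32


def random_password(length: int = 20) -> str:
    """Password chosen by the plug-in, so the user never has to memorise it."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _subkey(master: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the per-machine master key.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(master: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(master: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("malformed ticket")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # Wrong machine key or tampered ticket: nothing about the contents leaks.
        raise ValueError("ticket is not valid on this machine")
    ks = _keystream(_subkey(master, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def make_ticket(master: bytes, url: str, user: str, policy: dict = None):
    """Returns (password, ticket_text); ticket_text is what the QR code would carry."""
    password = random_password()
    payload = {"url": url, "user": user, "password": password, "policy": policy or {}}
    blob = seal(master, json.dumps(payload).encode())
    return password, base64.urlsafe_b64encode(blob).decode()


def _origin(url: str):
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port)


def redeem(master: bytes, ticket_text: str, current_url: str, hour: int, place: str):
    """Release (user, password) only on the issuing machine, at the genuine
    origin, and when the assumed usage policy is satisfied."""
    payload = json.loads(unseal(master, base64.urlsafe_b64decode(ticket_text)))
    if _origin(payload["url"]) != _origin(current_url):
        raise ValueError("origin mismatch: not releasing credentials (possible phish)")
    policy = payload["policy"]
    if "places" in policy and place not in policy["places"]:
        raise ValueError("policy: login not allowed from this place")
    if "hours" in policy:
        start, end = policy["hours"]
        if not start <= hour < end:
            raise ValueError("policy: login not allowed at this hour")
    return payload["user"], payload["password"]


def can_redeem(master, ticket_text, current_url, hour, place) -> bool:
    try:
        redeem(master, ticket_text, current_url, hour, place)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    machine_key = os.urandom(32)  # lives only on this computer
    pw, ticket = make_ticket(machine_key, "https://bank.example/login", "alice",
                             {"places": ["cylab", "home"], "hours": [17, 20]})
    print(redeem(machine_key, ticket, "https://bank.example/login", 18, "home"))
    print(can_redeem(os.urandom(32), ticket, "https://bank.example/login", 18, "home"))
    print(can_redeem(machine_key, ticket, "https://bank-example.evil/login", 18, "home"))
```

The second and third prints are both `False`: a ticket scanned on a different machine fails the tag check, and one scanned at a look-alike origin decrypts but is refused before any credential is released. The main key that slide 7 lists as a weakness is `machine_key` here; if it is copied, the tickets go with it.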
Slide 12: Casual Authentication
• Use commodity sensors + behavioral models for cheap, passive, multi-factor authentication
• Modulate level of authentication needed
  – In likely situations, make logins fast
  – In unlikely situations, make it reliable

Slide 13: Example Scenarios
• Scenario 1 – Mobile device
  – If the likelihood of being in the office is high, make login fast
  – If in Brazil, make login reliable
  – Signals: location, IP address, WiFi MAC, Bluetooth devices nearby, tilt
• Scenario 2 – Home
  – Wake up in morning, go to computer
  – Signals: weight sensor in chair, height sensor via Kinect, mobile devices nearby
  – Use face recognition to log in (fast)

Slide 14: Casual Authentication
• Location as a passive factor
  – (a) Diary study with 20 people
  – (b) Location traces of 30 people
Figures: (a) Where people log in (Hayashi and Hong, CHI 2011); (b) Where people spend time (Amini et al, Mobisys 2011)

Slide 15: Characterizing Places
• Location entropy
  – Concept taken from ecology
  – Number of unique people seen in a place
  – Approximates public vs private
• Locaccino data
  – 489 participants
  – 2.8m location sightings

Slide 16: (figure only)

Slide 17: Using Location Data
• Characterizing individuals
  – Personal frequency
  – Personal mobility pattern
• Characterizing places
  – Entropy: number of unique people
  – Churn: same people or different
  – Transience: amount of time spent
  – Burst: regularity of people seen
• Building models of people and places

Slide 18: Ongoing Work
• Evaluating passive factors
• Developing threat models
  – How well the person knows you
  – How skilled a hacker they are
• Developing prototypes
  – Mobile case
  – Work/Home
• Evaluating security and usability
  – Ease of use, time to login
  – False accept rates, expert analysis
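The following is an added example, not the Locaccino analysis code, that ties slides 12 to 17 together: it computes place characteristics (entropy, churn and dwell as the inverse of transience; burst is omitted) and per-user personal frequency from a set of location sightings, then uses them to decide how much authentication a login attempt should demand. The sightings are constructed, and the exact metric definitions and the `familiar` and `private_bits` thresholds in `auth_level` are this example's assumptions chosen to match the slides' intent.

```python
"""Casual authentication from place and person models (added example).
Sightings are constructed; metric definitions and thresholds are assumptions."""
from collections import Counter, defaultdict
from math import log2

# Constructed data: (user, place, day, hour).  Alice and Bob work in the office
# every day, Alice spends evenings at home, and a cafe sees a different stranger
# every day plus one visit from Alice.
SIGHTINGS = []
for day in range(1, 6):
    for hour in range(9, 17):
        SIGHTINGS.append(("alice", "office", day, hour))
        SIGHTINGS.append(("bob", "office", day, hour))
    for hour in range(19, 23):
        SIGHTINGS.append(("alice", "home_a", day, hour))
SIGHTINGS.append(("alice", "cafe", 3, 13))
for day, stranger in enumerate(["carol", "dan", "eve", "frank", "grace"], start=1):
    SIGHTINGS.append((stranger, "cafe", day, 12))


def entropy_bits(counts) -> float:
    """Shannon entropy of who is seen at a place: 0 = one person, higher = more public."""
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values() if c)


def characterize_places(sightings):
    by_place = defaultdict(list)
    for user, place, day, _ in sightings:
        by_place[place].append((user, day))
    days = [d for _, _, d, _ in sightings]
    mid = (min(days) + max(days)) / 2
    out = {}
    for place, rows in by_place.items():
        users = Counter(u for u, _ in rows)
        early = {u for u, d in rows if d <= mid}
        late = {u for u, d in rows if d > mid}
        union = early | late
        # churn: 1 - Jaccard overlap of the people seen in the two halves of the trace
        churn = 1 - len(early & late) / len(union) if union else 0.0
        # dwell: mean sightings per person-day at the place (low dwell = transient)
        visits = Counter(rows)
        dwell = sum(visits.values()) / len(visits)
        out[place] = {"unique": len(users), "entropy": round(entropy_bits(users), 3),
                      "churn": round(churn, 3), "dwell": round(dwell, 3)}
    return out


def personal_frequency(sightings):
    """user -> {place: fraction of that user's sightings at the place}."""
    per_user = defaultdict(Counter)
    for user, place, _, _ in sightings:
        per_user[user][place] += 1
    return {u: {p: n / sum(c.values()) for p, n in c.items()} for u, c in per_user.items()}


def auth_level(user, place, freq, places, familiar=0.2, private_bits=1.5) -> str:
    """'fast' (e.g. face recognition) in a familiar, private place; 'reliable'
    (password plus a second factor) somewhere the user has never been seen;
    'normal' (password) otherwise.  Thresholds are assumptions."""
    fam = freq.get(user, {}).get(place, 0.0)
    if fam == 0.0:
        return "reliable"
    if fam >= familiar and places[place]["entropy"] <= private_bits:
        return "fast"
    return "normal"


if __name__ == "__main__":
    places = characterize_places(SIGHTINGS)
    freq = personal_frequency(SIGHTINGS)
    for p, m in places.items():
        print(p, m)
    for who, where in [("alice", "office"), ("alice", "cafe"), ("eve", "office"), ("alice", "airport")]:
        print(who, where, auth_level(who, where, freq, places))
```

On the constructed data the office scores 1.0 bit of entropy with zero churn and a dwell of 8 sightings per person-day, the cafe about 2.585 bits with churn 1.0 and dwell 1.0, so Alice gets a fast login at the office and at home, a normal login at the cafe she visited once, and a reliable login anywhere she has never been seen. The threat models on slide 18 matter here: an attacker who knows the victim well can reproduce the "likely situation" (same office, same devices nearby), which is why the fast path should still carry some active factor rather than none.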
Slide 19: Understanding Human Behavior at Very Large Scales
• Capabilities of today's mobile devices
  – Location, sound, proximity, motion
  – Call logs, SMS logs, pictures
• We can now analyze real-world social networks and human behaviors at unprecedented fidelity and scale

Slide 20: (placeholder slide)
• Insert graph here
• Describe entropy

Slide 21: Entropy Related to Location Privacy

Slide 22: Results of Location Analysis
• Entropy related to location privacy
  – Fewer concerns in "public" places (Toch et al, Ubicomp 2010)
• Can predict Facebook friendships based on co-location patterns
  – Not just frequency, but also where
  – 92% accuracy (Cranshaw et al, Ubicomp 2010)
• Can predict number of friends based on mobility patterns
  – Go out often and to high-entropy places
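The following is an added example, not the classifier from Cranshaw et al., of the "not just frequency, but also where" point on slide 22: each co-located time slot is weighted by how private the place is, using 2^-entropy (one over the effective number of people who frequent the place) as the weight. With that weighting, two hours shared in a home nobody else visits outrank ten hours shared in a busy office. The sightings and the weighting rule are this example's assumptions.

```python
"""Entropy-weighted co-location as a friendship signal (added example).
Sightings are constructed; the 2**-entropy weight is an assumption."""
from collections import Counter, defaultdict
from itertools import combinations
from math import log2

# Constructed data: (user, place, slot).  Alice and Bob share ten slots in an
# office that also sees two different strangers each slot; Alice and Carol share
# two slots at a home nobody else visits.
SIGHTINGS = []
for slot in range(10):
    SIGHTINGS += [("alice", "office", slot), ("bob", "office", slot),
                  (f"s{slot}a", "office", slot), (f"s{slot}b", "office", slot)]
for slot in (100, 101):
    SIGHTINGS += [("alice", "home", slot), ("carol", "home", slot)]


def place_entropy(sightings):
    """place -> Shannon entropy (bits) of the people seen there."""
    counts = defaultdict(Counter)
    for user, place, _ in sightings:
        counts[place][user] += 1
    ent = {}
    for place, c in counts.items():
        total = sum(c.values())
        ent[place] = -sum(n / total * log2(n / total) for n in c.values())
    return ent


def colocation_scores(sightings):
    """Returns (raw, weighted): pair -> number of co-located slots, and the same
    sum with each slot weighted by 2**-entropy(place)."""
    ent = place_entropy(sightings)
    present = defaultdict(set)
    for user, place, slot in sightings:
        present[(place, slot)].add(user)
    raw, weighted = Counter(), Counter()
    for (place, _), users in present.items():
        for pair in combinations(sorted(users), 2):
            raw[pair] += 1
            weighted[pair] += 2 ** -ent[place]
    return raw, weighted


def rank_contacts(user, sightings):
    """Other users ordered by entropy-weighted co-location with `user`."""
    _, weighted = colocation_scores(sightings)
    scores = {(a if b == user else b): w for (a, b), w in weighted.items() if user in (a, b)}
    return sorted(scores, key=scores.get, reverse=True)


if __name__ == "__main__":
    raw, weighted = colocation_scores(SIGHTINGS)
    print("raw:", raw[("alice", "bob")], raw[("alice", "carol")])
    print("weighted:", round(weighted[("alice", "bob")], 3), round(weighted[("alice", "carol")], 3))
    print(rank_contacts("alice", SIGHTINGS)[:2])
```

Raw counts rank Bob (10 shared slots) far above Carol (2), but the office has about 3.66 bits of entropy (roughly 12.6 effective people), so the weighted score for Bob is about 0.79 while Carol's is 1.0, and `rank_contacts("alice", ...)` lists Carol first. The same weighting is why slide 22's last bullet ("go out often and to high-entropy places") is a feature of mobility rather than of friendship: being seen in public places says little about whom you are close to.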
Slide 23: Augmented Social Graph (figure)

Slide 24: Augmented Social Graph (figure)

Slide 25: Augmented Social Graph
• Online social network information + smartphone communication
  – Infer tie strength, roles, groups

Slide 26: Potential Scenarios
• Secure invitations
  – Who is this person friending me?
  – How do my friends know her?
• Communication triage
• Configuration of privacy policies
  – Tie strength strongly correlated with what personal info people are willing to share (Wiese et al, Ubicomp 2011)
  – Communication and co-location can be used to predict tie strength
• Depression / Leadership

Slide 27: Summary
• WebTicket
  – Printable tokens to log in
• Casual authentication
  – Use sensor data and models to characterize people and places
  – Modulate level of authentication based on situation
• Understanding behavior at large scales
  – Opportunity to instrument the world
  – Augmented social graph