Improving Usable Authentication
This talk has a summary of the research (up to 2011) that my team has been doing in improving the usability of various forms of authentication. One
Published in: Technology

  • 1. Improving Usable Authentication – Jason Hong (©2009 Carnegie Mellon University)
  • 2. Problems with Passwords
    • People forget passwords
      – Special characters, length, change every 4 weeks => wasted time, helpdesk costs
      – NYTimes site: 100k readers forget password, 15% of “new” users are old
      – Beverage company: 30% help desk calls password-related, cost $900k / yr
  • 3. Problems with Passwords
    • People fall for phishing attacks
      – Estimated 0.4% of Internet users per year
      – Loss of corporate secrets, customer data, financial info
  • 4. Passwords Also Don’t Scale Up
    • Passwords good if you only have a few
    • But passwords aren’t scaling as devices and services become pervasive
      – Laptop, mobile phone, VPN, email (x2), Wii Fit, WiFi, ATM, PDFs, and dozens of web sites
  • 5. Coping Mechanisms Cause Problems
    • People cope by using weak passwords
      – RockYou: Top 20 passwords used in 2.6% of accounts
    • People cope by reusing passwords
      – Breach on social networking site means breach on your site too
      – Ex. HBGary CEO used same password for email, iPad, Twitter, LinkedIn
  • 6. (no text on slide)
  • 7. Past Work: Use Your Illusion
    • Problem:
      – Hard to remember passwords
      – Picture-based approaches are memorable but easy to guess
    • Solution:
      – Use blurred pictures to balance security with usability
      – User tests have shown high memorability and hard to guess
  • 8. Ongoing Research Projects
    • WebTicket
      – Cheap printable tokens for a reliable way to log in
    • Casual Authentication
      – Modulate level of authentication needed based on prior probability that it’s me
        • Ex. Probability of me in Brazil is very low
        • Ex. Probability of me at home is high
  • 9. WebTicket
    • Originated from discussion of elderly
      – Not only couldn’t remember password, couldn’t remember what web site to go to
    • Not trying to solve authentication for power users
      – Gaw and Felten found undergrads had 3.3 passwords for 7.8 accounts
      – In our diary study, people had 11.4 accounts and often reused passwords
  • 10. How WebTicket Works
    • Browser plug-in for creating new accounts
      – Strong passwords are assigned
      – Users do not know their passwords
    • Print out ticket
      – Ticket is encrypted to work only with specific computer(s)
      – QR code: URL, username, password
    • To login, show ticket to webcam
      – Can’t fall for phishing attacks
  • 11. Logging In with WebTicket
  • 12. WebTicket
    • Design:
      – Very cheap (paper + printer + webcam)
      – Compatible with existing systems
      – Easy to deploy
      – Easy to teach: treat it like a house key
    • Weaknesses:
      – Not meant for commonly used passwords
      – Tickets can get damaged or lost
      – Need to store main encryption key
  • 13. WebTicket
    • Surprises:
      – Our strong password generator only worked for 76% of web sites
      – Ex. some sites don’t allow symbols or certain symbols
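As an added illustration of slides 10 to 13 (not code from the WebTicket project): a ticket payload bound to one computer's key, a login step that only releases the credentials to the origin recorded in the ticket, and a password generator that can be told which symbols a site accepts. The 32-byte per-computer key, the HMAC-based encrypt-then-MAC used as a stdlib stand-in for AES-GCM, and all helper names are assumptions; rendering the bytes as a QR code is left out.

```python
import hashlib, hmac, json, os, secrets, string
from urllib.parse import urlsplit

# Constructed illustration: each computer holds its own random 32-byte key
# (slide 12's "main encryption key"). The HMAC-SHA256 counter-mode keystream
# plus encrypt-then-MAC below is a stdlib stand-in for a real AEAD (AES-GCM).

def make_password(length=16, allowed_symbols="!@#$%^&*"):
    """Random password; allowed_symbols adapts to sites that reject some symbols (slide 13)."""
    alphabet = string.ascii_letters + string.digits + allowed_symbols
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw),
                   not allowed_symbols or any(c in allowed_symbols for c in pw)]
        if all(classes):
            return pw

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal_ticket(key, url, username, password):
    """Encrypt URL+credentials so the ticket only works with the computer holding key."""
    plain = json.dumps({"url": url, "user": username, "pw": password}).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # this byte string is what the QR code would carry

def open_ticket(key, blob):
    """Decrypt a scanned ticket; fails for another computer's key or a damaged code."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket was not issued for this computer or is damaged")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def login_with_ticket(key, blob, current_page_url):
    """Slide 10: credentials are released only to the origin stored in the ticket."""
    ticket = open_ticket(key, blob)
    want, have = urlsplit(ticket["url"]), urlsplit(current_page_url)
    if (want.scheme, want.hostname) != (have.scheme, have.hostname):
        return None  # look-alike phishing page: nothing is typed in
    return ticket["user"], ticket["pw"]
```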
  • 14. WebTicket User Study
    • Two studies, 55 people total
      – Tested for phishing attacks in study #2
      – Two conditions: password and WebTicket
    • Experiment
      – Create a few accounts
      – Login to a few sites
      – Come back a week later, login again
  • 15. WebTicket Study Results
    • 1/4 of people using passwords could not login again a week later
      – Didn’t restrict what passwords people used
    • Login time for WebTicket slower at first, faster a week later
    • WebTicket perceived as easier and faster
    • Simulated phishing attack
      – All in password condition fell for it
      – 30% of people using WebTicket did (though data still encrypted)
  • 16. Ongoing and Future Work
    • Mobile phone version to scale up
      – A strong password manager
      – Can’t fall for phish too
  • 17. Ongoing Work
    • Can encode more data in the ticket
      – QR Codes can hold 3k of data
      – Ex. “Login only if in Cylab office or home”
      – Ex. “Login only if parents at home”
      – Ex. “Login only if between 5-8pm”
      – Ex. “Notify parents when you login”
      – Ex. Include face biometric data
    • Field deployment of WebTicket
  • 18. Casual Authentication
    • Observation:
      – Level of authentication needed is the same regardless of context
    • Idea:
      – Use commodity sensors + behavioral analysis to estimate prior probabilities (cheap multi-factor authentication)
      – Modulate level of authentication needed
        • In likely situations, make logins fast
        • In unlikely situations, make it reliable
  • 19. Example Scenarios
    • Scenario 1 – Mobile device
      – Prior probability of me being in my office is high, make authentication fast
      – Prior probability of me being in Brazil is low, so make authentication reliable
    • Scenario 2 – Home
      – Wake up in morning, go to computer
      – Weight sensor in chair, height sensor via Kinect, mobile device nearby
      – Use face recognition to login (fast)
  • 20. Example Passive Factors
    • Cheap, invisible, multi-factor
    • Examples for mobile scenario
      – Location
      – IP address
      – WiFi MAC address
      – Bluetooth / devices nearby (smartphone)
      – Tilt (how you hold device)
    • Examples for work/home scenario
      – Kinect for height and body shape
      – Weight sensors
      – Gait (how you walk)
  • 21. Example Active Factors
    • Passwords
    • Biometrics
    • Multiple secret questions
    • Email verification
  • 22. Examples of Location Context
    • Personal frequency to that place
      – Analysis of 20 people’s GPS locations
      – 66.2% of time spent at home
      – 20.2% – Work
      – 6.3% – Some third place
    • Where people login
      – Diary study of 20 people over 2 weeks
      – Home accounted for 59.2% of logins
      – Work accounted for 25.1% of logins
      – Public places, school, other: infrequent
  • 23. Examples of Location Context
    • Location entropy
      – Concept taken from ecology
      – Number of unique people seen in a place
      – Approximates public vs private
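An added, constructed example (not the talk's own code) of the casual-authentication idea on slides 18 to 23: location entropy and personal frequency are computed from a sample visit log, combined with made-up likelihood ratios for the other passive factors on slide 20 into a posterior probability that it is really the user, and that probability picks how much active authentication (slide 21) to demand. The visit log, the likelihood ratios, the thresholds and the function names are all assumptions.

```python
import math
from collections import Counter

# Constructed visit log (not data from the talk): (place, person observed there).
VISIT_LOG = [
    ("home", "me"), ("home", "me"), ("home", "me"), ("home", "me"),
    ("office", "me"), ("office", "me"), ("office", "me"), ("office", "bob"),
    ("cafe", "me"), ("cafe", "p1"), ("cafe", "p2"), ("cafe", "p3"), ("cafe", "p4"),
]
PLACES = sorted({place for place, _ in VISIT_LOG})

# Constructed likelihood ratios P(observation | me) / P(observation | someone else)
# for the other passive factors on slide 20; a deployment would learn these.
FACTOR_LR = {"wifi_mac_known": 8.0, "wifi_mac_unknown": 0.3,
             "phone_nearby": 6.0, "phone_absent": 0.4,
             "tilt_usual": 2.0, "tilt_unusual": 0.5}

def location_entropy(place, log=VISIT_LOG):
    """Slide 23: Shannon entropy (bits) over who is seen at a place; high = public."""
    counts = Counter(who for where, who in log if where == place)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def location_lr(user, place, log=VISIT_LOG):
    """Slide 22: P(place | user) / P(place | others), Laplace-smoothed from the log."""
    def share(rows):
        return (rows.count(place) + 1) / (len(rows) + len(PLACES))
    mine = [where for where, who in log if who == user]
    others = [where for where, who in log if who != user]
    return share(mine) / share(others)

def posterior_probability(user, place, factors, prior=0.5):
    """Naive-Bayes style: prior odds times the likelihood ratio of each passive factor."""
    odds = prior / (1 - prior) * location_lr(user, place)
    for factor in factors:
        odds *= FACTOR_LR[factor]
    return odds / (1 + odds)

def required_active_factor(user, place, factors, public_bits=1.5):
    """Slide 18: fast login when it is probably me, more reliable checks when it is not."""
    p = posterior_probability(user, place, factors)
    if p >= 0.99 and location_entropy(place) < public_bits:
        return "face recognition only"             # passive factors suffice
    if p >= 0.80:
        return "password"
    return "password + email verification"         # stack slide 21's active factors
```

A public place (high entropy) never drops below a password even when the other factors look right, matching the "unlikely situation, make it reliable" rule.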
  • 24. (no text on slide)
  • 25. Other Kinds of Location Info
    • Personal location info
      – Personal frequency
      – Mobility
    • Place info
      – Going beyond behavior analytics of people to include analytics of places
      – Churn – same people or different?
      – Transience – amount of time spent
      – Burst – Regularity of people seen
  • 26. Current Plan of Research
    • Systematically evaluate passive factors
    • Develop and evaluate threat models
    • Techniques for integrating prior probabilities
    • Develop and deploy prototypes
      – Mobile case
      – Work/Home
    • Evaluate security and usability
      – Ease of use, time to login
      – False accept rates, expert analysis
  • 27. Long-term Opportunities
    • Starting with casual authentication for devices
      – Could be extended in future to password managers as well
    • Could be part of trusted computing base in future
      – Custom chips for secure sensing
      – Support for server-side authentication too
  • 28. (no text on slide)
  • 29. Threat Model (Ideal)
    • 2×2 grid of attacker capability: Knowledge of User (Little / Lots) against Knowledge of security (Little / Lots)
    • Cell text as it survived extraction, in reading order (cell positions not recoverable): “No difference with regular authentication”; “No difference with regular authentication”; “Could possibly mimic passive factors, would also need active factors”; “?”
  • 30. Other Approaches
    • Two-factor authentication
      – Cost
      – Requires server support
    • Password managers
      – Can still fall for phishing
      – No guarantee of strong password
    • Biometrics
      – Marios’ talk next
      – False positives / false negatives
  • 31. Diary Study
  • 32. Diary Study
  • 33. Diary Study
    • Where people login
      Place          %
      Home           59.2%
      Office         25.1%
      Public place   6.9%
      School         6.2%
      Other          2.4%
  • 34. Our Diary Study of Passwords
    • 20 participants over 2 weeks
      – Had participants rank importance of account
      – 5 means very concerned if someone else could obtain access to an account