Improving Usable Authentication
This talk has a summary of the research (up to 2011) that my team has been doing in improving the usability of various forms of authentication. One

Presentation Transcript

Slide 1: Improving Usable Authentication (Jason Hong, ©2009 Carnegie Mellon University)

Slide 2: Problems with Passwords
  • People forget passwords
    – Special characters, length, change every 4 weeks => wasted time, help desk costs
    – NYTimes site: 100k readers forgot their password; 15% of "new" users are old ones
    – Beverage company: 30% of help desk calls password-related, cost $900k / yr

Slide 3: Problems with Passwords
  • People fall for phishing attacks
    – Estimated 0.4% of Internet users per year
    – Loss of corporate secrets, customer data, financial info

Slide 4: Passwords Also Don't Scale Up
  • Passwords are fine if you only have a few
  • But passwords aren't scaling as devices and services become pervasive
    – Laptop, mobile phone, VPN, email (x2), Wii Fit, WiFi, ATM, PDFs, and dozens of web sites

Slide 5: Coping Mechanisms Cause Problems
  • People cope by using weak passwords
    – RockYou: the top 20 passwords covered 2.6% of accounts
  • People cope by reusing passwords
    – A breach on a social networking site means a breach on your site too
    – Ex. HBGary CEO used the same password for email, iPad, Twitter, LinkedIn

Slide 6: (no transcript text)

Slide 7: Past Work: Use Your Illusion
  • Problem:
    – Hard to remember passwords
    – Picture-based approaches are memorable but easy to guess
  • Solution:
    – Use blurred pictures to balance security with usability
    – User tests showed high memorability and low guessability

Slide 8: Ongoing Research Projects
  • WebTicket
    – Cheap printable tokens for a reliable way to log in
  • Casual Authentication
    – Modulate the level of authentication needed based on the prior probability that it's me
      • Ex. Probability of me being in Brazil is very low
      • Ex. Probability of me being at home is high

Slide 9: WebTicket
  • Originated from a discussion of the elderly
    – Not only couldn't remember their password, couldn't remember what web site to go to
  • Not trying to solve authentication for power users
    – Gaw and Felten found undergrads had 3.3 passwords for 7.8 accounts
    – In our diary study, people had 11.4 accounts and often reused passwords

Slide 10: How WebTicket Works
  • Browser plug-in for creating new accounts
    – Strong passwords are assigned
    – Users do not know their passwords
  • Print out a ticket
    – Ticket is encrypted to work only with specific computer(s)
    – QR code holds URL, username, password
  • To log in, show the ticket to the webcam
    – Can't fall for phishing attacks

Slide 11: Logging In with WebTicket (image only)

Slide 12: WebTicket
  • Design:
    – Very cheap (paper + printer + webcam)
    – Compatible with existing systems
    – Easy to deploy
    – Easy to teach: treat it like a house key
  • Weaknesses:
    – Not meant for commonly used passwords
    – Tickets can get damaged or lost
    – Need to store the main encryption key

Slide 13: WebTicket
  • Surprises:
    – Our strong password generator only worked for 76% of web sites
    – Ex. some sites don't allow symbols, or disallow certain symbols

Slide 14: WebTicket User Study
  • Two studies, 55 people total
    – Tested for phishing attacks in study #2
    – Two conditions: password and WebTicket
  • Experiment
    – Create a few accounts
    – Log in to a few sites
    – Come back a week later, log in again

Slide 15: WebTicket Study Results
  • 1/4 of people using passwords could not log in again a week later
    – Didn't restrict what passwords people could use
  • Login time for WebTicket slower at first, faster a week later
  • WebTicket perceived as easier and faster
  • Simulated phishing attack
    – Everyone in the password condition fell for it
    – 30% of people using WebTicket did (though the data they exposed was still encrypted)
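How the ticket described on slides 10 to 15 can be built and consumed, as an added Python example (it is not the CMU plug-in's code): a policy-aware password generator (the fix for the slide 13 surprise), a ticket sealed to one machine's key, and a login step that releases the credentials only to the origin recorded in the ticket, which is the property behind "can't fall for phishing". The HMAC-SHA256 counter-mode cipher is a standard-library stand-in for a real AEAD such as AES-GCM; SitePolicy, the JSON ticket layout, the function names and the sample site are assumptions made for this example.

```python
import hashlib
import hmac
import json
import os
import secrets
import string
from dataclasses import dataclass
from urllib.parse import urlsplit

# Added illustration of the WebTicket flow on slides 10-15, not the CMU plug-in's
# code. SitePolicy, the ticket layout and the HMAC-based cipher are assumptions;
# a real deployment would use an AEAD such as AES-GCM from a crypto library.


@dataclass(frozen=True)
class SitePolicy:
    """Password rules a site enforces. Slide 13: some sites reject symbols, which
    broke the generator on ~24% of sites, so the symbol set is a parameter here."""
    min_len: int = 12
    max_len: int = 64
    allowed_symbols: str = string.punctuation  # "" for sites that forbid symbols


def generate_password(policy: SitePolicy, length: int = 20) -> str:
    """Random password that fits the site's policy; the user never sees it."""
    length = max(policy.min_len, min(length, policy.max_len))
    alphabet = string.ascii_letters + string.digits + policy.allowed_symbols
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        ok = any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)
        if policy.allowed_symbols:  # demand a symbol only where the site allows one
            ok = ok and any(c in policy.allowed_symbols for c in pw)
        if ok:
            return pw


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: stdlib stand-in for a real stream cipher."""
    out = bytearray()
    for counter in range((n + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:n])


def seal_ticket(machine_key: bytes, url: str, username: str, password: str) -> bytes:
    """Encrypt the ticket payload (what goes into the QR code) so it only opens on
    a computer holding machine_key. Encrypt-then-MAC with separate derived keys."""
    enc_key = hashlib.sha256(b"webticket-enc" + machine_key).digest()
    mac_key = hashlib.sha256(b"webticket-mac" + machine_key).digest()
    nonce = os.urandom(16)
    payload = json.dumps({"url": url, "user": username, "pw": password}).encode()
    body = bytes(a ^ b for a, b in zip(payload, _keystream(enc_key, nonce, len(payload))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def open_ticket(machine_key: bytes, blob: bytes) -> dict:
    """Inverse of seal_ticket. Raises ValueError for a ticket sealed for another
    machine or one that was damaged or altered (tag is checked before decrypting)."""
    if len(blob) < 16 + 32:
        raise ValueError("ticket too short")
    enc_key = hashlib.sha256(b"webticket-enc" + machine_key).digest()
    mac_key = hashlib.sha256(b"webticket-mac" + machine_key).digest()
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ticket is not valid on this machine (or is damaged)")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body)))))


def origin(url: str) -> tuple:
    """(scheme, host, port) with default ports filled in."""
    s = urlsplit(url)
    scheme = s.scheme.lower()
    port = s.port or {"https": 443, "http": 80}.get(scheme)
    return (scheme, (s.hostname or "").lower(), port)


def login_with_ticket(machine_key: bytes, blob: bytes, current_page_url: str) -> dict:
    """What the plug-in does after the webcam reads a ticket: decrypt it and release
    the credentials only to the origin stored in the ticket. A look-alike site at
    another host never receives the password, and on a stranger's computer the
    ticket does not decrypt at all."""
    ticket = open_ticket(machine_key, blob)
    if origin(current_page_url) != origin(ticket["url"]):
        raise ValueError("current page is not the site on the ticket; refusing to log in")
    return {"url": ticket["url"], "username": ticket["user"], "password": ticket["pw"]}


if __name__ == "__main__":
    machine_key = os.urandom(32)  # would live in the plug-in's key store (slide 12)
    pw = generate_password(SitePolicy(allowed_symbols=""), 16)  # site that bans symbols
    blob = seal_ticket(machine_key, "https://bank.example/login", "alice", pw)
    print(login_with_ticket(machine_key, blob, "https://bank.example/login?next=/")["username"])
```

The origin check is the phishing defence: the ticket tells the browser where to go, so the user never types a URL, and the credentials are only ever submitted to that scheme/host/port. The machine binding is what keeps a lost or photographed ticket from being usable elsewhere, which also means the machine key on slide 12 is the one secret that still has to be protected.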
Slide 16: Ongoing and Future Work
  • Mobile phone version to scale up
    – A strong password manager
    – Can't fall for phishing either

Slide 17: Ongoing Work
  • Can encode more data in the ticket
    – QR codes can hold about 3k of data
    – Ex. "Login only if in CyLab office or home"
    – Ex. "Login only if parents at home"
    – Ex. "Login only if between 5-8pm"
    – Ex. "Notify parents when you login"
    – Ex. Include face biometric data
  • Field deployment of WebTicket

Slide 18: Casual Authentication
  • Observation:
    – Today the level of authentication needed is the same regardless of context
  • Idea:
    – Use commodity sensors + behavioral analysis to estimate prior probabilities (cheap multi-factor authentication)
    – Modulate the level of authentication needed
      • In likely situations, make logins fast
      • In unlikely situations, make them reliable

Slide 19: Example Scenarios
  • Scenario 1 – Mobile device
    – Prior probability of me being in my office is high, so make authentication fast
    – Prior probability of me being in Brazil is low, so make authentication reliable
  • Scenario 2 – Home
    – Wake up in the morning, go to the computer
    – Weight sensor in chair, height sensor via Kinect, mobile device nearby
    – Use face recognition to log in (fast)

Slide 20: Example Passive Factors
  • Cheap, invisible, multi-factor
  • Examples for the mobile scenario
    – Location
    – IP address
    – WiFi MAC address
    – Bluetooth / devices nearby (smartphone)
    – Tilt (how you hold the device)
  • Examples for the work/home scenario
    – Kinect for height and body shape
    – Weight sensors
    – Gait (how you walk)

Slide 21: Example Active Factors
  • Passwords
  • Biometrics
  • Multiple secret questions
  • Email verification
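The decision that slides 18 to 21 describe, combining cheap passive factors into a probability that the person at the device is its owner and then choosing how much active authentication to demand, as an added Python example (not the CMU prototype). The conditional probabilities, the "stranger" model, the prior and the four tiers are assumptions chosen for the example; place_freq reuses the slide 22 time-at-home/work/third-place figures as constructed sample data, and all names are hypothetical.

```python
import math
from dataclasses import dataclass, field

# Added illustration of "casual authentication" (slides 18-21), not the CMU
# prototype. The factor model, conditional probabilities and tier thresholds are
# assumptions; a real system would fit them from the owner's history and from
# measured false-accept rates.


@dataclass
class OwnerProfile:
    """What the device has learned about its owner (constructed sample data).
    place_freq uses the slide-22 figures: share of time at home, work and a third
    place; whatever is left over is 'somewhere unknown'."""
    place_freq: dict = field(default_factory=lambda: {"home": 0.662, "work": 0.202, "cafe": 0.063})
    known_wifi: set = field(default_factory=lambda: {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"})
    companion_devices: set = field(default_factory=lambda: {"owner-phone", "owner-watch"})
    prior_owner: float = 0.9  # assumed: most sessions on this device are the owner's


@dataclass(frozen=True)
class PassiveObservation:
    """Cheap, invisible factors read at login time (slide 20)."""
    place: str                 # coarse location label from GPS / IP
    wifi_bssid: str            # MAC address of the connected access point
    devices_nearby: frozenset  # Bluetooth names seen


def likelihood_ratios(profile: OwnerProfile, obs: PassiveObservation) -> dict:
    """P(factor | owner) / P(factor | someone else), one entry per factor.
    Assumed stranger model: 90% at an unknown place, 10% spread over the owner's places."""
    known = profile.place_freq
    if obs.place in known:
        p_owner, p_other = known[obs.place], 0.1 / len(known)
    else:
        p_owner, p_other = max(1.0 - sum(known.values()), 0.01), 0.9
    lr = {"place": p_owner / p_other}
    wifi_known = obs.wifi_bssid in profile.known_wifi
    lr["wifi"] = (0.8 / 0.05) if wifi_known else (0.2 / 0.95)
    companion = bool(obs.devices_nearby & profile.companion_devices)
    lr["bluetooth"] = (0.7 / 0.02) if companion else (0.3 / 0.98)
    return lr


def posterior_owner(profile: OwnerProfile, obs: PassiveObservation) -> float:
    """Naive-Bayes combination in log-odds (factors treated as independent)."""
    log_odds = math.log(profile.prior_owner / (1.0 - profile.prior_owner))
    log_odds += sum(math.log(v) for v in likelihood_ratios(profile, obs).values())
    return 1.0 / (1.0 + math.exp(-log_odds))


# (minimum posterior, active factors to demand); thresholds are assumptions.
# Someone who knows the user well can mimic passive factors (slide 29), which is
# why every tier below the first still requires an active factor.
TIERS = [
    (0.999, "none: passive factors suffice"),
    (0.99, "fast: face recognition or PIN"),
    (0.9, "password"),
    (0.0, "password + email verification"),
]


def required_authentication(p: float) -> str:
    for threshold, tier in TIERS:
        if p >= threshold:
            return tier
    return TIERS[-1][1]


def decide(profile: OwnerProfile, obs: PassiveObservation) -> tuple:
    """Return (posterior probability it's the owner, authentication tier to use)."""
    p = posterior_owner(profile, obs)
    return p, required_authentication(p)


if __name__ == "__main__":
    me = OwnerProfile()
    at_home = PassiveObservation("home", "aa:bb:cc:dd:ee:01", frozenset({"owner-watch"}))
    in_brazil = PassiveObservation("sao-paulo", "ff:ff:ff:ff:ff:ff", frozenset())
    for obs in (at_home, in_brazil):
        p, tier = decide(me, obs)
        print(f"{obs.place:10s} P(owner)={p:.4f} -> {tier}")
```

Working in log-odds keeps the product of many likelihood ratios from underflowing and makes it easy to see which factor moved the decision. The independence assumption is the weak point: WiFi BSSID and location are strongly correlated, so a real system would either merge them into one factor or discount the second.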
Slide 22: Examples of Location Context
  • Personal frequency at a place
    – Analysis of 20 people's GPS locations
    – 66.2% of time spent at home
    – 20.2% - Work
    – 6.3% - Some third place
  • Where people log in
    – Diary study of 20 people over 2 weeks
    – Home accounted for 59.2% of logins
    – Work accounted for 25.1% of logins
    – Public places, school, other: infrequent

Slide 23: Examples of Location Context
  • Location entropy
    – Concept taken from ecology
    – Based on how many distinct people are seen in a place, and how evenly the visits are spread among them
    – Approximates public vs private

Slide 24: (no transcript text)

Slide 25: Other Kinds of Location Info
  • Personal location info
    – Personal frequency
    – Mobility
  • Place info
    – Going beyond behavior analytics of people to include analytics of places
    – Churn: same people or different?
    – Transience: amount of time spent
    – Burst
    – Regularity of people seen
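Location entropy (slide 23) and transience (slide 25) computed over visit records, as an added Python example rather than the group's own analysis code. The visit log is constructed sample data and the private/shared/public cut-offs are assumptions; the point is that a place seen with one person almost all the time scores near 0 bits while a place with many equally frequent visitors scores log2(n) bits, which is the public-vs-private signal a casual-authentication policy can consume.

```python
import math
from collections import Counter
from dataclasses import dataclass

# Added illustration of the "location entropy" and "transience" measures on
# slides 23 and 25, not the CMU group's analysis code. Records are constructed;
# the private/shared/public cut-offs are assumptions.


@dataclass(frozen=True)
class Visit:
    person: str
    place: str
    minutes: int  # dwell time


def _make_sample() -> list:
    """Constructed visit log: a home, a shared office, and a busy coffee shop."""
    visits = [Visit("alice", "alice-home", 600)] * 10   # the resident, long stays
    visits += [Visit("bob", "alice-home", 120)]          # one guest
    for name in ("carol", "dan", "erin", "frank", "gina"):
        visits += [Visit(name, "office", 480)] * 4       # same five people, daily
    for i in range(8):
        visits.append(Visit(f"stranger{i}", "coffee-shop", 25))  # many people, briefly
    return visits


SAMPLE_VISITS = _make_sample()


def location_entropy(visits, place: str) -> float:
    """Shannon entropy (bits) of 'which person made this visit' at the place.
    0 bits: only one person is ever seen; log2(n) bits: n people seen equally often."""
    counts = Counter(v.person for v in visits if v.place == place)
    total = sum(counts.values())
    if total == 0:
        raise ValueError(f"no visits recorded for {place!r}")
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def distinct_people(visits, place: str) -> int:
    return len({v.person for v in visits if v.place == place})


def transience(visits, place: str) -> float:
    """Mean dwell time in minutes (slide 25: amount of time spent)."""
    stays = [v.minutes for v in visits if v.place == place]
    if not stays:
        raise ValueError(f"no visits recorded for {place!r}")
    return sum(stays) / len(stays)


def classify_place(visits, place: str) -> str:
    """Coarse label usable as a passive factor. Cut-offs are assumed: under 1 bit
    is effectively one person's place, under 2.5 bits a small fixed group."""
    h = location_entropy(visits, place)
    if h < 1.0:
        return "private"
    if h < 2.5:
        return "shared"
    return "public"


if __name__ == "__main__":
    for place in ("alice-home", "office", "coffee-shop"):
        print(f"{place:12s} people={distinct_people(SAMPLE_VISITS, place):2d} "
              f"entropy={location_entropy(SAMPLE_VISITS, place):.2f} bits "
              f"mean stay={transience(SAMPLE_VISITS, place):.0f} min "
              f"-> {classify_place(SAMPLE_VISITS, place)}")
```

Entropy, not a raw visitor count, is what separates the home (eleven visits, two people, but dominated by one) from the coffee shop; a count alone would make a home with occasional guests look like a semi-public place. Transience adds a second axis: short stays by many different people is the signature of a public place, long stays by the same person the signature of a private one.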
Slide 26: Current Plan of Research
  • Systematically evaluate passive factors
  • Develop and evaluate threat models
  • Techniques for integrating prior probabilities
  • Develop and deploy prototypes
    – Mobile case
    – Work/Home
  • Evaluate security and usability
    – Ease of use, time to log in
    – False accept rates, expert analysis

Slide 27: Long-term Opportunities
  • Starting with casual authentication for devices
    – Could be extended in future to password managers as well
  • Could be part of the trusted computing base in future
    – Custom chips for secure sensing
    – Support for server-side authentication too

Slide 28: (no transcript text)

Slide 29: Threat Model (Ideal)
  Attacker matrix; rows are the attacker's knowledge of the user, columns the attacker's knowledge of security.

  Knowledge of user \ Knowledge of security | Little                                    | Lots
  Little                                    | No difference with regular authentication | No difference with regular authentication
  Lots                                      | Could possibly mimic passive factors, would also need active factors | ?

Slide 30: Other Approaches
  • Two-factor authentication
    – Cost
    – Requires server support
  • Password managers
    – Can still fall for phishing
    – No guarantee of a strong password
  • Biometrics
    – Marios' talk next
    – False positives / false negatives

Slide 31: Diary Study (no transcript text)

Slide 32: Diary Study (no transcript text)

Slide 33: Diary Study
  • Where people log in
      Place          Share of logins
      Home           59.2%
      Office         25.1%
      Public place   6.9%
      School         6.2%
      Other          2.4%

Slide 34: Our Diary Study of Passwords
  • 20 participants over 2 weeks
    – Had participants rank the importance of each account
    – 5 means very concerned if someone else could obtain access to the account