Improving Usable Authentication



This talk has a summary of the research (up to 2011) that my team has been doing in improving the usability of various forms of authentication. One


Published in: Technology



  • 1. Improving Usable Authentication, Jason Hong (©2009 Carnegie Mellon University)
  • 2. Problems with Passwords
      • People forget passwords
          – Special characters, length, change every 4 weeks => wasted time, helpdesk costs
          – NYTimes site: 100k readers forget password, 15% of “new” users are old
          – Beverage company: 30% of help desk calls password-related, cost $900k / yr
  • 3. Problems with Passwords
      • People fall for phishing attacks
          – Estimated 0.4% of Internet users per year
          – Loss of corporate secrets, customer data, financial info
  • 4. Passwords Also Don’t Scale Up
      • Passwords good if you only have a few
      • But passwords aren’t scaling as devices and services become pervasive
          – Laptop, mobile phone, VPN, email (x2), Wii Fit, WiFi, ATM, PDFs, and dozens of web sites
  • 5. Coping Mechanisms Cause Problems
      • People cope by using weak passwords
          – RockYou: top 20 passwords used in 2.6% of accounts
      • People cope by reusing passwords
          – Breach on social networking site means breach on your site too
          – Ex. HBGary CEO used same password for email, iPad, Twitter, LinkedIn
  • 6. (image slide, no text)
  • 7. Past Work: Use Your Illusion
      • Problem:
          – Hard to remember passwords
          – Picture-based approaches are memorable but easy to guess
      • Solution:
          – Use blurred pictures to balance security with usability
          – User tests have shown high memorability and hard to guess
  • 8. Ongoing Research Projects
      • WebTicket
          – Cheap printable tokens for a reliable way to log in
      • Casual Authentication
          – Modulate level of authentication needed based on prior probability that it’s me
              • Ex. Probability of me in Brazil is very low
              • Ex. Probability of me at home is high
  • 9. WebTicket
      • Originated from discussion of the elderly
          – Not only couldn’t remember password, couldn’t remember what web site to go to
      • Not trying to solve authentication for power users
          – Gaw and Felten found undergrads had 3.3 passwords for 7.8 accounts
          – In our diary study, people had 11.4 accounts and often reused passwords
  • 10. How WebTicket Works
      • Browser plug-in for creating new accounts
          – Strong passwords are assigned
          – Users do not know their passwords
      • Print out ticket
          – Ticket is encrypted to work only with specific computer(s)
          – QR code: URL, username, password
      • To log in, show ticket to webcam
          – Can’t fall for phishing attacks
  • 11. Logging In with WebTicket (image slide)
  • 12. WebTicket
      • Design:
          – Very cheap (paper + printer + webcam)
          – Compatible with existing systems
          – Easy to deploy
          – Easy to teach: treat it like a house key
      • Weaknesses:
          – Not meant for commonly used passwords
          – Tickets can get damaged or lost
          – Need to store main encryption key
  • 13. WebTicket
      • Surprises:
          – Our strong password generator only worked for 76% of web sites
          – Ex. some sites don’t allow symbols, or allow only certain symbols
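As an added example (not code from the talk or the WebTicket project), the policy-aware strong-password assignment that slides 10 and 13 describe: a password is drawn uniformly from each site's allowed alphabet, and the entropy lost to a site's symbol and length rules is reported alongside the URL/username/password triple the ticket carries before encryption. The site policies, the .invalid URLs and the 80-bit target are constructed assumptions.

```python
import math
import secrets
import string

# Constructed per-site policies standing in for the site rules the generator ran
# into (sites that forbid symbols, or allow only a few). Not real site policies.
SITE_POLICIES = {
    "example-bank": {"max_len": 12, "symbols": "!@#$"},              # few symbols, short cap
    "example-shop": {"max_len": 16, "symbols": ""},                  # no symbols at all
    "example-mail": {"max_len": 64, "symbols": string.punctuation},  # permissive
}

def allowed_alphabet(policy):
    """Characters a site accepts: letters and digits plus whatever symbols it permits."""
    return string.ascii_letters + string.digits + policy["symbols"]

def generate_password(policy, target_bits=80):
    """Uniform random password from the site's alphabet, long enough for target_bits
    of entropy but capped at the site's maximum length (secrets = CSPRNG)."""
    alphabet = allowed_alphabet(policy)
    bits_per_char = math.log2(len(alphabet))
    length = min(policy["max_len"], math.ceil(target_bits / bits_per_char))
    return "".join(secrets.choice(alphabet) for _ in range(length))

def password_entropy_bits(password, policy):
    """Entropy of a uniform draw of this length from the site's alphabet."""
    return len(password) * math.log2(len(allowed_alphabet(policy)))

def complies(password, policy):
    """Check a password against the site policy the way a sign-up form would."""
    alphabet = set(allowed_alphabet(policy))
    return len(password) <= policy["max_len"] and all(c in alphabet for c in password)

def make_ticket_payload(site, username, policy, target_bits=80):
    """The URL/username/password triple a WebTicket QR code carries before it is
    encrypted to the user's machine, plus a flag for the slide-13 surprise: the
    site's rules forced a weaker password than requested."""
    pw = generate_password(policy, target_bits)
    bits = password_entropy_bits(pw, policy)
    return {"url": f"https://{site}.invalid/login", "username": username, "password": pw,
            "entropy_bits": round(bits, 1), "below_target": bits < target_bits}

if __name__ == "__main__":
    for site, policy in SITE_POLICIES.items():
        payload = make_ticket_payload(site, "alice", policy)
        print(site, payload["entropy_bits"], "bits", "(below target)" if payload["below_target"] else "")
```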
  • 14. WebTicket User Study
      • Two studies, 55 people total
          – Tested for phishing attacks in study #2
          – Two conditions: password and WebTicket
      • Experiment
          – Create a few accounts
          – Log in to a few sites
          – Come back a week later, log in again
  • 15. WebTicket Study Results
      • 1/4 of people using passwords could not log in again a week later
          – Didn’t restrict what passwords people used
      • Login time for WebTicket slower at first, faster a week later
      • WebTicket perceived as easier and faster
      • Simulated phishing attack
          – All in password condition fell for it
          – 30% of people using WebTicket did (though data still encrypted)
  • 16. Ongoing and Future Work
      • Mobile phone version to scale up
          – A strong password manager
          – Can’t fall for phish either
  • 17. Ongoing Work
      • Can encode more data in the ticket
          – QR codes can hold 3k of data
          – Ex. “Login only if in CyLab office or home”
          – Ex. “Login only if parents at home”
          – Ex. “Login only if between 5-8pm”
          – Ex. “Notify parents when you login”
          – Ex. Include face biometric data
      • Field deployment of WebTicket
  • 18. Casual Authentication
      • Observation:
          – Level of authentication needed is the same regardless of context
      • Idea:
          – Use commodity sensors + behavioral analysis to estimate prior probabilities (cheap multi-factor authentication)
          – Modulate level of authentication needed
              • In likely situations, make logins fast
              • In unlikely situations, make it reliable
  • 19. Example Scenarios
      • Scenario 1 – Mobile device
          – Prior probability of me being in my office is high, make authentication fast
          – Prior probability of me being in Brazil is low, so make authentication reliable
      • Scenario 2 – Home
          – Wake up in morning, go to computer
          – Weight sensor in chair, height sensor via Kinect, mobile device nearby
          – Use face recognition to log in (fast)
  • 20. Example Passive Factors
      • Cheap, invisible, multi-factor
      • Examples for mobile scenario
          – Location
          – IP address
          – WiFi MAC address
          – Bluetooth / devices nearby (smartphone)
          – Tilt (how you hold device)
      • Examples for work/home scenario
          – Kinect for height and body shape
          – Weight sensors
          – Gait (how you walk)
  • 21. Example Active Factors
      • Passwords
      • Biometrics
      • Multiple secret questions
      • Email verification
  • 22. Examples of Location Context
      • Personal frequency to that place
          – Analysis of 20 people’s GPS locations
          – 66.2% of time spent at home
          – 20.2% – work
          – 6.3% – some third place
      • Where people log in
          – Diary study of 20 people over 2 weeks
          – Home accounted for 59.2% of logins
          – Work accounted for 25.1% of logins
          – Public places, school, other: infrequent
  • 23. Examples of Location Context
      • Location entropy
          – Concept taken from ecology
          – Number of unique people seen in a place
          – Approximates public vs private
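An added example, not the authors' implementation: the passive factors of slides 18 to 23 (personal place frequency, known WiFi and Bluetooth identifiers, location entropy) are combined into a prior probability that it is the legitimate user, which then selects how much active authentication to demand, as in the Brazil and home scenarios of slide 19. The place frequencies follow the slide-22 figures; the identifiers, factor weights, thresholds and observations are assumed values.

```python
import math

# Constructed per-user statistics for the mobile scenario. Place frequencies follow the
# 66.2% / 20.2% / 6.3% figures on the slides; identifiers and weights are illustrative.
PLACE_FREQUENCY = {"home": 0.662, "work": 0.202, "third_place": 0.063}
KNOWN_WIFI = {"home-ap", "cylab-ap"}       # WiFi identifiers the user normally sees
KNOWN_BT = {"my-watch", "my-laptop"}       # Bluetooth devices usually nearby
W_WIFI, W_BT, W_ENTROPY = 1.5, 1.0, 0.5    # assumed log-odds weight per factor

def place_prior(place):
    """Personal frequency at a place; an unseen place (e.g. 'brazil') gets the leftover mass."""
    return PLACE_FREQUENCY.get(place, 1.0 - sum(PLACE_FREQUENCY.values()))

def location_entropy(people_seen):
    """Location entropy as on the slides: driven by the number of unique people seen in a
    place. Log-scaled here (an assumption) so public places score a few units higher."""
    return math.log(max(1, len(set(people_seen))))

def prior_it_is_me(obs):
    """Naive log-odds sum of passive factors giving one prior probability that the
    legitimate user holds the device (each factor shifts the evidence independently)."""
    p = place_prior(obs["place"])
    score = math.log(p / (1.0 - p))
    score += W_WIFI if obs["wifi"] in KNOWN_WIFI else -W_WIFI
    score += W_BT * len(set(obs["bluetooth"]) & KNOWN_BT)
    score -= W_ENTROPY * location_entropy(obs["people_seen"])
    return 1.0 / (1.0 + math.exp(-score))

def required_authentication(prior):
    """Modulate the active factor: fast when the prior is high, reliable when it is low."""
    if prior >= 0.9:
        return "face recognition"
    if prior >= 0.5:
        return "password"
    return "password + email verification"

# Constructed observations for the two slide-19 situations.
AT_HOME = {"place": "home", "wifi": "home-ap", "bluetooth": ["my-watch", "my-laptop"],
           "people_seen": ["me", "spouse"]}
IN_BRAZIL = {"place": "brazil", "wifi": "hotel-ap", "bluetooth": ["stranger-phone"],
             "people_seen": [f"guest{i}" for i in range(50)]}

if __name__ == "__main__":
    for name, obs in (("home", AT_HOME), ("brazil", IN_BRAZIL)):
        pr = prior_it_is_me(obs)
        print(f"{name}: prior={pr:.3f} -> {required_authentication(pr)}")
```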
  • 24. (image slide, no text)
  • 25. Other Kinds of Location Info
      • Personal location info
          – Personal frequency
          – Mobility
      • Place info
          – Going beyond behavior analytics of people to include analytics of places
          – Churn – same people or different?
          – Transience – amount of time spent
          – Burst – regularity of people seen
  • 26. Current Plan of Research
      • Systematically evaluate passive factors
      • Develop and evaluate threat models
      • Techniques for integrating prior probabilities
      • Develop and deploy prototypes
          – Mobile case
          – Work/Home
      • Evaluate security and usability
          – Ease of use, time to log in
          – False accept rates, expert analysis
  • 27. Long-term Opportunities
      • Starting with casual authentication for devices
          – Could be extended in future to password managers as well
      • Could be part of trusted computing base in future
          – Custom chips for secure sensing
          – Support for server-side authentication too
  • 28. (image slide, no text)
  • 29. Threat Model (Ideal)
      • A 2x2 matrix of the attacker’s knowledge of the user (Little / Lots) against knowledge of security (Little / Lots). The cell texts are: “No difference with regular authentication” (two cells), “Could possibly mimic passive factors, would also need active factors”, and “?”
  • 30. Other Approaches
      • Two-factor authentication
          – Cost
          – Requires server support
      • Password managers
          – Can still fall for phishing
          – No guarantee of strong password
      • Biometrics
          – Marios’ talk next
          – False positives / false negatives
  • 31. Diary Study (image slide)
  • 32. Diary Study (image slide)
  • 33. Diary Study
      • Where people log in
          Place          %
          Home           59.2%
          Office         25.1%
          Public place    6.9%
          School          6.2%
          Other           2.4%
  • 34. Our Diary Study of Passwords
      • 20 participants over 2 weeks
          – Had participants rank importance of account
          – 5 means very concerned if someone else could obtain access to an account