Improving Usable Authentication
Jason Hong
jasonh@cs.cmu.edu
©2009 Carnegie Mellon University
This talk has a summary of the research (up to 2011) that my team has been doing in improving the usability of various forms of authentication. One

Published in: Technology
Slide 1: Improving Usable Authentication
Jason Hong, jasonh@cs.cmu.edu

Slide 2: Problems with Passwords
• People forget passwords
  – Special characters, length, change every 4 weeks => wasted time, helpdesk costs
  – NYTimes site: 100k readers forget password, 15% of “new” users are old
  – Beverage company: 30% of help desk calls password-related, cost $900k / yr

Slide 3: Problems with Passwords
• People fall for phishing attacks
  – Estimated 0.4% of Internet users per year
  – Loss of corporate secrets, customer data, financial info

Slide 4: Passwords Also Don’t Scale Up
• Passwords good if you only have a few
• But passwords aren’t scaling as devices and services become pervasive
  – Laptop, mobile phone, VPN, email (x2), Wii Fit, WiFi, ATM, PDFs, and dozens of web sites

Slide 5: Coping Mechanisms Cause Problems
• People cope by using weak passwords
  – RockYou: Top 20 passwords used in 2.6% of accounts
• People cope by reusing passwords
  – Breach on social networking site means breach on your site too
  – Ex. HBGary CEO used same password for email, iPad, Twitter, LinkedIn

Slide 6: (no text on slide)

Slide 7: Past Work: Use Your Illusion
• Problem:
  – Hard to remember passwords
  – Picture-based approaches are memorable but easy to guess
• Solution:
  – Use blurred pictures to balance security with usability
  – User tests have shown high memorability and hard to guess

Slide 8: Ongoing Research Projects
• WebTicket
  – Cheap printable tokens for a reliable way to log in
• Casual Authentication
  – Modulate level of authentication needed based on prior probability that it’s me
    • Ex. Probability of me in Brazil is very low
    • Ex. Probability of me at home is high

Slide 9: WebTicket
• Originated from discussion of elderly
  – Not only couldn’t remember password, couldn’t remember what web site to go to
• Not trying to solve authentication for power users
  – Gaw and Felten found undergrads had 3.3 passwords for 7.8 accounts
  – In our diary study, people had 11.4 accounts and often reused passwords

Slide 10: How WebTicket Works
• Browser plug-in for creating new accounts
  – Strong passwords are assigned
  – Users do not know their passwords
• Print out ticket
  – Ticket is encrypted to work only with specific computer(s)
  – QR code: URL, username, password
• To log in, show ticket to webcam
  – Can’t fall for phishing attacks

Slide 11: Logging In with WebTicket (no further text on slide)

Slide 12: WebTicket
• Design:
  – Very cheap (paper + printer + webcam)
  – Compatible with existing systems
  – Easy to deploy
  – Easy to teach: treat it like a house key
• Weaknesses:
  – Not meant for commonly used passwords
  – Tickets can get damaged or lost
  – Need to store main encryption key

Slide 13: WebTicket
• Surprises:
  – Our strong password generator only worked for 76% of web sites
  – Ex. some sites don’t allow symbols, or don’t allow certain symbols
Slide 14: WebTicket User Study
• Two studies, 55 people total
  – Tested for phishing attacks in study #2
  – Two conditions: password and WebTicket
• Experiment
  – Create a few accounts
  – Log in to a few sites
  – Come back a week later, log in again

Slide 15: WebTicket Study Results
• 1/4 of people using passwords could not log in again a week later
  – Didn’t restrict what passwords people used
• Login time for WebTicket slower at first, faster a week later
• WebTicket perceived as easier and faster
• Simulated phishing attack
  – All in password condition fell for it
  – 30% of people using WebTicket did (though data still encrypted)

Slide 16: Ongoing and Future Work
• Mobile phone version to scale up
  – A strong password manager
  – Can’t fall for phish either

Slide 17: Ongoing Work
• Can encode more data in the ticket
  – QR codes can hold 3k of data
  – Ex. “Login only if in CyLab office or home”
  – Ex. “Login only if parents at home”
  – Ex. “Login only if between 5-8pm”
  – Ex. “Notify parents when you login”
  – Ex. Include face biometric data
• Field deployment of WebTicket

Slide 18: Casual Authentication
• Observation:
  – Today, the level of authentication required is the same regardless of context
• Idea:
  – Use commodity sensors + behavioral analysis to estimate prior probabilities (cheap multi-factor authentication)
  – Modulate level of authentication needed
    • In likely situations, make logins fast
    • In unlikely situations, make it reliable

Slide 19: Example Scenarios
• Scenario 1 – Mobile device
  – Prior probability of me being in my office is high, so make authentication fast
  – Prior probability of me being in Brazil is low, so make authentication reliable
• Scenario 2 – Home
  – Wake up in morning, go to computer
  – Weight sensor in chair, height sensor via Kinect, mobile device nearby
  – Use face recognition to log in (fast)

Slide 20: Example Passive Factors
• Cheap, invisible, multi-factor
• Examples for mobile scenario
  – Location
  – IP address
  – WiFi MAC address
  – Bluetooth / devices nearby (smartphone)
  – Tilt (how you hold device)
• Examples for work/home scenario
  – Kinect for height and body shape
  – Weight sensors
  – Gait (how you walk)

Slide 21: Example Active Factors
• Passwords
• Biometrics
• Multiple secret questions
• Email verification

Slide 22: Examples of Location Context
• Personal frequency to that place
  – Analysis of 20 people’s GPS locations
  – 66.2% of time spent at home
  – 20.2% at work
  – 6.3% at some third place
• Where people log in
  – Diary study of 20 people over 2 weeks
  – Home accounted for 59.2% of logins
  – Work accounted for 25.1% of logins
  – Public places, school, other: infrequent

Slide 23: Examples of Location Context
• Location entropy
  – Concept taken from ecology
  – Number of unique people seen in a place
  – Approximates public vs. private
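The two location signals on slides 22 and 23 and the casual-authentication decision of slides 18 and 19, worked through on a constructed check-in log as an added example (not the project's code). Location entropy is computed as the Shannon entropy of the distribution of distinct people seen at a place, personal frequency as the user's own share of check-ins there; the thresholds and all names are hypothetical.

```javascript
// Constructed check-in log (user, place) standing in for GPS traces / diary entries.
const CHECKINS = [
  ...Array(7).fill({ user: 'alice', place: 'home' }),
  { user: 'alice', place: 'work' }, { user: 'alice', place: 'work' },
  { user: 'alice', place: 'cafe' },
  { user: 'bob', place: 'work' }, { user: 'bob', place: 'work' }, { user: 'bob', place: 'work' },
  { user: 'bob', place: 'cafe' }, { user: 'carol', place: 'cafe' }, { user: 'dave', place: 'cafe' },
  { user: 'erin', place: 'airport' }, { user: 'frank', place: 'airport' },
];

// Location entropy: Shannon entropy (bits) of the distribution of distinct people
// seen at a place. Near 0 means one person dominates (private); higher means
// many different people pass through (public).
function locationEntropy(checkins, place) {
  const counts = new Map();
  let total = 0;
  for (const c of checkins) {
    if (c.place !== place) continue;
    counts.set(c.user, (counts.get(c.user) || 0) + 1);
    total++;
  }
  let h = 0;
  for (const n of counts.values()) {
    const p = n / total;
    h -= p * Math.log2(p);
  }
  return h;
}

// Personal frequency: share of this user's own check-ins that fall at the place,
// used as the prior probability that it really is them being there.
function personalFrequency(checkins, user, place) {
  const mine = checkins.filter(c => c.user === user);
  if (mine.length === 0) return 0;
  return mine.filter(c => c.place === place).length / mine.length;
}

// Casual authentication: choose the authentication level from the prior.
// Hypothetical thresholds: 'fast' lets passive factors stand in for the
// password, 'reliable' demands the password plus an extra active factor.
function requiredAuthLevel(checkins, user, place) {
  const freq = personalFrequency(checkins, user, place);
  const entropy = locationEntropy(checkins, place);
  if (freq >= 0.5 && entropy < 1.0) return 'fast';
  if (freq >= 0.15) return 'standard';
  return 'reliable';
}
```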
Slide 24: (no text on slide)

Slide 25: Other Kinds of Location Info
• Personal location info
  – Personal frequency
  – Mobility
• Place info
  – Going beyond behavior analytics of people to include analytics of places
  – Churn – same people or different?
  – Transience – amount of time spent
  – Burst – regularity of people seen

Slide 26: Current Plan of Research
• Systematically evaluate passive factors
• Develop and evaluate threat models
• Techniques for integrating prior probabilities
• Develop and deploy prototypes
  – Mobile case
  – Work/home
• Evaluate security and usability
  – Ease of use, time to log in
  – False accept rates, expert analysis

Slide 27: Long-term Opportunities
• Starting with casual authentication for devices
  – Could be extended in future to password managers as well
• Could be part of trusted computing base in future
  – Custom chips for secure sensing
  – Support for server-side authentication too

Slide 28: (no text on slide)

Slide 29: Threat Model (Ideal)
[2×2 matrix figure; text recovered from the slide: axes “Knowledge of security” (Little / Lots) and “Knowledge of user” (Little / Lots); cell labels: “No difference with regular authentication” (two cells), “Could possibly mimic passive factors, would also need active factors”, and “?”]

Slide 30: Other Approaches
• Two-factor authentication
  – Cost
  – Requires server support
• Password managers
  – Can still fall for phishing
  – No guarantee of strong password
• Biometrics
  – Marios’ talk next
  – False positives / false negatives

Slide 31: Diary Study (no further text on slide)

Slide 32: Diary Study (no further text on slide)

Slide 33: Diary Study
• Where people log in

  Place          %
  Home           59.2%
  Office         25.1%
  Public place    6.9%
  School          6.2%
  Other           2.4%

Slide 34: Our Diary Study of Passwords
• 20 participants over 2 weeks
  – Had participants rank importance of account
  – 5 means very concerned if someone else could obtain access to an account