SlideShare a Scribd company logo
1 of 15
Download to read offline
Technische Universität München

Visual Authentication
A Secure Single Step Authentication for User Authorization

Luis Roalter 1, Matthias Kranz 2, Andreas Möller 1, Stefan Diewald 1,
Tobias Stockinger 2, Marion Koelle 2, Patrick Lindemann 2
1 Technische

Universität München
2 Universität Passau
December 5th 2013

Mobile and Ubiquitous Multimedia (MUM 2013), Luleå, Sweden
Technische Universität München

mobile & usable
security
for interaction with
public terminals
05.12.2013

MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization

2
Technische Universität München

Current Situation

username 1
password 1

username 2
password 2

username 3
password 3

username 4
password 4

Different credentials

username 5
password 5

05.12.2013

username 6
password 6

username 8
password 8

MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization

image source: http://commons.wikimedia.org/wiki/File:Singapore_Road_Signs_-_Restrictive_Sign_-_Stop_-_Security_Check.svg

3
Technische Universität München

Federated Authentication: Single Sign-On (SSO)
Related Work
• 

Sign in once to use all services

• 

Single, familiar login mask for
different services, e.g.
–  “Sign in with Facebook”
–  “Sign in with Google”

• 

One username, one password

• 

Improved user experience

Optional: two-factor authentication
with side channel, e.g. mobile phone

05.12.2013

MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization

4
Technische Universität München

Increased Security: Multi-Factor Authentication
Related Work

05.12.2013

MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization

image source: Microsoft Office Online Clipart Gallery

5
Technische Universität München

Problems in the Context of Mobile and Usable Security
• 

• 

Security-centered issues
–  Access credentials can be stolen, e .g.
•  man-in-the-middle attack
•  shoulder surfing
•  phishing
as the terminal usually does not authenticate towards the user
–  Trust relationship towards the device might be limited, even if the device
can prove its identity, e.g. if it is a shared device
à lack of trust, reluctant to use services, …
Device-centered issues
–  Limited capabilities of the input device (e.g. no keyboard)
–  Limited ergonomics (e.g. wall-mounted device)
–  hygiene concerns
à time-consuming, uncomfortable, …

05.12.2013

MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization

6
Technische Universität München

Proposal: Usable Security with Single Step Authentication
sessionID: xyz

05.12.2013

MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization

image source: Microsoft Office Online Clipart Gallery

7
Technische Universität München

Proposal: Additional Benefits of the Mobile Authenticator
•  User-enabled Session Management
-  Remote session logout
-  Session transfer between systems
•  Maintenance of profile and personal
information
à Transparency to the user (full information)
•  Without mobile authenticator app:
can be used with a web-based interface

05.12.2013

MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization

8
Technische Universität München

Example Use Case: Room Reservation and Access
• 

Tablet PC as digital door sign for meeting rooms

• 

Provides resource-centred information and access
(e.g. seeing when rooms are occupied or available)

• 

Use case:
Book a room through the public display
–  Need for authentication & authorization
(accounting - who reserved the room?)
–  Single Sign-On with QR code & mobile
(no credentials to type on public display
–  Allows physical room access & usage
(remotely controlled digital door lock)

05.12.2013

MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization

9
Technische Universität München

Example Use Case: How does it work?
User is scanning a QR code with smartphone
(containing a session token, SID), data sent to IdP
with user credentials (user name & password)
Case 1: Authenticator app installed
•  Credentials (which were previously
stored in app once) and session token
are sent to the service
•  The user is authenticated in one step
Case 2: No authenticator app installed
•  Redirection to a web page where
credentials are entered (securely on
mobile device)
•  The URI is recognized by the tablet and
authenticates the user
05.12.2013

MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization

10
Technische Universität München

Example Use Case: Initial User Study with “Room Access”
• 

Initial user survey with the prototype system (room access)
–  20 participants (18 males, 2 females) aged between 20 and 64 years
–  (non-balanced, non-representative, not providing statistically usable results)

• 

RQ1: Do users have security concerns when entering
personal credentials on a public display?
–  Participants agreed that they have security concerns entering personal
information on a publicly exposed display
–  Avg. 3.8 on 5-step Likert-Scale (fully disagree = 1, fully agree = 5), SD=1.3

• 

RQ2: Do users have security concerns when using the smartphone-based
visual authentication system in conjunction with a public display?
–  Participants agreed that they have security concerns in the smartphonebased authentication approach
–  Avg. 2.3 on 5-step Likert-Scale (fully disagree = 1, fully agree = 5), SD=1.4

05.12.2013

MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization

11
Technische Universität München

Summary and Discussion
Proposed approach for “mobile usable security” providing user-friendly multifactor authentication in a public-private device scenario, addressing
•  input modalities and device
(replacing potentially non-convenient input methods, hygiene aspects, …)
•  security issues
(SSO with side-channel authentication, prohibiting shoulder surfing, phishing
attacks, potential to de-authenticate sessions remotely, trusted …)
•  usability aspects
(less error-prone, faster, more convenient, …)
Open Issues
•  Multiple identity providers require pre-established trust relationships
•  Network connection for side-channel/multi-factor authentication needed
•  Shift of responsibility to the user (non-expert in security issues)
•  Device-to-device communication problems (visible lighting, (audible) noise, …)
05.12.2013

MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization

12
Technische Universität München

Outlook and Future Work
• 

• 

• 

Technical enhancement
–  Pluggable Authentication Module (QR code-based PAM module) for PC login
–  Transfer of running sessions and their contexts between terminals
Usability evaluation and user study
–  Acceptance and usability tests
•  in a real-world deployment
•  w.r.t. long-term effects on usable security
–  Investigation of novel applications and domains and scenario-specific
potentials (public displays, distributed environments, internet of things)
Security evaluation
–  Resistance to man-in-the-middle/replay attacks
–  Simulate different hacking scenarios
–  Creation of an overall security concept
–  Extended information (e.g. WLAN AP scan, GPS, etc. to detect “fakes”)

05.12.2013

MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization

13
Technische Universität München

Thank you very much for your kind attention!
Questions?

?
?
Contact:
Luis Roalter (roalter@tum.de)
Matthias Kranz (matthias.kranz@uni-passau.de)
05.12.2013

MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization

14
Technische Universität München

Citation Information
• 

Please cite this work as follows:
L. Roalter, M. Kranz, A. Möller, S. Diewald, T. Stockinger, M. Koelle, P. Lindemann: Visual
Authentication - A Secure Single Step Authentication for User Authorization. In: Proceedings of the
12th International Conference on Mobile and Ubiquitous Multimedia (MUM 2013), Luleå, Sweden,
2013

• 

Please use the following BibTex file:
@inproceedings{MUM2013Roalter,

author = {Roalter, Luis and Kranz, Matthias and M"{o}ller, Andreas and Diewald,
Stefan and Stockinger, Tobias and Koelle, Marion and Lindemann, Patrick},

title = {Visual Authentication – A Secure Single Step Authentication for User
Authorization},

booktitle = {Proceedings of the 12th International Conference on Mobile and Ubiquitous
Multimedia},

series = {MUM '13},

year = {2013},

location = {Luleaa, Sweden},

publisher = {ACM},

address = {New York, NY, USA},

} "

05.12.2013

MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization

15

More Related Content

Similar to Visual Authentication - A Secure Single Step Authentication for User Authorization

CyberSecurity-Forum-2010-Mario Hoffmann
CyberSecurity-Forum-2010-Mario HoffmannCyberSecurity-Forum-2010-Mario Hoffmann
CyberSecurity-Forum-2010-Mario Hoffmann
segughana
 
Cyber Tekes Safety and Security programme 2013
Cyber Tekes Safety and Security programme 2013Cyber Tekes Safety and Security programme 2013
Cyber Tekes Safety and Security programme 2013
Turvallisuus2013
 
GADISA GEMECHUGOOD POWERPOINT .pptx @here
GADISA GEMECHUGOOD POWERPOINT .pptx @hereGADISA GEMECHUGOOD POWERPOINT .pptx @here
GADISA GEMECHUGOOD POWERPOINT .pptx @here
gadisagemechu1
 
Continuous and Transparent User Identity Verification for Secure Internet Ser...
Continuous and Transparent User Identity Verification for Secure Internet Ser...Continuous and Transparent User Identity Verification for Secure Internet Ser...
Continuous and Transparent User Identity Verification for Secure Internet Ser...
1crore projects
 
Building a Distributed Secure System on Multi-Agent Platform Depending on the...
Building a Distributed Secure System on Multi-Agent Platform Depending on the...Building a Distributed Secure System on Multi-Agent Platform Depending on the...
Building a Distributed Secure System on Multi-Agent Platform Depending on the...
CSCJournals
 
Beyond security testing
Beyond security testingBeyond security testing
Beyond security testing
Cu Nguyen
 

Similar to Visual Authentication - A Secure Single Step Authentication for User Authorization (20)

Implications of GDPR for IoT Big Data Security and Privacy Fabric
Implications of GDPR for IoT Big Data Security and Privacy FabricImplications of GDPR for IoT Big Data Security and Privacy Fabric
Implications of GDPR for IoT Big Data Security and Privacy Fabric
 
Online Signature Authentication by Using Mouse Behavior
Online Signature Authentication by Using Mouse Behavior Online Signature Authentication by Using Mouse Behavior
Online Signature Authentication by Using Mouse Behavior
 
ARCHITECTURE OF A IDENTITY BASED FIREWALL SYSTEM
ARCHITECTURE OF A IDENTITY BASED FIREWALL SYSTEMARCHITECTURE OF A IDENTITY BASED FIREWALL SYSTEM
ARCHITECTURE OF A IDENTITY BASED FIREWALL SYSTEM
 
CyberSecurity-Forum-2010-Mario Hoffmann
CyberSecurity-Forum-2010-Mario HoffmannCyberSecurity-Forum-2010-Mario Hoffmann
CyberSecurity-Forum-2010-Mario Hoffmann
 
Transparent Developmental Biometric Based System Protect User Reauthenticatio...
Transparent Developmental Biometric Based System Protect User Reauthenticatio...Transparent Developmental Biometric Based System Protect User Reauthenticatio...
Transparent Developmental Biometric Based System Protect User Reauthenticatio...
 
Witdom overview 2016
Witdom overview 2016Witdom overview 2016
Witdom overview 2016
 
Cyber Tekes Safety and Security programme 2013
Cyber Tekes Safety and Security programme 2013Cyber Tekes Safety and Security programme 2013
Cyber Tekes Safety and Security programme 2013
 
In Processes We Trust: Privacy and Trust in Business Processes
In Processes We Trust: Privacy and Trust in Business ProcessesIn Processes We Trust: Privacy and Trust in Business Processes
In Processes We Trust: Privacy and Trust in Business Processes
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architectures
 
NIS.docx
NIS.docxNIS.docx
NIS.docx
 
GADISA GEMECHUGOOD POWERPOINT .pptx @here
GADISA GEMECHUGOOD POWERPOINT .pptx @hereGADISA GEMECHUGOOD POWERPOINT .pptx @here
GADISA GEMECHUGOOD POWERPOINT .pptx @here
 
Survey on cloud computing security techniques
Survey on cloud computing security techniquesSurvey on cloud computing security techniques
Survey on cloud computing security techniques
 
Kx3518741881
Kx3518741881Kx3518741881
Kx3518741881
 
Continuous and Transparent User Identity Verification for Secure Internet Ser...
Continuous and Transparent User Identity Verification for Secure Internet Ser...Continuous and Transparent User Identity Verification for Secure Internet Ser...
Continuous and Transparent User Identity Verification for Secure Internet Ser...
 
Secure Virtualization for Cloud Environment Using Guest OS and VMM-based Tech...
Secure Virtualization for Cloud Environment Using Guest OS and VMM-based Tech...Secure Virtualization for Cloud Environment Using Guest OS and VMM-based Tech...
Secure Virtualization for Cloud Environment Using Guest OS and VMM-based Tech...
 
AN ENHANCED USER AUTHENTICATION FRAMEWORK IN CLOUD COMPUTING
AN ENHANCED USER AUTHENTICATION FRAMEWORK IN CLOUD COMPUTINGAN ENHANCED USER AUTHENTICATION FRAMEWORK IN CLOUD COMPUTING
AN ENHANCED USER AUTHENTICATION FRAMEWORK IN CLOUD COMPUTING
 
Building a Distributed Secure System on Multi-Agent Platform Depending on the...
Building a Distributed Secure System on Multi-Agent Platform Depending on the...Building a Distributed Secure System on Multi-Agent Platform Depending on the...
Building a Distributed Secure System on Multi-Agent Platform Depending on the...
 
Extended Visual Cryptography Using Watermarking
Extended Visual Cryptography Using WatermarkingExtended Visual Cryptography Using Watermarking
Extended Visual Cryptography Using Watermarking
 
Beyond security testing
Beyond security testingBeyond security testing
Beyond security testing
 
Survey on cloud computing security techniques
Survey on cloud computing security techniquesSurvey on cloud computing security techniques
Survey on cloud computing security techniques
 

More from Distributed Multimodal Information Processing Group

Towards a Holistic Approach for Mobile Application Development in Intelligent...
Towards a Holistic Approach for Mobile Application Development in Intelligent...Towards a Holistic Approach for Mobile Application Development in Intelligent...
Towards a Holistic Approach for Mobile Application Development in Intelligent...
Distributed Multimodal Information Processing Group
 
MobiDics: Cooperative Mobile e-Learning for Teachers
MobiDics: Cooperative Mobile e-Learning for TeachersMobiDics: Cooperative Mobile e-Learning for Teachers
MobiDics: Cooperative Mobile e-Learning for Teachers
Distributed Multimodal Information Processing Group
 

More from Distributed Multimodal Information Processing Group (16)

Experimental Evaluation of User Interfaces for Visual Indoor Navigation
Experimental Evaluation of User Interfaces for Visual Indoor NavigationExperimental Evaluation of User Interfaces for Visual Indoor Navigation
Experimental Evaluation of User Interfaces for Visual Indoor Navigation
 
Mit mobilem Lernen zur erweiterten Methodenkompetenz
Mit mobilem Lernen zur erweiterten MethodenkompetenzMit mobilem Lernen zur erweiterten Methodenkompetenz
Mit mobilem Lernen zur erweiterten Methodenkompetenz
 
Investigating Self-Reporting Behavior in Long-Term Studies
Investigating Self-Reporting Behavior in Long-Term StudiesInvestigating Self-Reporting Behavior in Long-Term Studies
Investigating Self-Reporting Behavior in Long-Term Studies
 
Decision-Point Panorama-Based Indoor Navigation
Decision-Point Panorama-Based Indoor NavigationDecision-Point Panorama-Based Indoor Navigation
Decision-Point Panorama-Based Indoor Navigation
 
The Smartphone as Mobile Authorization Proxy
The Smartphone as Mobile Authorization ProxyThe Smartphone as Mobile Authorization Proxy
The Smartphone as Mobile Authorization Proxy
 
Towards a Holistic Approach for Mobile Application Development in Intelligent...
Towards a Holistic Approach for Mobile Application Development in Intelligent...Towards a Holistic Approach for Mobile Application Development in Intelligent...
Towards a Holistic Approach for Mobile Application Development in Intelligent...
 
GymSkill - A Personal Trainer for Physical Exercises
GymSkill - A Personal Trainer for Physical ExercisesGymSkill - A Personal Trainer for Physical Exercises
GymSkill - A Personal Trainer for Physical Exercises
 
DriveAssist – A V2X-Based Driver Assistance System for Android
DriveAssist – A V2X-Based Driver Assistance System for Android DriveAssist – A V2X-Based Driver Assistance System for Android
DriveAssist – A V2X-Based Driver Assistance System for Android
 
Distributed Networks within ROS: Challenges and Possibilities
Distributed Networks within ROS: Challenges and PossibilitiesDistributed Networks within ROS: Challenges and Possibilities
Distributed Networks within ROS: Challenges and Possibilities
 
Tool Support for Prototyping Interfaces
Tool Support for Prototyping InterfacesTool Support for Prototyping Interfaces
Tool Support for Prototyping Interfaces
 
Update Behavior in App Markets and Security Implications: A Case Study in Goo...
Update Behavior in App Markets and Security Implications: A Case Study in Goo...Update Behavior in App Markets and Security Implications: A Case Study in Goo...
Update Behavior in App Markets and Security Implications: A Case Study in Goo...
 
MobiliNet: A Social Network for Optimized Mobility
MobiliNet: A Social Network for Optimized MobilityMobiliNet: A Social Network for Optimized Mobility
MobiliNet: A Social Network for Optimized Mobility
 
Gamification-supported Exploration of Natural User Interfaces
Gamification-supported Exploration of Natural User InterfacesGamification-supported Exploration of Natural User Interfaces
Gamification-supported Exploration of Natural User Interfaces
 
MobiDics: Cooperative Mobile e-Learning for Teachers
MobiDics: Cooperative Mobile e-Learning for TeachersMobiDics: Cooperative Mobile e-Learning for Teachers
MobiDics: Cooperative Mobile e-Learning for Teachers
 
A Mobile Indoor Navigation System Interface Adapted to Vision-Based Localization
A Mobile Indoor Navigation System Interface Adapted to Vision-Based LocalizationA Mobile Indoor Navigation System Interface Adapted to Vision-Based Localization
A Mobile Indoor Navigation System Interface Adapted to Vision-Based Localization
 
MobiMed: Comparing Object Identification Techniques on Smartphones
MobiMed: Comparing Object Identification Techniques on SmartphonesMobiMed: Comparing Object Identification Techniques on Smartphones
MobiMed: Comparing Object Identification Techniques on Smartphones
 

Recently uploaded

Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Peter Udo Diehl
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
UXDXConf
 

Recently uploaded (20)

Top 10 Symfony Development Companies 2024
Top 10 Symfony Development Companies 2024Top 10 Symfony Development Companies 2024
Top 10 Symfony Development Companies 2024
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
The UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, OcadoThe UX of Automation by AJ King, Senior UX Researcher, Ocado
The UX of Automation by AJ King, Senior UX Researcher, Ocado
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
Connecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKConnecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAK
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdf
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
 
THE BEST IPTV in GERMANY for 2024: IPTVreel
THE BEST IPTV in  GERMANY for 2024: IPTVreelTHE BEST IPTV in  GERMANY for 2024: IPTVreel
THE BEST IPTV in GERMANY for 2024: IPTVreel
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 

Visual Authentication - A Secure Single Step Authentication for User Authorization

  • 1. Technische Universität München Visual Authentication A Secure Single Step Authentication for User Authorization Luis Roalter 1, Matthias Kranz 2, Andreas Möller 1, Stefan Diewald 1, Tobias Stockinger 2, Marion Koelle 2, Patrick Lindemann 2 1 Technische Universität München 2 Universität Passau December 5th 2013 Mobile and Ubiquitous Multimedia (MUM 2013), Luleå, Sweden
  • 2. Technische Universität München mobile & usable security for interaction with public terminals 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 2
  • 3. Technische Universität München Current Situation username 1 password 1 username 2 password 2 username 3 password 3 username 4 password 4 Different credentials username 5 password 5 05.12.2013 username 6 password 6 username 8 password 8 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization image source: http://commons.wikimedia.org/wiki/File:Singapore_Road_Signs_-_Restrictive_Sign_-_Stop_-_Security_Check.svg 3
  • 4. Technische Universität München Federated Authentication: Single Sign-On (SSO) Related Work •  Sign in once to use all services •  Single, familiar login mask for different services, e.g. –  “Sign in with Facebook” –  “Sign in with Google” •  One username, one password •  Improved user experience Optional: two-factor authentication with side channel, e.g. mobile phone 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 4
  • 5. Technische Universität München Increased Security: Multi-Factor Authentication Related Work 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization image source: Microsoft Office Online Clipart Gallery 5
  • 6. Technische Universität München Problems in the Context of Mobile and Usable Security •  •  Security-centered issues –  Access credentials can be stolen, e .g. •  man-in-the-middle attack •  shoulder surfing •  phishing as the terminal usually does not authenticate towards the user –  Trust relationship towards the device might be limited, even if the device can prove its identity, e.g. if it is a shared device à lack of trust, reluctant to use services, … Device-centered issues –  Limited capabilities of the input device (e.g. no keyboard) –  Limited ergonomics (e.g. wall-mounted device) –  hygiene concerns à time-consuming, uncomfortable, … 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 6
  • 7. Technische Universität München Proposal: Usable Security with Single Step Authentication sessionID: xyz 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization image source: Microsoft Office Online Clipart Gallery 7
  • 8. Technische Universität München Proposal: Additional Benefits of the Mobile Authenticator •  User-enabled Session Management -  Remote session logout -  Session transfer between systems •  Maintenance of profile and personal information à Transparency to the user (full information) •  Without mobile authenticator app: can be used with a web-based interface 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 8
  • 9. Technische Universität München Example Use Case: Room Reservation and Access •  Tablet PC as digital door sign for meeting rooms •  Provides resource-centred information and access (e.g. seeing when rooms are occupied or available) •  Use case: Book a room through the public display –  Need for authentication & authorization (accounting - who reserved the room?) –  Single Sign-On with QR code & mobile (no credentials to type on public display –  Allows physical room access & usage (remotely controlled digital door lock) 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 9
  • 10. Technische Universität München Example Use Case: How does it work? User is scanning a QR code with smartphone (containing a session token, SID), data sent to IdP with user credentials (user name & password) Case 1: Authenticator app installed •  Credentials (which were previously stored in app once) and session token are sent to the service •  The user is authenticated in one step Case 2: No authenticator app installed •  Redirection to a web page where credentials are entered (securely on mobile device) •  The URI is recognized by the tablet and authenticates the user 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 10
  • 11. Technische Universität München Example Use Case: Initial User Study with “Room Access” •  Initial user survey with the prototype system (room access) –  20 participants (18 males, 2 females) aged between 20 and 64 years –  (non-balanced, non-representative, not providing statistically usable results) •  RQ1: Do users have security concerns when entering personal credentials on a public display? –  Participants agreed that they have security concerns entering personal information on a publicly exposed display –  Avg. 3.8 on 5-step Likert-Scale (fully disagree = 1, fully agree = 5), SD=1.3 •  RQ2: Do users have security concerns when using the smartphone-based visual authentication system in conjunction with a public display? –  Participants agreed that they have security concerns in the smartphonebased authentication approach –  Avg. 2.3 on 5-step Likert-Scale (fully disagree = 1, fully agree = 5), SD=1.4 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 11
  • 12. Technische Universität München Summary and Discussion Proposed approach for “mobile usable security” providing user-friendly multifactor authentication in a public-private device scenario, addressing •  input modalities and device (replacing potentially non-convenient input methods, hygiene aspects, …) •  security issues (SSO with side-channel authentication, prohibiting shoulder surfing, phishing attacks, potential to de-authenticate sessions remotely, trusted …) •  usability aspects (less error-prone, faster, more convenient, …) Open Issues •  Multiple identity providers require pre-established trust relationships •  Network connection for side-channel/multi-factor authentication needed •  Shift of responsibility to the user (non-expert in security issues) •  Device-to-device communication problems (visible lighting, (audible) noise, …) 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 12
  • 13. Technische Universität München Outlook and Future Work •  •  •  Technical enhancement –  Pluggable Authentication Module (QR code-based PAM module) for PC login –  Transfer of running sessions and their contexts between terminals Usability evaluation and user study –  Acceptance and usability tests •  in a real-world deployment •  w.r.t. long-term effects on usable security –  Investigation of novel applications and domains and scenario-specific potentials (public displays, distributed environments, internet of things) Security evaluation –  Resistance to man-in-the-middle/replay attacks –  Simulate different hacking scenarios –  Creation of an overall security concept –  Extended information (e.g. WLAN AP scan, GPS, etc. to detect “fakes”) 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 13
  • 14. Technische Universität München Thank you very much for your kind attention! Questions? ? ? Contact: Luis Roalter (roalter@tum.de) Matthias Kranz (matthias.kranz@uni-passau.de) 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 14
  • 15. Technische Universität München Citation Information •  Please cite this work as follows: L. Roalter, M. Kranz, A. Möller, S. Diewald, T. Stockinger, M. Koelle, P. Lindemann: Visual Authentication - A Secure Single Step Authentication for User Authorization. In: Proceedings of the 12th International Conference on Mobile and Ubiquitous Multimedia (MUM 2013), Luleå, Sweden, 2013 •  Please use the following BibTex file: @inproceedings{MUM2013Roalter,
 author = {Roalter, Luis and Kranz, Matthias and M"{o}ller, Andreas and Diewald, Stefan and Stockinger, Tobias and Koelle, Marion and Lindemann, Patrick},
 title = {Visual Authentication – A Secure Single Step Authentication for User Authorization},
 booktitle = {Proceedings of the 12th International Conference on Mobile and Ubiquitous Multimedia},
 series = {MUM '13},
 year = {2013},
 location = {Luleaa, Sweden},
 publisher = {ACM},
 address = {New York, NY, USA},
 } " 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 15