We introduce UniAuth, a set of mechanisms for streamlining authentication to devices and web services. With UniAuth, a user first authenticates himself to his UniAuth client, typically his smartphone or wearable device. His client can then authenticate to other services on his behalf. In this paper, we focus on exploring the user experiences with an early iPhone prototype called Knock x Knock. To manage a variety of accounts securely in a usable way, Knock x Knock incorporates features not supported in existing password managers, such as tiered and location-aware lock control, authentication to laptops via knocking, and storing credentials locally while working with laptops seamlessly. In two field studies, 19 participants used Knock x Knock for one to three weeks with their own devices and accounts. Our participants were highly positive about Knock x Knock, demonstrating the desirability of our approach. We also discuss interesting edge cases and design implications.
6. 6
“every scheme does worse than
passwords on deployability”
[Bonneau 2012]
Bonneau, J., Herley, C., Oorschot, P.C.V., and Stajano, F. The Quest to Replace Passwords: A
Framework for Comparative Evaluation of Web Authentication Schemes. IEEE, 553–567.
23. 23
Location-Aware Tiered Access Control
Assign each credential to:
Secure
Standard
Quick
Balance usability and
security based on location
Eiji Hayashi et al. 2012. Goldilocks and the two mobile devices: going beyond all-or-
nothing access to a device's applications. SOUPS.
Eiji Hayashi et al. 2013. CASA: context-aware scalable authentication. SOUPS.
24. 24
Location-Aware Tiered Access Control
Trusted Locations Other Locations
Secure Need a master password
Locked after one access
Standard Need a master password
Locked when leaving
Need a master password
Locked after 3 min
Quick Automatically unlocked
Locked when leaving
Need a master password
Locked after 3 min
25. 25
Location-Aware Tiered Access Control
Trusted Locations Other Locations
Secure Need a master password
Locked after one access
Standard Need a master password
Locked when leaving
Need a master password
Locked after 3 min
Quick Automatically unlocked
Locked when leaving
Need a master password
Locked after 3 min
26. 26
Location-Aware Tiered Access Control
Trusted Locations Other Locations
Secure Need a master password
Locked after one access
Standard Need a master password
Locked when leaving
Need a master password
Locked after 3 min
Quick Automatically unlocked
Locked when leaving
Need a master password
Locked after 3 min
27. 27
Location-Aware Tiered Access Control
Trusted Locations Other Locations
Secure Need a master password
Locked after one access
Standard Need a master password
Locked when leaving
Need a master password
Locked after 3 min
Quick Automatically unlocked
Locked when leaving
Need a master password
Locked after 3 min
28. 28
Location-Aware Tiered Access Control
Trusted Locations Other Locations
Secure Need a master password
Locked after one access
Standard Need a master password
Locked when leaving
Need a master password
Locked after 3 min
Quick Automatically unlocked
Locked when leaving
Need a master password
Locked after 3 min
29. 29
Knock x Knock UIMP features
Examples:
• Unlock doors / bike locks / lockers
• Create an account automatically
• Update password periodically
• Reset all passwords by one click
• Receive account activity notifications
30. 30
Knock x Knock Implementation
UniAuth
Client
Online Service
UIMP
Master Password
UniAuth
Proxy BLE
Computer
Online Service Device
Smartphone
UIMPConventional
Login Form
45. 45
Three-Week Field Study
• First Session
• Setup Knock x Knock on their devices
• Add 5 existing accounts
• Delete passwords for these from their tools
• Try Knock x Knock for three weeks
• Weekly phone interview
• Second Session
• Post interview
46. 46
Participants
• 13 participants
• 19 to 42 years old (mean: 27)
• All of them except one use browser
password auto-fill feature
• One use KeePass
• One use 1Password
47. 47
Knock x Knock Usage
• 22 – 192 logins (mean:93.3, SD: 58.5)
• Participants with small numbers of logins did
not log out from their online accounts
Authentication to websites
Authentication to Mac
48. 48
Likert-Scale Eval (Security)
1: Very Negative and 5: Very Positive
Storing Credentials in iPhone
1 2 3 4 5
Knocking Mac to Unlock
Three Security Tiers
Location-Awareness
49. 49
Likert-Scale Eval (Usability)
1: Very Negative and 5: Very Positive
Storing Credentials in iPhone
1 2 3 4 5
Knocking Mac to Unlock
Three Security Tiers
Location-Awareness
63. 63
Example (Policy)
URI /Information/Authentication_Policy
Method GET
Argument -
Return Value Type (only support password in ver. 1.0)
Length
Lower case (true: allowed / false: not allowed)
Upper case (true: allowed / false: not allowed)
Numbers (true: allowed / false: not allowed)
Special characters (true: allowed / false: not allowed)
Minimum number of lower case letters
Minimum number of upper case letters
Minimum number of numbers
Minimum number of special characters
Update period
67. 67
Question:
How can we pair devices?
Answer:
I also assume that device paring is
done in a secure manner
68. 68
Question:
Can I use UniAuth on public
computers?
Answer:
You can check your password in a
UniAuth client (to be backward
compatible with current practice)
69. 69
Research Contributions
• Design and evaluation
• UniAuth protocol
• Probabilistic authentication framework (CASA)
• Provide a building block for more
natural human-computer interaction
70. 70
One More Lesson
Improve authentication to
a single service
Make the authentications to
multiple services easier
71. 71
One More Lesson
Build a framework that makes
multiple authentication easier
Make the authentications to
multiple services easier
88. 88
Half of applications have too
much/too little access control
Users using security lock
After Unlocking Split Always Available
[%]
89. 89
Half of applications have too
much/too little access control
After Unlocking Split Always Available
[%]
Too hard!
Users using security lock
OK
90. 90
None of Them Are Happy
After Unlocking Split Always Available
[%]
Users using security lock Users NOT using security lock
91. 91
FIDO Bootstrapping
• Service provider should support FIDO
• Third parties should provide FIDO
Servers
• Users should adopt FIDO Clients
Editor's Notes
User authentication a basis of current computer systems.
We cannot imagine a life without emails, facebook, amazon, or twitter. These services are relying on user authentication.
Virtually for all user authentication, we user usernames and passwords
As the number of password increases, they are becoming unmanagable.
Or to make it manageable, people adopt insecure practices. Such as using simple passwords, or reusing one password for multiple accounts.
And there are people who claim passwords are broken.
To address this problem, so many works have proposed ways to improve passwords and password alternatives. However, their adoptions are very limite
In 2012 Bonneau did an exhaustive analysis of password alternatives, and concluded that.
In these works, people focused on authentication scheme, how to login to websites. However there are so many task related to user authentication.
These are account management. If this account management is easy, people would use long, secure, and unique passwords for their accounts So, essentially, we built a management layer without modifying existing password-based authentication.
Then this system will be highly backward-compatible and addressed the deployability challenge. These address the existing challenges in password-based authentication.
Finally, this system can address forthcoming problem too. We are envisioning Internet of Things, where so many physical objects are connected to network.
In this setting, we need some sort of user identification or authentication to these objects. However, these objects do not have appropriate input capability for password-based authentication.
We also addressed this challenge by providing an API set that allows authentication to physical devices in addition to automated account management.
So our system uses password as backend, addresses management problem rather than trying to replace passwords, and provide API set for further improvements.
Here is the basic idea.
We let a client running on a smart device manage all credentials
A user only needs to authenticate to the client. So, he has to mange one client instead of many passwords.
For this authentication we can utilize sensors on the smart device to make it secure and usable.
Then, this client authenticates to online services, devices, and IoT using M2M protocol. So it scales.
Because the user does not have to memorize passwords, the client can use secure passwords.
Finally, if we store many account information in one client, user authentication to this client should be usable and secure. So, I also propose to use Context-Aware Scalable Authentication as an authentication scheme for this. This scheme authenticate users based on information collected by passive sensors, such as GPS or accelerometers to adjust security level of the authentication system.
And I call this entire framework as Unified Authentication Framework, UniAuth in short.
Then, this client authenticates to online services, devices, and IoT using M2M protocol. So it scales.
Because the user does not have to memorize passwords, the client can use secure passwords.
Knock x Knock essentially work as a password manager. It stores all credential of iPhone, and send the credential to Mac seamlessly over BLE.
One of the interesting feature in Knock x Knock is knock to unlock featue.
In Knock x Knock, sers can physically knock their Mac to log into it. Our application running on the Mac detects the knocking using a microphone and SVM classifier. When it detect knocking, it request a login password to iPhone. If a user’s iPhone is nearby, it sends password back, and the application on the Mac generates fake key events to auto-fill the password and log into the mac.
Knocking is very good as an indicator of login. It’s easy to detect using microphone or accelerometer. Also, it has a nice semantic meaning since we tends to knock something when start using it.
This can be expanded to authentication to other physical devices and/or IoT.
One of the novel features is location-aware tiered access control. Uses can assign each credential to one of the three tiers: secure, standard, and quick. Then, the system locks and unlocks these tiers separately using location information and a master password. To login to an account stored in a tier, the tier should be unlocked state.
This table shows how we balance security and usability differently in each tier.
This table shows how we balance security and usability differently in each tier.
This table shows how we balance security and usability differently in each tier.
This table shows how we balance security and usability differently in each tier.
This table shows how we balance security and usability differently in each tier.
Knock x Knock can also provide additional features if server-side supports UIMP. However no service supports UIMP now. So we evaluated these features using paper prototypes. Because time constrain, I cannot talk about details. But essentially participants were really positive about these features.
This graph shows the frequency of user authentication via Knock x Knock. Each bar represents a participant. Y-axis represents total number of authentication during three weeks. The white parts denote authentication to online services. The gray parts denote authentication to Mac.
Here is a result of Likert-scale evaluation by participants. Here 1 denotes very negative and 5 denotes very positive. In this box plot, red lines denotes medians, box represents 25 percentile to 75 parcentile, whiskers represent range except out layers, and red plus represent out-layers. In general, our participants were positive about security of Knock x Knock in terms of these four aspects.
Here is the same analysis on usability of the system . Again, our participants were very positive.
Now, just saying, our participants liked our system, is not that interesting. It’s more insightful why they liked it.
The first qualitative finding is that proximity affected perceived security significantly. Many people said that because passwords are stored in iPhones which were close to them they felt it was secure compared to storing them in computers or cloud, which are not as close as iPhone. I do agree that perceived security is different from real security. But it’s also true that people make decision of whether they use a system or not based on their perceived security. Thus it’s important to design a system with high perceived security to facilitate adoption.
Another reason is related to the availability. When users try a new system, they don’t know how reliable the system is. This negatively affect adoption of the system. In knock x Knock, users can see their passwords by typing their master passwords on their iPhone. So, as long as they have iPhones, thier batteries are charged, and they remember their passwords, they can log into their account by typing the password manually. Our participants had enough experience to estimate baseline availability is predictable. Many participants commented on this when describing why they liked Knock x Knock.
Finally, Knock x Knock provide a smooth transition to better authentication. This is what we think very good rather than our participants mentioned in the interview.
Our results demonstrated that our participants liked Knock x Knock. So, when we release the app, we can expect reasonable adoption. This is the first step. Then, after reasonable adoption of Knock x Knock, now, service providers have incentive to adopt UIMP, because people are already using UIMP compatible applications. This is the second step. Finally, after service provider adopt UIMP, we can replace password-based authenticaiton with more secure one such as asymetirc crypto without affecting user experience. Because, at this point, users are not touching passwords at all, changing it does not affect user experience. At this step, we can finally get rid of passwords.
Then, this client authenticates to online services, devices, and IoT using M2M protocol. So it scales.
Because the user does not have to memorize passwords, the client can use secure passwords.
Finally, if we store many account information in one client, user authentication to this client should be usable and secure. So, I also propose to use Context-Aware Scalable Authentication as an authentication scheme for this. This scheme authenticate users based on information collected by passive sensors, such as GPS or accelerometers to adjust security level of the authentication system.
And I call this entire framework as Unified Authentication Framework, UniAuth in short.
Before describing the details of the proposed solution, let me
UIMP is the name of the M2M protocol. It is designed as RESTful APIs that streamlines not only authentication but also credential management. The protocol consists of four sets of APIs. Because of time constrain I will give just a few examples here. For full specification, please refer my dissertation document.
Here is account creation API. This is very close to what we are doing using a HTML form.
This example is for twitter. But if a user want to create an account at amazon, amazon would need more information about the user and the API will send more information about the user.
Here is a login API. Again this is a direct translation of a HTML form. I chose direct translation to minimize server side modification. Server side already has a code to handle inputs from HTML forms. So if the API pass the same data, sever side can reuse the same code to handle it.
In addition to replacing existing interaction, UIMP also provides natural transition to make current user authentication better. Here is an example. This API essentially make password composition policy machine readable. Making it machine readable already have some benefit. Existing password managers have password generation features, but generating password that comply with various policies is challenging. This API make it simple.
Now, let me talk about an overview of UniAuth framework
In a conventional way, users are managing all account information such as user IDs and passwords
They may use variety of tools that support password management, such as sticky notes, auto fill features in web browsers, or password management applications.
However, still, users have to deal with accounts by themselves in many situations, such as password update, account creation, updating account information.
Because of this, when the number of services and devices increases, the users’ workload increases too.
I propose putting one client between the services and users, and let the client manage all account information.
Furthermore, to allow the client communicate with services and devices smoothly, I define a protocol, which is a set of APIs. Using the protocol, the client can not only manage authentication, but also other tasks related to account management, such as creating account, updating passwords, monitoring the account activities.
Finally, if we store many account information in one client, user authentication to this client should be usable and secure. So, I also propose to use Context-Aware Scalable Authentication as an authentication scheme for this. This scheme authenticate users based on information collected by passive sensors, such as GPS or accelerometers to adjust security level of the authentication system.
And I call this entire framework as Unified Authentication Framework, UniAuth in short.
Finally, if we store many account information in one client, user authentication to this client should be usable and secure. So, I also propose to use Context-Aware Scalable Authentication as an authentication scheme for this. This scheme authenticate users based on information collected by passive sensors, such as GPS or accelerometers to adjust security level of the authentication system.
And I call this entire framework as Unified Authentication Framework, UniAuth in short.
Now let’s look at how each participants categorized applications.
This graph shows the categorization on phones by participants using security locks.
The red parts denote the application in the available only after unlocking, the green parts shows the split category, and the blue parts denote the applications in always available.
Because those participants used security locks on their phones. They were happy about the red parts. The applications were protected when the devices were locked.
But, they were not happy about the blue parts. They wanted these application to be available even when the devices were locked. However, they had to unlock the devices to use these applications.