bootstrapping mobile pins using passwords markus jakobsson debin liu information risk management...
TRANSCRIPT
Bootstrapping Mobile PINs Using Passwords
Markus JakobssonDebin Liu
Information Risk ManagementPayPal
A Bit about Authentication
2
1 2 3 4 5
Short battery life
Slow Web connection
Lack of coverage
Poor voice quality
Small screen
size
Difficulty customizing
settings
Difficulty authenticating
Commercial Four-Letter Word
“Friction”
A Bit About Human Memory
Not so amazing
Common PIN
Your spouse’s birthday
Love/Hate
PINs
What will users see
Example User Mapping
“Blu2thRules” “2582”
Opportunistic Derivation
Access; Truncate; Map; Store
Special Characters
~1.5%
Can be reduced
Special Phones
Need numeric pad
Strong password, weak PIN
“1234Brew$g”, “1begHELP”
Password change?
Dual Universes
Measuring Security
Raided Dropboxes
Entropy of Derived PINs
FSP (8359) SNP (2873) Malware (16192)0
2
4
6
8
10
12
14
12
10.59.7
10.910
9.2
1.10.5 0.5
pwd4 EntropyPIN EntropyInformation Loss by Mapping
Data Sources (Size)
Info
rmat
ion
En
trop
ies
Special Characters
FSP (8359) SNP (2873) Malware (16192)0.00%
5.00%
10.00%
15.00%
20.00%
25.00%
30.00%
35.00% 32.16%
11.14%
26.96%
1.44% 1.95%
6.16%
Percentage of Passwords using Upper Case Letters
Percentage of Passwords using Special Characters
Data Sources (Size)
Per
cen
tage
Imagine PIN Theft
0
2
4
6
8
10
12
14
16
18
20
Experiment
What is Joe’s PIN?
Joe uses a PIN to access his PayPal account from his phone. But he does not want to have to remember another number, and he does not want to reuse his banking PIN. So he uses PayPal’s new “password to PIN” feature so that he only has to remember his password. Joe’s password is “Blu2thrules”. Look at the screen-shot below and let us know what PIN he should enter.
Usability of Derived PINs25-subject Qualitative study
Successful but Slow 24%
Failed12%
Successful and Fas
t64%
Usability of Derived PINs100-subject Quantitative study
Likely Successful22%
Failed10%
Successful68%
Other things I pitch
Address web/app spoofing: www.SpoofKiller.com
Mobile-friendly passwords: www.fastword.me
Mobile malware detection: www.fatskunk.com
Etc: www.markus-jakobsson.com