bootstrapping mobile pins using passwords
DESCRIPTION
Bootstrapping Mobile PINs Using Passwords. Markus Jakobsson Debin Liu Information Risk Management PayPal. A Bit about Authentication. Difficulty customizing settings. Difficulty authenticating. Short battery life. Lack of coverage. - PowerPoint PPT PresentationTRANSCRIPT
Bootstrapping Mobile PINs Using Passwords
Markus JakobssonDebin Liu
Information Risk ManagementPayPal
A Bit about Authentication
2
1 2 3 4 5
Short battery life
Slow Web connection
Lack of coverage
Poor voice quality
Small screen
size
Difficulty customizing
settings
Difficulty authenticating
Commercial Four-Letter Word
“Friction”
A Bit About Human Memory
Not so amazing
Common PIN
Your spouse’s birthday
Love/Hate
PINs
What will users see
Example User Mapping
“Blu2thRules” “2582”
Opportunistic Derivation
Access; Truncate; Map; Store
Special Characters
~1.5%Can be reduced
Special Phones
Need numeric pad
Strong password, weak PIN
“1234Brew$g”, “1begHELP”
Password change?
Dual Universes
Measuring Security
Raided Dropboxes
Entropy of Derived PINs
FSP (8359) SNP (2873) Malware (16192)0
2
4
6
8
10
12
1412
10.59.7
10.910
9.2
1.1 0.5 0.5
pwd4 EntropyPIN EntropyInformation Loss by Mapping
Data Sources (Size)
Info
rmat
ion
Ent
ropi
es
Special Characters
FSP (8359) SNP (2873) Malware (16192)0.00%
5.00%
10.00%
15.00%
20.00%
25.00%
30.00%
35.00% 32.16%
11.14%
26.96%
1.44% 1.95%6.16%
Percentage of Passwords using Upper Case Letters
Percentage of Passwords using Special Characters
Data Sources (Size)
Perc
enta
ge
Imagine PIN Theft
02468
101214161820
ExperimentWhat is Joe’s PIN?
Joe uses a PIN to access his PayPal account from his phone. But he does not want to have to remember another number, and he does not want to reuse his banking PIN. So he uses PayPal’s new “password to PIN” feature so that he only has to remember his password. Joe’s password is “Blu2thrules”. Look at the screen-shot below and let us know what PIN he should enter.
Usability of Derived PINs25-subject Qualitative study
Successful but Slow 24%
Failed12%
Successful and Fas
t64%
Usability of Derived PINs100-subject Quantitative study
Likely Successful22%
Failed10%
Successful68%
Other things I pitch
Address web/app spoofing: www.SpoofKiller.com
Mobile-friendly passwords: www.fastword.meMobile malware detection: www.fatskunk.com
Etc: www.markus-jakobsson.com