Download - Presenter: Shary Johana Llanos Antonio
![Page 1: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/1.jpg)
It’s no secretMeasuring the security and reliability of
authentication via ‘secret’ questionsBy Schechter, Brush and Egelman ® 2009
Presenter: Shary Johana Llanos Antonio
![Page 2: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/2.jpg)
![Page 3: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/3.jpg)
Outline• Motivation• Introduction• Background• Study• Comparing Algorithms• Results• Discussion and Conclusion
![Page 4: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/4.jpg)
Goals
• Quantify the security and reliability of personal authentication questions.
• Examine the vulnerability of these questions to statistical guessing attacks.
![Page 5: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/5.jpg)
Outline• Motivation• Introduction• Background• Study• Comparing Algorithms• Results• Discussion and Conclusion
![Page 6: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/6.jpg)
Introduction• This work ran a study about how all four (4) of the most popular webmail providers rely on personal questions as the secondary authentication secrets used to reset account passwords.
![Page 7: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/7.jpg)
• 17% Partner Guess• 13% Guess in 5 attempts using statistical guessing
• For user written Q&A, 15% Guessable within 5 tries without knowledge of the victim
Introduction
![Page 8: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/8.jpg)
Outline• Motivation• Introduction• Background• Study• Comparing Algorithms• Results• Discussion and Conclusion
![Page 9: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/9.jpg)
Sarah Palin’s email hacked
• Sarah Palin’s Yahoo! Mail account was hacked in Sep 2008 via her secret question
• First secret question was... “where did you meet your spouse?”
• Second question was... “what is your birthdate?”
![Page 10: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/10.jpg)
Outline• Motivation• Introduction• Background• Study• Comparing Algorithms• Results• Discussion and Conclusion
![Page 11: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/11.jpg)
Study• Authors ran a user study for those questions used by all four top webmail providers.
• Prior studies concluded:33-39% of their answers guessed by spouses, family and close friends and that Participants forgot 20-22% of their own answers within 3 months
![Page 12: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/12.jpg)
Secret Questions Online
![Page 13: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/13.jpg)
Study
• Total participants: 130 in 4 groups.
• 64 male, 66 females.• 3 groups(116 persons) were active Hotmail users.
• Each participant invited a partner.
![Page 14: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/14.jpg)
Recruitment
![Page 15: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/15.jpg)
Limitations• Awards
– They offered two prizes (an XBOX 360
and a Zune digital music player) and
gave participants a virtual lottery
ticket for each question they both
answered and later recalled.
![Page 16: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/16.jpg)
Limitations• Authors anticipated participants might1. try to increase their chance of recalling their answers by providing the same answer for all questions
– They added a rule that eliminated rewards for recalling the same answer numerous times
2. Participants might record their answers
– They did not inform participants that we would follow-up to test their recollections in the future.
![Page 17: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/17.jpg)
Outline• Motivation• Introduction• Background• Study• Comparing Algorithms• Results• Discussion and Conclusion
![Page 18: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/18.jpg)
Answer comparison algorithms
• equality– an artifact in their study: the Illume survey software they used to collect the answers fails to store carriage returns
• substring– treated a guess as valid if it contained a substring that matched the original answer
• distance– Levenshtein edit distance algorithm
![Page 19: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/19.jpg)
Answer comparison algorithms (cont.)
• distance algorithm:– reduced the cost of transpositions of two characters (‘swapped’‘sawpped’) from two to one
– They allowed one error (an edit distance cost of one) for every five characters in the original answer
• Change from substring to distance:– reduces the number of answers forgotten (not recalled within 5 attempts) by 2.5% (11.3% reduction)
– increased the percentage of answers guessed by participants’ partners by 1.4% (6.8% relative increase)
![Page 20: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/20.jpg)
![Page 21: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/21.jpg)
Closely analysis
• The trade-off was well worth it:
• In 34 of the 40 cases where a guess was
treated as incorrect by the substring
algorithm but correct by the distance
algorithm (80%), the guessing partner
clearly knew the correct answer.
• The difference was a one character typing
error that an attacker could easily fix
with a second guess.
![Page 22: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/22.jpg)
Outline• Motivation• Introduction• Background• Study• Comparing Algorithms• Results• Discussion and Conclusion
![Page 23: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/23.jpg)
23
Results
![Page 24: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/24.jpg)
Real-world memorability results
• Resetting Hotmail passwords needs– An correct answer to a personal question & correct answer to zip code
• Only 43 out of 99 (43%) reported participants were able to successfully provide the correct answer to their personal question and zip code, the rest 57%:– 75% unable to answer their personal question
– 31% unable to recall the zip code
![Page 25: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/25.jpg)
Real-world memorability results
– 31% unable to recall the zip code– A surprising 13% of participants suspected that the reason they could not answer their personal question was because they had intentionally provided a bogus answer when setting up their account.
![Page 26: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/26.jpg)
Main results• The results for all questions used by the top four webmail services (as of March, 2008) are summarized in Table 4.– Willingness to answer
• “not willing”, “unknown”, and “don’t have one”– Reliability (memorability)– Security against statistical guessing
• An answer is deemed vulnerable to this attack if it is among the five most popular answers provided by other participants (excluding the participant’s partner)
– Security against guessing by acquaintance
![Page 27: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/27.jpg)
Results analysis• Google’s questions performed the best since the overall guess rate was just 4%.
• Questions with answers that participants found easiest to recall appeared to be those that their partners found easiest to guess.
• A non-parametric Kendall test, examining the correlation between the fraction of answers recalled for each question and the fraction guessed by participants’ partners, indicates a strong correlation,
![Page 28: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/28.jpg)
The security of user-written questions
2. Vulnerable with no personal knowledge other than geographic region(31 of 127, 24%)i. Answer can be found via simple web search (2, 2%)
What’s your favorite cookie at Panera Bakery?ii.Answer space <= 5 (11, 8%), <= 10 (15, 12%) & <= 25 (18, 14%)
How many children do I have?What is my blood type?
iii.Answer high on easily searchable popularity lists, top 5 (6, 5%), top 25 (11, 7%)Favorite Food What sports team would you love to see lose
3. Vulnerable to coworkers, clients, or family members (32 of 127, 25%)
![Page 29: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/29.jpg)
Outline• Motivation• Introduction• Background• Study• Comparing Algorithms• Results• Discussion and Conclusion
![Page 30: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/30.jpg)
Discussions• Improving questions to reduce vulnerability to
statistical guessing attacks:– responses could be penalized in proportion to their popularity
– reduce the proportion of popular answers: rejecting answers that exceed a certain threshold of popularity (e.g. 1%)
• Alternative backup authenticators– authentication via a code sent to an alternate email address – not viable for users’ primary email accounts
– mobile phones – frequently shared, lost, and stolen
– User-selected trustees vouch for the identity of the user.
![Page 31: Presenter: Shary Johana Llanos Antonio](https://reader036.vdocument.in/reader036/viewer/2022081515/56816743550346895ddbf6c6/html5/thumbnails/31.jpg)
Conclusions• Question?