improving usable authentication

34 slides
©2009 Carnegie Mellon University : 1 Improving Usable Authentication Jason Hong [email protected]

Upload: jason-hong

Post on 27-Jan-2015


DESCRIPTION

This talk has a summary of the research (up to 2011) that my team has been doing in improving the usability of various forms of authentication. One

TRANSCRIPT

Page 1: Improving Usable Authentication


Improving Usable Authentication

Jason Hong [email protected]

Page 2: Improving Usable Authentication

Problems with Passwords

• People forget passwords
– Special characters, length, change every 4 weeks => wasted time, helpdesk costs
– NYTimes site: 100k readers forget password; 15% of "new" users are old
– Beverage company: 30% of help desk calls password-related, cost $900k / yr

Page 3: Improving Usable Authentication


Problems with Passwords

• People fall for phishing attacks
– Estimated 0.4% of Internet users per year
– Loss of corporate secrets, customer data, financial info

Page 4: Improving Usable Authentication


Passwords Also Don’t Scale Up

• Passwords good if you only have a few
• But passwords aren't scaling as devices and services become pervasive
– Laptop, mobile phone, VPN, email (x2), Wii Fit, WiFi, ATM, PDFs, and dozens of web sites

Page 5: Improving Usable Authentication

Coping Mechanisms Cause Problems

• People cope by using weak passwords
– RockYou: top 20 passwords used in 2.6% of accounts
• People cope by reusing passwords
– Breach on social networking site means breach on your site too
– Ex. HBGary CEO used same password for email, iPad, Twitter, LinkedIn

Page 7: Improving Usable Authentication


Past Work: Use Your Illusion

• Problem:
– Hard to remember passwords
– Picture-based approaches are memorable but easy to guess
• Solution:
– Use blurred pictures to balance security with usability
– User tests have shown high memorability and hard to guess

Page 8: Improving Usable Authentication


Ongoing Research Projects

• WebTicket
– Cheap printable tokens for a reliable way to log in
• Casual Authentication
– Modulate level of authentication needed based on prior probability that it's me
• Ex. Probability of me in Brazil is very low
• Ex. Probability of me at home is high

Page 9: Improving Usable Authentication


WebTicket

• Originated from discussion of elderly
– Not only couldn't remember password, couldn't remember what web site to go to
• Not trying to solve authentication for power users
– Gaw and Felten found undergrads had 3.3 passwords for 7.8 accounts
– In our diary study, people had 11.4 accounts and often reused passwords

Page 10: Improving Usable Authentication


How WebTicket Works

• Browser plug-in for creating new accounts
– Strong passwords are assigned
– Users do not know their passwords
• Print out ticket
– Ticket is encrypted to work only with specific computer(s)
– QR code: URL, username, password
• To log in, show ticket to webcam
– Can't fall for phishing attacks

Page 11: Improving Usable Authentication


Logging In with WebTicket

Page 12: Improving Usable Authentication


WebTicket

• Design:
– Very cheap (paper + printer + webcam)
– Compatible with existing systems
– Easy to deploy
– Easy to teach: treat it like a house key
• Weaknesses:
– Not meant for commonly used passwords
– Tickets can get damaged or lost
– Need to store main encryption key

Page 13: Improving Usable Authentication


WebTicket

• Surprises:
– Our strong password generator only worked for 76% of web sites
– Ex. some sites don't allow symbols, or don't allow certain symbols
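The issue-and-redeem flow from the "How WebTicket Works" slide, together with the per-site symbol restriction reported above, as an added Python example; this is not WebTicket's own code. It assumes a stand-in for the plug-in's encryption (an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag under a per-computer key, chosen so the block needs only the standard library; a real deployment would use an AEAD such as AES-GCM), an assumed ticket layout of nonce || ciphertext || tag, an assumed default symbol set, and an origin check on redemption. The machine key is the "main encryption key" the Weaknesses slide says must be stored.

```python
"""WebTicket-style ticket issue and redeem (added example, not the project's code)."""
import base64
import hashlib
import hmac
import json
import os
import secrets
import string
from urllib.parse import urlsplit

# Hypothetical per-site rule: the talk reports that some sites reject some or all symbols,
# so the generator takes the symbol set the site allows ("" for none).
DEFAULT_SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
NONCE_LEN, TAG_LEN = 16, 32


def new_machine_key() -> bytes:
    """Per-computer secret the plug-in keeps locally (the 'main encryption key')."""
    return os.urandom(32)


def generate_password(length: int = 16, symbols: str = DEFAULT_SYMBOLS) -> str:
    """Random password with at least one lowercase, uppercase, digit and (if allowed) symbol."""
    alphabet = string.ascii_letters + string.digits + symbols
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        ok = [any(c.islower() for c in pw), any(c.isupper() for c in pw), any(c.isdigit() for c in pw)]
        if symbols:
            ok.append(any(c in symbols for c in pw))
        if all(ok):
            return pw


def _subkeys(machine_key: bytes):
    """Separate encryption and MAC keys derived from the machine key."""
    enc = hmac.new(machine_key, b"webticket-enc", hashlib.sha256).digest()
    mac = hmac.new(machine_key, b"webticket-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in keystream (assumption; use AES-GCM in practice)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(machine_key: bytes, record: dict) -> str:
    """Encrypt-then-MAC the credential record; the base64 string is what the QR code would carry."""
    enc, mac = _subkeys(machine_key)
    nonce = os.urandom(NONCE_LEN)
    pt = json.dumps(record, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc, nonce, len(pt))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode()


def open_ticket(machine_key: bytes, ticket: str) -> dict:
    """Verify the tag under this computer's key before decrypting; any other computer gets a ValueError."""
    enc, mac = _subkeys(machine_key)
    raw = base64.b64decode(ticket)
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket was not issued for this computer")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))
    return json.loads(pt)


def _origin(url: str):
    """(scheme, host, port) of a URL; the only thing compared at redemption."""
    u = urlsplit(url)
    return (u.scheme.lower(), (u.hostname or "").lower(), u.port)


def issue_ticket(machine_key: bytes, url: str, username: str, symbols: str = DEFAULT_SYMBOLS):
    """Account creation: assign a strong password the user never sees and seal it into a ticket."""
    password = generate_password(symbols=symbols)
    return seal(machine_key, {"url": url, "username": username, "password": password}), password


def redeem(machine_key: bytes, ticket: str, page_url: str):
    """Login: release credentials only to the origin stored in the ticket, so a look-alike site gets nothing."""
    record = open_ticket(machine_key, ticket)
    if _origin(record["url"]) != _origin(page_url):
        return None
    return record["username"], record["password"]
```

Two properties of the slides fall out of this layout. A ticket shown to a phishing page is refused by `redeem` because the page origin does not match the one sealed at issue time, which is the "can't fall for phishing" claim; and a ticket photographed or scanned by someone else yields only nonce, ciphertext and tag, so without the machine key `open_ticket` fails, which is the "data still encrypted" caveat from the study results.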

Page 14: Improving Usable Authentication


WebTicket User Study

• Two studies, 55 people total
– Tested for phishing attacks in study #2
– Two conditions: password and WebTicket
• Experiment
– Create a few accounts
– Log in to a few sites
– Come back a week later, log in again

Page 15: Improving Usable Authentication


WebTicket Study Results

• 1/4 of people using passwords could not log in again a week later
– Didn't restrict what passwords people used
• Login time for WebTicket slower at first, faster a week later
• WebTicket perceived as easier and faster
• Simulated phishing attack
– All in password condition fell for it
– 30% of people using WebTicket did (though data still encrypted)

Page 16: Improving Usable Authentication


Ongoing and Future Work

• Mobile phone version to scale up
– A strong password manager
– Can't fall for phish either

Page 17: Improving Usable Authentication


Ongoing Work

• Can encode more data in the ticket
– QR codes can hold 3k of data
– Ex. "Login only if in CyLab office or home"
– Ex. "Login only if parents at home"
– Ex. "Login only if between 5-8pm"
– Ex. "Notify parents when you login"
– Ex. Include face biometric data
• Field deployment of WebTicket

Page 18: Improving Usable Authentication


Casual Authentication

• Observation:
– Level of authentication needed is the same regardless of context
• Idea:
– Use commodity sensors + behavioral analysis to estimate prior probabilities (cheap multi-factor authentication)
– Modulate level of authentication needed
• In likely situations, make logins fast
• In unlikely situations, make it reliable

Page 19: Improving Usable Authentication


Example Scenarios

• Scenario 1 – Mobile device
– Prior probability of me being in my office is high, make authentication fast
– Prior probability of me being in Brazil is low, so make authentication reliable
• Scenario 2 – Home
– Wake up in morning, go to computer
– Weight sensor in chair, height sensor via Kinect, mobile device nearby
– Use face recognition to log in (fast)

Page 20: Improving Usable Authentication


Example Passive Factors

• Cheap, invisible, multi-factor
• Examples for mobile scenario
– Location
– IP address
– WiFi MAC address
– Bluetooth / devices nearby (smartphone)
– Tilt (how you hold device)
• Examples for work/home scenario
– Kinect for height and body shape
– Weight sensors
– Gait (how you walk)

Page 21: Improving Usable Authentication


Example Active Factors

• Passwords
• Biometrics
• Multiple secret questions
• Email verification
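The casual-authentication idea from the preceding slides (estimate a prior from passive factors, then modulate which active factors are demanded), as an added Python example rather than code from the talk's prototypes. It combines the mobile-scenario passive factors (location, WiFi, Bluetooth phone nearby, IP) by naive Bayes: each factor contributes a log likelihood ratio on top of a prior. The location shares are the diary-study login percentages quoted later in the deck; every other number (the prior odds, the per-factor likelihoods, the unseen-place floor, the impostor place distribution and the decision thresholds) is an assumed, illustrative constant, and `Observation`, `posterior` and `required_factors` are names chosen here.

```python
"""Casual authentication: passive factors set a prior, which picks the active factors (added example)."""
import math
from dataclasses import dataclass

# Login shares from the talk's diary study (home 59.2%, office 25.1%, public 6.9%, school 6.2%, other 2.4%).
LOGIN_SHARE = {"home": 0.592, "office": 0.251, "public": 0.069, "school": 0.062, "other": 0.024}
UNSEEN_PLACE = 0.001      # assumed: owner almost never logs in from a place absent from the profile (e.g. Brazil)
IMPOSTOR_PLACE = 0.2      # assumed: someone holding a stolen device is equally likely in any place class
PRIOR_ODDS = 9.0          # assumed: before any sensor reading, 90% of unlock attempts are by the owner

# Assumed per-factor likelihoods (P(observed | owner), P(observed | impostor)); illustrative constants only.
LIKELIHOOD = {
    "wifi_known": (0.90, 0.05),    # a WiFi MAC address the device has associated with before
    "phone_nearby": (0.85, 0.02),  # owner's phone visible over Bluetooth
    "ip_known": (0.80, 0.10),      # public IP in a previously seen range
}

# Active-factor sets, drawn from the talk's list of active factors.
FAST = ["face"]                                                        # likely situation: one quick biometric
NORMAL = ["password"]
RELIABLE = ["password", "secret_questions", "email_verification"]      # unlikely situation


@dataclass(frozen=True)
class Observation:
    place: str
    wifi_known: bool
    phone_nearby: bool
    ip_known: bool


def log_odds(obs: Observation) -> float:
    """Naive-Bayes combination: add each factor's log likelihood ratio to the prior log-odds."""
    lo = math.log(PRIOR_ODDS)
    lo += math.log(LOGIN_SHARE.get(obs.place, UNSEEN_PLACE) / IMPOSTOR_PLACE)
    for name, present in (("wifi_known", obs.wifi_known),
                          ("phone_nearby", obs.phone_nearby),
                          ("ip_known", obs.ip_known)):
        p_owner, p_impostor = LIKELIHOOD[name]
        if not present:                      # absence of an expected factor is evidence too
            p_owner, p_impostor = 1 - p_owner, 1 - p_impostor
        lo += math.log(p_owner / p_impostor)
    return lo


def posterior(obs: Observation) -> float:
    """P(it's me | passive factors)."""
    return 1.0 / (1.0 + math.exp(-log_odds(obs)))


def required_factors(obs: Observation, fast_at: float = 0.99, normal_at: float = 0.5):
    """Modulate the active factors demanded: fast when the prior is high, reliable when it is low."""
    p = posterior(obs)
    if p >= fast_at:
        return FAST
    if p >= normal_at:
        return NORMAL
    return RELIABLE
```

With these constants the office scenario (known WiFi, phone nearby, known IP) lands above 0.99 and gets the fast path, while an unknown country with none of the familiar signals lands below 0.01 and gets the reliable path. The thresholds are the policy knob a deployment would tune against the false-accept rates the research plan proposes to measure; the likelihoods are what the "systematically evaluate passive factors" step would have to estimate from data.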

Page 22: Improving Usable Authentication


Examples of Location Context

• Personal frequency to that place
– Analysis of 20 people's GPS locations
– 66.2% of time spent at home
– 20.2% - Work
– 6.3% - Some third place
• Where people log in
– Diary study of 20 people over 2 weeks
– Home accounted for 59.2% of logins
– Work accounted for 25.1% of logins
– Public places, school, other: infrequent

Page 23: Improving Usable Authentication


Examples of Location Context

• Location entropy
– Concept taken from ecology
– Number of unique people seen in a place
– Approximates public vs private

Page 25: Improving Usable Authentication


Other Kinds of Location Info

• Personal location info
– Personal frequency
– Mobility
• Place info
– Going beyond behavior analytics of people to include analytics of places
– Churn – same people or different?
– Transience – amount of time spent
– Burst – regularity of people seen
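The location-context features from the last three slides (personal frequency, location entropy, churn and transience), computed over a constructed visit log as an added Python example; none of this is code or data from the talk. The entropy is the Shannon entropy of visits across distinct users, the usual formalisation of "number of unique people seen in a place" (for n equally frequent visitors it equals log2 n); the definitions of churn as the share of one-time visitors, transience as mean hours per visit, and the public/private cut-off at 2 bits are simplifications assumed here. Burst (regularity over time) needs timestamps the constructed log does not carry and is left out.

```python
"""Place analytics for casual authentication: personal frequency, entropy, churn, transience (added example)."""
import math
from collections import Counter

# Constructed visit log (user, place, hours spent); not data from the talk's GPS or diary studies.
VISITS = [
    ("alice", "home", 10.0), ("alice", "home", 10.0), ("alice", "home", 10.0),
    ("alice", "home", 10.0), ("alice", "home", 10.0), ("alice", "home", 10.0),
    ("alice", "office", 8.0), ("alice", "office", 8.0), ("alice", "office", 8.0),
    ("bob", "office", 9.0), ("bob", "office", 9.0), ("bob", "office", 9.0),
    ("alice", "cafe", 0.5), ("carol", "cafe", 0.5), ("dan", "cafe", 0.5),
    ("erin", "cafe", 0.5), ("frank", "cafe", 0.5), ("gina", "cafe", 0.5),
]


def personal_frequency(visits, user):
    """Share of this user's visits at each place (visit-based; the talk's figure was time at place)."""
    counts = Counter(place for u, place, _ in visits if u == user)
    total = sum(counts.values())
    return {place: n / total for place, n in counts.items()}


def location_entropy(visits, place):
    """Shannon entropy (bits) of visits over distinct users: 0 for a one-person place, log2(n) for n equal visitors."""
    by_user = Counter(u for u, p, _ in visits if p == place)
    total = sum(by_user.values())
    return -sum((n / total) * math.log2(n / total) for n in by_user.values())


def churn(visits, place):
    """Fraction of visits at the place made by one-time visitors (same people, or different?)."""
    by_user = Counter(u for u, p, _ in visits if p == place)
    total = sum(by_user.values())
    return sum(n for n in by_user.values() if n == 1) / total


def transience(visits, place):
    """Mean hours per visit at the place (amount of time spent)."""
    hours = [h for _, p, h in visits if p == place]
    return sum(hours) / len(hours)


def is_public(visits, place, entropy_threshold=2.0):
    """Public vs private from entropy alone; the threshold is an assumed cut-off, not from the talk."""
    return location_entropy(visits, place) >= entropy_threshold


def place_profile(visits, place):
    """The per-place features a casual-authentication policy would consume."""
    return {
        "entropy_bits": location_entropy(visits, place),
        "churn": churn(visits, place),
        "mean_hours": transience(visits, place),
        "public": is_public(visits, place),
    }
```

On this log the home is private (one visitor, entropy 0, churn 0, long stays), the office is shared but stable (two regulars, 1 bit, churn 0), and the cafe is public (six different people, about 2.58 bits, churn 1, short stays). A policy would treat a login from a high-entropy, high-churn place as an unlikely situation for that user even if the personal-frequency lookup alone looked ordinary.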

Page 26: Improving Usable Authentication


Current Plan of Research

• Systematically evaluate passive factors
• Develop and evaluate threat models
• Techniques for integrating prior probabilities
• Develop and deploy prototypes
– Mobile case
– Work/Home
• Evaluate security and usability
– Ease of use, time to log in
– False accept rates, expert analysis

Page 27: Improving Usable Authentication


Long-term Opportunities

• Starting with casual authentication for devices
– Could be extended in future to password managers as well
• Could be part of trusted computing base in future
– Custom chips for secure sensing
– Support for server-side authentication too

Page 29: Improving Usable Authentication


Threat Model (Ideal)

[Figure: 2x2 grid of attacker capability. Axes: Knowledge of security (Little / Lots) and Knowledge of User (Little / Lots). Cell labels: "No difference with regular authentication" (two cells), "Could possibly mimic passive factors, would also need active factors", and "?".]

Page 30: Improving Usable Authentication


Other Approaches

• Two-factor authentication
– Cost
– Requires server support
• Password managers
– Can still fall for phishing
– No guarantee of strong password
• Biometrics
– Marios' talk next
– False positives / false negatives

Page 31: Improving Usable Authentication


Diary Study

Page 32: Improving Usable Authentication


Diary Study

Page 33: Improving Usable Authentication


Diary Study

• Where people log in

Place          Share of logins
Home           59.2%
Office         25.1%
Public place    6.9%
School          6.2%
Other           2.4%

Page 34: Improving Usable Authentication


Our Diary Study of Passwords

• 20 participants over 2 weeks
– Had participants rank importance of account
– 5 means very concerned if someone else could obtain access to an account