Use Your Illusion: Secure Authentication Usable Anywhere
Eiji Hayashi, Nicolas Christin, Rachna Dhamija, Adrian Perrig
Carnegie Mellon CyLab Japan
Key Concept: Distortion
You can recognize a baby now because you know the original picture
(Pictures: Distorted Picture, Original Picture)
Use Your Illusion
Graphical Authentication
• Passfaces
• Pass Points
• DAS (Draw-A-Secret)
• Déjà vu
Passfaces
• Faces are used as a graphical portfolio
• Preference could be a limitation
Cited from “On User Choice in Graphical Password Schemes”, Darren Davis et al., 2004
Pass Points
• Use “a sequence of clicks” as a shared secret
• There are hot spots
Cited from “Authentication Using Graphical Passwords: Basic Results”, Susan Wiedenbeck et al., 2004
Most Straightforward Way
• Choose graphical portfolio from a set of pictures
Graphical Portfolio
• If a user can choose whatever graphical portfolio…
• If system assigns portfolio randomly…
Fundamental Tradeoff
(Figure: Security vs. Memorability)
“Use Your Illusion”
1. Allow users to take/choose pictures by themselves
2. Distort the pictures
3. Assign the distorted pictures as graphical portfolio
“Use Your Illusion”
1. Allow users to take/choose pictures by themselves
2. Distort the pictures
3. Assign the distorted pictures as graphical token
(Figure: Security vs. Memorability)
Requirements for Distortion
• One-way
• Discarding precise shapes and colors
• Preserving rough shapes and colors
Oil Painting Filter
• Choose the RGB values which appear most frequently in a neighborhood
Oil Painting Filter
Distortion Level
• If high, difficult to guess but difficult to memorize
• If low, easy to memorize but easy to guess
Distortion Level
• Two parameters affect distortion level
– If too high, not usable
– If too low, not secure
(Figure: Security vs. Memorability)
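The oil painting filter and its distortion level, as an added example that is not the authors' prototype code. It assumes the two parameters are a neighborhood radius and a number of color levels per channel (the slides do not name them), and it runs on small constructed images to show the one-way requirement: two different originals give the same distorted picture, while the rough shape is preserved.

```python
from collections import Counter

def oil_paint(img, radius=1, levels=4):
    """Mode filter over a (2*radius+1)^2 window on colours quantised to
    `levels` steps per channel. img is a list of rows of (r, g, b) tuples."""
    h, w, step = len(img), len(img[0]), 256 // levels
    out = []
    for y in range(h):
        row = []
        for x in range(w):
            votes = Counter()
            for ny in range(max(0, y - radius), min(h, y + radius + 1)):
                for nx in range(max(0, x - radius), min(w, x + radius + 1)):
                    # Quantise first: precise colours are discarded here.
                    votes[tuple(min(c // step, levels - 1) for c in img[ny][nx])] += 1
            # Most frequent bucket wins; ties go to the smallest bucket
            # (a tie-break assumed here so the output is deterministic).
            best = min(votes, key=lambda b: (-votes[b], b))
            row.append(tuple(c * step + step // 2 for c in best))
        out.append(row)
    return out

def two_tone(left, right, rows=4, cols=6):
    """Constructed sample: left half one colour, right half another."""
    return [[left if x < cols // 2 else right for x in range(cols)] for _ in range(rows)]

# Two constructed originals: same rough layout, different exact colours,
# and B carries a one-pixel white speckle that A does not have.
ORIGINAL_A = two_tone((200, 30, 30), (20, 40, 210))
ORIGINAL_B = two_tone((230, 10, 50), (5, 60, 250))
ORIGINAL_B[1][1] = (255, 255, 255)

def demo():
    a, b = oil_paint(ORIGINAL_A), oil_paint(ORIGINAL_B)
    return {
        "inputs_differ": ORIGINAL_A != ORIGINAL_B,
        "outputs_equal": a == b,              # many-to-one: not invertible
        "edge_kept": (a[0][2], a[0][3]),      # rough shape survives
        "no_distortion": oil_paint(ORIGINAL_B, radius=0, levels=256) == ORIGINAL_B,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With radius 0 and 256 levels the filter returns the original unchanged, which is the "too low, not secure" end of the tradeoff; raising the radius or lowering the levels discards more detail.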
Low-Fidelity Test
(Pictures shown from most distorted to least distorted)
It’s a dog!!
Difficult to guess w/o knowing original picture
Can’t recognize a dog
Easy to recognize w/ knowing original picture
Satisfies requirements
Prototype
• Implemented on Nokia’s cell-phone for usability test
• Also implemented on the web
Prototype
Demo
Usability Test
• 45 participants for 1 week
• 54 participants for 4 weeks
1st Usability Test
• 45 participants were divided into 3 groups
– Self-selected, Non-distorted
– Self-selected, Distorted (Use Your Illusion)
– Imposed, Highly-distorted
Self-selected, Non-distorted
Self-selected, Distorted
Imposed, Highly-distorted
Procedure
Date | Task
Before the 1st day | Take 3 pictures
The 1st day | Memorize portfolio; Practice; Authenticate
2 days after | Authenticate
1 week after | Authenticate; Fill out questionnaires
Success Rate
Group | The 1st day | 2 days after | 1 week after
Self-selected, Non-distorted | 100% (15) | 100% (15) | 100% (15)
Self-selected, Distorted | 100% (15) | 100% (15) | 100% (15)
Imposed, Highly-distorted | 93.3% (14) | 73.3% (11) | 73.3% (11)
Authentication Time (Mean)
(Chart comparing: Imposed, Highly-distorted; Self-selected, Distorted; Self-selected, Non-distorted)
Process of Memorization
• Participants assign meanings to distorted pictures
• Assigning meanings helps memorization
(Pictures: Mountain, Sea, Moai statue)
2nd Usability Test
• 54 participants were divided into 3 groups
– Self-selected, Non-distorted
– Self-selected, Distorted
– Imposed, Distorted
• Authenticate
– On the 1st day
– 2 days after
– 1 week after
– 4 weeks after
Imposed, Distorted
Success Rate
Group | The 1st day | 2 days after | 1 week after | 4 weeks after
Self-selected, Non-distorted | 100% (18) | 100% (18) | 100% (18) | 100% (18)
Self-selected, Distorted | 100% (18) | 100% (18) | 100% (18) | 100% (18)
Imposed, Distorted | 100% (18) | 89% (16) | 94% (17) | 89% (16)
Authentication Time (Mean)
(Chart comparing: Imposed, Distorted; Self-selected, Distorted; Self-selected, Non-distorted)
Tolerance against Guessing Attack
• Original pictures are vulnerable
• Distorted pictures are more tolerant
Future Work
• Detailed usability test
• Long term test
• Find an optimal distortion
• Investigate a metric evaluating distortion level
Use Your Illusion
• Use distorted pictures as a portfolio
• As memorable as non-distorted pictures
• More memorable than imposed (highly-)distorted pictures
• Fits human memorization process
• More tolerant to guessing attack
Thank you for listening
Prototype is available on http://arima.okoze.net/illusion/
Please try it!