Authentication for Humans
Rachna Dhamija, SIMS, UC Berkeley
DIMACS Workshop on Usable Privacy and Security Software
July 7, 2004
Talk Outline
Machines Authenticating Users
– Déjà Vu User Study: Using Images for Authentication
Users Authenticating Remote Servers
– Interfaces for website authentication
Password Usability and Security
Simple and meaningful passwords – memorable, but easier to guess
Complex passwords – strong, but hard to remember
Advantages of passwords
– Cheap and easy to implement
– We develop muscle memory
Previous Solutions
Stronger password hashing & storage
Proactive password cracking
Enforce system policies
Better user education and training
– Significant non-compliance rate by users
We try to address the fundamental problem:
Recall is hard
Picture recognition is easier
Humans have a vast memory for pictures
– 2560 photos for a few seconds: 90% recognition [Standing, Conezio, Haber]
– 10,000 photos: 66% recognition after 2 days [Standing]
– 200 random photos: >90% after 1-3 months [Weinshall/Kirkpatrick, CHI 2004]
A fraction of a second of exposure is enough to remember an image
Picture recognition is easier than verbal recognition
Picture recognition is easier than picture recall
– Harder to recall semantics or to redraw picture
– But picture recall is better than verbal recall
Déjà Vu Design Goals
Base security on human strengths: recognition over recall
Prevent weak passwords
Prevent password sharing
No biometrics or tokens
Authentication through Images
Choose image portfolio
Challenge set = portfolio + decoys
Photos and Random Art
Random Art
Algorithm: seed -> pseudo-random number generator -> random expression tree maps pixels to RGB -> random art
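The pipeline on this slide, written out as an added example (not code from the talk or from the Déjà Vu system): a seed feeds a PRNG, the PRNG drives the construction of a random expression tree over pixel coordinates, and evaluating three such trees per pixel gives an RGB image. The operator set, tree depth and colour mapping below are my own choices; the point is that the whole picture is a deterministic function of the seed, so only the seed needs to be kept to reproduce it.

```python
import math
import random

# Added example of the Random Art idea: seed -> PRNG -> expression tree -> RGB.
# Operators, depth and colour scaling are assumptions, not the original's.


def build_expression(rng, depth):
    """Build a random expression tree over (x, y) as nested closures.

    Every node maps [-1, 1]^2 -> [-1, 1], so arbitrary compositions stay
    bounded and can be scaled to a colour channel without clipping.
    """
    if depth <= 0 or rng.random() < 0.15:
        leaf = rng.choice(["x", "y", "const"])
        if leaf == "x":
            return lambda x, y: x
        if leaf == "y":
            return lambda x, y: y
        c = rng.uniform(-1.0, 1.0)
        return lambda x, y: c
    op = rng.choice(["sin", "cos", "mul", "avg", "fold"])
    if op in ("sin", "cos"):
        freq = rng.uniform(1.0, 4.0)
        phase = rng.uniform(0.0, math.pi)
        f = build_expression(rng, depth - 1)
        trig = math.sin if op == "sin" else math.cos
        return lambda x, y: trig(freq * f(x, y) + phase)
    if op == "fold":
        # Absolute value of one branch, re-centred on [-1, 1]
        a = build_expression(rng, depth - 1)
        return lambda x, y: 2.0 * abs(a(x, y)) - 1.0
    a = build_expression(rng, depth - 1)
    b = build_expression(rng, depth - 1)
    if op == "mul":
        return lambda x, y: a(x, y) * b(x, y)
    return lambda x, y: (a(x, y) + b(x, y)) / 2.0  # "avg"


def random_art(seed, width, height, depth=6):
    """Render a width x height image for the given seed.

    Returns rows of (r, g, b) tuples. The same seed always yields the same
    picture; a different seed yields an unrelated one.
    """
    rng = random.Random(seed)
    channels = [build_expression(rng, depth) for _ in range(3)]
    rows = []
    for j in range(height):
        y = 2.0 * j / max(height - 1, 1) - 1.0
        row = []
        for i in range(width):
            x = 2.0 * i / max(width - 1, 1) - 1.0
            # Map each channel's [-1, 1] value onto 0..255
            row.append(tuple(int(round((ch(x, y) + 1.0) * 127.5)) for ch in channels))
        rows.append(row)
    return rows


def to_ppm(rows):
    """Serialise the image as binary PPM (P6) so it can be opened in a viewer."""
    height, width = len(rows), len(rows[0])
    header = f"P6 {width} {height} 255\n".encode("ascii")
    return header + bytes(c for row in rows for px in row for c in px)


if __name__ == "__main__":
    # Write one 128x128 image for seed 42 to the current directory
    with open("random_art_42.ppm", "wb") as fh:
        fh.write(to_ppm(random_art(42, 128, 128)))
```

Because the image is a pure function of the seed, an enrolment record can hold five integers rather than five bitmaps, and any node that knows the generator can redraw the portfolio and the decoys on demand.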
Attacks
Brute Force
– optimal portfolio and challenge set sizes depend on the security required
– 5-image portfolio / 25-image challenge set = 53,130 combinations
Measures against shoulder surfers:
– hide image selection
– distort images
Measures against Intersection Attack:
– Always show same challenge set
– Multi-stage authentication
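To make the slide's numbers and its intersection-attack countermeasure concrete, here is an added example (not code from the talk): it computes the brute-force space for a 5-of-25 challenge screen and then models a login server two ways, drawing fresh decoys every session versus always showing the same challenge set, and measures how many images an observer who only records the screens (not the clicks) is left unable to rule out. The pool sizes are the slide's; the helper names, the simple random decoy selection and the use of Python 3.8+ `math.comb` are assumptions of this example.

```python
import math
import random

# Sizes from the slides; the rest of this file is an added illustration.
PORTFOLIO_SIZE = 5     # images the user selected at enrolment
CHALLENGE_SIZE = 25    # images shown on each login screen
IMAGE_POOL = 100       # images offered at enrolment


def brute_force_space(portfolio_size=PORTFOLIO_SIZE, challenge_size=CHALLENGE_SIZE):
    """Ways to pick the portfolio out of one challenge set: C(25, 5) = 53,130."""
    return math.comb(challenge_size, portfolio_size)


def make_challenge(rng, portfolio, decoy_pool, fixed_decoys=None):
    """Challenge set = portfolio + decoys, shuffled.

    With fixed_decoys the same decoys are reused every login (the slide's
    countermeasure); otherwise fresh decoys are drawn from the pool each time.
    """
    n_decoys = CHALLENGE_SIZE - len(portfolio)
    decoys = fixed_decoys if fixed_decoys is not None else rng.sample(decoy_pool, n_decoys)
    challenge = list(portfolio) + list(decoys)
    rng.shuffle(challenge)
    return challenge


def intersect_observed(screens):
    """Images present on every recorded screen: the portfolio is always
    among them, and decoys survive only if they happen to recur."""
    common = set(screens[0])
    for screen in screens[1:]:
        common &= set(screen)
    return common


def candidates_after(n_logins, reuse_decoys, seed=0):
    """How many images remain indistinguishable from the portfolio after an
    observer has seen n_logins screens of a simulated user (constructed data).
    """
    rng = random.Random(seed)
    images = list(range(IMAGE_POOL))
    portfolio = rng.sample(images, PORTFOLIO_SIZE)
    decoy_pool = [i for i in images if i not in portfolio]
    fixed = None
    if reuse_decoys:
        fixed = rng.sample(decoy_pool, CHALLENGE_SIZE - PORTFOLIO_SIZE)
    screens = [make_challenge(rng, portfolio, decoy_pool, fixed) for _ in range(n_logins)]
    common = intersect_observed(screens)
    if not set(portfolio) <= common:
        raise RuntimeError("portfolio must appear on every screen")
    return len(common)


if __name__ == "__main__":
    print("brute-force space:", brute_force_space())
    for n in (1, 2, 3, 6):
        print(f"{n} screens observed: fresh decoys -> {candidates_after(n, False)} "
              f"candidates, fixed challenge set -> {candidates_after(n, True)}")
```

With fresh decoys the candidate set collapses toward the five portfolio images after only a handful of observed logins, while a fixed challenge set keeps the observer at 25 candidates no matter how many screens are recorded, which is exactly why the slide pairs "always show same challenge set" with the 53,130-combination guessing space.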
Experiment Design
Target population = general computer users
20 participants (11 males + 9 females, expert/novice)
Initialization
PIN (4 digits)
Password (6 char.)
Art portfolio (5/100)
Photo portfolio (5/100)
Login
PIN
Password
Art (5/25)
Photo (5/25)
Repeat login after one week
Task order randomized
Portfolio creation – same images but random order
Portfolio login – random images and random order
Task Completion Time
[Figure: bar chart of time (seconds, 0–70) for Create, Login session 1 and Login session 2, one bar each for PIN, Password, Art and Photo]
Unlimited time & attempts
Does not include failed logins
Error Rate
[Figure: bar chart of # failed logins (0–8) in Session 1 and Session 2, one bar each for PIN, Password, Art and Photo]
Session 1: no unrecoverable errors made with portfolios
Session 2: significantly fewer failed logins with portfolios
(all users remembered 4/5 images on first attempt)
More Results
It’s easier than it looks
Text vs. image portfolios
– Passwords/PINs faster to create & login
– Users reported that photos were easier than PINs
– More users forgot their user names than their portfolios!
Art vs. photos
– Photos easier to remember, but easier to guess
• Gender, race, interests were a factor in choice
– People choose similar photos; art is individual
– Art descriptions vary, hard to describe
• How hard are they to communicate? Spouse-proof?
Conclusions in this study
Recognition-based authentication
– More reliable long term than passwords, PINs
– Easier, more pleasant to use
– Random Art portfolios are harder to predict than passwords or real images
Applications
– Where text input is hard, limited observation (e.g., ATM, PDA, pen-based devices)
– Infrequently used high availability passwords
Future Work
Long term studies
– Frequency of use
– Multiple portfolios and changes
– Portfolio communication & prediction study
– Cued recall of text passwords
Image Generation & Distortion
– Image generation and distortion techniques
– Which images in the space are distinguishable and memorable?
– Strengthen against attack, improve login times, allow non-perfect probabilistic recognition
Talk Outline
Machines Authenticating Users
– Déjà Vu User Study
Users Authenticating Remote Servers
– Interfaces for website authentication