visual authentication - a secure single step authentication for user authorization

Technische Universität München

Visual Authentication A Secure Single Step Authentication for User Authorization

Luis Roalter 1, Matthias Kranz 2, Andreas Möller 1, Stefan Diewald 1, Tobias Stockinger 2, Marion Koelle 2, Patrick Lindemann 2

1 Technische Universität München

2 Universität Passau

December 5th 2013 Mobile and Ubiquitous Multimedia (MUM 2013), Luleå, Sweden


05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 2

mobile & usable security

for interaction with public terminals


Current Situation

MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 3

Different credentials

username 1 password 1







05.12.2013 image source: http://commons.wikimedia.org/wiki/File:Singapore_Road_Signs_-_Restrictive_Sign_-_Stop_-_Security_Check.svg


Federated Authentication: Single Sign-On (SSO) Related Work •  Sign in once to use all services

•  Single, familiar login mask for different services, e.g. –  “Sign in with Facebook” –  “Sign in with Google”

•  One username, one password

•  Improved user experience

Optional: two-factor authentication with side channel, e.g. mobile phone

MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 4 05.12.2013



Increased Security: Multi-Factor Authentication Related Work

image source: Microsoft Office Online Clipart Gallery


Problems in the Context of Mobile and Usable Security •  Security-centered issues

–  Access credentials can be stolen, e .g. •  man-in-the-middle attack •  shoulder surfing •  phishing

as the terminal usually does not authenticate towards the user –  Trust relationship towards the device might be limited, even if the device

can prove its identity, e.g. if it is a shared device à lack of trust, reluctant to use services, …

•  Device-centered issues –  Limited capabilities of the input device (e.g. no keyboard) –  Limited ergonomics (e.g. wall-mounted device) –  hygiene concerns à time-consuming, uncomfortable, …



Proposal: Usable Security with Single Step Authentication


lösung:single step, nur den code scannen: baut usability in sso ein? genau, und hat zusätzlich noch die sicherheit von 2-step, da ja 2 geräte involviert sind

sessionID: xyz

05.12.2013 image source: Microsoft Office Online Clipart Gallery


Proposal: Additional Benefits of the Mobile Authenticator


•  User-enabled Session Management -  Remote session logout

-  Session transfer between systems

•  Maintenance of profile and personal information

à Transparency to the user (full information)

•  Without mobile authenticator app: can be used with a web-based interface

05.12.2013


Example Use Case: Room Reservation and Access

•  Tablet PC as digital door sign for meeting rooms

•  Provides resource-centred information and access (e.g. seeing when rooms are occupied or available)

•  Use case: Book a room through the public display –  Need for authentication & authorization

(accounting - who reserved the room?) –  Single Sign-On with QR code & mobile

(no credentials to type on public display –  Allows physical room access & usage

(remotely controlled digital door lock)



Example Use Case: How does it work?


Case 1: Authenticator app installed

Case 2: No authenticator app installed •  Redirection to a web page where

credentials are entered (securely on mobile device)

•  The URI is recognized by the tablet and authenticates the user

User is scanning a QR code with smartphone (containing a session token, SID), data sent to IdP with user credentials (user name & password)

•  Credentials (which were previously stored in app once) and session token are sent to the service

•  The user is authenticated in one step

05.12.2013


Example Use Case: Initial User Study with “Room Access”

•  Initial user survey with the prototype system (room access) –  20 participants (18 males, 2 females) aged between 20 and 64 years –  (non-balanced, non-representative, not providing statistically usable results)

•  RQ1: Do users have security concerns when entering personal credentials on a public display? –  Participants agreed that they have security concerns entering personal

information on a publicly exposed display –  Avg. 3.8 on 5-step Likert-Scale (fully disagree = 1, fully agree = 5), SD=1.3

•  RQ2: Do users have security concerns when using the smartphone-based visual authentication system in conjunction with a public display? –  Participants agreed that they have security concerns in the smartphone-

based authentication approach –  Avg. 2.3 on 5-step Likert-Scale (fully disagree = 1, fully agree = 5), SD=1.4



Summary and Discussion

Proposed approach for “mobile usable security” providing user-friendly multi-factor authentication in a public-private device scenario, addressing •  input modalities and device

(replacing potentially non-convenient input methods, hygiene aspects, …) •  security issues

(SSO with side-channel authentication, prohibiting shoulder surfing, phishing attacks, potential to de-authenticate sessions remotely, trusted …)

•  usability aspects (less error-prone, faster, more convenient, …)

Open Issues •  Multiple identity providers require pre-established trust relationships •  Network connection for side-channel/multi-factor authentication needed •  Shift of responsibility to the user (non-expert in security issues) •  Device-to-device communication problems (visible lighting, (audible) noise, …)



Outlook and Future Work

•  Technical enhancement –  Pluggable Authentication Module (QR code-based PAM module) for PC login –  Transfer of running sessions and their contexts between terminals

•  Usability evaluation and user study –  Acceptance and usability tests

•  in a real-world deployment •  w.r.t. long-term effects on usable security

–  Investigation of novel applications and domains and scenario-specific potentials (public displays, distributed environments, internet of things)

•  Security evaluation –  Resistance to man-in-the-middle/replay attacks –  Simulate different hacking scenarios –  Creation of an overall security concept –  Extended information (e.g. WLAN AP scan, GPS, etc. to detect “fakes”)




Thank you very much for your kind attention! Questions?

? ? Contact: Luis Roalter ([email protected]) Matthias Kranz ([email protected])

05.12.2013


Citation Information

•  Please cite this work as follows: L. Roalter, M. Kranz, A. Möller, S. Diewald, T. Stockinger, M. Koelle, P. Lindemann: Visual Authentication - A Secure Single Step Authentication for User Authorization. In: Proceedings of the 12th International Conference on Mobile and Ubiquitous Multimedia (MUM 2013), Luleå, Sweden, 2013

•  Please use the following BibTex file: @inproceedings{MUM2013Roalter, author = {Roalter, Luis and Kranz, Matthias and M\"{o}ller, Andreas and Diewald, Stefan and Stockinger, Tobias and Koelle, Marion and Lindemann, Patrick}, title = {Visual Authentication – A Secure Single Step Authentication for User Authorization}, booktitle = {Proceedings of the 12th International Conference on Mobile and Ubiquitous Multimedia}, series = {MUM '13}, year = {2013}, location = {Lule\aa, Sweden}, publisher = {ACM}, address = {New York, NY, USA}, } "


visual authentication - a secure single step authentication for user authorization

Technology

user credentials user

user authorization2

user authorization4

user authorization6

user authorization8

user authorization9

user authorization10

single sign