Authentication and access control overview

1
Authentication and access control overview

• March 20, 2007

2
Outline

• Definitions
• Authentication
• Factors
• Evaluation
• Examples
• Focus on password problems and alternatives
• Access control
• Case study Convenient SecureID
• Case study Website mutual authentication

3
Definitions

• Identification - a claim about identity
• Who or what I am (global or local)
• Authentication - confirming that claims are true
• I am who I say I am
• I have a valid credential
• Authorization - granting permission based on a
  valid claim
• Now that I have been validated, I am allowed to
  access certain resources or take certain actions
• Access control system - a system that
  authenticates users and gives them access to
  resources based on their authorizations
• Includes or relies upon an authentication
  mechanism
• May include the ability to grant course or
  fine-grained authorizations, revoke or delegate
  authorizations

4
Building blocks of authentication

• Factors
• Something you know (or recognize)
• Something you have
• Something you are
• Two factors are better than one
• Especially two factors from different categories
• What are some examples of each of these factors?
• What are some examples of two-factor
  authentication?

5
Authentication mechanisms

• Text-based passwords
• Graphical passwords
• Hardware tokens
• Public key crypto protocols
• Biometrics

6
Evaluation

• Accessibility
• Memorability
• Security
• Cost
• Environmental considerations

7
Typical password advice
8
Typical password advice

• Pick a hard to guess password
• Dont use it anywhere else
• Change it often
• Dont write it down
• So what do you do when every web site you visit
  asks for a password?

9
Bank b3aYZ Amazon aa66x! Phonebill
p2ta1
10
(No Transcript)
11
Problems with Passwords

• Selection
• Difficult to think of a good password
• Passwords people think of first are easy to guess
• Memorability
• Easy to forget passwords that arent frequently
  used
• Difficult to remember secure passwords with a
  mix of upper lower case letters, numbers, and
  special characters
• Reuse
• Too many passwords to remember
• A previously used password is memorable
• Sharing
• Often unintentional through reuse
• Systems arent designed to support the way people
  work together and share information

12
Mnemonic Passwords
Four
F
Four
score
s
and
a
and
years
y
,
,
seven
s
seven
ago
a
our
o
Fathers
F
First letter of each word (with punctuation)
4sasya,oF
4sa7ya,oF
4s7ya,oF
Source Cynthia Kuo, SOUPS 2006
13
The Promise?

• Phrases help users incorporate different
  character classes in passwords
• Easier to think of character-for-word
  substitutions
• Virtually infinite number of phrases
• Dictionaries do not contain mnemonics

Source Cynthia Kuo, SOUPS 2006
14
The Problem?

• Goodness of mnemonic passwords unknown
• Yan et al. compared regular, mnemonic, and
  randomly generated passwords
• Used standard (non-mnemonic) dictionary
• Effectively evaluated whether mnemonic passwords
  contained dictionary words

Source Cynthia Kuo, SOUPS 2006
15
Mnemonic password evaluation

• Mnemonic passwords are not a panacea for password
  creation
• No comprehensive dictionary today
• May become more vulnerable in future
• Many people start to use them
• Attackers incentivized to build dictionaries
• Publicly available phrases should be avoided!
• C. Kuo, S. Romanosky, and L. Cranor. Human
  Selection of Mnemonic Phrase-Based Passwords. In
  Proceedings of the 2006 Symposium On Usable
  Privacy and Security, 12-14 July 2006,
  Pittsburgh, PA.

Source Cynthia Kuo, SOUPS 2006
16
Password keeper software

• Run on PC or handheld
• Only remember one password

17
Single sign-on

• Login once to get access to all your passwords

18
Biometrics
19
Graphical passwords
20
Forgotten password mechanism

• Email password or magic URL to address on file
• Challenge questions
• Why not make this the normal way to access
  infrequently used sites?

21
Types of access control

• Discretionary access control
• Distributed, dynamic, users set access rules for
  resources they own and can delegate access to
  others
• Role-based access control
• Centralized admin assigns users to roles and sets
  access rules based on roles
• And many others that vary discretionary/mandatory,
  centralized/distributed, granularity, grouping

22
Access control usability problems

• Admins, large organizations understanding large
  access control policies
• Someone in marketing changed a policy and now we
  cant figure out why people in sales no longer
  have access to a document
• Who has access to this document anyway?
• End users creating and understanding policies
• Examples File system permissions, Grey,
  Perspective, privacy rules
• Home users want to share some files with some
  other users, but dont want to share everything

23
Convenient SecureID

• What problems do these approaches solve?
• What problems do they create?

Sources http//worsethanfailure.com/Articles/Secu
rity_by_Oblivity.aspx http//fob.webhop.net/
24
Browser-based mutual authentication

• Chris Drakes Magic Bullet proposal
• http//lists.w3.org/Archives/Public/public-usable-
  authentication/2007Mar/0004.html
• User gets ID, password (or alternative), image,
  hotspot at enrollment
• Before user is allowed to login they are asked to
  confirm URL and SSL cert and click buttons
• Then login box appears and user enters username
  and password (or alternative)
• Server displays set of images, including users
  image (or if user entered incorrect password,
  random set of images appear)
• User finds their image and clicks on hotspot
• Image manipulation can help prevent replay
  attacks
• What problems does this solve?
• What problems doesnt it solve?
• What kind of testing is needed