1
Authentication
2
Definitions
  • Identification - a claim about identity
    • Who or what I am (global or local)
  • Authentication - confirming that claims are true
    • I am who I say I am
    • I have a valid credential
  • Authorization - granting permission based on a
    valid claim
    • Now that I have been validated, I am allowed to
      access certain resources or take certain actions
  • Access control system - a system that
    authenticates users and gives them access to
    resources based on their authorizations
    • Includes or relies upon an authentication
      mechanism
    • May include the ability to grant coarse- or
      fine-grained authorizations, and to revoke or
      delegate authorizations

Slides modified from Lorrie Cranor, CMU
3
Building blocks of authentication
  • Factors
    • Something you know (or recognize)
    • Something you have
    • Something you are
  • Mechanisms
    • Text-based passwords
    • Graphical passwords
    • Hardware tokens
    • Public key crypto protocols
    • Biometrics

4
Two factor systems
  • Two factors are better than one
  • Especially two factors from different categories
  • Question: What are some examples of two-factor
    authentication?

5
Evaluation
  • Accessibility
  • Memorability
    • Depth of processing, retrieval, meaningfulness
  • Security
    • Predictability, abundance, disclosure,
      crackability, confidentiality
  • Cost
  • Environmental considerations
    • Range of users, frequency of use, type of access,
      etc.

6
Typical password advice
7
Typical password advice
  • Pick a hard to guess password
  • Don't use it anywhere else
  • Change it often
  • Don't write it down
  • Do you?

[Photo of a sticky note listing passwords: Bank b3aYZ, Amazon aa66x!,
Phonebill p2ta1]
8
Problems with Passwords
  • Selection
    • Difficult to think of a good password
    • Passwords people think of first are easy to guess
  • Memorability
    • Easy to forget passwords that aren't frequently
      used
    • Difficult to remember secure passwords with a
      mix of upper and lower case letters, numbers, and
      special characters
  • Reuse
    • Too many passwords to remember
    • A previously used password is memorable
  • Sharing
    • Often unintentional, through reuse
    • Systems aren't designed to support the way people
      work together and share information

9
How Long does it take to Crack a Password?
  • Brute force attack
    • Assuming 100,000 encryption operations per second
  • FIPS 112, Password Usage
    • 3.3.1 Passwords shall have maximum lifetime of 1
      year

[Chart: time to crack vs. password length]
Source: http://geodsoft.com/howto/password/cracking_passwords.htm#howlong
10
The Password Quiz
  • What is your score?
  • Do you agree with each piece of advice?
  • What is most common problem in the class?
  • Any bad habits not addressed?

11
Check your password
https://www.google.com/accounts/EditPasswd
http://www.securitystats.com/tools/password.php
Question: Why don't all sites do this?
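To put numbers on the crack-time chart, and on the kind of check the password-meter sites above perform, here is an added example (not from the slides and not those sites' code). It estimates worst-case brute-force time from a password's apparent alphabet and length at the slide's 100,000 guesses per second, and asks whether that outlasts the one-year FIPS lifetime. The character-class sizes and the "smallest obvious alphabet" rule are this example's assumptions.

```python
# Character-class sizes assumed for the estimate (the slide's chart does not
# say which alphabets it used; 33 is the number of printable ASCII punctuation
# characters).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
SECONDS_PER_YEAR = 365 * 24 * 60 * 60
SLIDE_RATE = 1e5          # guesses per second, as assumed on the slide


def charset_size(password: str) -> int:
    """Smallest 'obvious' alphabet covering the password. A brute-force
    attacker who knows the password policy need not search anything larger."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def worst_case_seconds(alphabet: int, length: int, rate: float = SLIDE_RATE) -> float:
    """Time to enumerate every string of exactly `length` symbols. The expected
    time is half of this, and searching all shorter lengths first adds less
    than 1/(alphabet-1) of it."""
    return alphabet ** length / rate


def outlives_lifetime(password: str, rate: float = SLIDE_RATE,
                      lifetime_seconds: float = SECONDS_PER_YEAR) -> bool:
    """Does exhaustive search take longer than the password's maximum lifetime
    (one year, per the FIPS rule quoted on the slide)?"""
    return worst_case_seconds(charset_size(password), len(password), rate) > lifetime_seconds


def crack_table(lengths=range(4, 13),
                alphabets=(LOWER, LOWER + DIGITS, LOWER + UPPER + DIGITS + SYMBOLS),
                rate: float = SLIDE_RATE) -> dict:
    """Reconstructs the slide's chart: worst-case years per (alphabet, length)."""
    return {(a, n): worst_case_seconds(a, n, rate) / SECONDS_PER_YEAR
            for a in alphabets for n in lengths}


if __name__ == "__main__":
    for pw in ("b3aYZ", "aa66x!", "p2ta1"):      # the sticky-note passwords from the slide
        hours = worst_case_seconds(charset_size(pw), len(pw)) / 3600
        print(f"{pw:8s} alphabet={charset_size(pw):3d} worst case={hours:10.1f} h "
              f"outlives 1-year lifetime: {outlives_lifetime(pw)}")
    for (a, n), years in sorted(crack_table().items()):
        print(f"alphabet {a:3d} length {n:2d}: {years:12.3g} years")
```

The rate is the part to treat with suspicion: 100,000 guesses per second describes a single CPU of the slide's era, and a GPU cracker against a fast hash runs several orders of magnitude faster, which shifts every row of the table down; a deliberately slow password hash pushes it back up. Length, not lifetime, is the lever that moves the result most.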
12
Text-based passwords
  • Random (system or user assigned)
  • Mnemonic
  • Challenge questions (semantic)
  • Anyone ever had a system assigned random
    password? Your experience?

13
Mnemonic Passwords
  • Phrase: "Four score and seven years ago, our Fathers"
  • First letter of each word (with punctuation):
    F s a s y a , o F
  • Resulting passwords, writing the number words as
    digits and, in the last, dropping "and":
    4sasya,oF   4sa7ya,oF   4s7ya,oF
Source: Cynthia Kuo, SOUPS 2006
14
The Promise?
  • Phrases help users incorporate different
    character classes in passwords
  • Easier to think of character-for-word
    substitutions
  • Virtually infinite number of phrases
  • Dictionaries do not contain mnemonics

Source: Cynthia Kuo, SOUPS 2006
15
Memorability of Password Study
  • Goal
    • Examine effects of advice on password selection
      in the real world
  • Method: experiment
    • Independent variables?
      • Advice given
    • Dependent variables?
      • Attacks, length, requests, memorability survey

16
Study, cont.
  • Conditions
    • Comparison
    • Control
    • Random password
    • Passphrase (mnemonic)
  • Students randomly assigned
  • Attacks performed one month later
  • Survey four months later

17
Results
  • All conditions longer password than comparison
    group
  • Random and passphrase conditions had significantly
    fewer successful attacks
  • Requests for password the same
  • Random group kept written copy of password for
    much longer than others
  • Non-compliance rate of 10%
  • What are the implications?
  • What are the strengths of the study? Weaknesses?

18
Mnemonic password evaluation
  • Mnemonic passwords are not a panacea, but are an
    interesting option
  • No comprehensive dictionary today
  • May become more vulnerable in future
    • Users choose music lyrics, movies, literature,
      and television
    • Attackers incentivized to build dictionaries
  • Publicly available phrases should be avoided!
  • C. Kuo, S. Romanosky, and L. Cranor. Human
    Selection of Mnemonic Phrase-Based Passwords. In
    Proceedings of the 2006 Symposium On Usable
    Privacy and Security, 12-14 July 2006,
    Pittsburgh, PA.

Source: Cynthia Kuo, SOUPS 2006
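The attacker's side of the two mnemonic slides (the derivation rule on slide 13 and the "attackers incentivized to build dictionaries" point above), as an added example that is not Kuo's code: enumerate every mnemonic a user could plausibly take from a phrase (first letters, punctuation kept, number words as digits, filler words optionally dropped) and build a lookup table from well-known phrases. The phrase list, the substitution table and the filler list are constructed for this example.

```python
import itertools
import re

# Word-to-digit substitutions an attacker would try, and filler words a user
# might drop. Both tables are assumptions of this example.
NUMBER_WORDS = {"one": "1", "two": "2", "three": "3", "four": "4", "five": "5",
                "six": "6", "seven": "7", "eight": "8", "nine": "9",
                "to": "2", "for": "4"}
FILLERS = {"a", "an", "and", "the", "of"}

# A word (optionally with an inner apostrophe) or a single punctuation mark.
TOKEN = re.compile(r"[A-Za-z]+(?:'[A-Za-z]+)?|[^\sA-Za-z]")


def variants(phrase: str) -> set:
    """Every mnemonic a user might derive from `phrase`: first letter of each
    word, punctuation copied through, with every combination of digit
    substitution and filler dropping applied (the slide's three forms are
    three of these)."""
    choices = []
    for tok in TOKEN.findall(phrase):
        if not tok[0].isalpha():
            choices.append([tok])            # punctuation is kept verbatim
            continue
        word = tok.lower()
        options = [tok[0]]                   # keep the word's own capitalisation
        if word in NUMBER_WORDS:
            options.append(NUMBER_WORDS[word])
        if word in FILLERS:
            options.append("")               # word dropped entirely
        choices.append(options)
    return {"".join(combo) for combo in itertools.product(*choices)}


def build_dictionary(phrases) -> dict:
    """Map each candidate password back to the phrase that produced it."""
    table = {}
    for phrase in phrases:
        for pw in variants(phrase):
            table.setdefault(pw, phrase)
    return table


# Constructed seed list of public-domain phrases. A real attacker would scrape
# lyrics, film quotes, scripture and literature at scale.
PUBLIC_PHRASES = [
    "Four score and seven years ago, our Fathers",
    "To be, or not to be, that is the question",
    "It was the best of times, it was the worst of times",
    "In the beginning God created the heaven and the earth",
]
MNEMONIC_DICT = build_dictionary(PUBLIC_PHRASES)


def lookup(password: str):
    """Return the source phrase if `password` is in the dictionary, else None."""
    return MNEMONIC_DICT.get(password)


if __name__ == "__main__":
    for pw in ("4sasya,oF", "4sa7ya,oF", "4s7ya,oF", "Tb,on2b,titq", "xK9!qpLm"):
        print(f"{pw:13s} -> {lookup(pw)}")
```

Each phrase yields only a handful of variants, so a dictionary built from a few hundred thousand well-known lines stays small enough to try in full against a leaked hash file; that is why the slide's advice to avoid publicly available phrases matters more than the presence of digits and punctuation in the result.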
19
Password keeper software
  • Run on PC or handheld
  • Only remember one password
  • How many use one of these?
  • Advantages?
  • Disadvantages?

20
Forgotten password mechanism
  • Email password or magic URL to address on file
  • Challenge questions
  • Why not make this the normal way to access
    infrequently used sites?

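An added example (not from the slides) of the "magic URL" option done carefully: the emailed link carries a random token that is stored only as a hash, expires, and can be used once. Emailing the password itself, the other option on the slide, is worse because it requires the site to hold passwords in a recoverable form. Class and method names here are this example's own.

```python
import hashlib
import secrets
import time


class ResetTokens:
    """Issue and redeem single-use, time-limited tokens for an emailed link.
    Only a SHA-256 digest of each token is kept, so a leaked store yields no
    usable links, and the token itself is never stored or logged."""

    def __init__(self, ttl_seconds: int = 900, now=time.time):
        self._ttl = ttl_seconds
        self._now = now                     # injectable clock, for testing
        self._store = {}                    # digest -> (user, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        # Looking the digest up in a dict is not constant-time, but what is
        # compared is a hash of attacker-supplied input, so timing leaks
        # nothing an attacker could turn back into a valid token.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._store[self._digest(token)] = (user, self._now() + self._ttl)
        return token                        # goes into the URL sent to the address on file

    def redeem(self, token: str):
        """Return the user the token was issued to, or None. The token is
        consumed on first presentation whether or not it has expired, so a
        link captured from a mailbox can never be replayed."""
        record = self._store.pop(self._digest(token), None)
        if record is None:
            return None
        user, expires_at = record
        if self._now() > expires_at:
            return None
        return user

    def reset_url(self, base: str, user: str) -> str:
        return f"{base}?token={self.issue(user)}"


if __name__ == "__main__":
    tokens = ResetTokens(ttl_seconds=600)
    link = tokens.reset_url("https://example.test/reset", "alice")  # reserved TLD
    token = link.rsplit("token=", 1)[1]
    print("emailed:", link)
    print("first use:", tokens.redeem(token))
    print("second use:", tokens.redeem(token))
```

Whether this is a recovery path or, as the slide asks, the normal login for rarely used sites, the security of the account collapses to the security of the mailbox: the mechanism authenticates whoever can read that address, so the mail account needs at least the protection of the site it unlocks.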
21
Challenge Questions
  • Question and answer pairs
  • Issues
    • Privacy: asking for personal info
    • Security: how difficult are they to guess and
      observe?
    • Usability: answerable? How memorable? How
      repeatable?
  • What challenge questions have you seen?
    • Purpose?

22
Challenge questions
  • How likely to be guessed?
  • How concerned should we be about
    • Shoulder surfing?
    • Time to enter answers?
    • A knowledgeable other person?
    • Privacy?

23
Graphical Passwords
  • We are much better at remembering pictures than
    text
  • User enters password by clicking on the screen
    • Choosing the correct set of images
    • Choosing regions in a particular image
  • Potentially more difficult to attack (no
    dictionaries)
  • Anyone ever used one?

24
Schemes
  • Choose a series of images
    • Random [1]
    • Passfaces [2]
    • Visual passwords (for mobile devices) [3]
    • Provide your own images
  [1] R. Dhamija and A. Perrig, "Déjà Vu: A User Study
      Using Images for Authentication," in Proceedings
      of the 9th USENIX Security Symposium, 2000.
  [2] http://www.realuser.com/
  [3] W. Jansen, et al., "Picture Password: A Visual
      Login Technique for Mobile Devices," National
      Institute of Standards and Technology Interagency
      Report NISTIR 7030, 2003.

25
Schemes
  • Click on regions of an image
    • Blonder's original idea: click on predefined
      regions [1]
    • Passlogix: click on items in order [2]
    • PassPoints: click on any point, in order [3]
  [1] G. E. Blonder, "Graphical passwords," Lucent
      Technologies, Inc., Murray Hill, NJ, U.S.
      Patent, 1996.
  [2] http://www.passlogix.com/
  [3] S. Wiedenbeck, et al., "Authentication using
      graphical passwords: Basic results," in
      Human-Computer Interaction International (HCII
      2005), Las Vegas, NV, 2005.

26
Schemes
  • Freeform
    • Draw-a-Secret (DAS)
      I. Jermyn, et al., "The Design and Analysis of
      Graphical Passwords," in Proceedings of the 8th
      USENIX Security Symposium, 1999.
    • Signature drawing

27
Theoretical Comparisons
  • Advantages
    • As memorable as text, or more so
    • As large a password space as text passwords
    • Attack needs to generate mouse output
    • Less vulnerable to dictionary attacks
    • More difficult to share
  • Disadvantages
    • Time consuming
    • More storage and communication requirements
    • Shoulder surfing is an issue
    • Potential interference if it becomes widespread

See a nice discussion in Suo and Zhu, "Graphical
Passwords: A Survey," in Proceedings of the
21st Annual Computer Security Applications
Conference, December 2005.
28
How do they really compare?
  • Many studies of various schemes
  • Faces vs. Story
    • Method: experiment
    • Independent variables: participant race and sex;
      faces or story
    • Dependent variables: types of items chosen,
      likelihood of attack
    • Real passwords used to access grades, etc.
    • Also gathered survey responses
  • Results
    • We are highly predictable, particularly for faces
    • Attacker could have succeeded with 1 or 2 guesses
      for 10% of males!
  • Implications?

29
Other examples
  • PassPoints is predictable too!
  • Attackers can predict or discover hot spots and
    use them to launch attacks.

Julie Thorpe and P.C. van Oorschot, "Human-Seeded
Attacks and Exploiting Hot-Spots in Graphical
Passwords," in Proceedings of the 16th USENIX Security
Symposium, 2007.
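The hot-spot attack above, reconstructed as an added example that is not Thorpe and van Oorschot's code: rank image cells by how often a seed population clicked them, then guess click sequences drawn from the popular cells only, and compare the number of guesses needed against the space the scheme nominally offers. The image size, click tolerance, seed click data and victim clicks are all constructed for this example; the ordering of guesses (lexicographic over the ranked cells) is a simplification of the paper's attack.

```python
import itertools
from collections import Counter

# Assumed image size and click tolerance in pixels. PassPoints accepts any
# click inside the tolerance square around the enrolled point, so to an
# attacker the image is a grid of (WIDTH // TOL) * (HEIGHT // TOL) cells.
WIDTH, HEIGHT, TOL = 640, 480, 20
CLICKS = 5


def cell(point):
    """Tolerance cell that a pixel coordinate falls in."""
    return (point[0] // TOL, point[1] // TOL)


def nominal_space(clicks: int = CLICKS) -> int:
    """Password count the scheme advertises: every ordered sequence of cells."""
    return ((WIDTH // TOL) * (HEIGHT // TOL)) ** clicks


def hot_spots(seed_passwords, top_k: int):
    """Human-seeded attack, step 1: rank cells by how often other users clicked
    them. Ties are broken on cell coordinates so the order is deterministic."""
    counts = Counter(cell(p) for pw in seed_passwords for p in pw)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [c for c, _ in ranked[:top_k]]


def guesses_until_hit(target, hot, clicks: int = CLICKS):
    """Step 2: try every ordered sequence of hot cells, most popular first, and
    report the 1-based guess number at which the target matches, or None if
    the target used a cell outside the hot list (the attack fails)."""
    wanted = tuple(cell(p) for p in target)
    for n, guess in enumerate(itertools.product(hot, repeat=clicks), start=1):
        if guess == wanted:
            return n
    return None


# Constructed seed set: seven "users" who, as the studies found, cluster on a
# few salient points (A..F) with a thin tail of unpopular ones (G, H, I).
A, B, C, D, E, F = (70, 90), (210, 50), (510, 410), (150, 310), (610, 110), (310, 210)
G, H, I = (20, 20), (400, 440), (330, 30)
SEED_PASSWORDS = [
    [A, B, C, D, E], [A, C, B, F, E], [B, A, D, C, E], [A, B, F, D, C],
    [C, A, B, E, D], [A, D, B, C, F], [A, G, H, B, I],
]
# The victim's clicks are a few pixels off the popular points but land in the
# same tolerance cells; the careful user includes one unpopular cell (G).
VICTIM = [(215, 45), (65, 95), (505, 415), (615, 105), (145, 315)]
CAREFUL_USER = [(65, 95), (20, 25), (215, 45), (505, 415), (145, 315)]


if __name__ == "__main__":
    hot = hot_spots(SEED_PASSWORDS, top_k=6)
    print("nominal space:", nominal_space())
    print("hot-spot space:", len(hot) ** CLICKS)
    print("victim found after", guesses_until_hit(VICTIM, hot), "guesses")
    print("careful user:", guesses_until_hit(CAREFUL_USER, hot))
```

With six hot cells the attacker's search is 6^5 = 7,776 sequences against a nominal 768^5, which is the gap between the "as large a password space as text" claim on the comparison slide and what users actually pick from; the victim here falls within the first 1,400 guesses. The one defence the example also shows is the user who includes an unpopular point, whom this attack does not reach at all.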
30
Other uses of images
  • CAPTCHA: differentiate between humans and
    computers
    • Use a computer-generated image to guarantee that
      the interaction is coming from a human
    • An AI-hard problem

Luis von Ahn, Manuel Blum, Nicholas Hopper and
John Langford, "CAPTCHA: Using Hard AI Problems
for Security," in Advances in Cryptology,
Eurocrypt 2003.
31
More food for thought
  • How concerned should we be about the weakest
    link / worst-case user?
  • Do we need 100% compliance for good passwords?
    How do we achieve it?
  • What do you think of bugmenot?
  • Is it possible to have authorization without
    identification?

32
Project Groups
  • 3 groups of 4, 1 group of 3
  • Form your group by the END of class next week
  • Preliminary user study of a privacy or security
    application, mechanism, or concern
  • Deliverables
    • Idea
    • Initial plan: 5 points
    • Plan: 20 points
    • Report: 20 points
    • Presentation: 5 points

33
Project Ideas
  • Start with a question or problem
    • Why don't more people encrypt their emails?
    • How well does product X work for task Y?
    • What personal information do people expect to be
      protected?
  • Flip through chapters in the book and papers
  • Follow up on an existing study
  • Examine your own product/research/idea
  • Examine something you currently find frustrating,
    interesting, etc.

34
Ideas?
35
A Look Ahead
  • Next week: User studies
    • Pay attention to the method of study in your
      readings
    • ALSO: observation assignment
  • In two weeks: rest of authentication
    • ALSO: project ideas due

36
Next week's assignment
  • Observe people using technology
    • Public place; observe long enough to see multiple
      users
  • Take notes on what you see
  • Think about privacy and security, but observe and
    note everything
  • Write up a few paragraphs describing your
    observations
  • Don't forget IRB certification