MondayAuth2
Humans – The Weakest Link?
• Identification by ID document/passport
• Authentication by signature
In the beginning
• Identification
• Authentication
• Authorisation
What’s the difference?
Identification
On the Internet, nobody knows you’re a dog
Authenticator Stages [figure]: Enrol → Authenticate → Replace → Close Account (identifier and authenticator)
Authentication Process [figure]: “I am John” (claim identity) → authenticator (prove identity) → authorised access
Types….
• What you know
• What you hold
• What you are
Judging an Authentication Mechanism (Security)
• Memorability
• Guessability
• Observability
• Recordability
What you Know (DIKW)
[figure: DIKW pyramid built on experience: Data → Information (add meaning) → Knowledge (understanding of application) → Wisdom (knowledge in action); “what you know” covers Data, Information, Knowledge & Skills]
[figure: password guidance pushes the user towards a nonsense “strong” password, while the user’s drive to avoid forgetting pulls towards a meaningful “weak” password]
Problems with “What You Know”
• Human Aspects
– Hard to remember
– Hard to create
– Take time to type in
• Security:
– Guessability
– Observability
– Recordability
More Problems
• No agreement as to “strong password” requirements
• They don’t tell users much, and they display instructions in the wrong place
Memorability
• How do they cope?
– Write them down
– Ask others to share
– Use other passwords that have been written down
– Use the same password for multiple systems
– Use a variation of their own name or the system name
– Use “common” passwords
– Use weak passwords
FACT: People can’t remember all their passwords
• Was also holding the password to an encrypted file written on a piece of paper, the government has disclosed.
• “Much of the material is encrypted. However, among the unencrypted documents … was a piece of paper that included the password for decrypting one of the encrypted files on the external hard drive recovered from the claimant.”
David Miranda
Guessability
Who are you protecting yourself against when you choose a password?
– Hacker?
– Ex-partner?
– Family member?
Observability
Prince William & Passwords….
• The stronger the password, the easier it is to see what the password is if you watch someone
• Keyloggers are easy to install
• The sounds of your typing leak your password
Actually….
SpiPhone: How someone could use an iPhone to find out what you are typing on your computer
• It can decipher vibrations to record what is being typed on a nearby computer keyboard
• Working with dictionaries comprising about 58,000 words, the system reached word-recovery rates as high as 80 percent.
Working on the Move
[figure: technical hacker, camera-equipped observer and mobile environment worker; information leakage risk and data loss risk]
Recordability
OUCH!
[figure: Beijing 2008, London 2012]
So what passwords are people choosing?
Common Passwords
• How many are there?
– 10 000
• People can define their own. Which ones do they use?
PINS
Statistically, one third of all codes can be guessed by trying just 61 distinct combinations!
Passwords – Epic Fail
• Guessability
– Poor!
• Observability
– Poor!
• Recordability
– Poor!
• Memorability
– ????
Even if we obey all the rules…..
• Passwords have to be stored somewhere
• Some developers don’t do this properly
• Sony: Hacker breaks into Sony Playstation and steals passwords and user details. (April 2011) – 100 Million People’s accounts compromised
Challenge Questions
Cueblots (McBryan & Renaud)
What you hold
• On its own not an authenticator!
• Biometric/PIN
• Problems:
– Cost
– Reader Requirement & Cost
– Cannot be used remotely
Biometrics
• Instead of what I know, what I am
– Physiological
• Or the way I behave (because humans are unique)
– Behavioural
Performance
• FAR (false acceptance rate)
• FRR (false rejection rate)
• EER (equal error rate)
• FTE (failure to enrol)
• FTC (failure to capture)
• Template Capacity
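A biometric matcher returns a similarity score and a threshold turns that into accept or reject; FAR, FRR and EER are properties of that threshold. The block below is an added example (not from the lecture) that computes these figures from constructed genuine and impostor score samples and shows the trade-off: lowering the FAR target raises the FRR. The scores and the function names are this example's own.

```python
"""Biometric matcher performance: FAR, FRR, EER and FTE from score samples.

Added example, not from the slides. A matcher outputs a similarity score; a
decision threshold turns it into accept/reject. The score lists below are
CONSTRUCTED (ten genuine and ten impostor comparisons) to show the metrics.
"""
from typing import List, Optional, Sequence, Tuple

# Constructed scores: higher means the probe looks more like the enrolled template.
GENUINE_SCORES: List[float] = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.72, 0.68, 0.55, 0.40]
IMPOSTOR_SCORES: List[float] = [0.10, 0.15, 0.22, 0.30, 0.35, 0.42, 0.48, 0.57, 0.63, 0.70]


def far(impostor: Sequence[float], threshold: float) -> float:
    """False acceptance rate: impostor comparisons scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine: Sequence[float], threshold: float) -> float:
    """False rejection rate: genuine comparisons scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def equal_error_rate(genuine: Sequence[float],
                     impostor: Sequence[float]) -> Tuple[Optional[float], Optional[float]]:
    """Threshold at which FAR and FRR are closest, and the error rate there.
    Every observed score is a candidate threshold; the first minimum of
    |FAR - FRR| in ascending threshold order wins."""
    best_t, best_gap, best_rate = None, float("inf"), None
    for t in sorted(set(genuine) | set(impostor)):
        a, r = far(impostor, t), frr(genuine, t)
        if abs(a - r) < best_gap:
            best_t, best_gap, best_rate = t, abs(a - r), (a + r) / 2
    return best_t, best_rate


def operating_point(genuine: Sequence[float], impostor: Sequence[float],
                    max_far: float) -> Tuple[float, float, float]:
    """Lowest threshold whose FAR does not exceed `max_far`, with the FAR and
    FRR actually achieved there. Tightening FAR raises FRR (more genuine
    users rejected): the usability cost of a stricter security setting."""
    for t in sorted(set(genuine) | set(impostor)):
        a = far(impostor, t)
        if a <= max_far:
            return t, a, frr(genuine, t)
    raise ValueError("no threshold meets the FAR target")


def failure_to_enrol(templates: Sequence[Optional[bytes]]) -> float:
    """FTE: fraction of enrolment attempts that produced no usable template."""
    return sum(1 for t in templates if t is None) / len(templates)


if __name__ == "__main__":
    t, rate = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER {rate:.2f} at threshold {t}")
    for target in (0.1, 0.0):
        print("FAR <=", target, "->", operating_point(GENUINE_SCORES, IMPOSTOR_SCORES, target))
```

On real data the score lists come from cross-comparing enrolled templates with later captures of the same person (genuine) and of other people (impostor); the same functions then give the figures a vendor quotes as FAR/FRR/EER.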
Physiological
Behavioural
As old as civilization
• Hand-prints that accompanied cave paintings from over 30,000 years ago are thought to have been signatures.
• The early Egyptians used body measurements to ensure people were who they said they were.
• Fingerprints date back to the late 1800s.
Bertillon (1882)
Fingerprints
• Divides print into loops, whorls and arches
• Calculates minutiae points (ridge endings)
• Finger Placement
• Dirt, grime, wounds, age, missing fingers
• Spoof!
Ear Biometrics
• Ears are remarkably consistent
• Passive
• No cosmetics, emotions, colour changes (graying hair)
• Smaller than the face (faster processing)
• No problem with glasses
• Hair & Earrings
• In 1998 an ear print left on a window led to the conviction of Mark Dallagher for murdering a 94-year-old woman.
• Overturned in January 2004
– Flawed evidence
– Subjective opinion of an ear expert.
Hand Biometric
Hand Geometry
• Geometry of user’s hands
• More reliable than fingerprinting
• Balance in performance and usability
• Very large scanners
• Arthritis
• Jewellery
• Growing children
Iris Recognition
• Scans unique pattern of iris
• Iris is colored and visible from far
• No touch required
• Overcomes retinal scanner issues
• Contact lenses an issue?
• Intrusive
• Expense
Face Recognition
• User faces camera
• Neutral expression required
• Appropriate lighting and position
• Algorithms for processing
Boston Bombing
• Systems are only as good as the data they’re given to work with
• Despite having an array of photos of the suspects, the system couldn’t come up with a match
• Facial recognition isn’t an instantaneous, magical process
• Facial recognition and other biometric and image processing technologies (gait recognition) helped by retailers’ own computerized surveillance systems.
Face Recognition
• User faces camera
• Neutral expression required
• Appropriate lighting and position
• Algorithms for processing
• Expression
• Spoof
• Tougher Usability
http://www.sciencedaily.com/releases/2008/09/080904102751.htm
DNA
• Unique – cheaper to sequence than ever before
• Twins?
“With identical twins, even if you sequenced their whole genome you wouldn’t find difference,” forensic scientist Bob Gaensslen told ABC News at the time. More recent research shows that this isn’t the case, but teasing out the difference can be expensive — in the Marseilles case, police were told that such a test would cost £850,000.
Behavioural Biometrics
• Authorship – did the person write this or draw this?
• Computer usage:
– Interaction with mice, keyboards which are distinct and different from others
• Mouse movements
• Keystroke dynamics
– Strategies, knowledge or skill used during
interaction with software
• Email behaviour
Voice Recognition
• Speech input
– Frequency
– Duration
– Cadence
• Neutral tone
• User friendly
Disadvantages
• Local acoustics
• Background noise
• Device quality
• Illness, emotional behavior
• Time consuming enrollment
• Large processing template
• Spoof
What Traits make something suitable as a biometric?
• Universality
• Uniqueness
• Permanence
• Measurability
• Performance
• Acceptability
• Circumvention
Alternative Authentication
HUMAN-CENTRED SECURITY
Two Factor Authentication
• Not 2 passwords!
• 2 different types
Alternative Authentication Mechanisms
How Memory is Assessed
• Recall Based
• Cued-Recall Based
• Recognition Based
Blonder (1997)
PassClick -mininova labs
PassClick (157090 people)
Jermyn (2000): Draw a Secret
Drawmetric
User needs to redraw an image in the same stroke order
Sketch Based Recall
• Shortcomings?
– Dictionary attack
– Symmetric drawings
– Three strokes only
• Restrictions?
https://docs.google.com/viewer?url=http://www.usenix.org/events/woot10/tech/full_papers/Aviv.pdf
Recognition-Based Graphical Authentication
Passfaces
• 5 Passfaces are associated with 40 associated decoys
• Passfaces are presented in five 3 by 3 matrices each having 1 Passface and 8 distractors
Snags
• People are good with FAMILIAR faces
[figure: four 3 by 3 grids of faces labelled A to J]
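The Passfaces description above (5 passfaces, 40 fixed decoys, five 3 by 3 grids of 1 passface and 8 distractors) is enough to write the server side of such a scheme. The block below is an added example, not the lecture's code and not Passfaces Corporation's implementation: it enrols a user, generates challenges, verifies the five picks, and wraps the account in the "3 times lockout" the assurance-level table later attaches to single-factor verification. The face ids, the `new_rng` helper and all other names are this example's own assumptions.

```python
"""Recognition-based graphical authentication in the Passfaces style.

Added example, not from the slides or from Passfaces Corporation. Enrolment
assigns the user 5 passfaces, each bundled with its own 8 fixed decoys (the
"40 associated decoys" of the slide). A login shows five 3-by-3 grids, each a
fresh shuffle of one bundle; the user must pick the passface in every grid.
Because the decoys are fixed, repeated logins show the same 45 faces, so a
second challenge reveals nothing a first one did not. The face ids below
are constructed placeholders for image filenames.
"""
import hmac
import math
import random
from dataclasses import dataclass
from typing import List, Optional, Sequence

FACE_LIBRARY: List[str] = [f"face{i:03d}.png" for i in range(120)]  # constructed ids
GRIDS, GRID_SIZE = 5, 9          # five 3x3 matrices: 1 passface + 8 distractors each


def new_rng(seed: Optional[int] = None) -> random.Random:
    """Seeded generator for tests/demos; the OS CSPRNG when no seed is given."""
    return random.Random(seed) if seed is not None else random.SystemRandom()


@dataclass
class Enrolment:
    bundles: List[List[str]]     # per grid: the 9 faces that will ever be shown
    passfaces: List[str]         # per grid: which of the 9 is the user's face


def enrol(library: Sequence[str], rng: random.Random) -> Enrolment:
    """Draw 45 distinct faces; the first of each 9 becomes the passface."""
    if len(library) < GRIDS * GRID_SIZE:
        raise ValueError("face library too small")
    pool = list(library)
    rng.shuffle(pool)
    bundles, passfaces = [], []
    for g in range(GRIDS):
        faces = pool[g * GRID_SIZE:(g + 1) * GRID_SIZE]
        passfaces.append(faces[0])
        bundles.append(sorted(faces))    # stored order carries no positional hint
    return Enrolment(bundles, passfaces)


def make_challenge(enrolment: Enrolment, rng: random.Random) -> List[List[str]]:
    """Five grids, each the bundle in a fresh random order (row-major 3x3)."""
    challenge = []
    for bundle in enrolment.bundles:
        grid = list(bundle)
        rng.shuffle(grid)
        challenge.append(grid)
    return challenge


def verify(enrolment: Enrolment, selections: Sequence[str]) -> bool:
    """All five picks must be faces from their grid and match the passfaces."""
    if len(selections) != GRIDS:
        return False
    if any(s not in b for s, b in zip(selections, enrolment.bundles)):
        return False
    expected = "|".join(enrolment.passfaces).encode()
    given = "|".join(selections).encode()
    return hmac.compare_digest(expected, given)


@dataclass
class Account:
    """Single-factor login with a '3 times lockout' policy."""
    enrolment: Enrolment
    max_failures: int = 3
    failures: int = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_failures

    def attempt(self, selections: Sequence[str]) -> bool:
        if self.locked:
            return False
        ok = verify(self.enrolment, selections)
        self.failures = 0 if ok else self.failures + 1
        return ok


def keyspace_bits() -> float:
    """Theoretical secret size: 9 choices in each of 5 grids."""
    return GRIDS * math.log2(GRID_SIZE)


def random_guess_success(attempts: int) -> float:
    """Chance a blind guesser succeeds within `attempts` tries before lockout."""
    return attempts / GRID_SIZE ** GRIDS


if __name__ == "__main__":
    e = enrol(FACE_LIBRARY, new_rng(7))
    print("challenge grid 1:", make_challenge(e, new_rng())[0])
    print(f"keyspace {keyspace_bits():.2f} bits; 3 blind guesses succeed with p={random_guess_success(3):.2e}")
```

The keyspace is small (9^5 choices), which is why a lockout is part of the design rather than an optional extra; what the scheme buys is memorability (recognition rather than recall), not a large secret.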
Facelock
Handwing
Visuo-biometric
User recognises his or her own handwritten
PIN, postal code and doodle
Handwing – stage 2
Handwing – stage 2
DynaHand (Olsen & Renaud)
What about Chipping Humans?
Necessary & Sufficient Authentication
• We don’t always need a password
• We don’t always need a “strong” password
• Match the risk level to the stringency requirement
Assurance | Description                                   | Verification           | Type                   | Protection Requirements
1         | Little confidence                             | No verification        | Identity only          | None
2         | Self service apps                             | Little verification    | Single factor          | 3 times lockout
3         | High confidence – access restricted data      | Stringent verification | Multifactor            | Cryptographic techniques
4         | Very high confidence – highly restricted data | In-person registration | Multifactor & hardware | Cryptographic techniques
Judging an Authentication Mechanism (User Experience)
• Ease of Use
• Convenience
– To Enrol
– To Authenticate
– To Replace
Concerns?
• Privacy
• Moving the vulnerability to the human
• How cancelled?
• How well is the data protected?
• Who will gain access?
• What it will be linked to?
Multimodal Biometrics
• Independent evidence
• Deals with missing biometrics
• Harder to spoof
• Challenge-Response possible
• Good performance
Problem Solving
• An ATM manufacturer has approached you to ask you to determine whether they could incorporate an alternative authentication mechanism into their ATM machine to be used in an old age home
• Acceptability & Usability NB!
• I’ll randomly choose group(s) to:
– sell your solution to me
Discussion Topics
• Come up with a personalised password scheme for your grandmother which ensures that
– Passwords are memorable
– Yet strong (unpredictable)
– Is easy enough for your grandmother to use