on the usability and security of password based user
play

On the Usability and Security of Password-Based User Authentication - PowerPoint PPT Presentation

Jul 01, 2023 •277 likes •619 views

On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis Defense, Bochum, Germany, May 29, 2019 User Authentication Competing requirements of security and usability . [1] Common Factors: Knowledge ( Password ,

  1. On the Usability and Security of Password-Based User Authentication Maximilian Golla Thesis Defense, Bochum, Germany, May 29, 2019

  2. User Authentication Competing requirements of security and usability . [1] Common Factors: Knowledge ( Password , PIN) Biometrics (Fingerprint, Face) Possession (Security Key) Reinforced by: 2-Factor Authentication Risk-based Authentication 3 [Ref. 1] Joseph Bonneau et al.: The Quest to Replace Passwords : Bochum , May 29, 2019 | Thesis Defense ‘19 A Framework for Comparative Evaluation of Web Authentication Schemes. (SP '12)

  3. Passwords Are Not Dead Primary means of authentication on the Web. [2] • Accounts: ~ 24 • Passwords: 6-8 Memorability Issues Coping Weak Reused Passwords Passwords 5 Bochum , May 29, 2019 | Thesis Defense ‘19 [Ref. 2] Sarah Pearman et al.: Let's Go in For a Closer Look: Observing Passwords in Their Natural Habitat . (CCS ‘17)

  4. Overview Thesis Password Password Mobile Management Strength Authentication CCS 16 CCS 18, SP 19 USEC 17, USEC 19, CCS 19* Password Password Access Recovery Reuse Control PW 15, NDSS 17, USEC 19 CCS 18 USENIX Sec. 18 Workshops : Rate-Limiting, Semantics of Passwords, Strength Meter 6 [*] Under review Bochum , May 29, 2019 | Thesis Defense ‘19

  5. Overview Today Password Password Mobile Management Strength Authentication CCS 16 CCS 18, SP 19 USEC 17, USEC 19, CCS 19* Password Password Access Recovery Reuse Control PW 15, NDSS 17, USEC 19 CCS 18 USENIX Sec. 18 Workshops : Rate-Limiting, Semantics of Passwords, Strength Meter 7 [*] Under review Bochum , May 29, 2019 | Thesis Defense ‘19

  6. Outline Reuse Notifications Strength Meter Introduction 8 Bochum , May 29, 2019 | Thesis Defense ‘19

  7. How Users Choose Passwords • Well-defined process • Misconceptions in mental model “Adding ‘!’ to the end instantly makes it secure.” [3] • Estimating strength not easy 9 [Ref. 3] Ur et al.: “I Added ‘!’ at the End to Make It Secure” : Observing Password Creation in the Lab. (SOUPS ‘15) Bochum , May 29, 2019 | Thesis Defense ‘19

  8. Estimating the Strength of a Password is Tough “Adding ‘!’ to the end instantly makes it secure.” [3] Password 1: Password 2: iloveyou88 ieatkale88 Options : A. Password 1 is stronger B. Password 2 is stronger C. They are equally strong 10 [Ref. 3] Ur et al.: “I Added ‘!’ at the End to Make It Secure” : Observing Password Creation in the Lab. (SOUPS ‘15) Bochum , May 29, 2019 | Thesis Defense ‘19

  9. Estimating the Strength of a Password is Tough “Adding ‘!’ to the end instantly makes it secure.” [3] Password 1: Password 2: > iloveyou88 ieatkale88 Guess Number: Guess Number: 1.5 x 10 4 3.1 x 10 9 12 [Ref. 3] Ur et al.: “I Added ‘!’ at the End to Make It Secure” : Observing Password Creation in the Lab. (SOUPS ‘15) Bochum , May 29, 2019 | Thesis Defense ‘19

  10. Support Users in Choosing Secure Passwords St Strength Meter 13 Bochum , May 29, 2019 | Thesis Defense ‘19

  11. But They Are Not Always Accurate 14 Bochum , May 29, 2019 | Thesis Defense ‘19

  12. How to Measure Accuracy? Reference Strength Meter 123456 Ranking Ranking 15 Bochum , May 29, 2019 | Thesis Defense ‘19

  13. LUDS-based Meter: Strong Password1 L: U: D: S: 17 Bochum , May 29, 2019 | Thesis Defense ‘19

  14. Password “Strength” Reference : Guess number Meter : ??? . Meter Example Text Weak, Medium, Strong Colors Red, Orange, Green Percentages 42% Scores 1-5 Time 12 d, 9h, 47m Entropy 82 bits Guess number 1 018 291 guesses 18 Bochum , May 29, 2019 | Thesis Defense ‘19

  15. Simulation Dataset Passwords Count Password 1 044 164 123456 176 120 password 88 076 12345678 78 720 111111 ... … 356 charlie22 356 mickey7 … … 1 ~!@#!?~!@ 19 Bochum , May 29, 2019 | Thesis Defense ‘19

  16. Simulate Common Errors Observed in Real-World Meters Monotonic Transformations Quantization Reference Meter Disturbances Random sampling 20 Bochum , May 29, 2019 | Thesis Defense ‘19

  17. After: Quantized Output Reference Meter 63 40 19 30 Weak 9 20 Medium 3 20 Good 2 10 Strong 1 10 … … (Count) (Bin) 22 Bochum , May 29, 2019 | Thesis Defense ‘19

  18. Result: Compare Ranking Recommendation: Large-Scale Comparison • Compare relative ranking only 81 implementations • • Academia Weight passwords by importance • Websites Weighted and ranked metrics • PW Manager (e.g., weighted Spearman correlation) • Operating Systems • Previous Work What can we do with this information? password-meter-comparison.org 24 Bochum , May 29, 2019 | Thesis Defense ‘19

  19. Outline Reuse Notifications Strength Meter Introduction 25 Bochum , May 29, 2019 | Thesis Defense ‘19

  20. 26 Bochum , May 29, 2019 | Thesis Defense ‘19

  21. Reuse Attacks? Email Cracked SHA-1 Hiking91 jenny@gmail.com R0cky!17 joe oe@mail il.com ILoveBananas! john@hotmail.com 1 guess can be ... ... enough! I used “ R0cky!17 ” everywhere! Email Secure Argon2i Hash joe@mail.com $argon2i$v=19$m=4096,… … … 27 Bochum , May 29, 2019 | Thesis Defense ‘19

  22. 28 Bochum , May 29, 2019 | Thesis Defense ‘19

  23. “Stolen From Another Site” 29 Bochum , May 29, 2019 | Thesis Defense ‘19

  24. Study 1: Previously Sent Notifications Understanding Feelings Actions Perceptions Effectiveness Delivery Method Legitimacy MTurk, 15min, 180 respondents, $2.50 30 Bochum , May 29, 2019 | Thesis Defense ‘19

  25. “You've got e - mail! ... shall I deal with it now?” Concerning and a priority (83% very high or high) 31 Bochum , May 29, 2019 | Thesis Defense ‘19

  26. “Should I worry?” 32 Bochum , May 29, 2019 | Thesis Defense ‘19

  27. “Something happened and you need to click ‘OK’ to get on with things.” [6] What may have caused you to receive this notification? [Multi select] 60% Account hacked 21% New device (false alarm) 21% Data breach 19% Reuse 33 [Ref. 6] by Johnathan Nightingale – Firefox Software Engineer at Mozilla; [Img 1.] Guy Fawkes by Carlotta Rosi - thecirqle.com Bochum , May 29, 2019 | Thesis Defense ‘19

  28. Call a Spade a Spade! Don’t mention reuse Allude to reuse 0 - 4% 48 - 56% respondents respondents listed reuse as a cause for receiving this notification. 34 Bochum , May 29, 2019 | Thesis Defense ‘19

  29. Incomplete Mental Models “The chances of someone guessing that I use the same password are still incredibly low.” (R171) Current password-reuse notifications: cause concern explain the situation 36 Bochum , May 29, 2019 | Thesis Defense ‘19

  30. Study 2: Components of Notifications Delivery Medium Pus ush / In In-App / Em Email il Incident Unr Unrelated / Ou Our / - Account Activity No o sus suspicious / Sus Suspicious s / - Remediation Cr Create ne new / Recommend Other Accounts Cha Change all all / - Extra Actions MTurk, 588 Respondents Ena Enable 2F 2FA + + Manager / - 37 Bochum , May 29, 2019 | Thesis Defense ‘19

  31. … Unhealthy Behavior What would you do about it? What would your new password be? 90% Change it 68% Modified password 6% Keep it the same 13% Reused password 4% Don’t know 11% Use manager/browser 6% Other 2% Completely new 39 Bochum , May 29, 2019 | Thesis Defense ‘19

  32. Incomplete Mental Models “The hack wasn't specific to this company so it doesn't worry me.” (R69) After seeing a reuse notification, users would change password … but ineffectively have incomplete mental models 41 Bochum , May 29, 2019 | Thesis Defense ‘19

  33. Mockup 42 Bochum , May 29, 2019 | Thesis Defense ‘19

  34. Conclusion Reuse Notifications Passwords Strength Meter 43 Bochum , May 29, 2019 | Thesis Defense ‘19

Recommend

Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security

Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security

Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security Browser SSL Password Encryption warnings schemes usability IT Security 40M consumer 153M end user Thousands of credit cards credentials

785 views • 39 slides
Authentication Using Graphical Password: Effects of Increased Security on Usability William M.

Authentication Using Graphical Password: Effects of Increased Security on Usability William M.

Authentication Using Graphical Password: Effects of Increased Security on Usability William M. Martin Aaron G. Cass March 3, 2018 Introduction 01 Human Computer Interface Security (HCIsec) 02 Password Problem 03 Graphical User

633 views • 31 slides
Password-Based Cryptography: Strong Security from Weak Secrets Anja Lehmann IBM Research

Password-Based Cryptography: Strong Security from Weak Secrets Anja Lehmann IBM Research

Password-Based Cryptography: Strong Security from Weak Secrets Anja Lehmann IBM Research Zurich based on joint work with Jan Camenisch, Anna Lysyanskaya & Gregory Neven ROADMAP Password-Based Authentication How to make password

1.43k views • 43 slides
Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this

Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this

5/25/2019 Network Security Topic 3: User Authentication Topic 3: User Authentication 1 Reading for this Lecture 5/25/2019 Password Topic 3: User Authentication Password strength Salt_(cryptography) Password cracking

1.03k views • 75 slides
Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1

Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1

PAKE Game-based Security Universal Composability LAKE Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1 David Pointcheval Ecole Normale Sup erieure Game-based Security 2 Universal

927 views • 10 slides
1 1 11/17/09 2 2 11/17/09 The SiteKey. This is not a graphical password system. ...and I'm

1 1 11/17/09 2 2 11/17/09 The SiteKey. This is not a graphical password system. ...and I'm

11/17/09 1 1 11/17/09 2 2 11/17/09 The SiteKey. This is not a graphical password system. ...and I'm pretty sure it doesn't work. 3 3 11/17/09 - basic outline -problems with password usability and security -how various graphical

1.55k views • 86 slides
USABILITY INTRODUCTION USABILITY AND USER INTERFACE DESIGN TO BE PREPARED FOR THIS CLASS YOU

USABILITY INTRODUCTION USABILITY AND USER INTERFACE DESIGN TO BE PREPARED FOR THIS CLASS YOU

USABILITY INTRODUCTION USABILITY AND USER INTERFACE DESIGN TO BE PREPARED FOR THIS CLASS YOU WILL HAVE WORKED THROUGH THE LYNDA.COM UX-1 SECTION. FOR THIS CLASS USABILITY WHAT is Usability? WHY is Usability important? USER

611 views • 21 slides
Key management Password hashing CS 161: Computer Security Prof. Raluca Ada Popa Oct 4, 2016

Key management Password hashing CS 161: Computer Security Prof. Raluca Ada Popa Oct 4, 2016

Key management Password hashing CS 161: Computer Security Prof. Raluca Ada Popa Oct 4, 2016 Key management on whiteboard Password hashing in these slides Announcement Project 2 part 1 due today Passwords Tension between usability and

166 views • 16 slides
Password hashing CS 161: Computer Security Prof. Raluca Ada Popa Feb 19, 2018 Announcement

Password hashing CS 161: Computer Security Prof. Raluca Ada Popa Feb 19, 2018 Announcement

Password hashing CS 161: Computer Security Prof. Raluca Ada Popa Feb 19, 2018 Announcement Project 2 to be released Thursday Midterm grades announced at end of week Passwords Tension between usability and security choose random and choose

528 views • 20 slides
Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone

Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone

Phd course on Formal modelling and analysis of interactive systems Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone United Nations University International Institute for Software Technology

1.76k views • 109 slides
-: U ser M an ual :- 1. First the office user after receiving their user id and password from

-: U ser M an ual :- 1. First the office user after receiving their user id and password from

-: U ser M an ual :- 1. First the office user after receiving their user id and password from their respective districts must visit www.wbppms.gov.in. 2. In the web portal click on either Get Started or Signin in the upper right

408 views • 9 slides
Topics L1: usability L2: user-centered

Topics L1: usability L2: user-centered

Topics L1: usability L2: user-centered design, user & task analysis L3: MVC, observer, view hierarchy L4: component, stroke & pixel models, redraw, double-

310 views • 5 slides
Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe

Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe

Introduction Security-usability threat model Security and usability evaluation Summary Security and Usability: Analysis and Evaluation Ronald Kainda, Ivan Flechais, and A.W. Roscoe Oxford University Computing Laboratory Availability,

829 views • 23 slides
Design for Security Serena Chen | @Sereeena | OReilly Velocity 2018 Usability Security

Design for Security Serena Chen | @Sereeena | OReilly Velocity 2018 Usability Security

Design for Security Serena Chen | @Sereeena | OReilly Velocity 2018 Usability Security Good user experience design and good security cannot exist without each other Everyone deserves to be secure without being experts We need to

1.34k views • 112 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 24: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science & Engineering

219 views • 5 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 25: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science & Engineering

419 views • 4 slides
Outline Tor experiences and challenges (contd) Usability and security CSci 5271

Outline Tor experiences and challenges (contd) Usability and security CSci 5271

Outline Tor experiences and challenges (contd) Usability and security CSci 5271 Announcements intermission Introduction to Computer Security Usability and Voting combined slides Usable security example areas Stephen McCamant Elections

305 views • 8 slides
Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password

Authentication Authentication Overview Registration User sends username and password Validate password strength Store salted hash of the password Authentication User sends username/password Retrieve the stored salted

359 views • 20 slides
Perceived Usability Usefulness and measurement James R. Lewis, PhD, CHFP Distinguished User

Perceived Usability Usefulness and measurement James R. Lewis, PhD, CHFP Distinguished User

Perceived Usability Usefulness and measurement James R. Lewis, PhD, CHFP Distinguished User Experience Researcher jim@measuringu.com What is Usability? Earliest known (so far) modern use of term usability Refrigerator ad from

475 views • 35 slides
Human-Computer Interaction Termin 7: Usability Evaluation MMI/SS06 1 Process to develop User

Human-Computer Interaction Termin 7: Usability Evaluation MMI/SS06 1 Process to develop User

Human-Computer Interaction Termin 7: Usability Evaluation MMI/SS06 1 Process to develop User centered design interactive systems such that usability will be maximized. scenario, user what is task analysis guidelines wanted principles

585 views • 21 slides
Multi-Instance Security and its Application to Password- Based Cryptography Stefano Tessaro MIT

Multi-Instance Security and its Application to Password- Based Cryptography Stefano Tessaro MIT

Multi-Instance Security and its Application to Password- Based Cryptography Stefano Tessaro MIT Joint work with Mihir Bellare (UC San Diego) Thomas Ristenpart (Univ. of Wisconsin) Scenario: File encryption Want to store data in encrypted

1.37k views • 116 slides
GESTURE-BASED USER AUTHENTICATION FOR MOBILE DEVICES Dennis Guse Quality and Usability Labs, TU

GESTURE-BASED USER AUTHENTICATION FOR MOBILE DEVICES Dennis Guse Quality and Usability Labs, TU

GESTURE-BASED USER AUTHENTICATION FOR MOBILE DEVICES Dennis Guse Quality and Usability Labs, TU Berlin 1 AUTHENTICATION ON MOBILE DEVICES Mobile Devices Interaction style Limitations 2 GESTURE-BASED USER AUTHENTICATION Personalized

239 views • 13 slides
A Usability Study and Critique of Two Password Managers Robert Biddle Presenter: Chi-Tsong Su

A Usability Study and Critique of Two Password Managers Robert Biddle Presenter: Chi-Tsong Su

A Usability Study and Critique of Two Password Managers Robert Biddle Presenter: Chi-Tsong Su A Mysterious Letter A man got a kick out of turning simple things into mysteries when composing a letter, though he was not good at all at writing.

417 views • 19 slides
WEP/WPA2 WiFi Password Security & Exploiting IP Based Surveillance Cameras By Basiru

WEP/WPA2 WiFi Password Security & Exploiting IP Based Surveillance Cameras By Basiru

WEP/WPA2 WiFi Password Security & Exploiting IP Based Surveillance Cameras By Basiru Mohammed Rajkumar Ramadhin Alexander Martin Introduction With growing advancement in the "Internet of Things" we must take a look at the

468 views • 29 slides

More recommend