Authentication for Humans.ppt

《Authentication for Humans.ppt》由会员分享，可在线阅读，更多相关《Authentication for Humans.ppt（22页珍藏版）》请在麦多课文档分享上搜索。

1、Authentication for Humans,Rachna Dhamija SIMS, UC Berkeley rachnasims.berkeley.eduDIMACS Workshop on Usable Privacy and Security Software July 7, 2004,Talk Outline,Machines Authenticating Users Dj Vu User Study- Using Images for AuthenticationUsers Authenticating Remote Servers Interfaces for websit

2、e authentication,Password Usability and Security,Simple and meaningful passwords - Memorable, but easier to guessComplex passwords - Strong, but hard to rememberAdvantages of passwords Cheap and easy to implement We develop muscle memory,Previous Solutions,Stronger password hashing & storage Proacti

3、ve password cracking Enforce system policies Better user education and training Significant non compliance rate by usersWe try to address the fundamental problem: Recall is hard,Picture recognition is easier,Humans have a vast memory for pictures 2560 photos for a few seconds: 90% recognition Standi

4、ng, Conezio, Haber 10,000 photos: 66% recognition after 2 days Standing 200 random photos: 90% after 1-3 months Weinshal/Kirkpatrik, CHI2004 Fractions of a second is enough to remember Picture recognition is easier than verbal recognition Picture recognition is easier than picture recall Harder to r

5、ecall semantics or to redraw picture But picture recall is better than verbal recall,Dj Vu Design Goals,Base security on human strengths Recognition over recallPrevent weak passwordsPrevent password sharingNo biometrics or tokens,Authentication through Images,Choose image portfolio Challenge set = p

6、ortfolio + decoys Photos and Random Art,Random Art,Algorithm: seed - pseudo-random number generator- random expression tree maps pixels to RGB - random art,Choose Image Portfolio,Portfolio Training,Challenge,Portfolio Creation Screen,Login Screen,Attacks,Brute Force optimal portfolio and challenge d

7、epends on security 5 image portfolio/25 challenge set = 53,130 combinationsMeasures against shoulder surfers: hide image selection distort images Measures against Intersection Attack: Always show same challenge set Multi-stage authentication,Experiment Design,Target population = general computer use

8、rs20 participants (11 males + 9 females, expert/novice),Initialization PIN (4 digits) Password (6 char.) Art portfolio (5/100) Photo portfolio (5/100),Login PIN Password Art (5/25) Photo (5/25),Repeat login after one weekTask order randomizedPortfolio creation- same images but random order Portfolio

9、 login- random images and random order,Task Completion Time,Unlimited time & attempts Does not include failed logins,Error Rate,Session 1: no unrecoverable errors made with portfolios Session 2: significantly less failed logins with portfolios (all users remembered 4/5 images on first attempt),More

10、Results,Its easier than it looksText vs. image portfolios Passwords/PINS faster to create art is individual Art descriptions vary, hard to describe How hard are they to communicate? Spouse-proof?,Conclusions in this study,Recognition-based authentication More reliable long term than passwords, PINs

11、Easier, more pleasant to use Random Art portfolios are harder to predict than passwords or real imagesApplications Where text input is hard, limited observation (e.g., ATM, PDA, pen-based devices) Infrequently used high availability passwords,Future Work,Long term studies Frequency of use Multiple p

12、ortfolios and changes Portfolio communication & prediction study Cued recall of text passwordsImage Generation & Distortion Image generation and distortion techniques What is the space of images are distinguishable, memorable?Strengthen against attack, improve login times, allow non-perfect probabilistic recognition,Talk Outline,Machines Authenticating Users Dj Vu User Study Users Authenticating Remote Servers Interfaces for website authentication,Challenge,