Account Recovery – Authentication's Dirty Secret?

Slides:



Advertisements
Similar presentations
Computer Ethics Ms. Scales. Computer Ethics Ethics  the right thing to do Acceptable Use Policy  A set of rules and guidelines that are set up to regulate.
Advertisements

Home Research II Instructional Technology Program East Stroudsburg University Yvette Raven.
Students’ online profiles for employability and community Frances Chetwynd, Karen Kear, Helen Jefferis and John Woodthorpe The Open University.
13: Unlucky for some? …or how to test your WLAN passwords to make sure that it’s the hacker who is “unlucky” Ian Hughes Wireless Security Consultant
ICT Curriculum Evening – an introduction to Wizkid.
Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.
User studies. Why user studies? How do we know security and privacy solutions are really usable? Have to observe users! –you may be surprised by what.
PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,
Internet Safety and Kids Ms. Lee’s Classroom Computers are NOT bad Computers can be used to help kids learn and play. They can be used safely, if parents.
August 15 click! 1 Basics Kitsap Regional Library.
E-safety Parental Guide “You wouldn't let your child wander around the streets of London alone, yet millions of children are surfing the internet on their.
Notes to Teachers At the time we embedded the links in these lessons, they all worked. If they don’t, you can google the website, find the link, open it.
Identity Theft By: Chelsea Thompson. What is identity theft? The crime of obtaining the personal or financial information of another person for the purpose.
Personal Safety Unit - Level 7. The Internet is not anonymous. Your address, screen name, and password serve as barriers between you and others.
Impacts of the use of IT -Social network sites This is a site that lets you post messages, upload pictures and stories on your own personal page. You can.
Threat to I.T Security By Otis Powers. Hacking Hacking is a big threat to society because it could expose secrets of the I.T industry that perhaps should.
GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Thomas Jenkins.
Suggested grade levels 7-12 Students will explore strategies that promote personal safety when using the texting-based social network, Twitter.
Using A presentation of the Elmhurst Public Library.
Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.
ISPAB Panel on Usable Security Mary Frances Theofanos - NIST Ellen Cram Kowalczyk - Microsoft.
LEARNING AREA 1 : INFORMATION AND COMMUNICATION TECHNOLOGY PRIVACY AUTHENTICATION VERIFICATION.
Todays’ Agenda Private vs. Personal Information Take out your notebook and copy the following information. Private information – information that can be.
7/10/20161 Computer Security Protection in general purpose Operating Systems.
Mail Password Recovery Find a place to fix Password recovery issue Gmail, MSN, Hotmail and Outlook.
Unit 4 Protecting Your Information Section C. Chapter 1, Slide 2Starting Out with Visual Basic 3 rd EditionIntroduction to ComputersUnit 4C – Protecting.
Communicating safely and appropriately online. Why do we need passwords?
Challenge/Response Authentication
How To Register on HROCMMS
Debra Mann Reference Librarian Innisfil Public Library
PASSWORD SECURITY A Melbourne Athenaeum Library
How to be Kind Online A guide for children aged 7+
Communicating safely and appropriately online
Creating your online identity
Keeping Children Safe Online
CANADA’S ANTI-SPAM LEGISLATION (CASL)
Fraud Protection.
Social Media Security: Understanding how to keep yourself safe.
Fraud protection.
Class Name: Online Safety & Privacy Basics
Unit 4 IT Security.
Challenge/Response Authentication
Ways to protect yourself against hackers
Password Management Limit login attempts Encrypt your passwords
Social Network Website for USEP
How to build a good reputation online
WRITE MARKETING COPY and EXECUTE TARGETED S
Working to Keep our Children Safe in a World Filled with Technology
Dial +1(505) Quickly Gmail Password Recover.
Dial +1(505) Quickly Gmail Password Recovery.
STOP. THINK. CONNECT. Online Safety Quiz.
Data Collection in MTM Choosing the right method for survey data collection.
2016 Annual CPNI Training CPNI & PI Awareness Beth Slough,
Fun gym Cambridge Nationals R001.
Fun gym Cambridge Nationals R001.
How to use the Going Abroad blog
Setting up an online account
UNIT 4 – Identifying People With Data
Introduction to Computers
Basics HURY DEPARTMENT OF COMPUTER SCIENCE M.TEJASWINI.
The main cause for that are the famous phishing attacks, in which the attacker directs users to a fake web page identical to another one and steals the.
What is BankMobile? A process to select how to receive student refunds and student payroll payments It is fast, secure, and convenient. Go to:
E - safety How e-safe are you?.
UNIT 4 – Identifying People With Data
Internet Safety – Social Media
Online Safety: Rights and Responsibilities
Computer Security Protection in general purpose Operating Systems
Putting a face to a name: students’ use of profiles in VLE forums
Wolves of the Internet: Where do fraudsters hunt for data online?
Founded in 2002, Credit Abuse Resistance Education (CARE) educates high school and college students on the responsible use of credit and other fundamentals.
Presentation transcript:

Account Recovery – Authentication's Dirty Secret? Mike Just University of Edinburgh 28 May 2009

Managing Online Presence Many accounts Different interfaces Too much information Too many passwords Frequent updates A challenge to effectively manage 28 May 2009

28 May 2009

Why so many Accounts? I do different things with different people Used for Storing information Sharing information Receiving information Communicating information Collaborating with others Learning, Teaching, Living Used with colleagues, friends, family, ... 28 May 2009

What do Accounts want from Me? Information, information, information Why? Help me store, share, communicate, … Improve my online experience Ensure controlled access to my account Market to me, e.g. advertise Share my information with others Usability Security Privacy 28 May 2009

Account Properties Security Usability Privacy Stop “bad guys” Security Help for yourself Control “good guys” Usability Privacy Protection vs Control vs Convenience ... 28 May 2009

Identification and Authentication Registration Identification Initialize Authentication Initialize Recovery Regular Authentication Account Recovery 28 May 2009

Identification and Authentication Registration Identification Initialize Authentication Initialize Recovery If required, user will identify themselves to register Required by banks, work accounts, etc. Identification may rely on shared information, e.g. financial Information might rely upon third-party info, e.g. credit bureaus Typical Internet sites don't require identification GoogleMail, Hotmail, Facebook, Twitter Only ensure that only you can authenticate later Regular Authentication Account Recovery 28 May 2009

Identification and Authentication Registration Identification Initialize Authentication Initialize Recovery User chooses 'User Identifier' and authentication credential Typically a password To be used for 'Regular Authentication' Policy often establishes 'password rules' Regular Authentication Account Recovery 28 May 2009

Identification and Authentication Registration Identification Initialize Authentication Initialize Recovery If required, user will submit information for later recovery Used in case of forgotten password Often comprised of a set of challenge questions and answers Alternatively, user could be required to (re-)identify Assumes there is shared information for identification Can be costly if initial identification was in-person Regular Authentication Account Recovery 28 May 2009

Identification and Authentication Registration Identification Initialize Authentication Initialize Recovery Identifier and credential (e.g. password) used routinely for authentication Policy may require periodic update of credential, e.g., monthly Regular Authentication Account Recovery 28 May 2009

Identification and Authentication Registration Identification Initialize Authentication Initialize Recovery If regular authentication credential is “lost” or “forgotten”, user can still recover their account Often important to retrieve stored information User asked to answer one or more of their challenge questions Alternatively, might re-identify May also have to follow a re-directed email Regular Authentication Account Recovery 28 May 2009

Account Recovery with Challenge Questions Source: http://xkcd.com/565/ 28 May 2009

Account Recovery with Challenge Questions “What is my Mother's Maiden Name?” “What was the name of my first pet?” “What was the name of my first school?” “Who is my favourite actor?” “Where did I spend my honeymoon?” 28 May 2009

Account Recovery with Challenge Questions Authentication Credentials 'Something You Have' 'Something You Know' Access card Smartcard Mobile 'Something You Already Know' 'Something You Memorize' 'Something You Are' Passwords PINs Images Challenge questions Images Fingerprints Iris/retinal scan Facial scan 28 May 2009

Account Recovery with Challenge Questions Palin hack required zip code, DOB, and 1 question (where you met your significant other) It took two days for the name of the anonymous advertiser to be posted on a chat room on the Internet. First, someone tried the gmail password recovery service and found out that the "security questions" it asked were in Russian. Then, someone else noticed that gmail reveals the domain to which the password recovery message are sent. The personalized domain name was registered to a prominent Russian business executive, wealthy and single. The privacy commissioner's office expressed concern about a game that has found its way onto the micro-blogging site: combining your first pet's name with the first street you lived on to discover your porn star alter ego. 28 May 2009

Account Recovery with Challenge Questions Ubiquitous use of challenge question authentication Very little published research as to whether it's Usable Secure Privacy-friendly For remainder of this presentation Recent research results Best practices for challenge question authentication 28 May 2009

Challenge Questions – Usability Three criteria to assess usability Applicability How widely applicable is the given question? Memorability How easy is it for the user to recall the answer? Repeatability How accurately can the answer be replayed, without syntactic or semantic ambiguity? What was your first pet's name? What was my high school locker combination? Street vs Avenue Favourites 28 May 2009

Challenge Questions – Security Increasing Information for Attacker Answer alphabet and distribution, common answer sets Questions, distributions of likely answers User account, published data, social networks, friends, family, ... Attack Modes Blind Guess Focused Guess Observation Answer Guess 28 May 2009

Challenge Questions – Security Three criteria to assess security Length of answers Helpful when dynamically assessing user answers Can't force longer answers, but can ask multiple questions Size of answer space Can “filter out” obviously small questions Can measure others Too few possibilities! What's my favourite colour? What's my best friend's last name? Only 105 in US (2000) 28 May 2009

Challenge Questions – Security Observability of answers Subjective assessment Known to friends or family? Obtainable by strangers? Public records, social networks, physically observable, ... Recall earlier web examples 28 May 2009

Challenge Questions – Privacy Is the information being asked, sensitive? Intimate experiences Some questions might be particularly sensitive to one culture, more than others Religion, politics, relationships, … Can be difficult to balance between information that is private (known only to a user), personal (memorable to user), but not sensitive 28 May 2009

Other Considerations Number of questions to ask Recent research suggests more than one question/answer required More `entropy' for an attacker to have to guess Can also help to increase difficulty of Observation attack User might register 3-4 questions and answers, and is required to answer at least 2 questions at authentication For Government of Canada solution, users registered 3 questions and answers, and were asked all 3 at recovery 28 May 2009

Other Considerations ... To '*' or not to '*' What was my first school's name? ************ What was my first school's name? St. James IV Use of '*' can limit effectiveness of “shoulder surfing” attacks But, use of '*' can make entering of answer difficult If we assume that questions are rarely used (only for recovery), then shoulder surfing may be less of a concern For Government of Canada solution, we did not use '*'s, and opted for improved usability whereby users see what they type 28 May 2009

Other Considerations ... Normalization of answers Is the answer “John Carter” = “john carter” = “johncarter”? Is the answer “St. James” = “St James”? Unlike with passwords, capitalization and punctuation locations are very predictable with answers Thus offering little to improve security Recent research shows users have difficulty with consistent capitalization For Government of Canada solution, answers were normalized to remove capitalization and punctuation 28 May 2009

Other Considerations ... System-generated versus user-generated questions Users can choose unique, secure questions However, users will also often choose very insecure questions For Government of Canada solution, we used one system- generated question, and two user-generated questions Complementary security measures Email a recovery link to the user 28 May 2009

Conclusion When passwords are forgotten, we rely upon known information to authenticate A risky proposition, since this information is often more widely known than we would like Usability – Security – Privacy Best practices required 28 May 2009

Further Information Other presentations, research publications, at http://homepages.inf.ed.ac.uk/mjust/KBA.html Email: mike.just@ed.ac.uk 28 May 2009

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.