Usable Authentication Research with the MVP Framework Robert Biddle Carleton University, Ottawa Sonia Chiasson, Chris Deschamps, Elizabeth Stobert, Max Hlywa, Nick Wright, Bruna Machado Freitas, Alain Forget, Andrew Patrick Biddle: MVP1

Agenda Usable Security and Authentication MVP Framework MVP Authentication Schemes MVP Management MVP Recent Research Results Dalhousie Action Items References: – Graphical Passwords: Learning from first 12 years – The MVP Framework Web-Based Framework – Biddle: MVP2

Usable Security Saltzer and Schroeder, 1975: “It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly. Also, to the extent that the user’s mental image of his protection goals matches the mechanisms he must use, mistakes will be minimized. If he must translate his image of his protection needs into a radically different specification language, he will make errors.” Cranor and Garfinkel, 2005: “secure systems that people can use.” Biddle3

Usable Security Challenges Security is a Secondary Task – Avoided or evaded if inconvenient Security has the “Barn Door” Property – Brief exposure can cause permanent damage Security has a complex language – Encryption, public/private keys, phishing, … Security is poorly understood by users – Users do not understand consequences of insecure actions, assume they are not at risk, underestimate attackers’ abilities Biddle4

Research Methods Human Factors Principles Usability Evaluation Methods Experiment and Field Study Design Ethical Procedures for Human Participants Quantitative Analysis and Statistical Inference Qualitative Study and Data Analysis Reporting Results, Graphical Data Presentation Biddle5

Authentication and Credentials Something You Have Can be Lost or Stolen Something You Are Hard to Change; Privacy Loss Something You Know Hard to Recall; Guessed or Captured rosebud 6Biddle

Threats to Passwords Guessing – Online (Web-Robots) or Offline (Access to DB) – Single-User (Targeted) of Multi-User (Any User) – Exhaustive or Dictionary Capture – Shoulder-Surfing (by eye or by video) – Social Engineering (incl. phishing) – Malware (keyloggers etc.) Biddle7

The Password Problem Passwords should be: – Easy to Remember, but – Difficult to Guess For multiple passwords! Sometimes with rules! Different rules for each password! And compulsory regular changes! Biddle: MVP8

Theoretical Password Space The number of possible passwords that a scheme allows. Therefore, the number of passwords an attacker must guess to ensure success. Therefore, an expected value function for each attacker guess. IF all passwords are equally likely. Biddle: MVP9

Theoretical Password Space: E.g. PassPoints Password Space Biddle: MVP10

Effective Password Space The number of passwords people are likely to actually choose. But it’s not one space: it’s a curve. So… Matt Weir: reusablesec.blogspot.com Biddle: MVP11

MVP: Multiple Versatile Passwords Framework for Empirical Research on Usable Knowledge-Based Authentication Basic idea: allow new kinds of password schemes within an ecologically valid setting Real sites, real usage Passwords used in context, secondary task Biddle: MVP12

Site password input redirects to MVP MVP selects scheme based on userid Scheme runs, logging all events Result is rendered as text password to site Biddle: MVP13

MVP in Use Button instead of “Enter Password” field Pop-up Window with selected Scheme Biddle: MVP14

MVP Schemes: Text Pure user-chosen text User-chosen text with rules – Length, required chars, denied chars, etc. Assigned random text – Length, alphabet Multiple word text – Number of words, chosen or assigned, lists Biddle: MVP15

MVP Schemes: Recognition Like PassFaces – Number of panels – Images per panel – Image sets Faces Houses Objects Biddle: MVP16

MVP Schemes: Graphical Recall Like Draw-a-Secret – Grid size Biddle: MVP17

MVP Schemes: Click-Based Passpoints – 5 Points on Image – Tolerance areas – Can vary: Number of Clicks Image Sets Biddle: MVP18

MVP Schemes: Click Based Cued-Click Points – Like Passpoints, but 1-click per image – Each click selects next image – Number of images parameter Biddle: MVP19

MVP Schemes: Click Based Persuasive Cued Click Points – Like CCP, but with random viewport Biddle: MVP20

MVP Schemes: Other 2 nd gen DAS, PP, CCP, PCCP, Recognition Text Recognition PassTiles Family GridSure CYOA More??? Biddle: MVP21

MVP Website Engine Plugins Wordpress – Blog Engine with many other plugins, e.g. voting, eCommerce, photo-sharing etc. phpBB – Generalizable Bulletin Board osCommerce – eCommerce web-store system Drupal – Content Management System Biddle: MVP22

MVP Wordpress Admin MVP Plugin, Registration Plugin, Timeout Biddle: MVP23

MVP System Management Control Panel – f(username, system): Scheme Log – Time, System, User, Mode, Event, Data Booking and Questionnaires Registration and Notification Validation and Verification Etc. Biddle: MVP24

MVP Username Management By name pattern – E.g. dal (Between Subjects Group 1) Campusblog: scheme=textrules, cond=alphaonly Photos: scheme=textrules, cond=alphaonly DailyNews: scheme=textrules, cond=alphaonly – E.g. dal (Between Subjects Group 2) Campusblog: scheme=recognition, cond=faces Photos: scheme=recognition, cond=faces DailyNews: scheme=recognition, cond=faces – E.g. dal (Within Subjects) Campusblog: scheme=recognition, cond=faces Photos: scheme=textrules, cond=alphaonly DailyNews: scheme=textassigned, cond=az09-6 Cornerstore: scheme=textrules, cond=alphaonly By name assignment Biddle: MVP25

MVP Log Time: Timestamp to 1 second System: Name of website User: Username Scheme: Scheme Condition: subscheme Mode: create, enter, login Event: specific to mode Data: specific to event Biddle: MVP26

MVP Sites, Schemes, Studies

Comparing Password Schemes Criteria: – Memorability – Entry Time – Learnability – Perception of Value – Affective Appeal Measurements: – How to measure each? – How to compare each? Biddle: MVP28

Max Hlywa: In Recognition-Based GPs, are Faces the most Memorable Images? Hylwa co-supervised by Andrew Patrick.

No

Also, they’re slow.

Bruna Machado Freitas: How do people really use Draw-A-Secret?

Not well. Favour Similar Squares Favour Simple Shapes Favour Password Reuse Misunderstand Encoding 1 unique password61% 2 unique passwords18% 3 unique passwords21%

Nick Wright: Are Text Recognition Passwords More Memorable than Text Recall? Wright co-supervised by Andrew Patrick.

Elizabeth Stobert: Are assigned graphical passwords memorable?

Dal Action Items Populate sites: – dal2, dal3, dal4 – Choose name, theme, content Choose two schemes: – With exact specifics, numbers, images etc Choose research plan: – Consider password space – Consider research question: E.g. Effect of schemes, sizes, images, etc. – Consider criteria: Memorability, entry time, appeal, etc. – Consider metrics: How to evaluate criteria Biddle: MVP36

Usable Authentication Research with the MVP Framework Robert Biddle Carleton University, Ottawa Sonia Chiasson, Chris Deschamps, Elizabeth Stobert, Max Hlywa, Nick Wright, Bruna Machado Freitas, Alain Forget, Andrew Patrick Biddle: MVP37