Graphical Passwords with Integrated Trustworthy Interface
TIPPI Workshop, June 19, 2006
Patricia Lareau, VP Product Management

Presentation transcript:

Authentication Design Goals: Consider Security and Usability

Passfaces Corporation ■ 175 Admiral Cochrane Drive ■ Annapolis, Maryland

Security Requirements (graphic: usability vs. security scale)
- Randomly assigned
- Unique to the application
- Robust against known attacks
- Simple
- Reliable – no fallback needed
- Not sharable casually or easily
- Lacks social vulnerabilities
- Useable anywhere
- Two-way AuthN

Usability Requirements (graphic: usability vs. security scale)
- Graphical user interface
- Intuitive to use
- No user rules
- Independent of user’s aptitude, training or attentiveness
- No on-going training
- EASY to use
- Portable
- Fun!

Successful AuthN Is Both or Neither (graphic: usability vs. security scale)
Design leverages: the Secret, the Interface, the Protocol

Passfaces Meets the Challenge: Secure and Usable

The Secret: Based on Cognitive Science

The Brain Deals with Faces Differently than Any Other Image
Face recognition is a dedicated process which is different from general object recognition.
Source: Face Recognition: A Literature Survey, National Institute of Standards and Technology

In the Beginning…
Science has proven that we are genetically predisposed with a unique talent: we all have the innate ability to easily recognize human faces. There was a time when recognizing another’s face could mean LIFE or DEATH. Today that need is not so great, but the ability is still there. There is a special place in the brain dedicated to facial recognition and facial recognition only.
Thinking Outside of the Box Approach: “Let’s Authenticate the Person”

Recall vs. Recognize
You must RECALL a password. You simply RECOGNIZE a face.
Remember high school: what kind of test did you prefer? Fill in the blank, or multiple choice?

We Never Forget a Face
“Haven’t used Passfaces in 6 months. I decided to take another look at it and, amazingly, I logged right in!”
In one major government installation, there have been no forgotten Passfaces in over three years. The more it’s used, the easier it gets. Think about how many people you already recognize. Why wouldn’t you remember your Passfaces?

Our Approach
Familiarize the user with a randomly selected set of faces and check whether they can recognize them when they see them again. It’s as easy as recognizing an old friend.

Authentication Session: The Secret
- Random
- Easy to recognize but difficult to describe or share
- No “cribsheets” needed
- Always available
- Intuitive: independent of user age, language or education
- Not socially vulnerable

The Interface: Reinforce the Design Objectives

How Passfaces Works
Users are assigned a set of 5* Passfaces drawn from a library of faces (diagram: User Interface / Library of Faces).
* Typical implementation; 3 to 7 possible as standard

How Passfaces Works
- 5 Passfaces are associated with 40 associated decoys
- Passfaces are presented in five 3 by 3 matrices, each having 1 Passface and 8 decoys

New Users Are Familiarized with Their Passfaces
- Users enroll with a 2 to 4 minute familiarization process
- Using instant feedback, encouragement, and simple dialogs, users are trained until they can easily recognize their Passfaces
- The process is optimized and presented like an easy game
(Demo screen: “Let’s Practice. Action: Click On Your Passface. It’s Moving. (There is only One on this Page)”)

Familiarization Puts Cookies in the Brain
- Like a mindprint or brain cookie
- But, unlike fingerprints, Passfaces require no special hardware
- And, unlike browser cookies, Passfaces authenticate the actual user

Authentication Session: The Interface
- Graphical
- Self-prompting
- User cannot choose or reuse
- NO burden of recall
- 3x3 grid: ergonomic; maps to keypad, phone, pinpad
- More entropy than a user chosen secret

The Protocol: Maximize Defenses, Maximize Usability

Grid Set Is Random per User
- Grids need not be secret but must be correct
- AUTHENTICATION IS NOT POSSIBLE WITHOUT PRESENTATION OF CORRECT GRIDS
- Mutual authentication is implicit; user attentiveness unnecessary
- Phishing today is stopped
- Phishing tomorrow is hard work
- Blacklisting is possible
(Diagram: configuration data record for John Doe / sparky123)

Grid Presentation
- Multiple grids
- Random display within grid
- Familiar order of grids for user comfort
Library Use
- Thousands of random sets available
- Shoulder surfing deterrent
- Anti-phishing strategies
- Mutual AuthN enhanced
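The protocol on the two slides above (a per-user grid set, random display within each grid, grids shown in the user's familiar order, and the implicit mutual-authentication check that a page without the correct grids cannot elicit a login) as an added Python simulation; this is not Passfaces Corporation's code. The 200-entry face library, the string face identifiers and the CSPRNG default are assumptions made here; a real deployment serves images.

```python
import math
import random

# Constructed face library: 200 identifiers stand in for the face images.
LIBRARY = [f"face{i:03d}" for i in range(200)]
GRID_SIZE = 9   # 3 x 3 grid: 1 Passface + 8 decoys
NUM_GRIDS = 5   # typical implementation on the slides (3 to 7 possible)
CSPRNG = random.SystemRandom()   # the assignment is secret material: no seeded PRNG

def enroll(rng=CSPRNG):
    """Assign 5 random Passfaces plus 40 fixed decoys, grouped into 5 grids.
    The grid set is fixed per user; only positions change per session."""
    faces = rng.sample(LIBRARY, NUM_GRIDS * GRID_SIZE)      # 45 distinct faces
    passfaces, decoys = faces[:NUM_GRIDS], faces[NUM_GRIDS:]
    grids = [[passfaces[i]] + decoys[8 * i:8 * i + 8] for i in range(NUM_GRIDS)]
    return {"passfaces": passfaces, "grids": grids}

def present(record, rng=CSPRNG):
    """Server challenge: grids in the user's familiar order, faces shuffled
    within each grid so the click positions differ every session."""
    challenge = [list(grid) for grid in record["grids"]]
    for shown in challenge:
        rng.shuffle(shown)
    return challenge

def user_clicks(record, challenge):
    """Simulated legitimate user: click the one familiar face in each grid.
    Returns None when a grid holds no Passface, which is what the user sees
    on a page that lacks their grid set (the implicit mutual authentication)."""
    mine, clicks = set(record["passfaces"]), []
    for grid in challenge:
        hits = [i for i, face in enumerate(grid) if face in mine]
        if len(hits) != 1:
            return None
        clicks.append(hits[0])
    return clicks

def verify(record, challenge, clicks):
    """Server check: every click must land on that grid's Passface. All grids
    are compared (no early exit) so timing does not reveal the first miss."""
    if len(clicks) != NUM_GRIDS or any(not 0 <= c < GRID_SIZE for c in clicks):
        return False
    hits = sum(challenge[i][c] == record["passfaces"][i] for i, c in enumerate(clicks))
    return hits == NUM_GRIDS

def guess_entropy_bits():
    """Blind-guess search space: 9 positions per grid, 5 grids (9**5 = 59049),
    so lockout or rate limiting still matters against online guessing."""
    return math.log2(GRID_SIZE ** NUM_GRIDS)   # about 15.85 bits
```

The user-side check in user_clicks is the point of the slide: a page that does not hold the user's 45 faces shows grids with no familiar face, and the user has nothing to click.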

A New Class of Authentication
Passfaces represents a new, 4th class of authentication: Cognometrics, Recognition-Based Authentication.

Thank you! Questions?
Patricia Lareau, VP Product Management

Authentication Risks and Mitigation Options
Risks:
- Written down
- Inadvertent exposure: shared; multiple applications
- Social engineering: phishing; pharming; phoning
- Malware: keylogging; screen scraping etc.; session hijacking
- Fallback to personal information: procedure vulnerabilities; user habituation; static data (not sustainable)
- Other: guessing; capture
Mitigation options:
- OTP tokens, smartcards, calculators
- Crypto-cookies
- PIN/TAN sheets
- Virtual keypads
- “Secret” images, “trusted” logos/symbols
- User training
- SMS OTP, phone OTP
- Real-time risk assessment
- IP address blacklisting
- Database protection

Passfaces as Primary Factor
Risk and the corresponding Passfaces property:
- Written down: can’t be written down
- Inadvertent exposure, shared: difficult to share
- Inadvertent exposure, multiple applications: unique to application
- Social engineering, phishing: immune to phishing
- Social engineering, pharming: immune to pharming
- Social engineering, phoning: can’t be spoken
- Malware, key logging: can’t be logged
- Malware, screen scraping etc.: can’t be scraped
- Fallback to personal information, attack on procedure: never forgotten
- Fallback to personal information, not sustainable: can be changed
- Other, guessing: not guessable
Risks still listed without a Passfaces property: session hijacking, capture, user habituation.
Mitigation options that remain in use:
- Transmission protocols
- Real-time risk assessment
- IP address blacklisting
- Database protection

Random Delivery of Grids (diagram)