Authentication for Humans Rachna Dhamija SIMS, UC Berkeley DIMACS Workshop on Usable Privacy and Security Software July 7, 2004
Talk Outline Machines Authenticating Users –Déjà Vu User Study- Using Images for Authentication Users Authenticating Remote Servers –Interfaces for website authentication
Password Usability and Security Simple and meaningful passwords - Memorable, but easier to guess Complex passwords - Strong, but hard to remember Advantages of passwords –Cheap and easy to implement –We develop muscle memory
Previous Solutions Stronger password hashing & storage Proactive password cracking Enforce system policies Better user education and training –Significant non compliance rate by users We try to address the fundamental problem: Recall is hard
Picture recognition is easier Humans have a vast memory for pictures –2560 photos for a few seconds: 90% recognition [Standing, Conezio, Haber] –10,000 photos: 66% recognition after 2 days [Standing] –200 random photos: >90% after 1-3 months [Weinshal/Kirkpatrik, CHI2004] Fractions of a second is enough to remember Picture recognition is easier than verbal recognition Picture recognition is easier than picture recall –Harder to recall semantics or to redraw picture –But picture recall is better than verbal recall
Déjà Vu Design Goals Base security on human strengths Recognition over recall Prevent weak passwords Prevent password sharing No biometrics or tokens
Authentication through Images Choose image portfolio Challenge set = portfolio + decoys Photos and Random Art
Random Art Algorithm: seed -> pseudo-random number generator-> random expression tree maps pixels to RGB -> random art
Choose Image Portfolio
Portfolio Training
Challenge
Portfolio Creation Screen
Login Screen
Attacks Brute Force –optimal portfolio and challenge depends on security –5 image portfolio/25 challenge set = 53,130 combinations Measures against shoulder surfers: –hide image selection –distort images Measures against Intersection Attack: –Always show same challenge set –Multi-stage authentication
Experiment Design Target population = general computer users 20 participants (11 males + 9 females, expert/novice) Initialization PIN (4 digits) Password (6 char.) Art portfolio (5/100) Photo portfolio (5/100) Login PIN Password Art (5/25) Photo (5/25) Repeat login after one week Task order randomized Portfolio creation- same images but random order Portfolio login- random images and random order
Task Completion Time Unlimited time & attempts Does not include failed logins
Error Rate Session 1: no unrecoverable errors made with portfolios Session 2: significantly less failed logins with portfolios (all users remembered 4/5 images on first attempt)
More Results It’s easier than it looks Text vs. image portfolios –Passwords/PINS faster to create & login –Users reported that photos easier than PINs –More users forgot their user names than portfolios! Art vs. photos –Photos easier to remember, but easier to guess Gender, race, interests were a factor in choice –People choose similar photos; art is individual –Art descriptions vary, hard to describe How hard are they to communicate? Spouse-proof?
Conclusions in this study Recognition-based authentication –More reliable long term than passwords, PINs –Easier, more pleasant to use –Random Art portfolios are harder to predict than passwords or real images Applications –Where text input is hard, limited observation (e.g., ATM, PDA, pen-based devices) –Infrequently used high availability passwords
Future Work Long term studies –Frequency of use –Multiple portfolios and changes –Portfolio communication & prediction study –Cued recall of text passwords Image Generation & Distortion –Image generation and distortion techniques –What is the space of images are distinguishable, memorable? Strengthen against attack, improve login times, allow non- perfect probabilistic recognition
Talk Outline Machines Authenticating Users –Déjà Vu User Study Users Authenticating Remote Servers –Interfaces for website authentication
Challenge