Sound-Proof: Usable Two-Factor Authentication Based on Ambient Sound. Nikolaos Karapanos, Claudio Marforio, Claudio Soriente and Srdjan Capkun.

Sound-Proof: Usable Two-Factor Authentication Based on Ambient Sound. Nikolaos Karapanos, Claudio Marforio, Claudio Soriente and Srdjan Capkun, Institute of Information Security, ETH Zurich. Presenter: Rongdong Chai

Weakness Password-only authentication is sometimes weak. Password => the word that helps a hacker get into your account

Helpless? You Attacker

What to do 2-factor authentication – Is it a good solution? Protects online accounts when the password is leaked Requires extra steps to log in – SMS – Portable device – Online code

Related Work Traditional 2FA – Hardware tokens – Software tokens Reduced-Interaction 2FA – Short-range Radio Communication – Near-ultrasound – Location Information – Other sensors

Assumptions Attacker has gained the username and password Attacker goal => authenticate to servers Attacker wins if s/he convinces the server that s/he holds the second authentication factor.

Assumptions User phone CANNOT be compromised Compromised phone = password-only authentication (one factor) User computer CANNOT be compromised Man-In-The-Browser attack -> hijack user’s session => defeats any 2FA mechanism

Ignore Co-located attacker Man-In-The-Middle adversary [29] On the effective prevention of TLS man-in-the-middle attacks in web applications Give me your phone or you die!

Important Background One-third Octave Bands – Roughly 20Hz – 20kHz – 10-> 1/3; 1->1/2 Cross-correlation – Standard measure of similarity between two time series

Sound-Proof Architecture Similarity Computation Block

Sound-Proof Overview

Sound-Proof Weakness Quiet Environment – User-made noise Co-located Attacks – Secure phone-computer channel – User-phone interaction

Implementation Web Server and Browser Software Token Time Synchronization Run-time Overload

Evaluation Important Parameters – Average power threshold – Highest clock difference experienced – Cross-correlation threshold – Contiguous octave bounds
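The similarity computation that the slides only name (one-third octave bands, cross-correlation bounded by the largest clock difference, an average-power floor for quiet rooms, and the threshold τ_C), written out as an added worked example. This is not code from the paper, its authors or the presenter: the sample rate, lag bound, power floor, threshold value, band range, the FFT-based band split and the constructed recordings are all assumptions made for the demo, and the paper's own parameter values are not reproduced here.

```python
"""Sound-Proof-style similarity check between two ambient-sound recordings.

Added example, not the paper's code. It implements the steps the slides name:
split both recordings into one-third octave bands, take the maximum normalised
cross-correlation over lags bounded by the largest expected clock difference,
average across bands and compare with tau_C. Recordings whose average power is
below a floor are reported as "quiet" so the caller can fall back to code 2FA.
"""
import cmath
import math
import random

SAMPLE_RATE = 8000   # Hz (assumed for the demo)
MAX_LAG = 30         # samples searched either side: assumed largest clock offset
POWER_FLOOR = 1e-2   # mean-square power below which the room counts as quiet
TAU_C = 0.5          # similarity threshold (illustrative, not the paper's value)


def fft(x):
    """Recursive radix-2 FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + t, even[k] - t
    return out


def ifft(spec):
    """Inverse FFT via conjugation; returns the real part."""
    n = len(spec)
    return [v.conjugate().real / n for v in fft([s.conjugate() for s in spec])]


def third_octave_bands(lo_hz, hi_hz):
    """Band edges (f_c * 2^(-1/6), f_c * 2^(1/6)) for centres f_c = 1000 * 2^(n/3)
    that lie wholly inside [lo_hz, hi_hz]; this is the standard band definition."""
    bands = []
    for n in range(-30, 31):
        fc = 1000.0 * 2 ** (n / 3)
        lo, hi = fc * 2 ** (-1 / 6), fc * 2 ** (1 / 6)
        if lo >= lo_hz and hi <= hi_hz:
            bands.append((lo, hi))
    return bands


def band_components(signal, bands):
    """Ideal (brick-wall) band-pass of `signal` into each band, via the FFT."""
    n = len(signal)
    spec = fft(signal)
    out = []
    for lo_hz, hi_hz in bands:
        k_lo = math.ceil(lo_hz * n / SAMPLE_RATE)
        k_hi = min(math.floor(hi_hz * n / SAMPLE_RATE), n // 2 - 1)
        kept = [0j] * n
        for k in range(k_lo, k_hi + 1):      # keep bin k and its mirror n-k
            kept[k], kept[n - k] = spec[k], spec[n - k]
        out.append(ifft(kept))
    return out


def max_normalised_xcorr(x, y, max_lag):
    """Return (best value, best lag) of sum_i x[i]*y[i+lag] / (|x||y|) for |lag|<=max_lag."""
    norm = math.sqrt(sum(v * v for v in x) * sum(v * v for v in y))
    if norm == 0:
        return 0.0, 0
    n, best, best_lag = len(x), -1.0, 0
    for lag in range(-max_lag, max_lag + 1):
        pairs = zip(x[:n - lag], y[lag:]) if lag >= 0 else zip(x[-lag:], y[:n + lag])
        r = sum(a * b for a, b in pairs) / norm
        if r > best:
            best, best_lag = r, lag
    return best, best_lag


def mean_power(x):
    return sum(v * v for v in x) / len(x)


def sound_proof_score(phone, computer, bands=None):
    """Return (score, accepted), or None when either recording is too quiet to decide."""
    if mean_power(phone) < POWER_FLOOR or mean_power(computer) < POWER_FLOOR:
        return None                      # caller falls back to code-based 2FA
    bands = bands or third_octave_bands(350, 2300)   # assumed contiguous band range
    per_band = [max_normalised_xcorr(p, c, MAX_LAG)[0]
                for p, c in zip(band_components(phone, bands),
                                band_components(computer, bands))]
    score = sum(per_band) / len(per_band)
    return score, score >= TAU_C


def make_recordings(seed, lag=20, n=4096):
    """Constructed demo signals: a shared 'room' noise, delayed by `lag` samples on
    the phone, plus independent microphone noise on each device."""
    rng = random.Random(seed)
    room = [rng.gauss(0, 1) for _ in range(n + lag)]
    computer = [room[i + lag] + rng.gauss(0, 0.5) for i in range(n)]
    phone = [room[i] + rng.gauss(0, 0.5) for i in range(n)]
    return phone, computer


if __name__ == "__main__":
    phone, computer = make_recordings(seed=1)
    attacker_phone, _ = make_recordings(seed=2)     # recorded in a different room
    print("genuine :", sound_proof_score(phone, computer))
    print("attacker:", sound_proof_score(attacker_phone, computer))
    print("quiet   :", sound_proof_score([0.0] * 4096, [0.0] * 4096))
```

The genuine pair scores close to the per-band correlation of the shared room noise (about 0.8 with the constructed noise levels) while the attacker's recording from another room averages near zero, so τ_C sits between them; in a deployment the threshold, lag bound and power floor are what the evaluation slides tune against FRR and FAR.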

FRR/FAR with τ_C

FRR/FAR in different cases

Environment Impact on FRR

User Activity

Phone Position

Phone Model

Computer

User Study Goal: -- evaluate Sound-Proof -- compare with Google 2FA Users unaware of the difference System Usability Scale (SUS) score

Results Demographics SUS Scores Login Time Failure Rates Post-test Questionnaire

Addition Software and Hardware Requirements Other Browsers Privacy Quiet Environments Fallback to Code-based 2FA Failed Login Attempts and Throttling Login Evidence Continuous Authentication Alternative Devices Logins from the Phone Comparative Analysis

Contributions Propose Sound-Proof Prototype for both Android and iOS Conduct user study

Conclusion 2FA mechanism – Sound-Proof Work even in pocket/purse More usable than Google 2FA Prefer to use Foster large-scale adoption

Quiz Questions What do the authors do if the ambient sound is too low? What are the 2 reasons that make the majority of users choose Sound-Proof? Is Sound-Proof 100% secure? Why?

Thank You!