Presentation is loading. Please wait.

Presentation is loading. Please wait.

Account Recovery – Authentication's Dirty Secret?

Published byArline Park Modified over 5 years ago

Similar presentations

Presentation on theme: "Account Recovery – Authentication's Dirty Secret?"— Presentation transcript:

1 Account Recovery – Authentication's Dirty Secret?
Mike Just University of Edinburgh 28 May 2009

2 Managing Online Presence
Many accounts Different interfaces Too much information Too many passwords Frequent updates A challenge to effectively manage 28 May 2009

3 28 May 2009

4 Why so many Accounts? I do different things with different people
Used for Storing information Sharing information Receiving information Communicating information Collaborating with others Learning, Teaching, Living Used with colleagues, friends, family, ... 28 May 2009

5 What do Accounts want from Me?
Information, information, information Why? Help me store, share, communicate, … Improve my online experience Ensure controlled access to my account Market to me, e.g. advertise Share my information with others Usability Security Privacy 28 May 2009

6 Account Properties Security Usability Privacy
Stop “bad guys” Security Help for yourself Control “good guys” Usability Privacy Protection vs Control vs Convenience ... 28 May 2009

7 Identification and Authentication
Registration Identification Initialize Authentication Initialize Recovery Regular Authentication Account Recovery 28 May 2009

8 Identification and Authentication
Registration Identification Initialize Authentication Initialize Recovery If required, user will identify themselves to register Required by banks, work accounts, etc. Identification may rely on shared information, e.g. financial Information might rely upon third-party info, e.g. credit bureaus Typical Internet sites don't require identification Googl , Hotmail, Facebook, Twitter Only ensure that only you can authenticate later Regular Authentication Account Recovery 28 May 2009

9 Identification and Authentication
Registration Identification Initialize Authentication Initialize Recovery User chooses 'User Identifier' and authentication credential Typically a password To be used for 'Regular Authentication' Policy often establishes 'password rules' Regular Authentication Account Recovery 28 May 2009

10 Identification and Authentication
Registration Identification Initialize Authentication Initialize Recovery If required, user will submit information for later recovery Used in case of forgotten password Often comprised of a set of challenge questions and answers Alternatively, user could be required to (re-)identify Assumes there is shared information for identification Can be costly if initial identification was in-person Regular Authentication Account Recovery 28 May 2009

11 Identification and Authentication
Registration Identification Initialize Authentication Initialize Recovery Identifier and credential (e.g. password) used routinely for authentication Policy may require periodic update of credential, e.g., monthly Regular Authentication Account Recovery 28 May 2009

12 Identification and Authentication
Registration Identification Initialize Authentication Initialize Recovery If regular authentication credential is “lost” or “forgotten”, user can still recover their account Often important to retrieve stored information User asked to answer one or more of their challenge questions Alternatively, might re-identify May also have to follow a re-directed Regular Authentication Account Recovery 28 May 2009

13 Account Recovery with Challenge Questions
Source: 28 May 2009

14 Account Recovery with Challenge Questions
“What is my Mother's Maiden Name?” “What was the name of my first pet?” “What was the name of my first school?” “Who is my favourite actor?” “Where did I spend my honeymoon?” 28 May 2009

15 Account Recovery with Challenge Questions
Authentication Credentials 'Something You Have' 'Something You Know' Access card Smartcard Mobile 'Something You Already Know' 'Something You Memorize' 'Something You Are' Passwords PINs Images Challenge questions Images Fingerprints Iris/retinal scan Facial scan 28 May 2009

16 Account Recovery with Challenge Questions
Palin hack required zip code, DOB, and 1 question (where you met your significant other) It took two days for the name of the anonymous advertiser to be posted on a chat room on the Internet. First, someone tried the gmail password recovery service and found out that the "security questions" it asked were in Russian. Then, someone else noticed that gmail reveals the domain to which the password recovery message are sent. The personalized domain name was registered to a prominent Russian business executive, wealthy and single. The privacy commissioner's office expressed concern about a game that has found its way onto the micro-blogging site: combining your first pet's name with the first street you lived on to discover your porn star alter ego. 28 May 2009

17 Account Recovery with Challenge Questions
Ubiquitous use of challenge question authentication Very little published research as to whether it's Usable Secure Privacy-friendly For remainder of this presentation Recent research results Best practices for challenge question authentication 28 May 2009

18 Challenge Questions – Usability
Three criteria to assess usability Applicability How widely applicable is the given question? Memorability How easy is it for the user to recall the answer? Repeatability How accurately can the answer be replayed, without syntactic or semantic ambiguity? What was your first pet's name? What was my high school locker combination? Street vs Avenue Favourites 28 May 2009

19 Challenge Questions – Security
Increasing Information for Attacker Answer alphabet and distribution, common answer sets Questions, distributions of likely answers User account, published data, social networks, friends, family, ... Attack Modes Blind Guess Focused Guess Observation Answer Guess 28 May 2009

20 Challenge Questions – Security
Three criteria to assess security Length of answers Helpful when dynamically assessing user answers Can't force longer answers, but can ask multiple questions Size of answer space Can “filter out” obviously small questions Can measure others Too few possibilities! What's my favourite colour? What's my best friend's last name? Only 105 in US (2000) 28 May 2009

21 Challenge Questions – Security
Observability of answers Subjective assessment Known to friends or family? Obtainable by strangers? Public records, social networks, physically observable, ... Recall earlier web examples 28 May 2009

22 Challenge Questions – Privacy
Is the information being asked, sensitive? Intimate experiences Some questions might be particularly sensitive to one culture, more than others Religion, politics, relationships, … Can be difficult to balance between information that is private (known only to a user), personal (memorable to user), but not sensitive 28 May 2009

23 Other Considerations Number of questions to ask
Recent research suggests more than one question/answer required More `entropy' for an attacker to have to guess Can also help to increase difficulty of Observation attack User might register 3-4 questions and answers, and is required to answer at least 2 questions at authentication For Government of Canada solution, users registered 3 questions and answers, and were asked all 3 at recovery 28 May 2009

24 Other Considerations ... To '*' or not to '*'
What was my first school's name? ************ What was my first school's name? St. James IV Use of '*' can limit effectiveness of “shoulder surfing” attacks But, use of '*' can make entering of answer difficult If we assume that questions are rarely used (only for recovery), then shoulder surfing may be less of a concern For Government of Canada solution, we did not use '*'s, and opted for improved usability whereby users see what they type 28 May 2009

25 Other Considerations ... Normalization of answers
Is the answer “John Carter” = “john carter” = “johncarter”? Is the answer “St. James” = “St James”? Unlike with passwords, capitalization and punctuation locations are very predictable with answers Thus offering little to improve security Recent research shows users have difficulty with consistent capitalization For Government of Canada solution, answers were normalized to remove capitalization and punctuation 28 May 2009

26 Other Considerations ... System-generated versus user-generated questions Users can choose unique, secure questions However, users will also often choose very insecure questions For Government of Canada solution, we used one system- generated question, and two user-generated questions Complementary security measures a recovery link to the user 28 May 2009

27 Conclusion When passwords are forgotten, we rely upon known information to authenticate A risky proposition, since this information is often more widely known than we would like Usability – Security – Privacy Best practices required 28 May 2009

28 Further Information Other presentations, research publications, at
28 May 2009

Download ppt "Account Recovery – Authentication's Dirty Secret?"

Similar presentations

Computer Ethics Ms. Scales. Computer Ethics Ethics  the right thing to do Acceptable Use Policy  A set of rules and guidelines that are set up to regulate.

Computer Ethics Ms. Scales. Computer Ethics Ethics  the right thing to do Acceptable Use Policy  A set of rules and guidelines that are set up to regulate.
Home Research II - 2008 Instructional Technology Program East Stroudsburg University Yvette Raven.

Home Research II Instructional Technology Program East Stroudsburg University Yvette Raven.
Students’ online profiles for employability and community Frances Chetwynd, Karen Kear, Helen Jefferis and John Woodthorpe The Open University.

Students’ online profiles for employability and community Frances Chetwynd, Karen Kear, Helen Jefferis and John Woodthorpe The Open University.
13: Unlucky for some? …or how to test your WLAN passwords to make sure that it’s the hacker who is “unlucky” Ian Hughes Wireless Security Consultant

13: Unlucky for some? …or how to test your WLAN passwords to make sure that it’s the hacker who is “unlucky” Ian Hughes Wireless Security Consultant
ICT Curriculum Evening – an introduction to Wizkid.

ICT Curriculum Evening – an introduction to Wizkid.
Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.

Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.
User studies. Why user studies? How do we know security and privacy solutions are really usable? Have to observe users! –you may be surprised by what.

User studies. Why user studies? How do we know security and privacy solutions are really usable? Have to observe users! –you may be surprised by what.
PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,

PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,
Internet Safety and Kids Ms. Lee’s Classroom Computers are NOT bad Computers can be used to help kids learn and play. They can be used safely, if parents.

Internet Safety and Kids Ms. Lee’s Classroom Computers are NOT bad Computers can be used to help kids learn and play. They can be used safely, if parents.
August 15 click! 1 Email Basics Kitsap Regional Library.

August 15 click! 1 Basics Kitsap Regional Library.
E-safety Parental Guide “You wouldn't let your child wander around the streets of London alone, yet millions of children are surfing the internet on their.

E-safety Parental Guide “You wouldn't let your child wander around the streets of London alone, yet millions of children are surfing the internet on their.
Notes to Teachers At the time we embedded the links in these lessons, they all worked. If they don’t, you can google the website, find the link, open it.

Notes to Teachers At the time we embedded the links in these lessons, they all worked. If they don’t, you can google the website, find the link, open it.
Identity Theft By: Chelsea Thompson. What is identity theft? The crime of obtaining the personal or financial information of another person for the purpose.

Identity Theft By: Chelsea Thompson. What is identity theft? The crime of obtaining the personal or financial information of another person for the purpose.
Personal Safety Unit - Level 7. The Internet is not anonymous. Your e-mail address, screen name, and password serve as barriers between you and others.

Personal Safety Unit - Level 7. The Internet is not anonymous. Your address, screen name, and password serve as barriers between you and others.
Impacts of the use of IT -Social network sites This is a site that lets you post messages, upload pictures and stories on your own personal page. You can.

Impacts of the use of IT -Social network sites This is a site that lets you post messages, upload pictures and stories on your own personal page. You can.
Threat to I.T Security By Otis Powers. Hacking Hacking is a big threat to society because it could expose secrets of the I.T industry that perhaps should.

Threat to I.T Security By Otis Powers. Hacking Hacking is a big threat to society because it could expose secrets of the I.T industry that perhaps should.
GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Thomas Jenkins.

GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Thomas Jenkins.
Suggested grade levels 7-12 Students will explore strategies that promote personal safety when using the texting-based social network, Twitter.

Suggested grade levels 7-12 Students will explore strategies that promote personal safety when using the texting-based social network, Twitter.
Using E-mail A presentation of the Elmhurst Public Library.

Using A presentation of the Elmhurst Public Library.
Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.

Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.

Similar presentations

Ads by Google