Graphical Passwords with Integrated Trustworthy Interface TIPPI Workshop June 19, 2006 Patricia Lareau V P Product Management.


1 Graphical Passwords with Integrated Trustworthy Interface TIPPI Workshop June 19, 2006 Patricia Lareau V P Product Management

2 Authentication Design Goals Consider Security and Usability

3 Security Requirements
Passfaces Corporation ■ 175 Admiral Cochrane Drive ■ Annapolis, Maryland 21401 ■ 1.800.682.0604
- Randomly assigned
- Unique to the application
- Robust against known attacks
- Simple
- Reliable – no fallback needed
- Not sharable casually or easily
- Lacks social vulnerabilities
- Usable anywhere
- Two-way AuthN
(Diagram labels: Usability, Security)

4 Usability Requirements
- Graphical User Interface
- Intuitive to use
- No user rules
- Independent of user’s aptitude, training or attentiveness
- No on-going training
- EASY to use
- Portable
- Fun!
(Diagram labels: Usability, Security)

5 Successful AuthN is Both or Neither
Design Leverages:
- Secret
- Interface
- Protocol
(Diagram labels: Usability, Security)

6 Passfaces Meets the Challenge Secure and Usable

7 The Secret Based on Cognitive Science

8 The Brain Deals with Faces Differently than Any Other Image
Face recognition is a dedicated process which is different from general object recognition.
Source: Face Recognition: A Literature Survey. National Institute of Standards and Technology

9 In the Beginning…
Science has proven that we are genetically predisposed with a unique talent. We all have the innate ability to easily recognize human faces. There was a time that recognizing another's face could mean LIFE or DEATH. Today that need is not so great, but the ability is still there. There is a special place in the brain dedicated to facial recognition and facial recognition only.
Thinking Outside of the Box Approach…. “Let’s Authenticate the Person”

10 Recall vs. Recognize
- You must RECALL a password
- You simply RECOGNIZE a face
Remember High School… What kind of test did you prefer?
- Fill in the Blank
- Multiple Choice

11 We Never Forget a Face
“Haven’t used Passfaces in 6 months. I decided to take another look at it and, amazingly, I logged right in!”
- In one major government installation, there have been no forgotten Passfaces in over three years.
- The more it's used, the easier it gets.
- Think about how many people you already recognize. Why wouldn’t you remember your Passfaces?

12 Our approach
Familiarize the user with a randomly-selected set of faces and check if they can recognize them when they see them again.
It’s as easy as recognizing an old friend.

13 Authentication Session
The secret is:
- Random
- Easy to recognize but difficult to describe/share
- No “cribsheets” needed
- Always Available
- Intuitive - Independent of user age, language or education
- Not socially vulnerable

14 The Interface Reinforce the Design Objectives

15 How Passfaces Works
Users Are Assigned a Set of 5* Passfaces
* Typical implementation – 3 to 7 possible as standard
(Diagram labels: User Interface, Library of Faces)

16 How Passfaces Works
- 5 Passfaces are associated with 40 decoys
- Passfaces are presented in five 3 by 3 matrices, each having 1 Passface and 8 decoys

17 New Users are Familiarized with their Passfaces
- Users enroll with a 2 to 4 minute familiarization process
- Using instant feedback, encouragement, and simple dialogs, users are trained until they can easily recognize their Passfaces
- The process is optimized and presented like an easy game
(Screenshot text: Let’s Practice. Action: Click On Your Passface. It’s Moving. There is only One on this Page.)

18 Familiarization Puts Cookies in the Brain
- Like a mindprint or brain cookie
- But, unlike fingerprints, Passfaces require no special hardware
- And, unlike browser cookies, Passfaces authenticate the actual user

19 Authentication Session
The interface…
- Graphical
- Self-prompting
- User cannot choose or reuse
- NO burden of recall
- 3X3 grid
- Ergonomic
- Maps to keypad, phone, pinpad
- More entropy than a user chosen secret

20 The Protocol Maximize Defenses – Maximize Usability

21
- Grid set is random per user
- Grids need not be secret but must be correct
- AUTHENTICATION IS NOT POSSIBLE WITHOUT PRESENTATION OF CORRECT GRIDS
- Mutual Authentication is implicit - user attentiveness unnecessary
- Phishing today is stopped
- Phishing tomorrow is hard work
- Blacklisting is possible
(Diagram labels: Configuration Data, John Doe, sparky123)

22 Grid Presentation
- Multiple Grids
- Random display within grid
- Familiar order of grids for user comfort
- Library Use
- Thousands of random sets available
- Shoulder surfing deterrent
- Anti phishing strategies
- Mutual AuthN enhanced
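The grid mechanics described in slides 15 to 22 (5 Passfaces, 40 decoys, five 3 by 3 grids, random placement within each grid, fixed grid order, keypad-mapped input), as an added Python sketch. It is not Passfaces code; the integer face IDs, the function names and the constructed face library are assumptions made for illustration.

```python
import math
import secrets

GRID_CELLS = 9  # 3 by 3 grid; cells map to keypad digits 1-9
NUM_GRIDS = 5   # typical per the slides (3 to 7 possible)
_rng = secrets.SystemRandom()  # CSPRNG: the secret is assigned, never user-chosen


def enroll(library, num_grids=NUM_GRIDS):
    """Assign one passface plus 8 decoys per grid from a face library (IDs assumed)."""
    picked = _rng.sample(library, num_grids * GRID_CELLS)
    grid_set = []
    for i in range(num_grids):
        chunk = picked[i * GRID_CELLS:(i + 1) * GRID_CELLS]
        grid_set.append({"passface": chunk[0], "decoys": chunk[1:]})
    return grid_set


def build_challenge(grid_set):
    """Keep the grid order fixed, but reshuffle face positions for this login."""
    challenge = []
    for grid in grid_set:
        faces = [grid["passface"]] + grid["decoys"]
        _rng.shuffle(faces)
        challenge.append(faces)
    return challenge


def verify(grid_set, challenge, keys):
    """keys: one keypad digit (1-9) per grid; every grid must hit its passface."""
    if len(keys) != len(grid_set):
        return False
    ok = True
    for grid, faces, key in zip(grid_set, challenge, keys):
        chosen = faces[key - 1] if 1 <= key <= GRID_CELLS else None
        ok &= chosen == grid["passface"]  # no early exit: check all grids
    return ok


def guess_space(num_grids=NUM_GRIDS):
    """Number of equally likely click sequences for a blind guesser."""
    return GRID_CELLS ** num_grids


def guess_bits(num_grids=NUM_GRIDS):
    return math.log2(guess_space(num_grids))


if __name__ == "__main__":
    grids = enroll(list(range(1000)))  # constructed library of 1000 face IDs
    print(guess_space(), round(guess_bits(), 2))
```

With five grids a blind guess succeeds with probability 1 in 9^5 = 59,049 (about 15.8 bits), which is the figure to weigh against the attempt limits of the surrounding login system.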

23 A New Class of Authentication
Passfaces represents a new, 4th class of authentication: Cognometrics
Recognition-Based Authentication

24 Thank you! Questions? Patricia Lareau V P Product Management patricia.lareau@passfaces.com 805.544.1138

25 Authentication Risks
Risk: written down Inadvertent Exposure shared multiple applications Social Engineering phishing pharming phoning Malware keylogging screen scraping etc. session hijacking Fallback to Personal Information procedure vulnerabilities user habituation static data (not sustainable) Other guessing capture
Mitigation Options: OTP tokens smartcard calculators crypto-cookies PIN/TAN sheets virtual keypads “secret” images “trusted” logos/symbols user training SMS OTP phone OTP real-time risk assessment IP address blacklisting database protection

26 Passfaces as Primary Factor
Mitigation Options Inadvertent Exposure shared multiple applications Social Engineering phishing pharming phoning Malware key logging screen scraping etc. Risk Fallback to Personal Information attack on procedure user habituation not sustainable Other guessing Transmission protocols real-time risk assessment IP address blacklisting database protection can’t be written down capture session hijacking can’t be written down can’t be scraped difficult to share unique to application immune to phishing immune to pharming can’t be spoken can’t be logged attack on procedure never forgotten can be changed not guessable

27 Random Delivery of Grids
