User Authentication Rachna Dhamija Human Centered Computing Course December 6, 1999 Image...
Slide 1: User Authentication
Rachna Dhamija, Human Centered Computing Course
December 6, 1999
Image Recognition in
Slide 2: Problem
- Security systems: human factors?
- Passwords: multiple long strings
Slide 3: A solution
- Replace text w/ images?
- Replace recall w/ recognition
- Portfolio: "Random Art" & real images
Slide 4: Visual Memory
- Recognition
  - "Vast, almost limitless memory" for pictures [Haber]
  - Fraction of a sec to remember & recognize [Intraub, Pavio & Codes]
  - 2560 photos for a few seconds: 90% recognition rate [Standing, Conezio & Haber]
  - 10,000 photos over 2 days: 66% recognized [Standing]
- Recall
  - Recall semantics or sketch
  - "pictures are not only recognized better but are also recalled better than words" [Standing]
Slide 5: Task Analysis
- Target population = general computer users; novice/expert users; few passwords/multiple passwords
- 10 (+20) people interviewed about behavior
  - 10 to 40+ instances vs. 1-7 actual passwords
  - names, phone numbers, fav movies, ~6 char
  - tools: majority wrote them down, 2 PIM
  - minimum effort, never change them
  - ability to share is a feature
  - people hate passwords but prefer them to alternatives
Slide 6: Security: Brute Force Attack

Portfolio keyspace (number of possible selections), by Selection Size (# of images, rows) and Portfolio Size (columns):

| Selection Size \ Portfolio Size | 10 | 20 | 30 | 40 | 50 | 60 | 70 | 80 | 90 | 100 |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 1.0E+01 | 2.0E+01 | 3.0E+01 | 4.0E+01 | 5.0E+01 | 6.0E+01 | 7.0E+01 | 8.0E+01 | 9.0E+01 | 1.0E+02 |
| 2 | 4.5E+01 | 1.9E+02 | 4.4E+02 | 7.8E+02 | 1.2E+03 | 1.8E+03 | 2.4E+03 | 3.2E+03 | 4.0E+03 | 5.0E+03 |
| 3 | 1.2E+02 | 1.1E+03 | 4.1E+03 | 9.9E+03 | 2.0E+04 | 3.4E+04 | 5.5E+04 | 8.2E+04 | 1.2E+05 | 1.6E+05 |
| 4 | 2.1E+02 | 4.8E+03 | 2.7E+04 | 9.1E+04 | 2.3E+05 | 4.9E+05 | 9.2E+05 | 1.6E+06 | 2.6E+06 | 3.9E+06 |
| 5 | 2.5E+02 | 1.6E+04 | 1.4E+05 | 6.6E+05 | 2.1E+06 | 5.5E+06 | 1.2E+07 | 2.4E+07 | 4.4E+07 | 7.5E+07 |
| 6 | 2.1E+02 | 3.9E+04 | 5.9E+05 | 3.8E+06 | 1.6E+07 | 5.0E+07 | 1.3E+08 | 3.0E+08 | 6.2E+08 | 1.2E+09 |
| 7 | 1.2E+02 | 7.8E+04 | 2.0E+06 | 1.9E+07 | 1.0E+08 | 3.9E+08 | 1.2E+09 | 3.2E+09 | 7.5E+09 | 1.6E+10 |
| 8 | 4.5E+01 | 1.3E+05 | 5.9E+06 | 7.7E+07 | 5.4E+08 | 2.6E+09 | 9.4E+09 | 2.9E+10 | 7.8E+10 | 1.9E+11 |
| 9 | 1.0E+01 | 1.7E+05 | 1.4E+07 | 2.7E+08 | 2.5E+09 | 1.5E+10 | 6.5E+10 | 2.3E+11 | 7.1E+11 | 1.9E+12 |
| 10 | 1.0E+00 | 1.8E+05 | 3.0E+07 | 8.5E+08 | 1.0E+10 | 7.5E+10 | 4.0E+11 | 1.6E+12 | 5.7E+12 | 1.7E+13 |

Text password keyspace, by Password Length (rows) and Character Set size (columns):

| Password Length \ Character Set | 10 | 26 | 36 | 52 | 62 | 96 |
|---|---|---|---|---|---|---|
| 4 | 1.0E+04 | 4.6E+05 | 1.7E+06 | 7.3E+06 | 1.5E+07 | 8.5E+07 |
| 5 | 1.0E+05 | 1.2E+07 | 6.0E+07 | 3.8E+08 | 9.2E+08 | 8.2E+09 |
| 6 | 1.0E+06 | 3.1E+08 | 2.2E+09 | 2.0E+10 | 5.7E+10 | 7.8E+11 |
| 7 | 1.0E+07 | 8.0E+09 | 7.8E+10 | 1.0E+12 | 3.5E+12 | 7.5E+13 |
| 8 | 1.0E+08 | 2.1E+11 | 2.8E+12 | 5.3E+13 | 2.2E+14 | 7.2E+15 |
| 9 | 1.0E+09 | 5.4E+12 | 1.0E+14 | 2.8E+15 | 1.4E+16 | 6.9E+17 |
| 10 | 1.0E+10 | 1.4E+14 | 3.7E+15 | 1.4E+17 | 8.4E+17 | 6.6E+19 |

- 4 Digit PIN = 5 out of 20 images
- 6 char password = 10 out of 55
- BUT most passwords require < brute force!
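The two tables above are plain keyspace arithmetic: a text secret of length L over m symbols has m^L possibilities, while a portfolio in which the user picks k distinct images out of n has C(n, k) (order is not part of the secret, since login only asks which images are yours). The following is an added example, not code from the slides, that rebuilds both tables from those formulas and answers the slide's "X out of Y images" equivalence question in general: for any text secret it finds the smallest portfolio size that gives at least the same number of guesses. It also shows why the slide's answers are rounded to the table's columns (5 of 19 images already beats a 4-digit PIN; 20 is the first column that does). The function and constant names are my own; the slide does not say which character set its "6 char password" assumes, and with 52 symbols (upper and lower case) the "10 out of 55" figure comes out consistent with the table.

```python
"""Keyspace arithmetic behind the slide's brute-force tables (added example).

Compares the guessing space of a text secret (m^L) with that of an image
portfolio where a user picks k distinct images out of n (C(n, k)), rebuilds
both slide tables, and finds the smallest portfolio matching a text secret.
"""
from math import comb, log2
from typing import Dict, Iterable, Optional, Tuple

# Axis values as printed on the slide
PORTFOLIO_SIZES = list(range(10, 101, 10))   # 10 .. 100 images in the portfolio
SELECTION_SIZES = list(range(1, 11))         # 1 .. 10 images selected
CHARSET_SIZES = [10, 26, 36, 52, 62, 96]     # digits, a-z, a-z0-9, a-zA-Z, a-zA-Z0-9, printable
PASSWORD_LENGTHS = list(range(4, 11))        # 4 .. 10 characters


def text_keyspace(charset_size: int, length: int) -> int:
    """Number of distinct text secrets: every position drawn from the set."""
    return charset_size ** length


def portfolio_keyspace(portfolio_size: int, selection_size: int) -> int:
    """Number of distinct portfolios: an unordered choice of k images out of n.

    Order is ignored because the login only asks which images are yours,
    so a blind guess succeeds with probability 1 / C(n, k).
    """
    return comb(portfolio_size, selection_size)


def bits(keyspace: int) -> float:
    """Keyspace expressed as equivalent secret bits (log2)."""
    return log2(keyspace)


def expected_guesses(keyspace: int) -> float:
    """Average tries for an exhaustive attacker with no better strategy: half the keyspace."""
    return keyspace / 2


def smallest_portfolio(target: int, selection_size: int,
                       candidates: Optional[Iterable[int]] = None) -> Optional[int]:
    """Smallest portfolio size n among candidates with C(n, k) >= target.

    With the default candidates (every n from k upward) the answer is exact;
    passing the slide's 10-step column values reproduces the slide's rounding.
    """
    if candidates is None:
        candidates = range(selection_size, 10_001)
    for n in candidates:
        if n >= selection_size and comb(n, selection_size) >= target:
            return n
    return None


def portfolio_table() -> Dict[Tuple[int, int], int]:
    """{(k, n): C(n, k)} over the slide's selection/portfolio axes."""
    return {(k, n): portfolio_keyspace(n, k)
            for k in SELECTION_SIZES for n in PORTFOLIO_SIZES}


def password_table() -> Dict[Tuple[int, int], int]:
    """{(L, m): m**L} over the slide's length/character-set axes."""
    return {(L, m): text_keyspace(m, L)
            for L in PASSWORD_LENGTHS for m in CHARSET_SIZES}


def equivalent_portfolio(charset_size: int, length: int, selection_size: int) -> Optional[int]:
    """Smallest exact n such that picking selection_size of n images is at least
    as hard to brute-force as a text secret of the given length and alphabet."""
    return smallest_portfolio(text_keyspace(charset_size, length), selection_size)


if __name__ == "__main__":
    pin = text_keyspace(10, 4)
    five_of_twenty = portfolio_keyspace(20, 5)
    print(f"4-digit PIN:    {pin:.1e} ({bits(pin):.1f} bits)")
    print(f"5 of 20 images: {five_of_twenty:.1e} ({bits(five_of_twenty):.1f} bits)")
    print("exact smallest portfolio for 5 picks matching a 4-digit PIN:", smallest_portfolio(pin, 5))
    print("same, restricted to the slide's columns:", smallest_portfolio(pin, 5, PORTFOLIO_SIZES))
    for m in CHARSET_SIZES:
        print(f"6 chars over {m:>2} symbols -> pick 10 of {equivalent_portfolio(m, 6, 10)} images")
    # Reprint the slide's portfolio table in the same scientific notation
    print("\nPortfolio keyspace C(n, k)")
    print("k\\n " + " ".join(f"{n:>8}" for n in PORTFOLIO_SIZES))
    table = portfolio_table()
    for k in SELECTION_SIZES:
        print(f"{k:>3} " + " ".join(f"{table[(k, n)]:8.1e}" for n in PORTFOLIO_SIZES))
```

The last bullet on the slide is the caveat that matters in practice: these numbers bound an attacker who must guess blindly, whereas the task-analysis slide shows people choosing names, phone numbers and favourite movies, so the real guess count for text secrets is the size of that small candidate list, not m^L.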
Slide 7: Security Analysis (cont)
- Benefits
  - Images easier to remember
  - Fewer errors
  - Change more frequently
  - Good for infrequently used passwords?
  - Images, esp. Random Art, are hard to describe
- Vulnerabilities
  - "shoulder surfing" attack
  - "intersection" attack
Slide 8: Lo-fi Prototype
- Task: create portfolio & login
- People can remember images! (4-10)
- Photos/art: 50/50 preference & time
- Wanted to view portfolio during creation
- Must be simple and fast (no click-through screens)
- Horizontal layout for quick scanning
Slides 9 and 10: image only (no transcript text)
Slide 11: Experiment Design
- Create 4 "passwords": PIN (4 digits), Password (6 char.), Art portfolio (5/100), Photo portfolio (5/100)
- Login: PIN, Password, Art (5/25), Photo (5/25)
- Task order: 50% did Art first; image order
- Repeat login after 1 week!
Slide 12: Test Measures
- Chart: Task Completion Time (20 users, same day). X axis: Tasks (create, login); Y axis: Time (seconds), 0 to 80; series: PIN, Pass, Art, Photo. Does not include uncompleted tasks.
- Chart: Number and Severity of Errors (20 users, same day). X axis: Severity (1, 2, 3), where sev1: minor; sev2: major, recoverable; sev3: major, unrecoverable. Y axis: Number of Errors, 0 to 5; series: PIN, Pass, Art, Photo. No unrecoverable errors made with portfolios.
Slide 13: More Results
- Comfort level: create portfolio @#$%; login portfolio: wow
- Text vs. images: Passwords/PINs faster to create/log on; photos easier to remember than PINs (short term)
- Art vs. photos: Photos easier to remember, schemes, more personal; people chose similar photos, but not art
- Interface issues: Scrolling is bad; one screen, thumbnails, single-click; lack of feedback: # picked so far, which picked?? how to give feedback securely?
Slide 14: Changes to next version
- (screen caption: 1 image selected)
- Show # selected
- Hide selected images
- Smaller images
Slide 15: Conclusions
- Potential for use where text input is hard, limited observation (e.g., ATM, PDA); infrequent, high availability passwords
- Future directions
  - Self created images; authenticate: recreate or recognize
  - Random Art + Text
  - Sharing & collaboration
  - Other human abilities?
Slide 16: References
- Houston JP. Fundamentals of Learning and Memory. 4th ed. Florida: Harcourt Brace Jovanovich; 1991.
- Ralph Norman Haber. How we remember what we see. Scientific American, 222(5):104-112, May 1970.
- Lionel Standing. Learning 10,000 pictures. Quarterly Journal of Experimental Psychology, 25:207-222, 1973.
- Lionel Standing, Jerry Conezio, and Ralph Norman Haber. Perception and memory for pictures: Single-trial learning of 2500 visual stimuli. Psychonomic Science, 19(2):73-74, 1970.
- Helene Intraub. Presentation rate and the representation of briefly glimpsed pictures in memory. Journal of Experimental Psychology: Human Learning and Memory, 6(1):1-12, 1980.
- Adrian Perrig and Dawn Song. Hash Visualization: A New Technique to Improve Real-World Security. In Proceedings of the 1999 International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99).