The quest to replace passwords
Evangelos Markatos
Based on a paper by
Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano
What is the problem
• Passwords have been around for too long
– Originally developed for time-sharing systems
– 10-100 users, no Internet
• We need to replace them
• Why?
– Easy to break (most usual password: 12345678)
– Difficult to remember
• esp. if you have several of them
– Easy to lose
• Phishing
What to do?
• Replace passwords
• With what?
– Biometrics (fingerprints)
• Iris scanners, fingerprint scanners
– Graphical passwords
• If you cannot say it, DRAW it
– Cognitive passwords
– Point-and-click passwords
– One-Time Passwords
• Electronic OTPs, paper copies, etc.
A survey
• This paper is a survey
– Surveys all password categories
– Explains
• Advantages
• Disadvantages
• Compares them
– Three dimensions:
• Usability
• Deployability
• Security
Usability
• Do you need to remember something?
• Scalable?
– What if you have 10’s – 100’s of accounts?
• Do you need to carry anything?
• Easy to learn?
• Efficient to use?
• What happens if it is lost?
Deployability
• What is the cost per user?
• Is it compatible
– with current servers?
– with current browsers?
• Is it mature?
• Is it proprietary?
Security
• What if the attacker is looking over your shoulder?
• Is it resilient to random guessing?
– Throttled
– Un-throttled
• Resilient to internal observation?
– Keyboard loggers?
• Resilient to leaks?
• Resilient to phishing?
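To make the throttled vs. un-throttled guessing distinction concrete, here is an added Python example (not from the paper or these slides): an online verifier that locks an account after repeated failures, next to a rough bound on how many guesses each regime allows per day. Throttled means the attacker must go through this verifier; un-throttled means the attacker holds a leaked hash and guesses offline. The policy numbers (MAX_FAILURES, LOCKOUT_SECONDS) and the 1000 offline hashes per second are constructed assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed policy for the demo: five failures, then a one-minute lockout.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 60


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the stored form slow to brute-force if it ever leaks.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class ThrottledVerifier:
    """Online password check that throttles guessing on one account."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.stored = _hash(password, self.salt)
        self.failures = 0
        self.locked_until = 0.0

    def verify(self, attempt: str, now=None) -> str:
        """Return 'ok', 'fail' or 'locked'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"          # refuse without even checking the hash
        if hmac.compare_digest(_hash(attempt, self.salt), self.stored):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures = 0
            self.locked_until = now + LOCKOUT_SECONDS
        return "fail"


def guesses_per_day(throttled: bool, offline_rate: int = 1000) -> int:
    """Upper bound on guesses against one account in 24 hours.

    Throttled: every guess goes through ThrottledVerifier.
    Un-throttled: the attacker holds a leaked hash and computes
    `offline_rate` PBKDF2 hashes per second (a constructed figure).
    """
    if throttled:
        return MAX_FAILURES * (86_400 // LOCKOUT_SECONDS)
    return offline_rate * 86_400
```

The lockout bounds online guessing to a few thousand attempts per day, which is why a weak password survives there; the same password behind a leaked hash faces millions of offline guesses, which is why "resilient to leaks" is a separate row in the survey.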
Encrypted Password Managers: Mozilla
• What is it?
• Firefox offers to remember all your passwords
– One-time overhead to set it up
– Never type a password again!
• Firefox remembers it
– What if I have two devices?
• Firefox can sync everything in the cloud
– What if I access the web from an Internet Café?
• Do I want to sync all my passwords with the Café’s browser?
Single sign on!
• Use one password to log in everywhere
• Single sign-on
• Great idea!
• Is it easier than passwords?
– Yes
• Easier deployment as well!
• Is it safer than passwords?
– Not really…
– See next paper as well
Graphical passwords
• People are better at remembering images
– Rather than words!
• Draw your password!
• Well, actually
– Draw lines, or
– Choose points in an image
• Sounds simple…
• What if you have lots of passwords?
– Lots of drawings…
Cognitive authentication
• Do not send your password to the server
• What?
• Just prove to the server that you know it
• Why?
– No phisher will be able to find it!
– No man-in-the-middle will be able to intercept it
Cognitive authentication II
• How do you prove that you know the password?
• Say that the password is 10, 33, 52, 74
• The server sends you a vector v[0:100]
• You reply with the contents of
– v[10], v[33], v[52], v[74]
• Each time you want to log in you get a different vector
• Each time you reply with different numbers
– You always send v[10], v[33], v[52], v[74]
• Example:
– If v[i] == i, you send 10, 33, 52, 74
– If v[i] == i+1, you send 11, 34, 53, 75
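The exchange on this slide, written out as an added Python example with both sides (this is not code from the paper or the slides). The server keeps the secret positions, issues a fresh random vector per login, and accepts exactly one answer per challenge; the client reads off the values at its positions. The vector length of 100 follows the slide; the choice that each v[i] is a number in 0..99 is a constructed assumption, and `challenge()` accepts a fixed vector only so the slide's two worked cases can be replayed.

```python
import secrets

VECTOR_LEN = 100    # the server sends v[0:100], as on the slide
VALUE_RANGE = 100   # each v[i] is a number in 0..99 (constructed choice)


class CognitiveServer:
    """Server side: stores the secret positions, never receives them at login."""

    def __init__(self, secret_positions):
        self.positions = list(secret_positions)   # e.g. [10, 33, 52, 74]
        self.pending = None                       # vector of the open challenge

    def challenge(self, vector=None):
        """Issue a fresh random vector (or a fixed one, to replay the slide's examples)."""
        if vector is None:
            vector = [secrets.randbelow(VALUE_RANGE) for _ in range(VECTOR_LEN)]
        self.pending = list(vector)
        return list(self.pending)

    def verify(self, response):
        """Accept only the values at the secret positions of the open challenge."""
        if self.pending is None:
            return False                          # no open challenge: replay rejected
        expected = [self.pending[p] for p in self.positions]
        self.pending = None                       # one answer per challenge
        return list(response) == expected


def client_respond(secret_positions, vector):
    """Client side: read off v[p] for each secret position p."""
    return [vector[p] for p in secret_positions]


def login(server, secret_positions, vector=None):
    """Run one full round and report whether the server accepted it."""
    v = server.challenge(vector)
    return server.verify(client_respond(secret_positions, v))
```

With the identity vector the reply is 10, 33, 52, 74; with v[i] == i+1 it is 11, 34, 53, 75, exactly as on the slide, and a replayed reply fails because the challenge it answered is no longer open. The example shows only the single-round exchange; it does not model the repeated-observation weakness the next slide alludes to.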
Cognitive authentication III
• Resistant to monitoring
– No password is being sent
– Each time a different “proof” of password knowledge is being sent
• Resistant to guessing?
– Not really
Paper Token
• Write (one-time) passwords on a piece of paper
– The server asks for the password
– And something written on the paper
– (something you have and something you know)
• Difficult to deploy
– Need to send the papers to users
• What if you have many accounts?
• What if someone steals/copies the paper?
Hardware tokens
• OTPs
– One-time passwords
• Little devices
– Press a button
– Get an OTP
• The server asks for
– The regular password
– The OTP
– (something you know and something you have)
• In 2011 all RSA seeds were stolen
– All OTPs had to be replaced
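An added Python example (not from the paper or the slides) of what a button-press token and its server compute: the event-based HOTP algorithm from RFC 4226, an HMAC-SHA1 over a counter shared between token and server, plus a login that demands both the regular password and the current OTP. The `look_ahead` window, the salt, and `replace_seed()` are constructed; the last one illustrates the slide's point that a stolen seed lets anyone compute the same codes, so the only remedy is re-provisioning with a fresh seed. The seed used in the usage below is the RFC 4226 test-vector seed, so the codes it produces are the published ones.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP as in RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenServer:
    """Two-factor login: regular password plus the token's current OTP."""

    def __init__(self, password: str, seed: bytes, look_ahead: int = 5):
        self.salt = b"constructed-salt"      # a real server draws this at random
        self.pw_hash = self._hash(password)
        self.seed = seed                     # shared with the token at provisioning
        self.counter = 0                     # next counter value we expect
        self.look_ahead = look_ahead         # tolerate a few unused button presses

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 20_000)

    def login(self, password: str, otp: str) -> bool:
        if not hmac.compare_digest(self._hash(password), self.pw_hash):
            return False                     # something you know failed
        # Search a small window ahead; never accept an older counter (replay).
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.seed, c), otp):
                self.counter = c + 1         # burn this and any skipped codes
                return True
        return False                         # something you have failed

    def replace_seed(self, new_seed: bytes) -> None:
        """What a seed compromise forces: re-provision the token with a fresh seed."""
        self.seed = new_seed
        self.counter = 0


if __name__ == "__main__":
    seed = b"12345678901234567890"           # RFC 4226 test-vector seed
    srv = TokenServer("correct horse", seed)
    print(hotp(seed, 0), srv.login("correct horse", hotp(seed, 0)))
```

The server advances its counter past every accepted code, so a captured OTP is useless afterwards, which is the property a keylogger on a shared machine cannot defeat; the seed, by contrast, is a long-lived secret, and the slide's RSA incident is the case where that secret leaked.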
Biometrics
• Fingerprint scanners
• Iris scanners
• Great!
• Fingerprint scanners
– Can be spoofed
– Fingerprints can be lifted from glass surfaces
• Costly ($$$)
– Fingerprint readers have a cost
Mobile phone based
• Use two devices to authenticate
– The computer (as usual)
– The mobile phone
• Flow chart:
– User selects site on mobile phone
– Mobile phone talks to the web browser on the computer
– Mobile phone authenticates with the bank
– The browser authenticates with the bank
• The attacker
– Needs both the passwords and the mobile phone
Mobile phone based II
• Security
– Although if there is malware both on the phone and the computer…
• Deployability
• Usability
– Can be used for a subset of sites
• E.g. banks
What if the computer is compromised?
• What if you use a public terminal?
– Would you give it your password?
– Could keyboard loggers steal it?
• Solution:
– SSO + paper OTP + proxy
• There is a proxy between the client and the server
– The proxy has all passwords
– The proxy gives the user a set of OTPs
– The OTPs are on a piece of paper that the user has
What if the computer is compromised? II
• Flowchart
– The user asks the proxy to authenticate her to a web server
– The proxy asks for the OTP
– The proxy authenticates the user to the web server
• + it works
• - deployment…
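The paper-token slide and the proxy flowchart above both come down to the same mechanism: a printed list of single-use codes, each accepted once. Here is an added Python example (not from the paper or the slides) that serves both: the proxy issues the sheet, keeps only hashes of the codes, and on a valid unused code logs the user into the site with the stored password, so the public terminal only ever sees a code that is dead the moment it is used. The `WebServer` class, the sheet size, and the account data are constructed stand-ins.

```python
import hashlib
import hmac
import secrets


class WebServer:
    """Stand-in for a site that only knows username/password logins (constructed)."""

    def __init__(self, accounts: dict):
        self.accounts = accounts             # username -> password (constructed data)

    def login(self, user: str, password: str):
        if user in self.accounts and hmac.compare_digest(self.accounts[user], password):
            return "session-" + secrets.token_hex(8)
        return None


class AuthProxy:
    """Holds the user's site passwords; releases a login only for a valid, unused paper OTP."""

    def __init__(self, credentials: dict, sheet_size: int = 10):
        self.credentials = credentials       # site -> (server, user, password)
        codes = [secrets.token_hex(3) for _ in range(sheet_size)]
        # Store only hashes, so a leak of the proxy's database does not leak the sheet.
        self.code_hashes = [hashlib.sha256(c.encode()).digest() for c in codes]
        self.used = [False] * sheet_size
        self._sheet = list(enumerate(codes))  # plaintext lives only until issued

    def issue_sheet(self):
        """Hand the numbered codes to the user once (the paper); then forget them."""
        sheet, self._sheet = self._sheet, None
        return sheet

    def login(self, site: str, index: int, code: str):
        """Step 1-3 of the flowchart: user names a site, proxy checks the OTP, proxy logs in."""
        if site not in self.credentials:
            return None
        if not 0 <= index < len(self.code_hashes) or self.used[index]:
            return None                      # unknown position or already consumed
        digest = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(self.code_hashes[index], digest):
            return None
        self.used[index] = True              # burn the code before doing anything else
        server, user, password = self.credentials[site]
        return server.login(user, password)  # the site password never reaches the terminal


if __name__ == "__main__":
    bank = WebServer({"alice": "bank-pw-constructed"})
    proxy = AuthProxy({"bank": (bank, "alice", "bank-pw-constructed")})
    sheet = proxy.issue_sheet()
    index, code = sheet[0]
    print(proxy.login("bank", index, code), proxy.login("bank", index, code))
```

A keylogger on the terminal captures one code and the site name, both worthless once the proxy has marked that code used; what the design cannot fix is the deployment cost the slide flags, since every site password now has to be entrusted to the proxy and every user has to be mailed a sheet.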
Conclusion
• No method is perfect
• No method is clearly better than passwords
– Along all three dimensions
• Several methods complement/strengthen passwords
• Passwords may be around for a few more years…