Authentication for Humans

Rachna Dhamija, SIMS, UC Berkeley

[email protected]

DIMACS Workshop on Usable Privacy and Security Software

July 7, 2004

Talk Outline

Machines Authenticating Users
– Déjà Vu User Study
– Using Images for Authentication

Users Authenticating Remote Servers
– Interfaces for website authentication

Password Usability and Security

Simple and meaningful passwords
– Memorable, but easier to guess

Complex passwords
– Strong, but hard to remember

Advantages of passwords
– Cheap and easy to implement
– We develop muscle memory

Previous Solutions

Stronger password hashing & storage

Proactive password cracking

Enforce system policies

Better user education and training
– Significant non-compliance rate by users

We try to address the fundamental problem:

Recall is hard

Picture recognition is easier

Humans have a vast memory for pictures

– 2560 photos for a few seconds: 90% recognition [Standing, Conezio, Haber]

– 10,000 photos: 66% recognition after 2 days [Standing]

– 200 random photos: >90% after 1-3 months [Weinshall/Kirkpatrick, CHI 2004]

A fraction of a second is enough to remember

Picture recognition is easier than verbal recognition

Picture recognition is easier than picture recall

– Harder to recall semantics or to redraw picture

– But picture recall is better than verbal recall

Déjà Vu Design Goals

Base security on human strengths
– Recognition over recall

Prevent weak passwords

Prevent password sharing

No biometrics or tokens

Authentication through Images

Choose image portfolio

Challenge set = portfolio + decoys

Photos and Random Art

Random Art

Algorithm: seed -> pseudo-random number generator -> random expression tree maps pixels to RGB -> random art
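The seed-to-image pipeline on this slide, as an added example (not the Déjà Vu implementation's own code): a PRNG seeded with an integer grows a random expression tree over a tiny grammar chosen for this example (the operator set is an assumption, not the slide's), and the tree maps each pixel's (x, y) coordinate to an RGB value. The same seed always regenerates the same picture, so only the seed needs to be kept.

```python
import math
import random

# Tiny expression grammar, constructed for this example (the real Déjà Vu
# operator set is not given on the slide). Every operator maps inputs in
# [-1, 1] back into [-1, 1], so no clamping is needed:
#   leaf: x | y     node: sin(pi*e) | avg(e1, e2) | mul(e1, e2) | mix(e1, e2, e3)

def build_tree(rng, depth):
    """Grow a random expression tree from a seeded PRNG. The same seed
    always yields the same tree, so the picture can be regenerated from
    the seed alone (no image data needs to be stored)."""
    if depth <= 0 or rng.random() < 0.1:
        return ("x",) if rng.random() < 0.5 else ("y",)
    op = rng.choice(["sin", "avg", "mul", "mix"])
    arity = {"sin": 1, "avg": 2, "mul": 2, "mix": 3}[op]
    return (op,) + tuple(build_tree(rng, depth - 1) for _ in range(arity))

def evaluate(tree, x, y):
    """Evaluate the tree at pixel coordinate (x, y) in [-1, 1]^2."""
    op = tree[0]
    if op == "x":
        return x
    if op == "y":
        return y
    args = [evaluate(t, x, y) for t in tree[1:]]
    if op == "sin":
        return math.sin(math.pi * args[0])
    if op == "avg":
        return (args[0] + args[1]) / 2
    if op == "mul":
        return args[0] * args[1]
    w = (args[2] + 1) / 2          # mix: blend weight in [0, 1]
    return w * args[0] + (1 - w) * args[1]

def random_art(seed, size=8, depth=6):
    """seed -> PRNG -> three expression trees (R, G, B) -> size x size image
    of (r, g, b) byte tuples, each channel scaled from [-1, 1] to 0..255."""
    rng = random.Random(seed)
    channels = [build_tree(rng, depth) for _ in range(3)]
    image = []
    for row in range(size):
        y = 2 * row / (size - 1) - 1
        line = []
        for col in range(size):
            x = 2 * col / (size - 1) - 1
            line.append(tuple(int((evaluate(t, x, y) + 1) / 2 * 255) for t in channels))
        image.append(line)
    return image
```

Calling random_art with the same seed twice returns identical pixel data, which is the property the slide's pipeline relies on.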

Choose Image Portfolio

Portfolio Training

Challenge

Portfolio Creation Screen

Login Screen

Attacks

Brute Force
– Optimal portfolio and challenge set sizes depend on the security required
– 5 image portfolio / 25 challenge set = 53,130 combinations

Measures against shoulder surfers:
– Hide image selection
– Distort images

Measures against Intersection Attack:
– Always show same challenge set
– Multi-stage authentication

Experiment Design

Target population = general computer users

20 participants (11 males + 9 females, expert/novice)

Initialization

PIN (4 digits)

Password (6 char.)

Art portfolio (5/100)

Photo portfolio (5/100)

Login

PIN

Password

Art (5/25)

Photo (5/25)

Repeat login after one week

Task order randomized

Portfolio creation – same images but random order

Portfolio login – random images and random order

Task Completion Time

[Chart: Time (seconds), 0 to 70, for Create, Login session 1 and Login session 2; series: PIN, Password, Art, Photo]

Unlimited time & attempts

Does not include failed logins

Error Rate

[Chart: # Failed Logins, 0 to 8, for Session 1 and Session 2; series: PIN, Password, Art, Photo]

Session 1: no unrecoverable errors made with portfolios

Session 2: significantly fewer failed logins with portfolios

(all users remembered 4/5 images on first attempt)

More Results

It’s easier than it looks

Text vs. image portfolios
– Passwords/PINs faster to create & login
– Users reported that photos were easier than PINs
– More users forgot their user names than portfolios!

Art vs. photos
– Photos easier to remember, but easier to guess
  • Gender, race, interests were a factor in choice
– People choose similar photos; art is individual
– Art descriptions vary, hard to describe
  • How hard are they to communicate? Spouse-proof?

Conclusions in this study

Recognition-based authentication
– More reliable long term than passwords, PINs
– Easier, more pleasant to use
– Random Art portfolios are harder to predict than passwords or real images

Applications
– Where text input is hard, limited observation (e.g., ATM, PDA, pen-based devices)
– Infrequently used high availability passwords

Future Work

Long term studies
– Frequency of use
– Multiple portfolios and changes
– Portfolio communication & prediction study
– Cued recall of text passwords

Image Generation & Distortion
– Image generation and distortion techniques
– What is the space of images that are distinguishable and memorable?

Strengthen against attack, improve login times, allow non-perfect probabilistic recognition

Talk Outline

Machines Authenticating Users
– Déjà Vu User Study

Users Authenticating Remote Servers
– Interfaces for website authentication

Challenge

