Use Your Illusion: Secure Authentication Usable Anywhere Eiji Hayashi Nicolas Christin Rachna Dhamija Adrian Perrig Carnegie Mellon CyLab Japan
Use Your Illusion: Secure Authentication Usable Anywhere Eiji Hayashi Nicolas Christin Rachna Dhamija Adrian Perrig Carnegie Mellon CyLab Japan.
Dec 18, 2015
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Use Your Illusion:Secure Authentication Usable Anywhere
Eiji HayashiNicolas Christin
Rachna DhamijaAdrian Perrig
Carnegie Mellon CyLab Japan
Key Concept: Distortion
You can recognize a baby nowbecause you know the original picture
Distorted Picture Original Picture
Use Your Illusion
Graphical Authentication
• Passfaces• Pass Points• DAS (Draw-A-Secret)• Déjà vu
Passfaces• Faces are used as a graphical portfolio
• Preference could be a limitation
Cited from “On User Choice in Graphical Password Schemes”, Darren Daivis et. al, 2004
Pass Points• Use “a sequence of clicks” as a shared
secret
• There are hot spots
Cited from “Authentication Usin Graphical Passwords: Basic Results”, Susan Wiednbeck et. al, 2004
Most Straightforward Way
• Choose graphical portfolio from a set of pictures
Graphical Portfolio • If a user can choose whatever
graphical portfolio…
• If system assigns portfoliorandomly…
Fundamental Tradeoff
Secu
rity
Memorability
“Use Your Illusion”1. Allow users to take/choose pictures by
themselves2. Distort the pictures3. Assign the distorted pictures as graphical
portfolio
“Use Your Illusion”1. Allow users to take/choose pictures by
themselves2. Distort the pictures3. Assign the Distorted pictures as graphical
token
Secu
rity
Memorability
Requirements for Distortion • One-way
• Discarding precise shapes and colors
• Preserving rough shapes and colors
Oil Painting Filter• Choose RGB values which appears most
frequently in a neighborhood
0 50 100 150 200 2500
10
20
30
40
50
60
Oil Painting Filter
Distortion Level• If high, difficult to guess
but difficult to memorize
• If low, easy to memorizebut easy to guess
Distortion Level• Two parameters affect distortion level
–If too high, not usable
–If too low, not secure
Secu
rity
Memorability
Low-Fidelity Test
Most distorted
Least distorted
Low-Fidelity Test
Low-Fidelity Test
Low-Fidelity Test
Low-Fidelity Test
Low-Fidelity Test
Low-Fidelity Test
It’s a dog!!
Low-Fidelity Test
Difficult to guessw/o knowing original picture
Low-Fidelity Test
Can’t recognize a dog
Low-Fidelity Test
Easy to recognizew/ knowing original picture
Low-Fidelity Test
Satisfiesrequirements
Prototype• Implemented on Nokia’s cell-phone for
usability test
• Also implemented on the web
Prototype
Demo
Usability Test
• 45 participants and for 1 week
• 54 participants and for 4 weeks
1st Usability Test• 45 participants were divided into 3 groups
– Self-selected, Non-distorted– Self-selected, distorted (Use Your Illusion)– Imposed, highly-distorted
Self-selected, Non-distorted
Self-selected, Distorted
Imposed, Highly-distorted
ProcedureDate Task
Before the 1st day Take 3 pictures
The 1st day Memorize portfolio
Practice
Authenticate
2 days after Authenticate
1 week after Authenticate
Fill out questionnaires
Success RateThe 1st
day2 days after
1 week after
Self-selected,
Non-distorted
100%
(15)
100%
(15)
100%
(15)
Self-selected,
Distorted
100%
(15)
100%
(15)
100%
(15)
Imposed,
Highly-distorted
93.3%
(14)
73.3%
(11)
73.3%
(11)
Authentication Time (Mean)
Imposed,Highly-distorted
Self-selected,Distorted
Self-selected,Non-distorted
Process of Memorization• Participants assign meanings to distorted pictures• Assigning meanings helps memorization
Mountain Sea Moai statue
2nd Usability Test• 54 participants were divided into 3 groups
– Self-selected, Non-distorted– Self-selected, Distorted– Imposed, Distorted
• Authenticate– On the 1st day– 2 days after– 1 week after– 4 weeks after
Imposed, Distorted
Success RateThe 1st
day2 days after
1 week after
4 weeks
after
Self-selected,
Non-distorted
100%
(18)
100%
(18)
100%
(18)
100%
(18)
Self-selected,
Distorted
100%
(18)
100%
(18)
100%
(18)
100%
(18)
Imposed,
Distorted
100%
(18)
89%
(16)
94%
(17)
89%
(16)
Authentication Time (Mean)
Imposed,DistortedSelf-selected,
Distorted
Self-selected, Non-distorted
Tolerance against Guessing Attack
• Original pictures are vulnerable
• Distorted pictures are more tolerant
Future Work• Detailed usability test
• Long term test
• Find an optimal distortion
• Investigate a metric evaluating distortion level
Use Your Illusion• Use distorted pictures as a portfolio• As memorable as non-distorted pictures• More memorable than imposed (highly-)
distorted pictures• Fits human memorization process• More tolerant to guessing attack
Thank you for listening
Prototype is available onhttp://arima.okoze.net/illusion/Please try it!
Related Documents
