
Usable Authentication Research with the MVP Framework



Presentation Transcript


  1. Usable Authentication Research with the MVP Framework Robert Biddle Carleton University, Ottawa http://hotsoft.carleton.ca Sonia Chiasson, Chris Deschamps, Elizabeth Stobert, Max Hlywa, Nick Wright, Bruna Machado Freitas, Alain Forget, Andrew Patrick

  2. Agenda • Usable Security and Authentication • MVP Framework • MVP Authentication Schemes • MVP Management • MVP Recent Research Results • Dalhousie Action Items • References: • Graphical Passwords: Learning from first 12 years • The MVP Framework Web-Based Framework • http://hotsoft.carleton.ca/~sonia/wordpress/publications/

  3. Usable Security • Saltzer and Schroeder, 1975: “It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly. Also, to the extent that the user’s mental image of his protection goals matches the mechanisms he must use, mistakes will be minimized. If he must translate his image of his protection needs into a radically different specification language, he will make errors.” • Cranor and Garfinkel, 2005: “secure systems that people can use.”

  4. Usable Security Challenges • Security is a Secondary Task • Avoided or evaded if inconvenient • Security has the “Barn Door” Property • Brief exposure can cause permanent damage • Security has a complex language • Encryption, public/private keys, phishing, … • Security is poorly understood by users • Users do not understand consequences of insecure actions, assume they are not at risk, underestimate attackers’ abilities

  5. Research Methods • Human Factors Principles • Usability Evaluation Methods • Experiment and Field Study Design • Ethical Procedures for Human Participants • Quantitative Analysis and Statistical Inference • Qualitative Study and Data Analysis • Reporting Results, Graphical Data Presentation

  6. Authentication and Credentials rosebud

  7. Threats to Passwords • Guessing • Online (Web-Robots) or Offline (Access to DB) • Single-User (Targeted) or Multi-User (Any User) • Exhaustive or Dictionary • Capture • Shoulder-Surfing (by eye or by video) • Social Engineering (incl. phishing) • Malware (keyloggers etc.)

  8. The Password Problem • Passwords should be: • Easy to Remember, but • Difficult to Guess • For multiple passwords! • Sometimes with rules! • Different rules for each password! • And compulsory regular changes!

  9. Theoretical Password Space • The number of possible passwords that a scheme allows. • Therefore, the number of passwords an attacker must guess to ensure success. • Therefore, an expected value function for each attacker guess. • IF all passwords are equally likely.

  10. Theoretical Password Space: E.g. PassPoints Password Space

  11. Effective Password Space • The number of passwords people are likely to actually choose. • But it’s not one space: it’s a curve. So… Matt Weir: reusablesec.blogspot.com
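The password-space ideas on slides 9 to 11, worked through as an added example (not code from the slides or the MVP project): the theoretical space of the text, recognition and PassPoints scheme families, the expected guess count under the "all passwords equally likely" assumption, and the guess-success curve that describes the effective space instead. All parameter values and the sample of chosen passwords are assumed for illustration.

```python
import math

# Added example (not from the MVP project or the slides): theoretical
# password space per scheme family, expected guesses under a uniform
# choice assumption, and the guess-success curve of the effective space.
# Every parameter value and the sample below is assumed for illustration.

def text_space(alphabet_size: int, length: int) -> int:
    """Assigned or user-chosen text of fixed length over one alphabet."""
    return alphabet_size ** length

def recognition_space(panels: int, images_per_panel: int) -> int:
    """PassFaces-style recognition: one image picked on each panel."""
    return images_per_panel ** panels

def passpoints_space(width: int, height: int, tolerance: int, clicks: int) -> int:
    """PassPoints: each click is counted by the tolerance cell it lands in."""
    cells = (width // tolerance) * (height // tolerance)
    return cells ** clicks

def bits(space: int) -> float:
    """Password space expressed as bits of entropy."""
    return math.log2(space)

def expected_guesses(space: int) -> float:
    """Mean guesses to succeed when every password is equally likely."""
    return (space + 1) / 2

def guess_success_curve(chosen_counts: dict) -> list:
    """Effective space as a curve: fraction of accounts broken after each
    guess when the attacker tries passwords in descending popularity."""
    total = sum(chosen_counts.values())
    broken, curve = 0, []
    for count in sorted(chosen_counts.values(), reverse=True):
        broken += count
        curve.append(broken / total)
    return curve

# Constructed sample of what 100 study participants actually chose.
SAMPLE_CHOICES = {"password": 40, "123456": 25, "rosebud": 10,
                  "qwerty": 5, "letmein": 5, "dal2011": 5,
                  "hockey": 5, "carleton": 5}
```

With the assumed values, six characters over a-z0-9 give about 31 bits, four panels of nine faces about 12.7 bits, and five clicks on a 451x331 image with 19-pixel tolerance about 43 bits, while the sample curve shows 40% of accounts falling to the first guess.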

  12. MVP: Multiple Versatile Passwords • Framework for Empirical Research on Usable Knowledge-Based Authentication • Basic idea: allow new kinds of password schemes within an ecologically valid setting • Real sites, real usage • Passwords used in context, secondary task

  13. Site password input redirects to MVP • MVP selects scheme based on userid • Scheme runs, logging all events • Result is rendered as text password to site

  14. MVP in Use • Button instead of “Enter Password” field • Pop-up Window with selected Scheme

  15. MVP Schemes: Text • Pure user-chosen text • User-chosen text with rules • Length, required chars, denied chars, etc. • Assigned random text • Length, alphabet • Multiple word text • Number of words, chosen or assigned, lists

  16. MVP Schemes: Recognition • Like PassFaces • Number of panels • Images per panel • Image sets • Faces • Houses • Objects

  17. MVP Schemes: Graphical Recall • Like Draw-a-Secret • Grid size

  18. MVP Schemes: Click-Based • Passpoints • 5 Points on Image • Tolerance areas • Can vary: • Number of Clicks • Image Sets

  19. MVP Schemes: Click Based • Cued-Click Points • Like Passpoints, but 1-click per image • Each click selects next image • Number of images parameter

  20. MVP Schemes: Click Based • Persuasive Cued Click Points • Like CCP, but with random viewport

  21. MVP Schemes: Other • 2nd gen DAS, PP, CCP, PCCP, Recognition • Text Recognition • PassTiles Family • GridSure • CYOA • More???

  22. MVP Website Engine Plugins • Wordpress • Blog Engine with many other plugins, e.g. voting, eCommerce, photo-sharing etc. • phpBB • Generalizable Bulletin Board • osCommerce • eCommerce web-store system • Drupal • Content Management System

  23. MVP Wordpress Admin • MVP Plugin, Registration Plugin, Timeout

  24. MVP System Management • Control Panel • f(username, system): Scheme • Log • Time, System, User, Mode, Event, Data • Booking and Questionnaires • Registration and Notification • Validation and Verification • Etc.

  25. MVP Username Management • By name pattern • E.g. dal101-120 (Between Subjects Group 1) • Campusblog: scheme=textrules, cond=alphaonly • Photos: scheme=textrules, cond=alphaonly • DailyNews: scheme=textrules, cond=alphaonly • E.g. dal121-140 (Between Subjects Group 2) • Campusblog: scheme=recognition, cond=faces • Photos: scheme=recognition, cond=faces • DailyNews: scheme=recognition, cond=faces • E.g. dal201-220 (Within Subjects) • Campusblog: scheme=recognition, cond=faces • Photos: scheme=textrules, cond=alphaonly • DailyNews: scheme=textassigned, cond=az09-6 • Cornerstore: scheme=textrules, cond=alphaonly • By name assignment

  26. MVP Log • Time: Timestamp to 1 second • System: Name of website • User: Username • Scheme: Scheme • Condition: subscheme • Mode: create, enter, login • Event: specific to mode • Data: specific to event
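The f(username, system) → scheme lookup from the username-management slide and the log fields from the log slide, as an added example that is not MVP's own code. Group ranges, site names, schemes and conditions are copied from the slides; the username pattern, the tab-separated layout and the timestamp format are assumptions.

```python
import re
from datetime import datetime, timezone

# Added example, not MVP's own code: resolve (username, system) to a
# (scheme, condition) pair from the name-pattern groups on the slide,
# then emit one record with the log slide's fields. The tab layout and
# the "letters then digits" username pattern are assumptions.

# (prefix, first number, last number, {system: (scheme, condition)})
ASSIGNMENTS = [
    ("dal", 101, 120, {"Campusblog": ("textrules", "alphaonly"),   # between subjects, group 1
                       "Photos": ("textrules", "alphaonly"),
                       "DailyNews": ("textrules", "alphaonly")}),
    ("dal", 121, 140, {"Campusblog": ("recognition", "faces"),     # between subjects, group 2
                       "Photos": ("recognition", "faces"),
                       "DailyNews": ("recognition", "faces")}),
    ("dal", 201, 220, {"Campusblog": ("recognition", "faces"),     # within subjects
                       "Photos": ("textrules", "alphaonly"),
                       "DailyNews": ("textassigned", "az09-6"),
                       "Cornerstore": ("textrules", "alphaonly")}),
]

MODES = {"create", "enter", "login"}   # the Mode values listed on the log slide

def select_scheme(username: str, system: str) -> tuple:
    """Return (scheme, condition) for one participant on one site."""
    m = re.fullmatch(r"([a-z]+)(\d+)", username)
    if not m:
        raise ValueError(f"username {username!r} does not match a study pattern")
    prefix, number = m.group(1), int(m.group(2))
    for pat, low, high, table in ASSIGNMENTS:
        if prefix == pat and low <= number <= high and system in table:
            return table[system]
    raise LookupError(f"no scheme assigned for {username} on {system}")

def log_record(system: str, user: str, mode: str, event: str,
               data: str, when: datetime = None) -> str:
    """One log line: Time, System, User, Scheme, Condition, Mode, Event, Data."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    scheme, condition = select_scheme(user, system)
    # Timestamp to one second, as on the log slide.
    stamp = (when or datetime.now(timezone.utc)).strftime("%Y-%m-%d %H:%M:%S")
    return "\t".join([stamp, system, user, scheme, condition, mode, event, data])
```

A username outside every configured range, or a site not in the user's group, raises LookupError rather than silently falling back to a scheme, which keeps a misconfigured participant from contaminating a condition.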

  27. MVP Sites, Schemes, Studies

  28. Comparing Password Schemes • Criteria: • Memorability • Entry Time • Learnability • Perception of Value • Affective Appeal • Measurements: • How to measure each? • How to compare each?

  29. Max Hlywa: In Recognition-Based GPs, are Faces the most Memorable Images? Hlywa co-supervised by Andrew Patrick.

  30. No

  31. Also, they’re slow.

  32. Bruna Machado Freitas: How do people really use Draw-A-Secret?

  33. Not well. • Favour Simple Shapes • Favour Password Reuse • Favour Similar Squares • Misunderstand Encoding

  34. Nick Wright: Are Text Recognition Passwords More Memorable than Text Recall? Wright co-supervised by Andrew Patrick.

  35. Elizabeth Stobert: Are assigned graphical passwords memorable?

  36. Dal Action Items • Populate sites: • http://mvp.soft.carleton.ca/dal1, dal2, dal3, dal4 • Choose name, theme, content • Choose two schemes: • With exact specifics, numbers, images, etc. • Choose research plan: • Consider password space • Consider research question: • E.g. Effect of schemes, sizes, images, etc. • Consider criteria: • Memorability, entry time, appeal, etc. • Consider metrics: • How to evaluate criteria

  37. Usable Authentication Research with the MVP Framework Robert Biddle Carleton University, Ottawa http://hotsoft.carleton.ca Sonia Chiasson, Chris Deschamps, Elizabeth Stobert, Max Hlywa, Nick Wright, Bruna Machado Freitas, Alain Forget, Andrew Patrick
