SlideShare ist ein Scribd-Unternehmen logo

Visual Authentication - A Secure Single Step Authentication for User Authorization

EISLab
EISLab

User authentication on publicly exposed terminals with es- tablished mechanisms, such as typing the credentials on a virtual keyboard, can be insecure e.g. due to shoulder surf- ing or due to a hacked terminal. In addition, username and password entry can be time-consuming and thus im- provable with relation to usability. As security and comfort are often competing with each other, novel authentication and authorization methods especially for public terminals are desirable. In this paper, we present an approach on a distributed authentication and authorization system, where the user can be easily identified and enabled to use a service with his smartphone. The smartphone (as personal and pri- vate device the user is always in control of) can provide a highly secure authentication token that is renewed and ex- changed in the background without the user’s participation. The claimed improvements were supported by a user sur- vey with an implementation of a digital room management system as an example for a public display. The proposed au- thentication procedure would increase security and yet en- able fast authentication within publicly exposed terminals.

Technologie
1 von 15
Downloaden Sie, um offline zu lesen
Technische Universität München Visual Authentication A Secure Single Step Authentication for User Authorization Luis Roalter 1, Matthias Kranz 2, Andreas Möller 1, Stefan Diewald 1, Tobias Stockinger 2, Marion Koelle 2, Patrick Lindemann 2 1 Technische Universität München 2 Universität Passau December 5th 2013 Mobile and Ubiquitous Multimedia (MUM 2013), Luleå, Sweden
Technische Universität München mobile & usable security for interaction with public terminals 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 2
Technische Universität München Current Situation username 1 password 1 username 2 password 2 username 3 password 3 username 4 password 4 Different credentials username 5 password 5 05.12.2013 username 6 password 6 username 8 password 8 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization image source: http://commons.wikimedia.org/wiki/File:Singapore_Road_Signs_-_Restrictive_Sign_-_Stop_-_Security_Check.svg 3
Technische Universität München Federated Authentication: Single Sign-On (SSO) Related Work •  Sign in once to use all services •  Single, familiar login mask for different services, e.g. –  “Sign in with Facebook” –  “Sign in with Google” •  One username, one password •  Improved user experience Optional: two-factor authentication with side channel, e.g. mobile phone 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 4
Technische Universität München Increased Security: Multi-Factor Authentication Related Work 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization image source: Microsoft Office Online Clipart Gallery 5
Technische Universität München Problems in the Context of Mobile and Usable Security •  •  Security-centered issues –  Access credentials can be stolen, e .g. •  man-in-the-middle attack •  shoulder surfing •  phishing as the terminal usually does not authenticate towards the user –  Trust relationship towards the device might be limited, even if the device can prove its identity, e.g. if it is a shared device à lack of trust, reluctant to use services, … Device-centered issues –  Limited capabilities of the input device (e.g. no keyboard) –  Limited ergonomics (e.g. wall-mounted device) –  hygiene concerns à time-consuming, uncomfortable, … 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 6
Technische Universität München Proposal: Usable Security with Single Step Authentication sessionID: xyz 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization image source: Microsoft Office Online Clipart Gallery 7
Technische Universität München Proposal: Additional Benefits of the Mobile Authenticator •  User-enabled Session Management -  Remote session logout -  Session transfer between systems •  Maintenance of profile and personal information à Transparency to the user (full information) •  Without mobile authenticator app: can be used with a web-based interface 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 8
Technische Universität München Example Use Case: Room Reservation and Access •  Tablet PC as digital door sign for meeting rooms •  Provides resource-centred information and access (e.g. seeing when rooms are occupied or available) •  Use case: Book a room through the public display –  Need for authentication & authorization (accounting - who reserved the room?) –  Single Sign-On with QR code & mobile (no credentials to type on public display –  Allows physical room access & usage (remotely controlled digital door lock) 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 9
Technische Universität München Example Use Case: How does it work? User is scanning a QR code with smartphone (containing a session token, SID), data sent to IdP with user credentials (user name & password) Case 1: Authenticator app installed •  Credentials (which were previously stored in app once) and session token are sent to the service •  The user is authenticated in one step Case 2: No authenticator app installed •  Redirection to a web page where credentials are entered (securely on mobile device) •  The URI is recognized by the tablet and authenticates the user 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 10
Technische Universität München Example Use Case: Initial User Study with “Room Access” •  Initial user survey with the prototype system (room access) –  20 participants (18 males, 2 females) aged between 20 and 64 years –  (non-balanced, non-representative, not providing statistically usable results) •  RQ1: Do users have security concerns when entering personal credentials on a public display? –  Participants agreed that they have security concerns entering personal information on a publicly exposed display –  Avg. 3.8 on 5-step Likert-Scale (fully disagree = 1, fully agree = 5), SD=1.3 •  RQ2: Do users have security concerns when using the smartphone-based visual authentication system in conjunction with a public display? –  Participants agreed that they have security concerns in the smartphonebased authentication approach –  Avg. 2.3 on 5-step Likert-Scale (fully disagree = 1, fully agree = 5), SD=1.4 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 11
Technische Universität München Summary and Discussion Proposed approach for “mobile usable security” providing user-friendly multifactor authentication in a public-private device scenario, addressing •  input modalities and device (replacing potentially non-convenient input methods, hygiene aspects, …) •  security issues (SSO with side-channel authentication, prohibiting shoulder surfing, phishing attacks, potential to de-authenticate sessions remotely, trusted …) •  usability aspects (less error-prone, faster, more convenient, …) Open Issues •  Multiple identity providers require pre-established trust relationships •  Network connection for side-channel/multi-factor authentication needed •  Shift of responsibility to the user (non-expert in security issues) •  Device-to-device communication problems (visible lighting, (audible) noise, …) 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 12
Technische Universität München Outlook and Future Work •  •  •  Technical enhancement –  Pluggable Authentication Module (QR code-based PAM module) for PC login –  Transfer of running sessions and their contexts between terminals Usability evaluation and user study –  Acceptance and usability tests •  in a real-world deployment •  w.r.t. long-term effects on usable security –  Investigation of novel applications and domains and scenario-specific potentials (public displays, distributed environments, internet of things) Security evaluation –  Resistance to man-in-the-middle/replay attacks –  Simulate different hacking scenarios –  Creation of an overall security concept –  Extended information (e.g. WLAN AP scan, GPS, etc. to detect “fakes”) 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 13
Technische Universität München Thank you very much for your kind attention! Questions? ? ? Contact: Luis Roalter (roalter@tum.de) Matthias Kranz (matthias.kranz@uni-passau.de) 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 14
Technische Universität München Citation Information •  Please cite this work as follows: L. Roalter, M. Kranz, A. Möller, S. Diewald, T. Stockinger, M. Koelle, P. Lindemann: Visual Authentication - A Secure Single Step Authentication for User Authorization. In: Proceedings of the 12th International Conference on Mobile and Ubiquitous Multimedia (MUM 2013), Luleå, Sweden, 2013 •  Please use the following BibTex file: @inproceedings{MUM2013Roalter,
 author = {Roalter, Luis and Kranz, Matthias and M"{o}ller, Andreas and Diewald, Stefan and Stockinger, Tobias and Koelle, Marion and Lindemann, Patrick},
 title = {Visual Authentication – A Secure Single Step Authentication for User Authorization},
 booktitle = {Proceedings of the 12th International Conference on Mobile and Ubiquitous Multimedia},
 series = {MUM '13},
 year = {2013},
 location = {Luleaa, Sweden},
 publisher = {ACM},
 address = {New York, NY, USA},
 } " 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 15

Empfohlen

Privacy and Security in Multi-modal User Interface Modeling for Social Media
Privacy and Security in Multi-modal User Interface Modeling for Social MediaPrivacy and Security in Multi-modal User Interface Modeling for Social Media
Privacy and Security in Multi-modal User Interface Modeling for Social Mediamsm2011socialcom
 
[IJCST-V5I6P2]:T. Sudharan Simha, D.Srinivasulu
[IJCST-V5I6P2]:T. Sudharan Simha, D.Srinivasulu[IJCST-V5I6P2]:T. Sudharan Simha, D.Srinivasulu
[IJCST-V5I6P2]:T. Sudharan Simha, D.SrinivasuluIJCST - ESRG Journals
 
Digicorp's Mission
Digicorp's MissionDigicorp's Mission
Digicorp's MissionDigicorp
 
Taking Your Site From Useful to Usable
Taking Your Site From Useful to UsableTaking Your Site From Useful to Usable
Taking Your Site From Useful to UsableTony Naccarato
 
Evolution of UX in Oracle Applications
Evolution of UX in Oracle ApplicationsEvolution of UX in Oracle Applications
Evolution of UX in Oracle ApplicationsGetting value from IoT, Integration and Data Analytics
 
Trustworthy Infrastructure for Personal Data Management
Trustworthy Infrastructure for Personal Data ManagementTrustworthy Infrastructure for Personal Data Management
Trustworthy Infrastructure for Personal Data ManagementIoannis Krontiris
 
Security Attacks And Solutions On Ubiquitous Computing Networks
Security Attacks And Solutions On Ubiquitous Computing NetworksSecurity Attacks And Solutions On Ubiquitous Computing Networks
Security Attacks And Solutions On Ubiquitous Computing NetworksAhmad Sharifi
 
Security and privacy issues with mobile cloud computing applications june 2016
Security and privacy issues with mobile cloud computing applications june 2016Security and privacy issues with mobile cloud computing applications june 2016
Security and privacy issues with mobile cloud computing applications june 2016Merlec Mpyana
 

Empfohlen

Privacy and Security in Multi-modal User Interface Modeling for Social Media
Privacy and Security in Multi-modal User Interface Modeling for Social MediaPrivacy and Security in Multi-modal User Interface Modeling for Social Media
Privacy and Security in Multi-modal User Interface Modeling for Social Mediamsm2011socialcom
 
[IJCST-V5I6P2]:T. Sudharan Simha, D.Srinivasulu
[IJCST-V5I6P2]:T. Sudharan Simha, D.Srinivasulu[IJCST-V5I6P2]:T. Sudharan Simha, D.Srinivasulu
[IJCST-V5I6P2]:T. Sudharan Simha, D.SrinivasuluIJCST - ESRG Journals
 
Digicorp's Mission
Digicorp's MissionDigicorp's Mission
Digicorp's MissionDigicorp
 
Taking Your Site From Useful to Usable
Taking Your Site From Useful to UsableTaking Your Site From Useful to Usable
Taking Your Site From Useful to UsableTony Naccarato
 
Evolution of UX in Oracle Applications
Evolution of UX in Oracle ApplicationsEvolution of UX in Oracle Applications
Evolution of UX in Oracle ApplicationsGetting value from IoT, Integration and Data Analytics
 
Trustworthy Infrastructure for Personal Data Management
Trustworthy Infrastructure for Personal Data ManagementTrustworthy Infrastructure for Personal Data Management
Trustworthy Infrastructure for Personal Data ManagementIoannis Krontiris
 
Security Attacks And Solutions On Ubiquitous Computing Networks
Security Attacks And Solutions On Ubiquitous Computing NetworksSecurity Attacks And Solutions On Ubiquitous Computing Networks
Security Attacks And Solutions On Ubiquitous Computing NetworksAhmad Sharifi
 
Security and privacy issues with mobile cloud computing applications june 2016
Security and privacy issues with mobile cloud computing applications june 2016Security and privacy issues with mobile cloud computing applications june 2016
Security and privacy issues with mobile cloud computing applications june 2016Merlec Mpyana
 
Guidelines for the technological development in the e-health application domain
Guidelines for the technological development in the e-health application domainGuidelines for the technological development in the e-health application domain
Guidelines for the technological development in the e-health application domainIvano Malavolta
 
3D Password
3D Password3D Password
3D PasswordShubham Rungta
 
Implications of GDPR for IoT Big Data Security and Privacy Fabric
Implications of GDPR for IoT Big Data Security and Privacy FabricImplications of GDPR for IoT Big Data Security and Privacy Fabric
Implications of GDPR for IoT Big Data Security and Privacy FabricMark Underwood
 
Online Signature Authentication by Using Mouse Behavior
Online Signature Authentication by Using Mouse Behavior Online Signature Authentication by Using Mouse Behavior
Online Signature Authentication by Using Mouse Behavior Editor IJCATR
 
ARCHITECTURE OF A IDENTITY BASED FIREWALL SYSTEM
ARCHITECTURE OF A IDENTITY BASED FIREWALL SYSTEMARCHITECTURE OF A IDENTITY BASED FIREWALL SYSTEM
ARCHITECTURE OF A IDENTITY BASED FIREWALL SYSTEMIJNSA Journal
 
CyberSecurity-Forum-2010-Mario Hoffmann
CyberSecurity-Forum-2010-Mario HoffmannCyberSecurity-Forum-2010-Mario Hoffmann
CyberSecurity-Forum-2010-Mario Hoffmannsegughana
 
Transparent Developmental Biometric Based System Protect User Reauthenticatio...
Transparent Developmental Biometric Based System Protect User Reauthenticatio...Transparent Developmental Biometric Based System Protect User Reauthenticatio...
Transparent Developmental Biometric Based System Protect User Reauthenticatio...IRJET Journal
 
Witdom overview 2016
Witdom overview 2016Witdom overview 2016
Witdom overview 2016Elsa Prieto
 
Cyber Tekes Safety and Security programme 2013
Cyber Tekes Safety and Security programme 2013Cyber Tekes Safety and Security programme 2013
Cyber Tekes Safety and Security programme 2013Turvallisuus2013
 
In Processes We Trust: Privacy and Trust in Business Processes
In Processes We Trust: Privacy and Trust in Business ProcessesIn Processes We Trust: Privacy and Trust in Business Processes
In Processes We Trust: Privacy and Trust in Business ProcessesMarlon Dumas
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architecturesinovia
 
NIS.docx
NIS.docxNIS.docx
NIS.docxPremBorse1
 
GADISA GEMECHUGOOD POWERPOINT .pptx @here
GADISA GEMECHUGOOD POWERPOINT .pptx @hereGADISA GEMECHUGOOD POWERPOINT .pptx @here
GADISA GEMECHUGOOD POWERPOINT .pptx @heregadisagemechu1
 
Survey on cloud computing security techniques
Survey on cloud computing security techniquesSurvey on cloud computing security techniques
Survey on cloud computing security techniqueseSAT Journals
 
Kx3518741881
Kx3518741881Kx3518741881
Kx3518741881IJERA Editor
 
Continuous and Transparent User Identity Verification for Secure Internet Ser...
Continuous and Transparent User Identity Verification for Secure Internet Ser...Continuous and Transparent User Identity Verification for Secure Internet Ser...
Continuous and Transparent User Identity Verification for Secure Internet Ser...1crore projects
 
Secure Virtualization for Cloud Environment Using Guest OS and VMM-based Tech...
Secure Virtualization for Cloud Environment Using Guest OS and VMM-based Tech...Secure Virtualization for Cloud Environment Using Guest OS and VMM-based Tech...
Secure Virtualization for Cloud Environment Using Guest OS and VMM-based Tech...ijcncs
 
AN ENHANCED USER AUTHENTICATION FRAMEWORK IN CLOUD COMPUTING
AN ENHANCED USER AUTHENTICATION FRAMEWORK IN CLOUD COMPUTINGAN ENHANCED USER AUTHENTICATION FRAMEWORK IN CLOUD COMPUTING
AN ENHANCED USER AUTHENTICATION FRAMEWORK IN CLOUD COMPUTINGIJNSA Journal
 
Building a Distributed Secure System on Multi-Agent Platform Depending on the...
Building a Distributed Secure System on Multi-Agent Platform Depending on the...Building a Distributed Secure System on Multi-Agent Platform Depending on the...
Building a Distributed Secure System on Multi-Agent Platform Depending on the...CSCJournals
 
Extended Visual Cryptography Using Watermarking
Extended Visual Cryptography Using WatermarkingExtended Visual Cryptography Using Watermarking
Extended Visual Cryptography Using WatermarkingShivam Singh
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 

Weitere ähnliche Inhalte

Ähnlich wie Visual Authentication - A Secure Single Step Authentication for User Authorization

Guidelines for the technological development in the e-health application domain
Guidelines for the technological development in the e-health application domainGuidelines for the technological development in the e-health application domain
Guidelines for the technological development in the e-health application domainIvano Malavolta
 
Implications of GDPR for IoT Big Data Security and Privacy Fabric
Implications of GDPR for IoT Big Data Security and Privacy FabricImplications of GDPR for IoT Big Data Security and Privacy Fabric
Implications of GDPR for IoT Big Data Security and Privacy FabricMark Underwood
 
Online Signature Authentication by Using Mouse Behavior
Online Signature Authentication by Using Mouse Behavior Online Signature Authentication by Using Mouse Behavior
Online Signature Authentication by Using Mouse Behavior Editor IJCATR
 
ARCHITECTURE OF A IDENTITY BASED FIREWALL SYSTEM
ARCHITECTURE OF A IDENTITY BASED FIREWALL SYSTEMARCHITECTURE OF A IDENTITY BASED FIREWALL SYSTEM
ARCHITECTURE OF A IDENTITY BASED FIREWALL SYSTEMIJNSA Journal
 
CyberSecurity-Forum-2010-Mario Hoffmann
CyberSecurity-Forum-2010-Mario HoffmannCyberSecurity-Forum-2010-Mario Hoffmann
CyberSecurity-Forum-2010-Mario Hoffmannsegughana
 
Transparent Developmental Biometric Based System Protect User Reauthenticatio...
Transparent Developmental Biometric Based System Protect User Reauthenticatio...Transparent Developmental Biometric Based System Protect User Reauthenticatio...
Transparent Developmental Biometric Based System Protect User Reauthenticatio...IRJET Journal
 
Witdom overview 2016
Witdom overview 2016Witdom overview 2016
Witdom overview 2016Elsa Prieto
 
Cyber Tekes Safety and Security programme 2013
Cyber Tekes Safety and Security programme 2013Cyber Tekes Safety and Security programme 2013
Cyber Tekes Safety and Security programme 2013Turvallisuus2013
 
In Processes We Trust: Privacy and Trust in Business Processes
In Processes We Trust: Privacy and Trust in Business ProcessesIn Processes We Trust: Privacy and Trust in Business Processes
In Processes We Trust: Privacy and Trust in Business ProcessesMarlon Dumas
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architecturesinovia
 
GADISA GEMECHUGOOD POWERPOINT .pptx @here
GADISA GEMECHUGOOD POWERPOINT .pptx @hereGADISA GEMECHUGOOD POWERPOINT .pptx @here
GADISA GEMECHUGOOD POWERPOINT .pptx @heregadisagemechu1
 
Survey on cloud computing security techniques
Survey on cloud computing security techniquesSurvey on cloud computing security techniques
Survey on cloud computing security techniqueseSAT Journals
 
Continuous and Transparent User Identity Verification for Secure Internet Ser...
Continuous and Transparent User Identity Verification for Secure Internet Ser...Continuous and Transparent User Identity Verification for Secure Internet Ser...
Continuous and Transparent User Identity Verification for Secure Internet Ser...1crore projects
 
Secure Virtualization for Cloud Environment Using Guest OS and VMM-based Tech...
Secure Virtualization for Cloud Environment Using Guest OS and VMM-based Tech...Secure Virtualization for Cloud Environment Using Guest OS and VMM-based Tech...
Secure Virtualization for Cloud Environment Using Guest OS and VMM-based Tech...ijcncs
 
AN ENHANCED USER AUTHENTICATION FRAMEWORK IN CLOUD COMPUTING
AN ENHANCED USER AUTHENTICATION FRAMEWORK IN CLOUD COMPUTINGAN ENHANCED USER AUTHENTICATION FRAMEWORK IN CLOUD COMPUTING
AN ENHANCED USER AUTHENTICATION FRAMEWORK IN CLOUD COMPUTINGIJNSA Journal
 
Building a Distributed Secure System on Multi-Agent Platform Depending on the...
Building a Distributed Secure System on Multi-Agent Platform Depending on the...Building a Distributed Secure System on Multi-Agent Platform Depending on the...
Building a Distributed Secure System on Multi-Agent Platform Depending on the...CSCJournals
 
Extended Visual Cryptography Using Watermarking
Extended Visual Cryptography Using WatermarkingExtended Visual Cryptography Using Watermarking
Extended Visual Cryptography Using WatermarkingShivam Singh
 

Ähnlich wie Visual Authentication - A Secure Single Step Authentication for User Authorization (20)

Guidelines for the technological development in the e-health application domain
Guidelines for the technological development in the e-health application domainGuidelines for the technological development in the e-health application domain
Guidelines for the technological development in the e-health application domain
 
3D Password
3D Password3D Password
3D Password
 
Implications of GDPR for IoT Big Data Security and Privacy Fabric
Implications of GDPR for IoT Big Data Security and Privacy FabricImplications of GDPR for IoT Big Data Security and Privacy Fabric
Implications of GDPR for IoT Big Data Security and Privacy Fabric
 
Online Signature Authentication by Using Mouse Behavior
Online Signature Authentication by Using Mouse Behavior Online Signature Authentication by Using Mouse Behavior
Online Signature Authentication by Using Mouse Behavior
 
ARCHITECTURE OF A IDENTITY BASED FIREWALL SYSTEM
ARCHITECTURE OF A IDENTITY BASED FIREWALL SYSTEMARCHITECTURE OF A IDENTITY BASED FIREWALL SYSTEM
ARCHITECTURE OF A IDENTITY BASED FIREWALL SYSTEM
 
CyberSecurity-Forum-2010-Mario Hoffmann
CyberSecurity-Forum-2010-Mario HoffmannCyberSecurity-Forum-2010-Mario Hoffmann
CyberSecurity-Forum-2010-Mario Hoffmann
 
Transparent Developmental Biometric Based System Protect User Reauthenticatio...
Transparent Developmental Biometric Based System Protect User Reauthenticatio...Transparent Developmental Biometric Based System Protect User Reauthenticatio...
Transparent Developmental Biometric Based System Protect User Reauthenticatio...
 
Witdom overview 2016
Witdom overview 2016Witdom overview 2016
Witdom overview 2016
 
Cyber Tekes Safety and Security programme 2013
Cyber Tekes Safety and Security programme 2013Cyber Tekes Safety and Security programme 2013
Cyber Tekes Safety and Security programme 2013
 
In Processes We Trust: Privacy and Trust in Business Processes
In Processes We Trust: Privacy and Trust in Business ProcessesIn Processes We Trust: Privacy and Trust in Business Processes
In Processes We Trust: Privacy and Trust in Business Processes
 
Security in microservices architectures
Security in microservices architecturesSecurity in microservices architectures
Security in microservices architectures
 
NIS.docx
NIS.docxNIS.docx
NIS.docx
 
GADISA GEMECHUGOOD POWERPOINT .pptx @here
GADISA GEMECHUGOOD POWERPOINT .pptx @hereGADISA GEMECHUGOOD POWERPOINT .pptx @here
GADISA GEMECHUGOOD POWERPOINT .pptx @here
 
Survey on cloud computing security techniques
Survey on cloud computing security techniquesSurvey on cloud computing security techniques
Survey on cloud computing security techniques
 
Kx3518741881
Kx3518741881Kx3518741881
Kx3518741881
 
Continuous and Transparent User Identity Verification for Secure Internet Ser...
Continuous and Transparent User Identity Verification for Secure Internet Ser...Continuous and Transparent User Identity Verification for Secure Internet Ser...
Continuous and Transparent User Identity Verification for Secure Internet Ser...
 
Secure Virtualization for Cloud Environment Using Guest OS and VMM-based Tech...
Secure Virtualization for Cloud Environment Using Guest OS and VMM-based Tech...Secure Virtualization for Cloud Environment Using Guest OS and VMM-based Tech...
Secure Virtualization for Cloud Environment Using Guest OS and VMM-based Tech...
 
AN ENHANCED USER AUTHENTICATION FRAMEWORK IN CLOUD COMPUTING
AN ENHANCED USER AUTHENTICATION FRAMEWORK IN CLOUD COMPUTINGAN ENHANCED USER AUTHENTICATION FRAMEWORK IN CLOUD COMPUTING
AN ENHANCED USER AUTHENTICATION FRAMEWORK IN CLOUD COMPUTING
 
Building a Distributed Secure System on Multi-Agent Platform Depending on the...
Building a Distributed Secure System on Multi-Agent Platform Depending on the...Building a Distributed Secure System on Multi-Agent Platform Depending on the...
Building a Distributed Secure System on Multi-Agent Platform Depending on the...
 
Extended Visual Cryptography Using Watermarking
Extended Visual Cryptography Using WatermarkingExtended Visual Cryptography Using Watermarking
Extended Visual Cryptography Using Watermarking
 

Kürzlich hochgeladen

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 

Kürzlich hochgeladen (20)

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 

Visual Authentication - A Secure Single Step Authentication for User Authorization

  • 1. Technische Universität München Visual Authentication A Secure Single Step Authentication for User Authorization Luis Roalter 1, Matthias Kranz 2, Andreas Möller 1, Stefan Diewald 1, Tobias Stockinger 2, Marion Koelle 2, Patrick Lindemann 2 1 Technische Universität München 2 Universität Passau December 5th 2013 Mobile and Ubiquitous Multimedia (MUM 2013), Luleå, Sweden
  • 2. Technische Universität München mobile & usable security for interaction with public terminals 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 2
  • 3. Technische Universität München Current Situation username 1 password 1 username 2 password 2 username 3 password 3 username 4 password 4 Different credentials username 5 password 5 05.12.2013 username 6 password 6 username 8 password 8 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization image source: http://commons.wikimedia.org/wiki/File:Singapore_Road_Signs_-_Restrictive_Sign_-_Stop_-_Security_Check.svg 3
  • 4. Technische Universität München Federated Authentication: Single Sign-On (SSO) Related Work •  Sign in once to use all services •  Single, familiar login mask for different services, e.g. –  “Sign in with Facebook” –  “Sign in with Google” •  One username, one password •  Improved user experience Optional: two-factor authentication with side channel, e.g. mobile phone 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 4
  • 5. Technische Universität München Increased Security: Multi-Factor Authentication Related Work 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization image source: Microsoft Office Online Clipart Gallery 5
  • 6. Technische Universität München Problems in the Context of Mobile and Usable Security •  •  Security-centered issues –  Access credentials can be stolen, e .g. •  man-in-the-middle attack •  shoulder surfing •  phishing as the terminal usually does not authenticate towards the user –  Trust relationship towards the device might be limited, even if the device can prove its identity, e.g. if it is a shared device à lack of trust, reluctant to use services, … Device-centered issues –  Limited capabilities of the input device (e.g. no keyboard) –  Limited ergonomics (e.g. wall-mounted device) –  hygiene concerns à time-consuming, uncomfortable, … 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 6
  • 7. Technische Universität München Proposal: Usable Security with Single Step Authentication sessionID: xyz 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization image source: Microsoft Office Online Clipart Gallery 7
  • 8. Technische Universität München Proposal: Additional Benefits of the Mobile Authenticator •  User-enabled Session Management -  Remote session logout -  Session transfer between systems •  Maintenance of profile and personal information à Transparency to the user (full information) •  Without mobile authenticator app: can be used with a web-based interface 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 8
  • 9. Technische Universität München Example Use Case: Room Reservation and Access •  Tablet PC as digital door sign for meeting rooms •  Provides resource-centred information and access (e.g. seeing when rooms are occupied or available) •  Use case: Book a room through the public display –  Need for authentication & authorization (accounting - who reserved the room?) –  Single Sign-On with QR code & mobile (no credentials to type on public display –  Allows physical room access & usage (remotely controlled digital door lock) 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 9
  • 10. Technische Universität München Example Use Case: How does it work? User is scanning a QR code with smartphone (containing a session token, SID), data sent to IdP with user credentials (user name & password) Case 1: Authenticator app installed •  Credentials (which were previously stored in app once) and session token are sent to the service •  The user is authenticated in one step Case 2: No authenticator app installed •  Redirection to a web page where credentials are entered (securely on mobile device) •  The URI is recognized by the tablet and authenticates the user 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 10
  • 11. Technische Universität München Example Use Case: Initial User Study with “Room Access” •  Initial user survey with the prototype system (room access) –  20 participants (18 males, 2 females) aged between 20 and 64 years –  (non-balanced, non-representative, not providing statistically usable results) •  RQ1: Do users have security concerns when entering personal credentials on a public display? –  Participants agreed that they have security concerns entering personal information on a publicly exposed display –  Avg. 3.8 on 5-step Likert-Scale (fully disagree = 1, fully agree = 5), SD=1.3 •  RQ2: Do users have security concerns when using the smartphone-based visual authentication system in conjunction with a public display? –  Participants agreed that they have security concerns in the smartphonebased authentication approach –  Avg. 2.3 on 5-step Likert-Scale (fully disagree = 1, fully agree = 5), SD=1.4 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 11
  • 12. Technische Universität München Summary and Discussion Proposed approach for “mobile usable security” providing user-friendly multifactor authentication in a public-private device scenario, addressing •  input modalities and device (replacing potentially non-convenient input methods, hygiene aspects, …) •  security issues (SSO with side-channel authentication, prohibiting shoulder surfing, phishing attacks, potential to de-authenticate sessions remotely, trusted …) •  usability aspects (less error-prone, faster, more convenient, …) Open Issues •  Multiple identity providers require pre-established trust relationships •  Network connection for side-channel/multi-factor authentication needed •  Shift of responsibility to the user (non-expert in security issues) •  Device-to-device communication problems (visible lighting, (audible) noise, …) 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 12
  • 13. Technische Universität München Outlook and Future Work •  •  •  Technical enhancement –  Pluggable Authentication Module (QR code-based PAM module) for PC login –  Transfer of running sessions and their contexts between terminals Usability evaluation and user study –  Acceptance and usability tests •  in a real-world deployment •  w.r.t. long-term effects on usable security –  Investigation of novel applications and domains and scenario-specific potentials (public displays, distributed environments, internet of things) Security evaluation –  Resistance to man-in-the-middle/replay attacks –  Simulate different hacking scenarios –  Creation of an overall security concept –  Extended information (e.g. WLAN AP scan, GPS, etc. to detect “fakes”) 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 13
  • 14. Technische Universität München Thank you very much for your kind attention! Questions? ? ? Contact: Luis Roalter (roalter@tum.de) Matthias Kranz (matthias.kranz@uni-passau.de) 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 14
  • 15. Technische Universität München Citation Information •  Please cite this work as follows: L. Roalter, M. Kranz, A. Möller, S. Diewald, T. Stockinger, M. Koelle, P. Lindemann: Visual Authentication - A Secure Single Step Authentication for User Authorization. In: Proceedings of the 12th International Conference on Mobile and Ubiquitous Multimedia (MUM 2013), Luleå, Sweden, 2013 •  Please use the following BibTex file: @inproceedings{MUM2013Roalter,
 author = {Roalter, Luis and Kranz, Matthias and M"{o}ller, Andreas and Diewald, Stefan and Stockinger, Tobias and Koelle, Marion and Lindemann, Patrick},
 title = {Visual Authentication – A Secure Single Step Authentication for User Authorization},
 booktitle = {Proceedings of the 12th International Conference on Mobile and Ubiquitous Multimedia},
 series = {MUM '13},
 year = {2013},
 location = {Luleaa, Sweden},
 publisher = {ACM},
 address = {New York, NY, USA},
 } " 05.12.2013 MUM 2013 Presentation: Visual Authentication – A Secure Single Step Authentication for User Authorization 15