This document discusses problems with passwords and ongoing research into improved authentication methods. Passwords are difficult for people to remember and manage across multiple accounts, leading users to choose weak passwords or reuse the same password in multiple places. The document describes past research projects including "Use Your Illusion" which used blurred images for passwords and was highly memorable. It also summarizes the "WebTicket" project, which generates strong passwords that users don't know and allows login by scanning a printed QR code, preventing phishing. Current research focuses on "Casual Authentication" which modulates authentication strength based on contextual factors like location probability to make the login experience faster in familiar situations.

1. ©2009CarnegieMellonUniversity:1
Improving Usable
Authentication
Jason Hong
jasonh@cs.cmu.edu

2. ©2011CarnegieMellonUniversity:2
Problems with Passwords
• People forget passwords
– Special characters, length, change every
4 weeks => wasted time, helpdesk costs
– NYTimes site 100k readers forget
password, 15% of “new” users are old
– Beverage company: 30% help desk calls
password-related, cost $900k / yr

3. ©2011CarnegieMellonUniversity:3
Problems with Passwords
• People fall for phishing attacks
– Estimated 0.4% of Internet users per year
– Loss of corporate secrets, customer data,
financial info

4. ©2011CarnegieMellonUniversity:4
Passwords Also Don’t Scale Up
• Passwords good if you only have a few
• But passwords aren’t scaling as
devices and services become pervasive
– Laptop, mobile phone, VPN, email (x2),
Wii Fit, WiFi, ATM, PDFs, and dozens of
web sites

5. ©2011CarnegieMellonUniversity:5
Coping Mechanisms Cause Problems
• People cope by using weak passwords
– RockYou: Top 20 passwords used in 2.6%
accounts
• People cope by reusing passwords
– Breach on social networking site means
breach on your site too
– Ex. HBGary CEO used same password for
email, iPad, Twitter, LinkedIn

6. ©2011CarnegieMellonUniversity:6

7. ©2011CarnegieMellonUniversity:7
Past Work: Use Your Illusion
• Problem:
– Hard to remember passwords
– Picture-based approaches are memorable
but easy to guess
• Solution:
– Use blurred pictures
to balance security
with usability
– User tests have shown
high memorability and
hard to guess

8. ©2011CarnegieMellonUniversity:8
Ongoing Research Projects
• WebTicket
– Cheap printable tokens
for a reliable way to log in
• Casual Authentication
– Modulate level of authentication needed
based on prior probability that it’s me
• Ex. Probability of me in Brazil is very low
• Ex. Probability of me at home is high

9. ©2011CarnegieMellonUniversity:9
WebTicket
• Originated from discussion of elderly
– Not only couldn’t remember password,
couldn’t remember what web site to go to
• Not trying to solve authentication for
power users
– Gaw and Felten found undergrads had
3.3 passwords for 7.8 accounts
– In our diary study, people had 11.4
accounts and often reused passwords

10. ©2011CarnegieMellonUniversity:10
How WebTicket Works
• Browser plug-in for
creating new accounts
– Strong passwords are assigned
– Users do not know their passwords
• Print out ticket
– Ticket is encrypted to work
only with specific computer(s)
– QRCode: URL, username, password
• To login, show ticket to webcam
– Can’t fall for phishing attacks

11. ©2011CarnegieMellonUniversity:11
Logging In with WebTicket

12. ©2011CarnegieMellonUniversity:12
WebTicket
• Design:
– Very cheap (paper + printer + webcam)
– Compatible with existing systems
– Easy to deploy
– Easy to teach: treat it like a house key
• Weaknesses:
– Not meant for commonly used passwords
– Tickets can get damaged or lost
– Need to store main encryption key

13. ©2011CarnegieMellonUniversity:13
WebTicket
• Surprises:
– Our strong password generator only
worked for 76% of web sites
– Ex. some sites don’t allow symbols or
certain symbols

14. ©2011CarnegieMellonUniversity:14
WebTicket User Study
• Two studies, 55 people total
– Tested for phishing attacks in study #2
– Two conditions: password and WebTicket
• Experiment
– Create a few accounts
– Login to a few sites
– Come back a week later, login again

15. ©2011CarnegieMellonUniversity:15
WebTicket Study Results
• 1/4 of people using passwords could
not login again a week later
– Didn’t restrict what passwords people used
• Login time for WebTicket slower at first,
faster a week later
• WebTicket perceived as easier and faster
• Simulated phishing attack
– All in password condition fell for it
– 30% of people using WebTicket did
(though data still encrypted)

16. ©2011CarnegieMellonUniversity:16
Ongoing and Future Work
• Mobile phone version to scale up
– A strong password manager
– Can’t fall for phish too

17. ©2011CarnegieMellonUniversity:17
Ongoing Work
• Can encode more data in the ticket
– QR Codes can hold 3k of data
– Ex. “Login only if in Cylab office or home”
– Ex. “Login only if parents at home”
– Ex. “Login only if between 5-8pm”
– Ex. “Notify parents when you login”
– Ex. Include face biometric data
• Field deployment of WebTicket

18. ©2011CarnegieMellonUniversity:18
Casual Authentication
• Observation:
– Level of authentication needed
is the same regardless of context
• Idea:
– Use commodity sensors + behavioral
analysis to estimate prior probabilities
(cheap multi-factor authentication)
– Modulate level of authentication needed
• In likely situations, make logins fast
• In unlikely situations, make it reliable

19. ©2011CarnegieMellonUniversity:19
Example Scenarios
• Scenario 1 – Mobile device
– Prior probability of me being in my office
is high, make authentication fast
– Prior probability of me being in Brazil is
low, so make authentication reliable
• Scenario 2 – Home
– Wake up in morning, go to computer
– Weight sensor in chair, height sensor
via Kinect, mobile device nearby
– Use face recognition to login (fast)

20. ©2011CarnegieMellonUniversity:20
Example Passive Factors
• Cheap, invisible, multi-factor
• Examples for mobile scenario
– Location
– IP address
– WiFi MAC address
– Bluetooth / devices nearby (smartphone)
– Tilt (how you hold device)
• Examples for work/home scenario
– Kinect for Height and Body shape
– Weight sensors
– Gait (how you walk)

21. ©2011CarnegieMellonUniversity:21
Example Active Factors
• Passwords
• Biometrics
• Multiple secret questions
• Email verification

22. ©2011CarnegieMellonUniversity:22
Examples of Location Context
• Personal frequency to that place
– Analysis of 20 people’s GPS locations
– 66.2% of time spent at home
– 20.2% - Work
– 6.3% - Some third place
• Where people login
– Diary study of 20 people over 2 weeks
– Home accounted for 59.2% of logins
– Work accounted for 25.1% of logins
– Public places, school, other: infrequent

23. ©2011CarnegieMellonUniversity:23
Examples of Location Context
• Location entropy
– Concept taken from ecology
– Number of unique people seen in a place
– Approximates public vs private

24. ©2011CarnegieMellonUniversity:24

25. ©2011CarnegieMellonUniversity:25
Other Kinds of Location Info
• Personal location info
– Personal frequency
– Mobility
• Place info
– Going beyond behavior analytics of
people to include analytics of places
– Churn – same people or different?
– Transience – amount of time spent
– Burst – Regularity of people seen

26. ©2011CarnegieMellonUniversity:26
Current Plan of Research
• Systematically evaluate passive factors
• Develop and evaluate threat models
• Techniques for integrating prior
probabilities
• Develop and deploy prototypes
– Mobile case
– Work/Home
• Evaluate security and usability
– Ease of use, time to login
– False accept rates, expert analysis

27. ©2011CarnegieMellonUniversity:27
Long-term Opportunities
• Starting with casual authentication for
devices
– Could be extended in future to
password managers as well
• Could be part of trusted computing
base in future
– Custom chips for secure sensing
– Support for server-side authentication too

28. ©2011CarnegieMellonUniversity:28

29. ©2011CarnegieMellonUniversity:29
Threat Model (Ideal)
No difference
with regular
authentication
No difference
with regular
authentication
Could possibly
mimic passive
factors, would also
need active factors
?
Little LotsLittleLots
Knowledge of securityKnowledgeofUser

30. ©2011CarnegieMellonUniversity:30
Other Approaches
• Two-factor authentication
– Cost
– Requires server support
• Password managers
– Can still fall for phishing
– No guarantee of strong password
• Biometrics
– Marios’ talk next
– False positives / false negatives

31. ©2011CarnegieMellonUniversity:31
Diary Study

32. ©2011CarnegieMellonUniversity:32
Diary Study

33. ©2011CarnegieMellonUniversity:33
Diary Study
• Where people login
Place %
Home 59.2%
Office 25.1%
Public place 6.9%
School 6.2%
Other 2.4%

34. ©2011CarnegieMellonUniversity:34
Our Diary Study of Passwords
• 20 participants over 2 weeks
– Had participants rank importance of account
– 5 means very concerned if someone else
could obtain access to an account