Bootstrapping Mobile PINs Using Passwords (transcript of a PowerPoint presentation)
Page 1: Bootstrapping Mobile PINs Using Passwords
Markus Jakobsson, Debin Liu
Information Risk Management, PayPal
Page 2: A Bit about Authentication
Chart of mobile usability complaints (axis 1 to 5; bar values not recoverable from the transcript):
- Short battery life
- Slow Web connection
- Lack of coverage
- Poor voice quality
- Small screen size
- Difficulty customizing settings
- Difficulty authenticating
Page 3: Commercial Four-Letter Word
“Friction”
Page 4: A Bit About Human Memory
Not so amazing
Page 5: Common PIN
Your spouse’s birthday
Page 6: Love/Hate
PINs
Page 7: What will users see
Page 8: Example User Mapping
“Blu2thRules” → “2582”
Page 9: Opportunistic Derivation
Access; Truncate; Map; Store
Page 10: Special Characters
~1.5%; can be reduced
Page 11: Special Phones
Need numeric pad
Page 12: Strong password, weak PIN
“1234Brew$g”, “1begHELP”
Page 13: Password change?
Dual Universes
Page 14: Measuring Security
Raided Dropboxes
Page 15: Entropy of Derived PINs
Chart: Information Entropies by Data Source (Size). Values as read from the chart, in the order FSP, SNP, Malware; for each source the pwd4 entropy minus the PIN entropy equals the stated information loss:

Data Source (Size) | pwd4 Entropy | PIN Entropy | Information Loss by Mapping
FSP (8359) | 12 | 10.9 | 1.1
SNP (2873) | 10.5 | 10 | 0.5
Malware (16192) | 9.7 | 9.2 | 0.5
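As an added example (not code from the deck or from PayPal), the Access; Truncate; Map; Store derivation of slides 8, 9 and 12 and the entropy measurement of slide 15, in Python. It assumes the standard phone-keypad letter layout for the Map step, rejects unmappable special characters instead of reducing them (the deck does not say how reduction is done), and uses a constructed weak-PIN denylist and a constructed password list.

```python
import math
from collections import Counter
from typing import Optional

# Standard phone keypad letter layout (assumed to be the deck's Map step);
# digits map to themselves.
KEYPAD = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
          "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}
# Constructed denylist of derived PINs to reject; 1234 is the deck's example.
WEAK_PINS = {"1234", "0000", "1111"}

def derive_pin(password: str, length: int = 4) -> Optional[str]:
    """Truncate to the first `length` characters and map each to a keypad
    digit. Returns None for a special character (no key) or a password that
    is too short, so the caller can fall back to another PIN setup."""
    prefix = password[:length]
    if len(prefix) < length:
        return None
    digits = []
    for ch in prefix:
        if ch in "0123456789":
            digits.append(ch)
        elif ch.upper() in LETTER_TO_DIGIT:
            digits.append(LETTER_TO_DIGIT[ch.upper()])
        else:
            return None  # special character: ~1.5% of passwords per slide 10
    return "".join(digits)

def is_weak_pin(pin: str) -> bool:
    """Slide 12: a strong password can still yield a weak PIN."""
    return pin in WEAK_PINS

def entropy_bits(values) -> float:
    """Shannon entropy (bits) of the empirical distribution of values."""
    counts = Counter(values)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def mapping_loss(passwords):
    """Slide 15: entropy of the 4-char prefixes, of the derived PINs, and
    the information lost by the many-to-one keypad mapping."""
    mappable = [p for p in passwords if derive_pin(p) is not None]
    h_pwd4 = entropy_bits(p[:4] for p in mappable)
    h_pin = entropy_bits(derive_pin(p) for p in mappable)
    return h_pwd4, h_pin, h_pwd4 - h_pin

if __name__ == "__main__":
    sample = ["Blu2thRules", "blu2thrules", "1234Brew$g", "1begHELP"]  # constructed
    print([derive_pin(p) for p in sample], mapping_loss(sample))
```

Note that case is lost by the mapping: "Blu2thRules" and "blu2thrules" give the same PIN, which is the information loss the slide 15 chart measures.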
Page 16: Special Characters
Chart: Percentage by Data Source (Size). Values as read from the chart, in the order FSP, SNP, Malware:

Data Source (Size) | Percentage of Passwords using Upper Case Letters | Percentage of Passwords using Special Characters
FSP (8359) | 32.16% | 1.44%
SNP (2873) | 11.14% | 1.95%
Malware (16192) | 26.96% | 6.16%
Page 17: Imagine PIN Theft
(chart; only the axis ticks 0 to 20 survive in the transcript, the plotted values do not)
Page 18: Experiment: What is Joe’s PIN?
Joe uses a PIN to access his PayPal account from his phone. But he does not want to have to remember another number, and he does not want to reuse his banking PIN. So he uses PayPal’s new “password to PIN” feature so that he only has to remember his password. Joe’s password is “Blu2thrules”. Look at the screen-shot below and let us know what PIN he should enter.
Page 19: Usability of Derived PINs: 25-subject qualitative study
- Successful and fast: 64%
- Successful but slow: 24%
- Failed: 12%
Page 20: Usability of Derived PINs: 100-subject quantitative study
- Successful: 68%
- Likely successful: 22%
- Failed: 10%
Page 21: Other things I pitch
Address web/app spoofing: www.SpoofKiller.com
Mobile-friendly passwords: www.fastword.me
Mobile malware detection: www.fatskunk.com
Etc: www.markus-jakobsson.com