Use Your Illusion: Secure Authentication Usable Anywhere
Eiji Hayashi, Nicolas Christin, Rachna Dhamija, Adrian Perrig
Carnegie Mellon CyLab Japan

Key Concept: Distortion
• You can recognize a baby now because you know the original picture
[Figure: distorted picture beside the original picture]

Passfaces
• Faces are used as a graphical portfolio
• Preference could be a limitation
Cited from “On User Choice in Graphical Password Schemes”, Darren Davis et al., 2004

Pass Points
• Use “a sequence of clicks” as a shared secret
• There are hot spots
Cited from “Authentication Using Graphical Passwords: Basic Results”, Susan Wiedenbeck et al., 2004

Graphical Portfolio
• If a user can choose whatever graphical portfolio…
• If system assigns portfolio randomly…

“Use Your Illusion”
1. Allow users to take/choose pictures by themselves
2. Distort the pictures
3. Assign the distorted pictures as graphical portfolio

“Use Your Illusion”
1. Allow users to take/choose pictures by themselves
2. Distort the pictures
3. Assign the distorted pictures as graphical token
[Figure: Security vs. Memorability]

Requirements for Distortion
• One-way
• Discarding precise shapes and colors
• Preserving rough shapes and colors

Oil Painting Filter
• Choose the RGB values which appear most frequently in a neighborhood

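An added sketch of the filter on this slide (not the authors' code): each output pixel takes the most frequent quantized RGB value in its neighborhood. The parameter names `radius` and `levels` and the constructed sample image are assumptions; the slides do not name the two distortion parameters.

```python
from collections import Counter

def oil_paint(img, radius=1, levels=4):
    """Oil-painting distortion of img, a list of rows of (r, g, b) tuples (0-255).

    radius and levels are assumed names for the two distortion parameters.
    """
    h, w = len(img), len(img[0])
    step = 256 // levels  # width of one quantization bin per channel

    def quantize(px):
        return tuple(min(c // step, levels - 1) for c in px)

    out = []
    for y in range(h):
        row = []
        for x in range(w):
            counts = Counter()
            for ny in range(max(0, y - radius), min(h, y + radius + 1)):
                for nx in range(max(0, x - radius), min(w, x + radius + 1)):
                    counts[quantize(img[ny][nx])] += 1
            # Most frequent bin wins; ties go to the smallest bin so the
            # result is deterministic.
            best = min(counts, key=lambda b: (-counts[b], b))
            # Emit the bin centre: the precise original colour is discarded.
            row.append(tuple(c * step + step // 2 for c in best))
        out.append(row)
    return out

def sample(seed):
    """Constructed 6x4 image: reddish left half, bluish right half, plus noise."""
    def n(x, y):
        return (7 * x + 13 * y + seed) % 40
    return [[(255 - n(x, y), n(x, y), n(y, x)) if x < 3
             else (n(x, y), n(y, x), 255 - n(x, y))
             for x in range(6)] for y in range(4)]

if __name__ == "__main__":
    a, b = sample(0), sample(5)
    print(a != b, oil_paint(a) == oil_paint(b))     # different inputs, same output
    print(oil_paint(a)[0])                          # rough shape: two flat regions
    print(oil_paint(a, radius=0, levels=256) == a)  # no distortion: original returned
```

Two different originals collapse to the same distorted image, which is the one-way property, while the left/right split survives as the rough shape; at the lowest setting the filter returns the original unchanged.
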
Distortion Level
• If high, difficult to guess but difficult to memorize
• If low, easy to memorize but easy to guess

Distortion Level
• Two parameters affect distortion level
  – If too high, not usable
  – If too low, not secure
[Figure: Security vs. Memorability]

1st Usability Test
• 45 participants were divided into 3 groups
  – Self-selected, Non-distorted
  – Self-selected, distorted (Use Your Illusion)
  – Imposed, highly-distorted

Procedure

| Date | Task |
|---|---|
| Before the 1st day | Take 3 pictures |
| The 1st day | Memorize portfolio; Practice; Authenticate |
| 2 days after | Authenticate |
| 1 week after | Authenticate; Fill out questionnaires |

Success Rate

| Group | The 1st day | 2 days after | 1 week after |
|---|---|---|---|
| Self-selected, Non-distorted | 100% (15) | 100% (15) | 100% (15) |
| Self-selected, Distorted | 100% (15) | 100% (15) | 100% (15) |
| Imposed, Highly-distorted | 93.3% (14) | 73.3% (11) | 73.3% (11) |

Authentication Time (Mean)
[Figure: mean authentication time for the three groups: Imposed, Highly-distorted; Self-selected, Distorted; Self-selected, Non-distorted]

Process of Memorization
• Participants assign meanings to distorted pictures
• Assigning meanings helps memorization
[Figure: distorted pictures labelled Mountain, Sea, Moai statue]

2nd Usability Test
• 54 participants were divided into 3 groups
  – Self-selected, Non-distorted
  – Self-selected, Distorted
  – Imposed, Distorted
• Authenticate
  – On the 1st day
  – 2 days after
  – 1 week after
  – 4 weeks after

Success Rate

| Group | The 1st day | 2 days after | 1 week after | 4 weeks after |
|---|---|---|---|---|
| Self-selected, Non-distorted | 100% (18) | 100% (18) | 100% (18) | 100% (18) |
| Self-selected, Distorted | 100% (18) | 100% (18) | 100% (18) | 100% (18) |
| Imposed, Distorted | 100% (18) | 89% (16) | 94% (17) | 89% (16) |

Tolerance against Guessing Attack
• Original pictures are vulnerable
• Distorted pictures are more tolerant

Future Work
• Detailed usability test
• Long term test
• Find an optimal distortion
• Investigate a metric evaluating distortion level

Use Your Illusion
• Use distorted pictures as a portfolio
• As memorable as non-distorted pictures
• More memorable than imposed (highly-)distorted pictures
• Fits human memorization process
• More tolerant to guessing attack