The quest to replace passwords
Evangelos Markatos
Based on a paper by Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano
What is the problem?
Passwords have been around for too long
– Originally developed for time-sharing systems
– 10-100 users, no Internet
We need to replace them. Why?
– Easy to break (most common password: 12345678)
– Difficult to remember, especially if you have several of them
– Easy to lose: phishing
What to do?
Replace passwords. With what?
– Biometrics (fingerprints): iris scanners, fingerprint scanners
– Graphical passwords: if you cannot say it, DRAW it
– Cognitive passwords
– Point-and-click passwords
– One-time passwords: electronic OTPs, paper copies, etc.
A survey
This paper is a survey
– Surveys all password categories
– Explains advantages and disadvantages
– Compares them along three dimensions: usability, deployability, security
Usability
Do you need to remember something?
Scalable?
– What if you have 10s – 100s of accounts?
Do you need to carry anything?
Easy to learn?
Efficient to use?
What happens if it is lost?
Deployability
What is the cost per user?
Is it compatible
– with current servers?
– with current browsers?
Is it mature?
Is it proprietary?
Security
What if the attacker is looking over your shoulder?
Is it resilient to random guessing?
– Throttled
– Un-throttled
Resilient to internal observation?
– Keyboard loggers?
Resilient to leaks?
Resilient to phishing?
Encrypted password managers: Mozilla
What is it? Firefox offers to remember all your passwords
– One-time overhead to set it up
– Never type a password again! Firefox remembers it
– What if I have two devices? Firefox can sync everything in the cloud
– What if I access the web from an Internet café? Do I want to sync all my passwords with the café's browser?
Single sign-on!
Use one password to log in everywhere: single sign-on. Great idea!
Is it easier than passwords?
– Yes. Easier deployment as well!
Is it safer than passwords?
– Not really…
– See next paper as well
Graphical passwords
People are better at remembering images
– Rather than words!
Draw your password! Well, actually
– Draw lines, or
– Choose points in an image
Sounds simple… What if you have lots of passwords?
– Lots of drawings…
Cognitive authentication
Do not send your password to the server
What? Just prove to the server that you know it
Why?
– No phisher will be able to find it!
– No man-in-the-middle will be able to intercept it
Cognitive authentication II
How do you prove that you know the password?
Say that the password is 10, 33, 52, 74
The server sends you a vector v[0:100]
You reply with the contents of
– v[10], v[33], v[52], v[74]
Each time you want to log in you get a different vector
Each time you reply with different numbers
– But you always send v[10], v[33], v[52], v[74]
Example:
– If v[i] == i, you send 10, 33, 52, 74
– If v[i] == i+1, you send 11, 34, 53, 75
Cognitive authentication III
Resistant to monitoring
– No password is being sent
– Each time a different proof of password knowledge is sent
Resistant to guessing?
– Not really
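The challenge/response exchange from the two preceding slides, written out as an added Python example (not code from the talk or from the Bonneau et al. paper). It assumes the slide's secret positions 10, 33, 52, 74, a 100-entry challenge vector, and that each entry is a digit 0..9 so that many positions share the same value; the blind-guess probability it computes is what makes the "resistant to guessing? not really" verdict concrete.

```python
import secrets

# Constructed example values: the four positions the user memorises (the
# "password" on the slide) and the shape of the challenge vector.
SECRET_POSITIONS = (10, 33, 52, 74)
VECTOR_LENGTH = 100
ALPHABET_SIZE = 10  # each v[i] is a digit 0..9, so many positions share a value


def server_challenge(length=VECTOR_LENGTH, alphabet=ALPHABET_SIZE):
    """Server side: issue a fresh random vector v[0:length] for this login attempt."""
    return [secrets.randbelow(alphabet) for _ in range(length)]


def client_response(vector, positions=SECRET_POSITIONS):
    """Client side: reply with the vector contents at the memorised positions.

    Only the values v[p] travel over the wire; the positions themselves,
    which are the actual secret, are never transmitted.
    """
    return [vector[p] for p in positions]


def server_verify(vector, response, positions=SECRET_POSITIONS):
    """Server side: recompute the expected reply from the stored positions."""
    expected = client_response(vector, positions)
    return len(response) == len(expected) and all(
        a == b for a, b in zip(response, expected))


def login_round(positions=SECRET_POSITIONS):
    """One complete exchange; returns the two on-the-wire messages and the verdict."""
    vector = server_challenge()
    response = client_response(vector, positions)
    return {"challenge": vector, "response": response,
            "accepted": server_verify(vector, response, positions)}


def random_guess_success(alphabet=ALPHABET_SIZE, positions=SECRET_POSITIONS):
    """Probability that one blind reply (no knowledge of the positions) is accepted.

    With digits 0..9 and four positions this is 1/10^4 per attempt, so the scheme
    only holds up against guessing if the server throttles attempts.
    """
    return 1.0 / (alphabet ** len(positions))


if __name__ == "__main__":
    identity = list(range(VECTOR_LENGTH))             # v[i] == i
    shifted = [i + 1 for i in range(VECTOR_LENGTH)]   # v[i] == i + 1
    print("v[i] == i   ->", client_response(identity))  # [10, 33, 52, 74]
    print("v[i] == i+1 ->", client_response(shifted))   # [11, 34, 53, 75]
    print("random round accepted:", login_round()["accepted"])
    print("blind-guess success per attempt:", random_guess_success())
```

The two vectors in the usage section reproduce the slide's worked example; `login_round` shows the normal case where the server's random vector makes every transmitted reply different even though the positions never change.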
Paper token
Write (one-time) passwords on a piece of paper
– The server asks for the password
– And something written on the paper
– (something you have and something you know)
Difficult to deploy
– Need to send the papers to users
What if you have many accounts?
What if someone steals/copies the paper?
Hardware tokens
OTPs – one-time passwords
Little devices
– Press a button
– Get an OTP
The server asks for
– The regular password
– The OTP
– (something you know and something you have)
In 2011 all RSA seeds were stolen
– All OTPs had to be replaced
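The server side of the two preceding slides (paper token and hardware token), as an added Python example that is not code from the talk or the paper. It assumes a server that checks the regular password first and then accepts either an unused code from a printed sheet or a counter-based code from a token; the token algorithm is HOTP as published in RFC 4226, and the seed constant is the RFC's own reference value so the output can be checked against the published test vectors. In a real deployment the seed is the secret the server and token share, which is why a seed theft like the one the slide mentions forces every token to be replaced.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 4226 reference seed, used only so the codes can be checked against the
# published test vectors; a real token's seed is secret.
RFC4226_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def make_paper_sheet(n: int = 10, digits: int = 8):
    """Constructed paper token: n random one-time codes printed for the user."""
    return [str(secrets.randbelow(10 ** digits)).zfill(digits) for _ in range(n)]


class AccountServer:
    """Verifies the regular password plus an OTP from either source.

    - paper sheet: the server keeps the unused codes and burns each one on use
    - hardware token: the server keeps the shared seed and a counter, accepting a
      small look-ahead window because button presses on the token may be skipped
    """

    def __init__(self, password: str, paper_codes=None, token_seed: bytes = None,
                 look_ahead: int = 5):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password)
        self._paper = set(paper_codes or [])
        self._seed = token_seed
        self._counter = 0
        self._look_ahead = look_ahead

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password: str, otp: str) -> bool:
        # Factor 1: something you know. Constant-time compare of the hashes.
        if not hmac.compare_digest(self._hash(password), self._pw_hash):
            return False
        # Factor 2: something you have. Paper sheet first.
        if otp in self._paper:
            self._paper.discard(otp)          # one-time: the code is now burnt
            return True
        # Hardware token: search the look-ahead window, then move past the match
        # so the same code can never be replayed.
        if self._seed is not None:
            for c in range(self._counter, self._counter + self._look_ahead):
                if hmac.compare_digest(hotp(self._seed, c), otp):
                    self._counter = c + 1
                    return True
        return False


if __name__ == "__main__":
    sheet = make_paper_sheet()
    server = AccountServer("correct horse", paper_codes=sheet, token_seed=RFC4226_SEED)
    print("token code at counter 0:", hotp(RFC4226_SEED, 0))      # 755224
    print("token login:", server.login("correct horse", hotp(RFC4226_SEED, 0)))
    print("replayed token code:", server.login("correct horse", hotp(RFC4226_SEED, 0)))
    print("paper code:", server.login("correct horse", sheet[0]))
    print("reused paper code:", server.login("correct horse", sheet[0]))
```

Both OTP sources answer the "something you have" question in the same place in the code, which makes the deployment difference visible: the paper sheet needs nothing but a list on the server and a printout in the post, while the token needs a seed provisioned to both sides and kept secret for the life of the device.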
Biometrics
Fingerprint scanners, iris scanners. Great!
Fingerprint scanners
– Can be spoofed
– Fingerprints can be lifted from glass surfaces
Costly ($$$)
– Fingerprint readers have a cost
Mobile-phone based
Use two devices to authenticate
– The computer (as usual)
– The mobile phone
Flow chart:
– User selects site on mobile phone
– Mobile phone talks to the web browser on the computer
– Mobile phone authenticates with the bank
– The browser authenticates with the bank
The attacker
– Needs both the passwords and the mobile phone
Mobile-phone based II
Security
– Although if there is malware both on the phone and the computer…
Deployability
Usability
– Can be used for a subset of sites, e.g. banks
What if the computer is compromised?
What if you use a public terminal?
– Would you give it your password?
– Could keyboard loggers steal it?
Solution:
– SSO + paper OTP + proxy
There is a proxy between the client and the server
– The proxy has all passwords
– The proxy gives the user a set of OTPs
– The OTPs are on a piece of paper that the user has
What if the computer is compromised? II
Flowchart
– The user asks the proxy to authenticate her to a web server
– The proxy asks for the OTP
– The proxy authenticates the user to the web server
+ It works
- Deployment…
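The three-step flowchart above, simulated end to end as an added Python example (not code from the talk or the paper). It assumes a proxy that stores the user's real site passwords and her paper OTP sheet, a stand-in web server that only knows the regular password, and a public terminal modelled as a key logger that records everything typed on it; the point the simulation makes is that the recorded keystrokes contain an already-burnt OTP and never the site password.

```python
import hmac
import secrets


class WebServer:
    """Constructed stand-in for a site: it knows only the user's regular password."""

    def __init__(self, name: str, passwords: dict):
        self.name = name
        self._passwords = passwords   # username -> password (plaintext for brevity)
        self.sessions = []

    def authenticate(self, user: str, password: str):
        stored = self._passwords.get(user)
        if stored is None or not hmac.compare_digest(stored, password):
            return None
        token = secrets.token_hex(8)
        self.sessions.append(token)
        return token


class Proxy:
    """SSO proxy from the slides: holds the real site passwords and the paper OTPs."""

    def __init__(self, vault: dict, paper_otps: dict, servers: dict):
        self._vault = vault                                   # user -> {site: password}
        self._paper = {u: set(codes) for u, codes in paper_otps.items()}
        self._servers = servers                               # site name -> WebServer

    def authenticate_user_to(self, user: str, site: str, otp: str) -> dict:
        # Step 1: the user asked to be authenticated to `site`.
        # Step 2: the proxy asks for an OTP from the paper sheet and burns it.
        unused = self._paper.get(user, set())
        if otp not in unused:
            return {"ok": False, "session": None, "reason": "bad or reused OTP"}
        unused.discard(otp)
        # Step 3: the proxy logs in to the site with the stored password, which
        # therefore never has to be typed on the public terminal.
        password = self._vault[user][site]
        session = self._servers[site].authenticate(user, password)
        return {"ok": session is not None, "session": session, "reason": None}


def public_terminal_login(proxy: Proxy, user: str, site: str, otp: str, keylogger: list):
    """Everything the user types on the untrusted terminal lands in `keylogger`."""
    keylogger.extend([user, site, otp])
    return proxy.authenticate_user_to(user, site, otp)


def demo() -> dict:
    """Run the flow twice with the same OTP and report what the terminal captured."""
    bank_password = "s3cret-bank-pw"                     # constructed
    bank = WebServer("bank", {"alice": bank_password})
    sheet = [str(secrets.randbelow(10 ** 8)).zfill(8) for _ in range(5)]  # paper OTPs
    proxy = Proxy({"alice": {"bank": bank_password}}, {"alice": sheet}, {"bank": bank})
    keylog = []
    first = public_terminal_login(proxy, "alice", "bank", sheet[0], keylog)
    replay = public_terminal_login(proxy, "alice", "bank", sheet[0], keylog)
    return {
        "first_ok": first["ok"],
        "replay_ok": replay["ok"],                         # burnt code is refused
        "password_leaked": bank_password in keylog,        # the terminal never saw it
        "bank_sessions": len(bank.sessions),
    }


if __name__ == "__main__":
    print(demo())
```

The simulation also shows where the deployment cost the slide flags comes from: every site password has to be entrusted to the proxy, and a fresh sheet has to reach the user whenever the codes run out.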
Conclusion
No method is perfect
No method is clearly better than passwords
– Along all three dimensions
Several methods complement/strengthen passwords
Passwords may be around for a few more years…