Presentation is loading. Please wait.

Presentation is loading. Please wait.

The quest to replace passwords Evangelos Markatos Based on a paper by Joseph Bonneau,Cormac Herley, Paul C. van Oorschot, and Frank Stajanod.

Published byAraceli Temple Modified over 10 years ago

Similar presentations

Presentation on theme: "The quest to replace passwords Evangelos Markatos Based on a paper by Joseph Bonneau,Cormac Herley, Paul C. van Oorschot, and Frank Stajanod."— Presentation transcript:

1 The quest to replace passwords Evangelos Markatos Based on a paper by Joseph Bonneau,Cormac Herley, Paul C. van Oorschot, and Frank Stajanod

2 What is the problem Passwords have been around for too long – Original developed for time-sharing systems – 10-100 users – no Internet We need to replace them Why? – Easy to break (most usual password: 12345678) – Difficult to remember esp. if you have several of them – Easy to lose Phishing

3 What to do? Replace passwords With what? – Biometrics (fingerprints) Iris scanners, fingerprint scanners – Graphics passwords If you can not say it, DRAW it – Cognitive passwords – Point-and-click passwords – One Time Passwords Electronic OTPs, paper copies, etc.

4 A survey This paper is a survey – Surveys all password categories – Explains Advantages Disadvantages Compares them – Three dimensions: Usability Deployability Security

5 Usability Do you need to remember something? Scalable? – What if you have 10s – 100s of accounts? Do you need to carry aything? Easy to learn? Efficient to use? What happens if it is lost?

6 Deployability What is the cost per user? Is it compatible – with current servers? – With current browsers? Is it mature? Is it propriatory?

7 Security What if the attacker is looking over your shoulder? Is it resilient to random guessing? – Throttled – un-throttled Resilient to internal observation? – Keyboard loggers? Resilient to leaks? Resilient to phishing?

8 Encrypted Password Managers: Mozilla What is it? Firefox offers to remember all your passwords – One time overhead to set it up – Never type a password again! Firefox remembers it – What if I have two devices? Firefox can sync everything in the cloud – What if I access the web from an Internet Café? Do I want to sync all my passwords with the Cafés browser?

9 Single sign on! Use one password to log in everywhere Single sign on Great idea! Is it easier than passwords? – Yes Easier Deployment as well! Is it safer than passwords? – Not really… – See next paper as well

10 Graphical passwords People are better at remembering images – Rather than words! Draw your password! Well, actually – Draw lines, or – Choice points in an image Sounds simple… What if you have lots of passwords? – Lots of drawings….

11 Cognitive authentication Do not sent your password to the server What? Just prove to the server that you know it Why? – No phisher will be able to find it! – No man-in-the middle will be able to intercept it

12 Cognitive authentication II How do you prove that you know the password? Say that the password is 10,33,52,74 The server sends you a vector v[0:100] You reply with the contents of – v[10], v[33], v[52], v[74] Each time you want to log in you get a different vector Each time you reply with different numbers – Always you send the v[10], v[33], v[52], v[74] Example: – If v[i] == I, you send 10, 33, 52, 74 – If v[i] == i+1, you send 11, 34, 53, 75

13 Cognitive authentication III Resistant to monitoring – No password is being sent – Each time a different proof of password knowledge is being sent Resistant to guessing? – Not really

14 Paper Token Write (one-time) passwords on a piece of paper – The server asks for the password – And something written on the paper – (something you have and something you know) Difficult to deploy – Need to send the papers to users What if you have many accounts? What if someone steals/copies the paper?

15 Hardware tokens OTPs – One-time passwords Little devices – Press a button – Get an OTP The server asks for – The regular password – The OTP – (something you know and something you have) In 2011 all RSA seeds were stolen – All OTPs had to be replaced

16 Biometrics Fingerprint scanners Iris scanners Great! Fingerprint scanners – Can be spoofed – Fingerprints can be lifted from glass surfaces Costly ($$$) – Fingerprint readers have a cost

17 Mobile phone based Use two devices to authenticate – the computer (as usual) – The mobile phone Flow chart: – User selects site on mobile phone – Mobile phone talks to the web browser on the computer – Mobile phone authenticates with the bank – The browser authenticates with the bank The attacker – Needs both the passwords and the mobile phone

18 Mobile phone based II Security – Although if there is malware both on the phone and the computer … Deployability Usability – Can be used for a subset of sites E.g. banks

19 What if the computer is compromised? What if you use a public terminal? – Would you give it your password? – Could keyboard loggers steal it? Solution: – SSO + paper OTP + proxy There is a proxy between the client and the server – The proxy has all passwords – The proxy gives the user a set of OTPs – The OTPs are in a piece of paper that the user has

20 What if the computer is compromised? II Flowchart – The user asks the proxy to authenticate her to a web server – The proxy asks for the OTP – The proxy authenticates the user to the web server + it works - deployment ….

21 Conclusion No method is perfect No method is clearly better than passwords – Along all three dimensions Several methods complement/strengthen passwords Passwords may be around for a few more years…

Download ppt "The quest to replace passwords Evangelos Markatos Based on a paper by Joseph Bonneau,Cormac Herley, Paul C. van Oorschot, and Frank Stajanod."

Similar presentations

Penetration Testing Biometric System

Penetration Testing Biometric System
Usably Secure, Low-Cost Authentication for Mobile Banking* Saurabh Panjwani, Ed Cutrell Microsoft Research India * Many thanks to Anupam Varghese (EKO.

Usably Secure, Low-Cost Authentication for Mobile Banking* Saurabh Panjwani, Ed Cutrell Microsoft Research India * Many thanks to Anupam Varghese (EKO.
You are responsible for security of your internet banking transactions ONLINE.

You are responsible for security of your internet banking transactions ONLINE.
Secure Web Authentication With Mobile Phones Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial Intelligence Lab.

Secure Web Authentication With Mobile Phones Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial Intelligence Lab.
Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility.

Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility.
User Security for e-Post Applications Dr Chandana Gamage University of Moratuwa.

User Security for e-Post Applications Dr Chandana Gamage University of Moratuwa.
Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.

Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.
Security Security comes in three forms. 1.Encryption – making data and information transmitted by one person unintelligible to anyone other than the intended.

Security Security comes in three forms. 1.Encryption – making data and information transmitted by one person unintelligible to anyone other than the intended.
Two-Factor Authentication & Tools for Password Management August 29, 2014 Pang Chamreth, IT Development Innovations 1.

Two-Factor Authentication & Tools for Password Management August 29, 2014 Pang Chamreth, IT Development Innovations 1.
COEN 350: Network Security Authentication. Between human and machine Between machine and machine.

COEN 350: Network Security Authentication. Between human and machine Between machine and machine.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility. Simplify authentication.

Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility. Simplify authentication.
ICT Curriculum Evening – an introduction to Wizkid.

ICT Curriculum Evening – an introduction to Wizkid.
By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.

By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.
CMSC 414 Computer (and Network) Security Lecture 24 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 24 Jonathan Katz.
PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,

PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,
By Anthony McDougle and Loren Klingman.  The average user does not have secure passwords ◦ Simple passwords ◦ Reusing the same password ◦ Never changing.

By Anthony McDougle and Loren Klingman.  The average user does not have secure passwords ◦ Simple passwords ◦ Reusing the same password ◦ Never changing.
The Office of Information Technology Two-Factor Authentication.

The Office of Information Technology Two-Factor Authentication.
Notes to Teachers At the time we embedded the links in these lessons, they all worked. If they don’t, you can google the website, find the link, open it.

Notes to Teachers At the time we embedded the links in these lessons, they all worked. If they don’t, you can google the website, find the link, open it.
How to Create (and use) Strong & Unique Passwords Larry Magid Co-director ConnectSafely.org.

How to Create (and use) Strong & Unique Passwords Larry Magid Co-director ConnectSafely.org.

Similar presentations

Ads by Google