Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Web Authentication With Mobile Phones Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial Intelligence Lab.

Similar presentations


Presentation on theme: "Secure Web Authentication With Mobile Phones Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial Intelligence Lab."— Presentation transcript:

1 Secure Web Authentication With Mobile Phones Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial Intelligence Lab

2 Problem to Be Solved People increasingly reply on public computers to do business over the Internet But passwords can be captured by the computer and later reused by a hostile party –2002: key logger at 14 NYC Kinko s captured 450 usernames and passwords –2003: key logger on more than 100 campus computers in Boston College –2003: £6,300 stolen from a bank account after it was accessed at a public terminal

3 Our Approach

4

5 Authentication Protocol I am Alice

6 Authentication Protocol Your current authentication session is FAITH Session FAITH is waiting for approval

7 Authentication Protocol Approve session FAITH FAITH

8 Authentication Protocol Username Password

9 Authentication Protocol (Dealing with Fraud) Lock my account until further notice FAITH Session PSYCH is waiting for approval

10 Two Mobile Phone Interfaces for Authentication Check and ApproveChoose and Approve

11 User Study How does our approach compare, in terms of security and usability, to other existing mobile phone authentication solutions? –One-time password sent to mobile phone (RSA Mobile, Fujitsu)

12 Four Login Techniques One-time password approach –Type Random Code: –Type Random Phrase: swears trainee Proxy-side spelling checker (Ispell) Our approach –Check and Approve –Choose and Approve

13 Method Controlled experiment in the lab –Logged in to Amazon.com using an account set up by us with a personal computer and a mobile phone provided by us –6 logins in a block for each technique, for a total of 24 logins, with the order of the four login techniques randomized

14 Simulated Attacks Will a user blindly approve sessions without looking at the session name? Users were told that they were going to be spoofed by our simulated attacks

15 Unknown Attack PSYCH is waiting for approval

16 Duplicated Attack PSYCH FAITH

17 Blocking Attack PSYCH is waiting for approval ? ? ?

18 Ease of Use Single factor ANOVA with P = 0.01

19 Error Rates Login by Check and Approve was easily spoofed –Duplicated attack: 4 successful out of 11 attacks –Blocking attack: 2 out of 9 –Unknown attack: 1 out of 33

20 Error Rates Login by Check and Approve was easily spoofed –Duplicated attack: 4 successful out of 11 attacks There must be a bug in the proxy since the session name displayed in the computer does not match the one in the mobile phone. –Blocking attack: 2 out of 9 The network connection must be really slow since the session name has not been displayed. –Unknown attack: 1 out of 33

21 Error Rates Choose and Approve has zero error rate

22 Future Work Field study Not only password but also any confidential information should avoid touching the hostile host

23 Conclusion By asking the user to choose and approve a correct session name from her mobile phone, we provide a mobile phone authentication solution that is both secure and easy to use Flexible solution to web authentication –Good backup to password login


Download ppt "Secure Web Authentication With Mobile Phones Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial Intelligence Lab."

Similar presentations


Ads by Google