The quest to replace passwords. Evangelos Markatos. Based on a paper by Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano.

What is the problem
- Passwords have been around for too long
  – Originally developed for time-sharing systems – users – no Internet
- We need to replace them. Why?
  – Easy to break (most usual password: )
  – Difficult to remember, esp. if you have several of them
  – Easy to lose: phishing

What to do?
- Replace passwords. With what?
  – Biometrics (fingerprints): iris scanners, fingerprint scanners
  – Graphical passwords: if you cannot say it, DRAW it
  – Cognitive passwords
  – Point-and-click passwords
  – One-time passwords: electronic OTPs, paper copies, etc.

A survey
- This paper is a survey
  – Surveys all password categories
  – Explains advantages and disadvantages
  – Compares them along three dimensions: usability, deployability, security

Usability
- Do you need to remember something?
- Scalable?
  – What if you have 10s – 100s of accounts?
- Do you need to carry anything?
- Easy to learn?
- Efficient to use?
- What happens if it is lost?

Deployability
- What is the cost per user?
- Is it compatible
  – with current servers?
  – with current browsers?
- Is it mature?
- Is it proprietary?

Security
- What if the attacker is looking over your shoulder?
- Is it resilient to random guessing?
  – throttled
  – un-throttled
- Resilient to internal observation?
  – Keyboard loggers?
- Resilient to leaks?
- Resilient to phishing?
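The throttled / un-throttled distinction above decides how many guesses an online attacker actually gets. The following is an added example (not from the slides or the paper) of one throttling policy: after a fixed number of wrong passwords the account locks, and every further lockout doubles in length. The policy parameters (5 tries, 30 s base lockout, doubling) and the simulated attacker rate of 10 guesses per second are assumptions chosen for the demonstration; a fake clock lets the simulation run instantly.

```python
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0        # wrong guesses since the last lockout or success
    lockouts: int = 0        # lockouts so far; drives the exponential backoff
    locked_until: float = 0.0


class LoginThrottle:
    """Throttled guessing: after max_failures wrong passwords the account is
    locked, and each further lockout doubles in length.
    Hypothetical policy written for this page; the paper prescribes no policy."""

    def __init__(self, max_failures=5, base_lockout=30.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.clock = clock            # injectable so a simulation can use a fake clock
        self.accounts = {}

    def state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def attempt(self, user, password_ok):
        """Returns 'locked', 'ok' or 'bad_password'. While the account is
        locked even the correct password is refused."""
        st = self.state(user)
        now = self.clock()
        if now < st.locked_until:
            return "locked"
        if password_ok:
            st.failures = st.lockouts = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.failures = 0
            st.lockouts += 1
            st.locked_until = now + self.base_lockout * 2 ** (st.lockouts - 1)
        return "bad_password"


def unthrottled_guesses(seconds, rate_per_sec):
    """Un-throttled: the attacker is limited only by how fast the server answers."""
    return int(seconds * rate_per_sec)


def throttled_guesses(seconds, throttle, rate_per_sec, user="victim"):
    """Simulate an attacker firing wrong guesses at one account at rate_per_sec
    and count how many guesses the server actually evaluates. When the account
    is locked the attacker can only wait for the lock to expire."""
    t = [0.0]                          # fake clock, advanced by the simulation
    throttle.clock = lambda: t[0]
    evaluated = 0
    while t[0] < seconds:
        if throttle.attempt(user, password_ok=False) == "bad_password":
            evaluated += 1
            t[0] += 1.0 / rate_per_sec
        else:
            t[0] = throttle.state(user).locked_until
    return evaluated


if __name__ == "__main__":
    hour = 3600
    print("un-throttled, 10 guesses/s for an hour:", unthrottled_guesses(hour, 10))   # 36000
    print("throttled (5 tries, 30 s lock, doubling):",
          throttled_guesses(hour, LoginThrottle(), 10))                               # 35
```

The same hour that yields 36,000 evaluated guesses without throttling yields 35 with it. The usual caveat applies: a per-account lockout also lets anyone who knows a username lock its legitimate owner out, which is why real deployments combine it with per-source limits rather than relying on account lockout alone.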

Encrypted Password Managers: Mozilla
- What is it? Firefox offers to remember all your passwords
  – One-time overhead to set it up
  – Never type a password again! Firefox remembers it
  – What if I have two devices? Firefox can sync everything in the cloud
  – What if I access the web from an Internet Café? Do I want to sync all my passwords with the Café's browser?

Single sign on!
- Use one password to log in everywhere: single sign on
- Great idea!
- Is it easier than passwords?
  – Yes. Easier deployment as well!
- Is it safer than passwords?
  – Not really…
  – See next paper as well

Graphical passwords
- People are better at remembering images
  – rather than words!
- Draw your password! Well, actually
  – draw lines, or
  – choose points in an image
- Sounds simple… What if you have lots of passwords?
  – Lots of drawings…

Cognitive authentication
- Do not send your password to the server
- What? Just prove to the server that you know it
- Why?
  – No phisher will be able to find it!
  – No man-in-the-middle will be able to intercept it

Cognitive authentication II
- How do you prove that you know the password?
- Say that the password is 10,33,52,74
- The server sends you a vector v[0:100]
- You reply with the contents of
  – v[10], v[33], v[52], v[74]
- Each time you want to log in you get a different vector
- Each time you reply with different numbers
  – but you always send v[10], v[33], v[52], v[74]
- Example:
  – If v[i] == i, you send 10, 33, 52, 74
  – If v[i] == i+1, you send 11, 34, 53, 75
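The exchange on this slide, written out as an added example (not code from the slides or the paper): the server issues a fresh vector per login, the client answers with the values at its secret positions, and the server checks the answer against the vector it issued. Two details are assumptions not fixed by the slide: each v[i] is drawn from 0..99, and a challenge is discarded once answered so an old answer cannot be replayed.

```python
import hmac
import secrets

VECTOR_LEN = 100   # the slide's v[0:100]
ALPHABET = 100     # assumption: each v[i] is a value in 0..99


def make_challenge(rng=None):
    """Server side: a fresh random vector for this login attempt only."""
    rng = rng or secrets.SystemRandom()
    return [rng.randrange(ALPHABET) for _ in range(VECTOR_LEN)]


def respond(secret_positions, v):
    """Client side: the password 10,33,52,74 itself is never sent; the client
    answers with the challenge values found at those positions."""
    return [v[i] for i in secret_positions]


class CognitiveServer:
    """Holds one user's secret positions and at most one pending challenge."""

    def __init__(self, secret_positions):
        self.secret = tuple(secret_positions)
        self.pending = None

    def challenge(self, rng=None):
        self.pending = make_challenge(rng)
        return list(self.pending)

    def verify(self, response):
        """A challenge can be answered once: the vector is dropped before the
        comparison, so the same answer fails on a second submission."""
        if self.pending is None:
            return False
        v, self.pending = self.pending, None
        expected = ",".join(map(str, respond(self.secret, v)))
        given = ",".join(map(str, response))
        return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    secret = [10, 33, 52, 74]
    # The two cases from the slide: v[i] == i and v[i] == i + 1
    print(respond(secret, list(range(VECTOR_LEN))))             # [10, 33, 52, 74]
    print(respond(secret, [i + 1 for i in range(VECTOR_LEN)]))  # [11, 34, 53, 75]
    server = CognitiveServer(secret)
    v = server.challenge()
    print(server.verify(respond(secret, v)))   # True
    print(server.verify(respond(secret, v)))   # False: challenge already consumed
```

Note what the server stores: the secret positions in clear, because it must recompute the expected answer from them. Whatever protects that store is therefore as important as the protocol itself.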

Cognitive authentication III
- Resistant to monitoring
  – No password is being sent
  – Each time a different proof of password knowledge is sent
- Resistant to guessing?
  – Not really

Paper Token
- Write (one-time) passwords on a piece of paper
  – The server asks for the password
  – and for something written on the paper
  – (something you have and something you know)
- Difficult to deploy
  – Need to send the papers to users
- What if you have many accounts?
- What if someone steals/copies the paper?

Hardware tokens
- OTPs – one-time passwords
- Little devices
  – Press a button
  – Get an OTP
- The server asks for
  – the regular password
  – the OTP
  – (something you know and something you have)
- In 2011 all RSA seeds were stolen
  – All OTPs had to be replaced
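A press-the-button token and its server both derive each code from a shared seed and a counter; the standard way to do this is HOTP (RFC 4226). The example below is added here and is not from the slides or the paper: `hotp` follows the RFC, the seed is the RFC's published test seed, and the token and server classes plus the look-ahead window of 5 are assumed design choices. It also shows why a stolen seed is fatal: the server's own verification routine computes every code the device will ever produce from nothing but that seed.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HardwareToken:
    """The little device: press the button, get the next code."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.seed, self.counter)
        self.counter += 1
        return code


class TokenServer:
    """Server side: shares the seed with the device and tracks the next
    expected counter. The look-ahead window tolerates presses that were never
    typed in; once a counter is accepted it and all earlier ones are dead."""

    def __init__(self, seed: bytes, window: int = 5):
        self.seed = seed
        self.next_counter = 0
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.next_counter = c + 1   # resync and burn this counter
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"      # RFC 4226 test seed, shared by token and server
    token, server = HardwareToken(seed), TokenServer(seed)
    first = token.press()
    print(first, server.verify(first))    # 755224 True
    print(server.verify(first))           # False: replay of a used code
    token.press()                         # pressed but never submitted
    print(server.verify(token.press()))   # True: still inside the look-ahead window
```

The seed is the whole secret. A database of seeds is therefore exactly as sensitive as a database of plaintext passwords, and the only remedy after it leaks is the one the slide describes: replace every token.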

Biometrics
- Fingerprint scanners, iris scanners. Great!
- Fingerprint scanners
  – can be spoofed
  – fingerprints can be lifted from glass surfaces
- Costly ($$$)
  – Fingerprint readers have a cost

Mobile phone based
- Use two devices to authenticate
  – the computer (as usual)
  – the mobile phone
- Flow chart:
  – User selects site on mobile phone
  – Mobile phone talks to the web browser on the computer
  – Mobile phone authenticates with the bank
  – The browser authenticates with the bank
- The attacker
  – needs both the password and the mobile phone

Mobile phone based II
- Security
  – Although if there is malware both on the phone and the computer …
- Deployability
- Usability
  – Can be used for a subset of sites, e.g. banks

What if the computer is compromised?
- What if you use a public terminal?
  – Would you give it your password?
  – Could keyboard loggers steal it?
- Solution:
  – SSO + paper OTP + proxy
- There is a proxy between the client and the server
  – The proxy has all passwords
  – The proxy gives the user a set of OTPs
  – The OTPs are on a piece of paper that the user has

What if the computer is compromised? II
- Flowchart
  – The user asks the proxy to authenticate her to a web server
  – The proxy asks for the OTP
  – The proxy authenticates the user to the web server
- + it works
- – deployment ….
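The paper-token slide and the SSO + paper OTP + proxy flowchart above describe the same mechanism from two sides, so one added example serves both (it is not code from the slides or the paper). The proxy keeps the user's real site passwords and only the hashes of the codes on her sheet; the public terminal ever sees just one code, which is crossed off as soon as it is used. The 8-digit codes, the in-memory `WebServer`, and the `SsoProxy` API are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def print_sheet(n: int = 10, rng=secrets) -> list:
    """The piece of paper: n distinct 8-digit one-time codes (constructed)."""
    codes = []
    while len(codes) < n:
        code = f"{rng.randbelow(10 ** 8):08d}"
        if code not in codes:
            codes.append(code)
    return codes


class PaperOtpSheet:
    """Proxy-side record of a sheet: only hashes are kept, and each code is
    removed the first time it is accepted, so a keylogged code is worthless."""

    def __init__(self, codes):
        self.unused = {_digest(c) for c in codes}

    def consume(self, code: str) -> bool:
        given = _digest(code)
        for stored in list(self.unused):
            if hmac.compare_digest(stored, given):
                self.unused.discard(stored)
                return True
        return False


class WebServer:
    """A site that knows nothing about the scheme: ordinary password login."""

    def __init__(self, name: str, credentials: dict):
        self.name = name
        self.credentials = credentials      # user -> password (constructed sample)
        self.sessions = {}                  # token -> user

    def login(self, user: str, password: str):
        expected = self.credentials.get(user)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token


class SsoProxy:
    """Sits between the (possibly compromised) terminal and the web servers:
    holds every site password (the SSO part) and the user's OTP sheet."""

    def __init__(self):
        self.vault = {}     # user -> {site name: site password}
        self.sheets = {}    # user -> PaperOtpSheet

    def enroll(self, user: str, site_passwords: dict, n_codes: int = 10) -> list:
        codes = print_sheet(n_codes)
        self.vault[user] = dict(site_passwords)
        self.sheets[user] = PaperOtpSheet(codes)
        return codes        # handed to the user on paper, never stored in clear

    def authenticate(self, user: str, site: WebServer, otp: str):
        """The flowchart: user names the site, proxy asks for an OTP, proxy
        logs in to the site with the real password on the user's behalf."""
        sheet = self.sheets.get(user)
        if sheet is None or not sheet.consume(otp):
            return None
        password = self.vault[user].get(site.name)
        if password is None:
            return None
        return site.login(user, password)


if __name__ == "__main__":
    bank = WebServer("bank", {"alice": "correct-horse"})   # constructed credentials
    proxy = SsoProxy()
    sheet = proxy.enroll("alice", {"bank": "correct-horse"})
    print(proxy.authenticate("alice", bank, sheet[0]) is not None)   # True
    print(proxy.authenticate("alice", bank, sheet[0]) is not None)   # False: code burnt
    print(proxy.authenticate("alice", bank, sheet[1]) is not None)   # True
```

The password typed at the terminal is never the site password, which is what makes a keylogger on the public machine harmless for that login. The cost is the one the slide flags: the proxy now holds every password and must be trusted and defended accordingly, and the sheets have to reach users out of band.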

Conclusion
- No method is perfect
- No method is clearly better than passwords
  – along all three dimensions
- Several methods complement/strengthen passwords
- Passwords may be around for a few more years…