
Secure Web Authentication With Mobile Phones Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial Intelligence Lab.


1 Secure Web Authentication With Mobile Phones Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial Intelligence Lab

2 Problem to Be Solved
People increasingly rely on public computers to do business over the Internet
But passwords can be captured by the computer and later reused by a hostile party
–2002: key logger at 14 NYC Kinko's captured 450 usernames and passwords
–2003: key logger on more than 100 campus computers at Boston College
–2003: £6,300 stolen from a bank account after it was accessed at a public terminal

3 Our Approach

4

5 Authentication Protocol I am Alice

6 Authentication Protocol Your current authentication session is FAITH Session FAITH is waiting for approval

7 Authentication Protocol Approve session FAITH FAITH

8 Authentication Protocol Username Password

9 Authentication Protocol (Dealing with Fraud) Lock my account until further notice FAITH Session PSYCH is waiting for approval

10 Two Mobile Phone Interfaces for Authentication
–Check and Approve
–Choose and Approve

11 User Study
How does our approach compare, in terms of security and usability, to other existing mobile phone authentication solutions?
–One-time password sent to mobile phone (RSA Mobile, Fujitsu)

12 Four Login Techniques
One-time password approach
–Type Random Code: 1234-5678
–Type Random Phrase: swears trainee (proxy-side spelling checker: Ispell)
Our approach
–Check and Approve
–Choose and Approve

13 Method
Controlled experiment in the lab
–Logged in to Amazon.com using an account set up by us, with a personal computer and a mobile phone provided by us
–6 logins in a block for each technique, for a total of 24 logins, with the order of the four login techniques randomized

14 Simulated Attacks
Will a user blindly approve sessions without looking at the session name?
Users were told that they were going to be spoofed by our simulated attacks

15 Unknown Attack PSYCH is waiting for approval

16 Duplicated Attack
PSYCH / FAITH (the session name shown on the mobile phone does not match the one shown on the computer)

17 Blocking Attack
PSYCH is waiting for approval (the session name is not displayed on the computer)

18 Ease of Use Single factor ANOVA with P = 0.01

19 Error Rates
Login by Check and Approve was easily spoofed
–Duplicated attack: 4 successful out of 11 attacks
–Blocking attack: 2 out of 9
–Unknown attack: 1 out of 33

20 Error Rates
Login by Check and Approve was easily spoofed
–Duplicated attack: 4 successful out of 11 attacks
"There must be a bug in the proxy since the session name displayed in the computer does not match the one in the mobile phone."
–Blocking attack: 2 out of 9
"The network connection must be really slow since the session name has not been displayed."
–Unknown attack: 1 out of 33

21 Error Rates Choose and Approve has zero error rate
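The protocol of slides 5 to 9 and the three simulated attacks of slides 15 to 17, as an added Python model that is not part of the original presentation or of the authors' system. The AuthProxy class, the constructed word list, and the two user-behaviour functions are assumptions made here to show why Check and Approve can be spoofed by a user who does not compare names, while Choose and Approve forces the comparison: the user cannot approve anything unless the name on the computer is among the names listed on the phone.

```python
import secrets

# Constructed pool of human-readable session names; the slides use FAITH and PSYCH.
SESSION_WORDS = ["FAITH", "PSYCH", "MAPLE", "RIVER", "CLOUD", "TIGER", "OCEAN", "PIANO"]


class AuthProxy:
    """Hypothetical model of the authentication proxy in the slides.

    The proxy, not the public computer, holds the user's real password, so the
    password never touches the untrusted host. A browser session is logged in
    only after the user approves its session name from the mobile phone.
    """

    def __init__(self):
        self.pending = {}        # session name -> username the session claims to be
        self.logged_in = set()   # session names the proxy has logged in on the web site
        self.locked = set()      # usernames locked "until further notice" (slide 9)

    def start_session(self, claimed_user):
        """Slide 5: a browser says "I am Alice". The proxy picks a fresh session
        name and returns it for display on the (possibly hostile) computer."""
        unused = [w for w in SESSION_WORDS if w not in self.pending]
        name = secrets.choice(unused)
        self.pending[name] = claimed_user
        return name

    def phone_view(self, user):
        """Slide 6: names of the user's sessions waiting for approval, as shown on the phone."""
        return sorted(n for n, u in self.pending.items() if u == user)

    def approve(self, user, name):
        """Slides 7-8: approving a session by name makes the proxy submit the stored
        username/password for it. Returns False for unknown names or locked accounts."""
        if user in self.locked or self.pending.get(name) != user:
            return False
        del self.pending[name]
        self.logged_in.add(name)
        return True

    def lock_account(self, user):
        """Slide 9: the user saw a session name she never started; lock the account
        and discard every pending request made in her name."""
        self.locked.add(user)
        for name in list(self.pending):
            if self.pending[name] == user:
                del self.pending[name]


def check_and_approve(proxy, user, on_computer, careful):
    """Check and Approve: the phone shows each pending session with an Approve button.
    A careful user approves only the name she also sees on the computer; a careless
    user approves whatever the phone shows (the behaviour measured on slides 19-20)."""
    for name in proxy.phone_view(user):
        if careful and name != on_computer:
            continue
        proxy.approve(user, name)


def choose_and_approve(proxy, user, on_computer):
    """Choose and Approve: the phone lists all pending names and the user must pick
    the one on the computer. If the computer shows nothing, or a name that is not in
    the list, there is nothing to pick, so nothing gets approved."""
    if on_computer in proxy.phone_view(user):
        proxy.approve(user, on_computer)


def run_attack(kind, interface, careful=False):
    """Simulate one attack from slides 15-17 against Alice's account.
    Returns True if the attacker's session ended up logged in."""
    proxy = AuthProxy()
    attacker_session = proxy.start_session("alice")   # attacker types "I am Alice"
    if kind == "unknown":
        on_computer = None            # Alice is not logging in at all right now
    elif kind == "duplicated":
        on_computer = proxy.start_session("alice")    # Alice's own login runs concurrently
    elif kind == "blocking":
        proxy.start_session("alice")  # Alice's login runs, but the hostile host hides its name
        on_computer = None
    else:
        raise ValueError(f"unknown attack kind: {kind}")

    if interface == "check":
        check_and_approve(proxy, "alice", on_computer, careful)
    elif interface == "choose":
        choose_and_approve(proxy, "alice", on_computer)
    else:
        raise ValueError(f"unknown interface: {interface}")
    return attacker_session in proxy.logged_in


if __name__ == "__main__":
    for kind in ("unknown", "duplicated", "blocking"):
        print(kind, "check/careless:", run_attack(kind, "check"),
              "check/careful:", run_attack(kind, "check", careful=True),
              "choose:", run_attack(kind, "choose"))
```

In this model every attack succeeds against a careless Check and Approve user and none succeeds against Choose and Approve, which is the qualitative shape of the error rates on slides 19 to 21; the study's actual numbers come from real users, not from this simulation.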

22 Future Work
–Field study
–Not only the password but any confidential information should avoid touching the hostile host

23 Conclusion
By asking the user to choose and approve the correct session name from her mobile phone, we provide a mobile phone authentication solution that is both secure and easy to use
Flexible solution to web authentication
–Good backup to password login

