Authentication for Humans Rachna Dhamija SIMS, UC Berkeley DIMACS Workshop on Usable Privacy and Security Software July 7, 2004.


1 Authentication for Humans Rachna Dhamija SIMS, UC Berkeley rachna@sims.berkeley.edu DIMACS Workshop on Usable Privacy and Security Software July 7, 2004

2 Talk Outline
• Machines Authenticating Users
  – Déjà Vu User Study: Using Images for Authentication
• Users Authenticating Remote Servers
  – Interfaces for website authentication

3 Password Usability and Security
• Simple and meaningful passwords: memorable, but easier to guess
• Complex passwords: strong, but hard to remember
• Advantages of passwords
  – Cheap and easy to implement
  – We develop muscle memory

4 Previous Solutions
• Stronger password hashing & storage
• Proactive password cracking
• Enforce system policies
• Better user education and training
  – Significant non-compliance rate by users
We try to address the fundamental problem: recall is hard

5 Picture recognition is easier
• Humans have a vast memory for pictures
  – 2560 photos viewed for a few seconds each: 90% recognition [Standing, Conezio, Haber]
  – 10,000 photos: 66% recognition after 2 days [Standing]
  – 200 random photos: >90% after 1-3 months [Weinshall/Kirkpatrick, CHI 2004]
• Fractions of a second are enough to remember
• Picture recognition is easier than verbal recognition
• Picture recognition is easier than picture recall
  – Harder to recall semantics or to redraw a picture
  – But picture recall is still better than verbal recall

6 Déjà Vu Design Goals
• Base security on human strengths: recognition over recall
• Prevent weak passwords
• Prevent password sharing
• No biometrics or tokens

7 Authentication through Images
• Choose image portfolio
• Challenge set = portfolio + decoys
• Photos and Random Art

8 Random Art
Algorithm: seed -> pseudo-random number generator -> random expression tree that maps each pixel's (x, y) coordinates to an RGB value -> random art image
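The pipeline on this slide, as an added example that is not the Déjà Vu code: a seeded PRNG drives construction of a random expression tree over the pixel coordinates, the tree is evaluated once per pixel and channel, and the result is written out as an image. The toy grammar here (leaves x, y; operators sin, cos, mul, avg, mix) is an assumption chosen so every operator keeps values inside [-1, 1]; the grammar the study actually used is not given on the slide.

```python
import math
import random

# Added example, not the Random Art implementation used by Déjà Vu. The
# grammar (x, y, sin, cos, mul, avg, mix) is an assumption for illustration.

LEAVES = ("x", "y")
OPS = ("sin", "cos", "mul", "avg", "mix")


def build_tree(rng, depth):
    """Build a random expression tree over pixel coordinates x, y in [-1, 1].
    Every operator maps [-1, 1] inputs back into [-1, 1], so no clamping is
    needed until the final conversion to an 8-bit colour channel."""
    if depth <= 0 or rng.random() < 0.15:
        return rng.choice(LEAVES)
    op = rng.choice(OPS)
    if op in ("sin", "cos"):
        return (op, build_tree(rng, depth - 1))
    if op == "mix":  # blend of two subtrees, weight taken from a third
        return (op, build_tree(rng, depth - 1),
                build_tree(rng, depth - 1), build_tree(rng, depth - 1))
    return (op, build_tree(rng, depth - 1), build_tree(rng, depth - 1))


def evaluate(node, x, y):
    """Evaluate the expression tree at pixel coordinates (x, y)."""
    if node == "x":
        return x
    if node == "y":
        return y
    op = node[0]
    if op == "sin":
        return math.sin(math.pi * evaluate(node[1], x, y))
    if op == "cos":
        return math.cos(math.pi * evaluate(node[1], x, y))
    a = evaluate(node[1], x, y)
    b = evaluate(node[2], x, y)
    if op == "mul":
        return a * b
    if op == "avg":
        return (a + b) / 2
    # mix: convex combination of b and c, weight a mapped from [-1, 1] to [0, 1]
    w = (a + 1) / 2
    c = evaluate(node[3], x, y)
    return w * b + (1 - w) * c


def to_byte(v):
    """Map a value in [-1, 1] to an 8-bit channel, clamping against float drift."""
    return max(0, min(255, int(round((v + 1) / 2 * 255))))


def random_art(seed, width, height, depth=5):
    """Render a width x height image as rows of (r, g, b) tuples.
    The same integer seed always yields the same image, which is what lets a
    portfolio be stored as a list of seeds rather than as image files."""
    rng = random.Random(seed)                            # seeded PRNG drives every choice
    trees = [build_tree(rng, depth) for _ in range(3)]   # one tree per colour channel
    rows = []
    for j in range(height):
        y = -1 + 2 * j / max(1, height - 1)
        row = []
        for i in range(width):
            x = -1 + 2 * i / max(1, width - 1)
            row.append(tuple(to_byte(evaluate(t, x, y)) for t in trees))
        rows.append(row)
    return rows


def to_ppm(rows):
    """Serialise the image as binary PPM (P6) so any image viewer can open it."""
    height, width = len(rows), len(rows[0])
    header = f"P6 {width} {height} 255\n".encode()
    body = bytes(c for row in rows for px in row for c in px)
    return header + body


if __name__ == "__main__":
    with open("random_art_seed42.ppm", "wb") as f:
        f.write(to_ppm(random_art(42, 128, 128)))
```

Because the image is a pure function of the seed, the server only has to store the seeds of a user's portfolio and decoys; the stored record is then no more revealing than a list of integers, and the images are regenerated on demand for each challenge.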

9 Choose Image Portfolio

10 Portfolio Training

11 Challenge

12 Portfolio Creation Screen

13 Login Screen

14 Attacks
• Brute force
  – Optimal portfolio and challenge-set sizes depend on the required security
  – 5-image portfolio / 25-image challenge set = 53,130 combinations
• Measures against shoulder surfers:
  – Hide image selection
  – Distort images
• Measures against intersection attack:
  – Always show the same challenge set
  – Multi-stage authentication
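The challenge-set construction from slide 7 and the two numbers-and-measures points on this slide, as an added example that is not the study's code: the keyspace of one challenge is C(25, 5) = 53,130, and deriving each user's decoys from a per-user server-side secret makes the challenge set identical at every login, which is the "always show the same challenge set" measure. The image identifiers, the user secret and the helper names (`fixed_challenge_set`, `observed_intersection`, `simulate`) are constructed for illustration.

```python
import hashlib
import random
from math import comb

# Added example, not the Déjà Vu study code. Image identifiers and the
# per-user secret are constructed stand-ins; helper names are hypothetical.

IMAGE_POOL = [f"img{i:03d}" for i in range(100)]  # constructed: 100 candidate images


def keyspace(portfolio_size, challenge_size):
    """Guesses needed to exhaust one challenge: choose portfolio_size images
    out of the challenge_size shown. C(25, 5) = 53,130, as on the slide."""
    return comb(challenge_size, portfolio_size)


def choose_portfolio(pool, size, rng):
    """The user picks `size` images from the pool at portfolio creation."""
    return sorted(rng.sample(pool, size))


def fixed_challenge_set(portfolio, pool, user_secret, challenge_size=25):
    """Portfolio plus decoys. Decoys are derived from a per-user server-side
    secret, so every login shows the same set: someone who observes several
    logins sees no changing decoys to intersect away from the portfolio."""
    digest = hashlib.sha256(b"decoys:" + user_secret).digest()
    rng = random.Random(int.from_bytes(digest, "big"))
    candidates = [img for img in pool if img not in portfolio]
    decoys = rng.sample(candidates, challenge_size - len(portfolio))
    return frozenset(portfolio) | frozenset(decoys)


def login_screen(challenge_set, session_rng):
    """Screen layout is reshuffled per session; the set of images is not."""
    images = sorted(challenge_set)
    session_rng.shuffle(images)
    return images


def verify_login(portfolio, selected):
    """Accept only an exact match of the portfolio (selection order is irrelevant)."""
    return set(selected) == set(portfolio)


def observed_intersection(screens):
    """Images common to every observed login screen. With a fixed challenge
    set this is the whole set, so repeated observation narrows nothing."""
    return set.intersection(*(set(s) for s in screens)) if screens else set()


def simulate(user_seed, user_secret, sessions):
    """Portfolio creation followed by `sessions` logins for one constructed user."""
    rng = random.Random(user_seed)
    portfolio = choose_portfolio(IMAGE_POOL, 5, rng)
    challenge = fixed_challenge_set(portfolio, IMAGE_POOL, user_secret)
    screens = [login_screen(challenge, random.Random(user_seed + 1 + s))
               for s in range(sessions)]
    return portfolio, challenge, screens


if __name__ == "__main__":
    portfolio, challenge, screens = simulate(1, b"constructed-user-secret", 3)
    print("keyspace C(25,5) =", keyspace(5, 25))
    print("images common to all observed screens:", len(observed_intersection(screens)))
    print("correct portfolio accepted:", verify_login(portfolio, portfolio))
```

The design choice worth noting is where the decoy selection lives: the secret that fixes the decoys must stay server-side, because the stability of the challenge set, not its secrecy, is what the measure relies on, and a server that regenerated decoys freshly on each login would hand a repeat observer exactly the changing sets the intersection attack needs.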

15 Experiment Design
• Target population = general computer users
• 20 participants (11 males + 9 females, expert/novice)
• Tasks:
  – Initialization: PIN (4 digits); Password (6 char.); Art portfolio (5/100); Photo portfolio (5/100)
  – Login: PIN; Password; Art (5/25); Photo (5/25)
• Repeat login after one week
• Task order randomized
• Portfolio creation: same images but random order
• Portfolio login: random images and random order

16 Task Completion Time
Unlimited time & attempts; does not include failed logins

17 Error Rate
Session 1: no unrecoverable errors made with portfolios
Session 2: significantly fewer failed logins with portfolios (all users remembered 4/5 images on first attempt)

18 More Results
• It's easier than it looks
• Text vs. image portfolios
  – Passwords/PINs faster to create & log in with
  – Users reported that photos were easier than PINs
  – More users forgot their user names than their portfolios!
• Art vs. photos
  – Photos easier to remember, but easier to guess: gender, race, interests were a factor in choice
  – People choose similar photos; art is individual
  – Art descriptions vary; art is hard to describe
• How hard are they to communicate? Spouse-proof?

19 Conclusions in this study
• Recognition-based authentication
  – More reliable long term than passwords, PINs
  – Easier, more pleasant to use
  – Random Art portfolios are harder to predict than passwords or real images
• Applications
  – Where text input is hard and observation is limited (e.g., ATM, PDA, pen-based devices)
  – Infrequently used, high-availability passwords

20 Future Work
• Long-term studies
  – Frequency of use
  – Multiple portfolios and changes
  – Portfolio communication & prediction study
  – Cued recall of text passwords
• Image generation & distortion
  – Image generation and distortion techniques
  – What is the space of images that are distinguishable and memorable?
• Strengthen against attack, improve login times, allow non-perfect probabilistic recognition

21 Talk Outline
• Machines Authenticating Users
  – Déjà Vu User Study
• Users Authenticating Remote Servers
  – Interfaces for website authentication

22 Challenge

