Usable Security Introduction to User Authentication and Human Interaction Proof Research

Transcription

1 Usable Security Introduction to User Authentication and Human Interaction Proof Research Argyris C. Constantinides PhD Student Department of Computer Science University of Cyprus 1

2 Agenda Introduction User Authentication CAPTCHA HCI Beyond Mobile INTRODUCTION 2

3 The World Wide Web Today A platform for deployment of complex applications of increased interactivity A medium used for complex and important tasks commercial and governmental transactions, collaborative work, learning, information retrieval Security issues of interactive systems are of paramount importance Security on the World Wide Web Today Millions lost due to security breaches which often are accredited to end-user erroneous interaction habits with regards to deployed security policies Unusable authentication policies an ever increasing number of minimum characters for a secure password unnecessary time-depending security tasks solving a CAPTCHA challenge for accomplishing the main user goal 3

4 Usable Security designing secure systems that people can use Security Concerns the security aspects of the system Develop suitable mechanisms to ensure security of systems Usability Concerns the usability aspects of the system Design and develop security mechanisms following a user-centered design approach Predominant Security Mechanisms User Authentication The process of verifying the physical identity of a person CAPTCHA Challenges Protect Web systems against malicious automated software agents Tasks performed on every moment worldwide by millions of users 4

5 Security THE PROBLEM Emphasis on Security but not Usability Usability 5

6 The User Authentication Problem Current computing systems are more capable of guessing passwords through dictionary attacks Password policies decrease memorability of passwords require users to remember minimum 8+ characters, upper and lower case letters, special characters) Even more difficult to be memorized by humans The CAPTCHA Problem Current character recognition systems are more capable of breaking CAPTCHAs The characters distortion and complexity is increased Even more difficult to be recognized by humans 6

7 RELATED WORK User Authentication Two entities are communicating, and one or both wish to establish their identity to the other User authentication is the process of verifying the physical identity of a person User authentication is a vital component of any security infrastructure today 7

8 User Authentication Types What the user knows, what the user has and what the user is 1. Knowledge-based authentication, e.g., passwords 2. Token-based authentication, e.g., credit card 3. Biometric-based authentication, e.g., fingerprint Password-based Authentication Passwords are the most popular type of authentication 80% of US and UK companies apply text-based password authentication (Zhang et al., 2009) 8

9 Necessity for Increasing Usability of Passwords Studies revealed major usability issues of current password mechanisms (Komanduri et al., 2011; Bonneau et al., 2012) Policies make passwords hard to remember Multiple passwords across multiple accounts (less usable) Users don t understand threats and risks, e.g., one password is used across multiple accounts (less secure) Will Passwords become obsolete? Nielsen (2000) said that biometrics are highly usable and would replace passwords - hasn t happened Gates (2004) predicted that passwords would become obsolete - hasn t happened Why not? 9

10 Password-based Authentication Easy and fast to implement (vs. fingerprint and biometric-based) Cheap to implement (vs. credit cards and token-based) Popular among most of the users Do not have privacy issues as fingerprint identifiers Graphical authentication Graphical authentication highly researched alternatives Require users to remember images or draw patterns on a grid as their authentication key More memorable. Pictures are better recalled and recognized than text (Paivio, 2006; 1971) 10

11 Recognition-based: Passfaces Remember faces as the authentication key Very memorable Memorability decreases until you have multiple Passfaces keys (Everitt et al., 2009) Recognition-based: Single Object Images Remember single-object images More memorable than faces or abstract images Images may be easily labeled, e.g., football, teddy bear, etc. 11

12 Recall-based or Cued-recall-based CAPTCHA (Completely Automated Public Turing Tests to Tell Computers and Humans Apart) Protect against automated software agents whose purpose is to degrade the quality of a provided service Automated creation of fake accounts that are used later on for spam Generation of massive scale advertising Manipulation of online voting systems Access of private information Generation of hyperlinks in forums to improve their Web-sites search engine ranking Dictionary attacks of passwords 12

13 CAPTCHA (Completely Automated Public Turing Tests to Tell Computers and Humans Apart) Verifies that the entity interacting with a system is actually a human being, and not a software agent Based on the assumption that a distorted text-based image can be easily recognized by the human brain but present significant difficulty to image recognition systems Text-recognition CAPTCHA CAPTCHA challenges are performed primarily with the use of textrecognition CAPTCHA (Burzstein et al., 2010; von Ahn et al., 2008). Google recaptcha (von Ahn et al., 2008) is currently the most popular and widely used CAPTCHA online Over 200 million recaptchas are completed daily Facebook, Microsoft and many others utilize text-recognition CAPTCHA (Burzstein et al., 2010) 13

14 Necessity for Increasing Usability of CAPTCHA Studies revealed major usability issues of current CAPTCHA mechanisms (Yan et al., 2008; Fidas et al., 2011) Users find CAPTCHA frustrating Users have major difficulties in solving CAPTCHA CAPTCHA Alternatives Image-recognition CAPTCHAs Image puzzle problems e.g., Require users to select images Illustrating cats among dogs. Or determine the upright position of an image Speech-recognition CAPTCHAs Require users to enter text that is narrated by the CAPTCHA challenge 14

15 Diversity in User Authentication and CAPTCHA Research has shown that human behavior (e.g. interaction, visual and security behavior) in UA and CAPTCHA schemes varies depending on the users individuals characteristics and preferences Differences in factors such as age, cognitive processing styles and abilities One-size-fits-all Ineffective practice of usability in security, does not naturally embed the users characteristics in the design process Ignores the fact that different users different characteristics develop different structural and functional mental models need individual scaffolding It is necessary to understand in depth the interdependencies among the user characteristics and the security tasks,taking place during the interactions with hypermedia environments 15

16 User Security Tasks? Textual Authentication Textual CAPTCHA focusofanalysisremainsmainlyon the technology layer and fails to analyze and understand the users Graphical Authentication Image CAPTCHA Best-fit Security Scheme 16

17 HCI Beyond Mobile Beyond Real World 17

18 Mixed Reality How do we interact with it? 18

19 How do we type? Bluetooth-paired physical keyboard Virtual keyboard Research Challenges Do VR/AR/MR devices affect usability and security in User Authentication and CAPTCHA? Do the existing effects of human factors still exist in VR/AR/MR contexts? How to design usable UA and CAPTCHA schemes within VR/AR/MR contexts? 19

20 THANK YOU FOR YOUR ATTENTION 20