180 likes | 309 Views
HOPE Remote Management and Security. Team PowerDroid http://utdallas.edu/~imerchant/hope_remote 9/20/11. Agenda. Our work so far Security and Usability What’s left. So Far. Chosen a platform: Amazon Web Services Apache Tomcat JSP Requirements analysis
E N D
HOPE Remote Management and Security Team PowerDroid http://utdallas.edu/~imerchant/hope_remote 9/20/11
Agenda • Our work so far • Security and Usability • What’s left
So Far • Chosen a platform: Amazon Web Services • Apache Tomcat • JSP • Requirements analysis • Detailing functional requirements while considering nonfunctional ones. • Security and how it relates to usability is very important.
The Problem • Users forced to memorize usernames and passwords. • Good practices dictate a unique combination for each website/service.
Unique Combinations • One username/password combo per site • Gmail (three) • Windows Live • Facebook • Twitter • Steam • Minecraft • Bank of America • UTD • Netflix • Various news sites • Reliant Energy • Time Warner Cable • Skype • TV Tropes • Amazon • Newegg
The Problem • Users forced to memorize usernames and passwords. • Good practices dictate a unique combination for each website/service. • Password fatigue. • What about recovering lost passwords?
Solutions • Password vaults like KeePass
Solutions • Tools like 1Password
Security is hard! • Those solutions have usability problems • Lots of menus • Have to keep updated • Unique security breaches • While hard, security is provided. • But, no security is impenetrable. • Tradeoffs!
Our Goals • Provide users reasonable security. • Consider usability and end users • Very easy to use device-side authentication. • Minimal interruption of device-side service due to security issues.
Our Solution • Device • Pair (or activation) codes. • Short alphanumeric one-time use strings. • Web • Standard e-mail/password authentication. • Not ideal, but perfect security is an active research topic. • Pair codes are used to register devices with a particular account. • Once registered, there are no more device-side security-related prompts.
Device Registration Process • Application started for first time. • Asked to setup Remote Management now or later. • If later, give brief instruction on how to setup in the future. (“Tap Remote Management in Settings”, for example.)
Device Registration Process • If now, show pair (or time-sensitive activation code) and tell user to log in on the web (or provide link). • On website, after log in (or registration), device is registered to the account by using the pair (or activation) code. • Device now never asks for login information again. Devices can be deactivated on website.
Not Perfect • Reliant on username/password authentication on the web. • Users with no third-party caregiver could be confused and intimidated. • Pair codes: possible collisions. • Authorization requires use of both device and web.
What’s Left • Finish detailing requirements. • Finish diagrams (class, sequence) • Explore Amazon Web Services capabilities. • Reconcile or justify tradeoffs in security and usability.