
Next Steps toward More Trustworthy Interfaces

This workshop discusses the market problem of users lacking confidence in the applications they interact with. It explores the need for more trustworthy interfaces for entering passwords and personal information. The workshop proposes criteria for such interfaces and suggests potential collaborations to put them into practice.


Presentation Transcript


  1. Next Steps toward More Trustworthy Interfaces
     Burt Kaliski, RSA Laboratories
     1st Workshop on Trustworthy Interfaces for Passwords and Personal Information
     June 13, 2005

  2. Market Problem
     • Users don’t have a convenient way of gaining confidence that the applications they’re interacting with are the correct ones
        • especially when entering passwords and personal information
     • User interface is typically not trustworthy, so can’t tell if application can be trusted
        • “WYSINWYG” – what you see isn’t necessarily what you get
     • An important and relatively separable part of the broader trustworthy computing issue

  3. Not Just Passwords …
     • More trustworthy interfaces benefit other authentication types besides traditional passwords, e.g.:
        • PIN entry for smart cards and other security tokens
        • one-time passwords (challenge-response, event-sync, time-sync)
        • passwords to unlock software credentials
     • Trustworthy interfaces can be a platform for transitioning to stronger authentication, starting with passwords

  4. Multiple Stakeholders
     • Market problem brings together multiple parties involved in the interfaces and supporting protocols:
        • Application developers
        • Browser, OS and desktop software vendors
        • Identity providers and certificate authorities
        • User experience designers
        • Research community
     • None can address the full problem alone – stakeholders must work together

  5. Some Related Work
     • All of this workshop, of course …
     • Kim Cameron’s “Laws of Identity,” at the system level
        • User control and consent
        • Minimal disclosure for a constrained use
        • Justifiable parties
        • Directed identity
        • Pluralism of operators and technologies
        • Human integration
        • Consistent experience across contexts
     • Carl Ellison and Jesse Walker’s “Ceremonies”
        • protocol interaction involving humans

  6. Proposed Criteria for a Trustworthy Interface for Passwords and Personal Information
     • User can tell when interacting with an application through a trustworthy interface (e.g., via reserved “real estate”)
     • Interface provides a “trusted path” for data entry, protecting against other software
     • User can activate interface, or it can be activated automatically
     • User can verify identity of application through interface
     • Authentication is mutual – application must also demonstrate knowledge of password (or other authentication credential)
     • Personal information is protected – trusted interface won’t provide to incorrect application

  7. Presumptions
     • Market problem is important
     • Collaboration of multiple stakeholders is essential to solve it
     Industry goal: Provide trustworthy interfaces that give users confidence that their online interactions are with parties they trust, especially when entering passwords and personal information

  8. Potential Collaborations: Putting TIPPI into Practice
     • Publish workshop summaries and propose concepts in other forums
     • Prepare an open letter challenging the industry to improve interfaces
     • Promote industry standards efforts:
        • user interface criteria and specific user experience designs
        • supporting protocols and APIs
     • Provide reference implementations
        • browser plug-ins, OS extensions
     • Plan on 2nd TIPPI Workshop, June 2006!

  9. For More Information
     • Burt Kaliski
       Chief Scientist, RSA Laboratories
       VP Research, RSA Security
       bkaliski@rsasecurity.com
     • Magnus Nyström
       Technical Director, Office of the CTO
       RSA Security (Stockholm Office)
       mnystrom@rsasecurity.com
     • www.rsasecurity.com
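
The last two criteria on slide 6 (mutual authentication, and no release of personal information to an incorrect application), sketched as an added example that is not part of the presentation. The class names, the HMAC challenge-response and the PBKDF2 parameters are all assumptions chosen for illustration; the slides do not specify a protocol.

```python
import hashlib, hmac, secrets

def derive_key(password, salt):
    # Password-derived key known to both sides (PBKDF2 parameters are assumptions).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def proof(key, role, nonce_c, nonce_s):
    # The role label stops one side's proof being replayed as the other's.
    return hmac.new(key, role + b"|" + nonce_c + b"|" + nonce_s, hashlib.sha256).digest()

class Application:
    """Relying application holding the key set up at enrolment (hypothetical)."""
    def __init__(self, salt, key):
        self.salt, self.key, self.nonces = salt, key, None

    def respond(self, nonce_c):
        self.nonces = (nonce_c, secrets.token_bytes(16))
        return self.nonces[1], proof(self.key, b"app", *self.nonces)

    def verify_user(self, user_proof):
        if self.nonces is None:
            return False
        expected = proof(self.key, b"user", *self.nonces)
        self.nonces = None  # one attempt per challenge
        return hmac.compare_digest(user_proof, expected)

class TrustedInterface:
    """Hypothetical trusted interface holding the password and personal data."""
    def __init__(self, password, personal_info):
        self.password, self.personal_info = password, personal_info

    def login(self, app):
        nonce_c = secrets.token_bytes(16)
        nonce_s, app_proof = app.respond(nonce_c)
        key = derive_key(self.password, app.salt)
        if not hmac.compare_digest(app_proof, proof(key, b"app", nonce_c, nonce_s)):
            return None  # application failed its proof: release nothing
        return proof(key, b"user", nonce_c, nonce_s), self.personal_info

def demo():
    salt = secrets.token_bytes(16)  # constructed sample values throughout
    genuine = Application(salt, derive_key("correct horse", salt))
    impostor = Application(salt, derive_key("wrong guess", salt))
    ui = TrustedInterface("correct horse", {"email": "user@example.test"})
    released = ui.login(genuine)
    return released, genuine.verify_user(released[0]), ui.login(impostor)

if __name__ == "__main__":
    print(demo())
```

A plain HMAC exchange like this lets whoever receives a proof test password guesses offline; password-authenticated key exchange protocols are designed to avoid that.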
