
Déjà Vu: A User Study Using Images for Authentication



  1. Déjà Vu: A User Study Using Images for Authentication
  Rachna Dhamija, Adrian Perrig
  SIMS / CS, University of California Berkeley
  Presenter: 張淯閎

  2. Outline
  • Introduction
  • Password-Based Authentication
  • Déjà Vu
  • System Architecture
  • Sample Applications
  • User Study
  • Conclusion

  3. Introduction
  • User authentication is a central component of currently deployed security infrastructure.
    • Knowledge-based
    • Token-based
    • Biometrics
  • Humans have a vast memory for pictures.
  • Recognition-based authentication in the Déjà Vu system.

  4. Shortcomings of Password-Based Authentication
  • Relies on precise recall of the secret information.
  • Security problems
    • 15% of users picked passwords of three characters or fewer.
    • 85% of passwords can be easily broken using a dictionary.
    • Users often employ similar passwords for different purposes.
  • Current solutions
    • Aim to identify weak passwords.
    • Establish rules for users to follow.

  5. Déjà Vu
  • Three requirements
    • Does not rely on precise recall.
    • Prevents users from choosing weak passwords.
    • Makes passwords difficult to write down or share with others.
  • System architecture
    • Based on the observation that people have an excellent memory for images.
    • Three phases:
      • Portfolio Creation Phase
      • Training Phase
      • Authentication Phase

  6. Portfolio Creation Phase
  • The system can be based on photographs or on random art.
  • With random art, images need not be stored pixel by pixel; they are regenerated from a seed.

  7. Training and Authentication Phase
  • Training phase
    • Improves the memorability of the portfolio images.
    • Needs to occur in a secure environment.
  • Authentication phase
    • The server only needs to store the seed.
    • If the user correctly identifies all portfolio images in the challenge set (portfolio and decoy images), she is authenticated.
    • The portfolio can be split among multiple servers to increase security.

  8. Attacks and Countermeasures
  • Brute-force attack
    • Challenge set consisting of n images.
    • Portfolio consisting of m images.
    • Probability
  • Educated guess attack
    • Random art makes the portfolio hard to predict.
    • Hand-select images to ensure that no weak images are used.

  9. Attacks and Countermeasures
  • Observer attack
    • The positions of the portfolio images within the challenge set are randomized.
    • The method for image selection is hidden.
    • The portfolio images can be slightly changed in each authentication.
  • Intersection attack
    • Use the same challenge set.
    • Split the authentication into multiple stages.
    • Tighten the bound on unsuccessful logins before the account is blocked.
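The authentication phase and the countermeasures on slides 7 to 9 fit in a short model, given here as an added example that is not the authors' code or the paper's implementation. It assumes, beyond what the slides state, that each image is identified by a SHA-256 digest of seed-derived bytes (a stand-in for actually rendering random art), that decoys are drawn from fresh random seeds, and constructed parameter values (n = 20, m = 5, lockout after 3 failures). The `guess_probability` formula 1 / C(n, m) is derived here under the assumption that the attacker knows m and picks m of the n images uniformly; the slides give the setup but not the formula.

```python
"""Added example (not the authors' code): a minimal model of the Déjà Vu
authentication phase on slides 7-9.  Assumptions not taken from the slides:
image identifiers are SHA-256 digests of seed-derived bytes (a stand-in for
rendering random art), decoys come from fresh random seeds, and the
parameter values below are constructed."""
import hashlib
import math
import random

PORTFOLIO_SIZE = 5    # m: portfolio images (constructed value)
CHALLENGE_SIZE = 20   # n: images per challenge set (constructed value)
MAX_FAILURES = 3      # unsuccessful logins before the account is blocked (constructed)


def image_id(image_seed):
    """Identifier of the image that would be rendered from image_seed."""
    return hashlib.sha256(image_seed).hexdigest()[:16]


def portfolio_from_seed(seed, m=PORTFOLIO_SIZE):
    """Derive the m portfolio image identifiers from the account seed.
    Deterministic, so the server stores the seed rather than the images (slide 7)."""
    return [image_id(seed + i.to_bytes(4, "big")) for i in range(m)]


def make_challenge(seed, m=PORTFOLIO_SIZE, n=CHALLENGE_SIZE, rng_seed=None):
    """Build a challenge set: the m portfolio images plus n - m fresh decoys,
    in randomized positions (observer-attack countermeasure, slide 9).
    rng_seed exists only for reproducible tests; by default the OS RNG is used."""
    rng = random.SystemRandom() if rng_seed is None else random.Random(rng_seed)
    images = portfolio_from_seed(seed, m)
    while len(images) < n:
        decoy = image_id(rng.getrandbits(128).to_bytes(16, "big"))
        if decoy not in images:  # a decoy must not duplicate a portfolio image
            images.append(decoy)
    rng.shuffle(images)
    return images


def verify(seed, challenge, selected, m=PORTFOLIO_SIZE):
    """Authenticate only if the user picked exactly the portfolio images, all of
    which must be present in the challenge set (slide 7)."""
    chosen = set(selected)
    if not chosen <= set(challenge):
        return False
    return chosen == set(portfolio_from_seed(seed, m))


class Account:
    """Server-side state: the seed plus a failure counter with lockout (slide 9)."""

    def __init__(self, seed):
        self.seed = seed
        self.failures = 0
        self.locked = False

    def login(self, challenge, selected):
        if self.locked:
            return False
        ok = verify(self.seed, challenge, selected)
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            self.locked = self.failures >= MAX_FAILURES
        return ok


def guess_probability(n=CHALLENGE_SIZE, m=PORTFOLIO_SIZE):
    """Chance that one uniformly random choice of m images out of n is exactly
    the portfolio: 1 / C(n, m).  Derived here assuming the attacker knows m."""
    return 1 / math.comb(n, m)


if __name__ == "__main__":
    seed = b"constructed-account-seed"
    challenge = make_challenge(seed)
    print("challenge:", challenge)
    print("login ok:", Account(seed).login(challenge, portfolio_from_seed(seed)))
    print("brute-force success per attempt:", guess_probability())
```

The lockout counter is what makes the 1 / C(n, m) figure meaningful: without a bound on unsuccessful logins an attacker simply keeps guessing, which is why slide 9 lists tightening that bound as a countermeasure.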

  10. Sample Applications
  • Customer authentication at an ATM
    • Avoids writing the PIN on the ATM card.
    • Portfolio selection and training can be done in a secure environment at the bank.
    • A one-time PIN bootstraps the system.
  • Web authentication
    • Users often use the same username and password for different purposes.
    • Users often forget their passwords.
    • Déjà Vu is well suited, because the recovery rate is lower than with passwords.

  11. User Study
  • Task completion time and error rate.

  12. Conclusion
  • The system has the advantage that the authentication task is more reliable, easier and fun to use.
  • It prevents users from choosing weak passwords and from writing passwords down.
  • It has potential applications, especially where text input is hard, such as PDAs or ATMs.
  • The authentication scheme takes advantage of innate human abilities.

  13. Random Art
  • A proposed hash visualization algorithm.
  • The basic idea is to use a binary string s as the seed for a random number generator.
  • Random Art is an algorithm that, given a bit-string as input, generates a function F: [-1,1]^2 -> [-1,1]^3, which defines an image.
  • F maps each pixel (x, y) to an RGB value (r, g, b), a triple of intensities for the red, green and blue channels, respectively.
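To make the seed-to-function idea concrete, here is an added hash-visualization generator in the spirit of slide 13; it is not the paper's Random Art implementation. The bit-string seeds a PRNG, the PRNG grows a random expression tree over (x, y), and the three trees together are F: [-1,1]^2 -> [-1,1]^3. The grammar (sin, cos, average, product) is an assumption chosen so that every node maps [-1,1] inputs back into [-1,1]; the real Random Art grammar is richer. The `render` and `to_ppm` helpers and the sample seed are constructed for this example.

```python
"""Added example (not the paper's Random Art code): a small hash-visualization
generator.  A seed drives a PRNG that builds random expression trees; the
trees form F: [-1,1]^2 -> [-1,1]^3, which defines an image.  The operator set
is an assumption picked so every value stays within [-1, 1]."""
import hashlib
import math
import random


def generate(seed, depth=6):
    """Build F from the seed: three expression trees, one per colour channel.
    The same seed always yields the same F, so only the seed needs storing."""
    rng = random.Random(int.from_bytes(hashlib.sha256(seed).digest(), "big"))
    return tuple(_build(rng, depth) for _ in range(3))


def _build(rng, depth):
    """Recursively grow one expression tree as nested tuples."""
    if depth <= 0 or rng.random() < 0.15:
        return rng.choice([("x",), ("y",), ("const", rng.uniform(-1.0, 1.0))])
    op = rng.choice(["sin", "cos", "avg", "mul"])
    if op in ("sin", "cos"):
        return (op, _build(rng, depth - 1))
    return (op, _build(rng, depth - 1), _build(rng, depth - 1))


def evaluate(node, x, y):
    """Evaluate one tree at (x, y); each operator keeps [-1,1] inputs in [-1,1]."""
    op = node[0]
    if op == "x":
        return x
    if op == "y":
        return y
    if op == "const":
        return node[1]
    if op == "sin":
        return math.sin(math.pi * evaluate(node[1], x, y))
    if op == "cos":
        return math.cos(math.pi * evaluate(node[1], x, y))
    if op == "avg":
        return (evaluate(node[1], x, y) + evaluate(node[2], x, y)) / 2
    if op == "mul":
        return evaluate(node[1], x, y) * evaluate(node[2], x, y)
    raise ValueError("unknown operator %r" % op)


def pixel(F, x, y):
    """F(x, y) -> (r, g, b), each intensity in [-1, 1]."""
    return tuple(evaluate(tree, x, y) for tree in F)


def render(seed, size=32, depth=6):
    """Sample F on a size x size grid over [-1,1]^2 (size >= 2) and scale each
    intensity from [-1, 1] to an 8-bit value."""
    F = generate(seed, depth)
    rows = []
    for j in range(size):
        y = -1.0 + 2.0 * j / (size - 1)
        row = []
        for i in range(size):
            x = -1.0 + 2.0 * i / (size - 1)
            row.append(tuple(int(round((c + 1.0) * 127.5)) for c in pixel(F, x, y)))
        rows.append(row)
    return rows


def to_ppm(rows):
    """Serialize the raster as a binary PPM (P6) image that most viewers open."""
    height, width = len(rows), len(rows[0])
    header = ("P6\n%d %d\n255\n" % (width, height)).encode()
    body = bytes(v for row in rows for px in row for v in px)
    return header + body


if __name__ == "__main__":
    seed = b"constructed-seed-bits"  # constructed sample input
    with open("random_art_example.ppm", "wb") as f:
        f.write(to_ppm(render(seed)))
```

Because `generate` is deterministic in the seed, a server that keeps only the seed can recreate the portfolio image on demand, which is the property slide 7 relies on when it says the server needs to store nothing but the seed.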

  14. Random Art
