
The quest to replace passwords

The quest to replace passwords. Evangelos Markatos. Based on a paper by Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano. What is the problem? Passwords have been around for too long. Originally developed for time-sharing systems with 10-100 users and no Internet.


Presentation Transcript


  1. The quest to replace passwords Evangelos Markatos Based on a paper by Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, and Frank Stajano

  2. What is the problem • Passwords have been around for too long • Originally developed for time-sharing systems • 10-100 users – no Internet • We need to replace them • Why? • Easy to break (most common password: 12345678) • Difficult to remember • esp. if you have several of them • Easy to lose • Phishing

  3. What to do? • Replace passwords • With what? • Biometrics (fingerprints) • Iris scanners, fingerprint scanners • Graphics passwords • If you can not say it, DRAW it • Cognitive passwords • Point-and-click passwords • One Time Passwords • Electronic OTPs, paper copies, etc.

  4. A survey • This paper is a survey • Surveys all password categories • Explains • Advantages • Disadvantages • Compares them • Three dimensions: • Usability • Deployability • Security

  5. Usability • Do you need to remember something? • Scalable? • What if you have 10’s – 100’s of accounts? • Do you need to carry anything? • Easy to learn? • Efficient to use? • What happens if it is lost?

  6. Deployability • What is the cost per user? • Is it compatible • with current servers? • With current browsers? • Is it mature? • Is it proprietary?

  7. Security • What if the attacker is looking over your shoulder? • Is it resilient to random guessing? • Throttled – unthrottled • Resilient to internal observation? • Keyboard loggers? • Resilient to leaks? • Resilient to phishing?

  8. Encrypted Password Managers: Mozilla • What is it? • Firefox offers to remember all your passwords • One-time overhead to set it up • Never type a password again! • Firefox remembers it • What if I have two devices? • Firefox can sync everything in the cloud  • What if I access the web from an Internet Café? • Do I want to sync all my passwords with the Café’s browser? 

  9. Single sign on! • Use one password to log in everywhere • Single sign on • Great idea! • Is it easier than passwords? • Yes  • Easier Deployment as well! • Is it safer than passwords? • Not really… • See next paper as well

  10. Graphical passwords • People are better at remembering images • Rather than words! • Draw your password! • Well, actually • Draw lines, or • Choose points in an image • Sounds simple… • What if you have lots of passwords? • Lots of drawings…. 

  11. Cognitive authentication • Do not send your password to the server • What? • Just prove to the server that you know it • Why? • No phisher will be able to find it! • No man-in-the-middle will be able to intercept it

  12. Cognitive authentication II • How do you prove that you know the password? • Say that the password is 10,33,52,74 • The server sends you a vector v[0:100] • You reply with the contents of • v[10], v[33], v[52], v[74] • Each time you want to log in you get a different vector • Each time you reply with different numbers • You always send v[10], v[33], v[52], v[74] • Example: • If v[i] == i, you send 10, 33, 52, 74 • If v[i] == i+1, you send 11, 34, 53, 75

  13. Cognitive authentication III • Resistant to monitoring • No password is being sent • Each time a different “proof” of password knowledge is being sent • Resistant to guessing? • Not really 
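The challenge-response exchange from slides 11-13, written out as an added example (this is not code from the slides or from the surveyed paper). It assumes, as the slides do not say, that the server fills v[0:100] with digits 0-9 and that the secret is an ordered tuple of positions. `guess_success_probability` makes the slide-13 point concrete: a blind guess only has to hit the reply, so the odds depend on the reply alphabet and length, not on the 100 positions. `narrow_candidates` measures what an eavesdropper learns from observed (challenge, response) pairs, which is why the choice of alphabet matters.

```python
import secrets

# Assumptions (not from the slides): challenge values are digits 0-9, the
# vector has 100 positions, and the secret is an ordered tuple of positions.
VECTOR_LEN = 100
ALPHABET = 10
SECRET = (10, 33, 52, 74)          # the slides' example secret


def make_challenge(n=VECTOR_LEN, alphabet=ALPHABET):
    """Server side: a fresh random vector v[0:n] for every login attempt."""
    return [secrets.randbelow(alphabet) for _ in range(n)]


def respond(secret, challenge):
    """Client side: reply with v[s] for each secret position s, in order.
    The positions themselves never leave the client."""
    return [challenge[s] for s in secret]


def verify(secret, challenge, response):
    """Server side: recompute the expected reply and compare.  The challenge
    is single-use, so a correct reply cannot be replayed later."""
    return response == respond(secret, challenge)


def guess_success_probability(secret_len=len(SECRET), alphabet=ALPHABET):
    """Probability that one blind guess of the reply is accepted.  It depends
    only on the reply alphabet and length: 10^-4 here, whatever the vector size.
    Without throttling, an attacker simply keeps trying."""
    return alphabet ** -secret_len


def narrow_candidates(transcripts, n=VECTOR_LEN, secret_len=len(SECRET)):
    """What an eavesdropper who sees (challenge, response) pairs can deduce:
    for each reply slot, the positions still consistent with every observed
    pair.  A singleton set means that secret position is now known."""
    candidates = [set(range(n)) for _ in range(secret_len)]
    for challenge, response in transcripts:
        for slot, value in enumerate(response):
            candidates[slot] &= {i for i, x in enumerate(challenge) if x == value}
    return candidates


def login_roundtrip(secret=SECRET):
    """One full exchange with a random challenge; returns (accepted, transcript)."""
    challenge = make_challenge()
    response = respond(secret, challenge)
    return verify(secret, challenge, response), (challenge, response)


if __name__ == "__main__":
    ok, transcript = login_roundtrip()
    print("login accepted:", ok)
    print("blind-guess success per attempt:", guess_success_probability())
    print("candidates per slot after one observed login:",
          [len(c) for c in narrow_candidates([transcript])])
```

With the slide's illustrative vectors (v[i] == i or v[i] == i+1) every value occurs exactly once, so a single observed login pins down all four positions; with a 10-symbol alphabet each observed login leaves about 10 candidates per slot, and the sets keep shrinking with every further login the attacker watches. That is the trade-off cognitive schemes live with: a small alphabet for observation resistance, and therefore a small reply space for guessing resistance.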

  14. Paper Token • Write (one-time) passwords on a piece of paper • The server asks for the password • And something written on the paper • (something you have and something you know) • Difficult to deploy • Need to send the papers to users • What if you have many accounts?  • What if someone steals/copies the paper? 

  15. Hardware tokens • OTPs • One-time passwords • Little devices • Press a button • Get an OTP • The server asks for • The regular password • The OTP • (something you know and something you have) • In 2011 RSA’s SecurID seed records were stolen in a breach • The tokens had to be replaced
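Slides 14 and 15 describe the same mechanism in two packagings: a sequence of one-time codes derived from a per-user seed, either printed on paper or computed by a button-press device. The added example below (not code from the slides, and not RSA's SecurID algorithm, which is proprietary) uses HOTP from RFC 4226 as the counter-based generator; the seed is the RFC's published test-vector secret, chosen so the outputs can be checked against the standard. It shows the paper-token sheet, a server-side verifier that tolerates skipped codes but rejects replays, and why a stolen seed forces a token replacement.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the RFC 4226 test-vector secret, not a real token's seed.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, reduce mod 10^digits, zero-pad to `digits`."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return f"{code:0{digits}d}"


def paper_token_sheet(seed: bytes, count: int, start: int = 0):
    """The paper-token variant of slide 14: precompute a numbered list of
    codes to print and hand to the user.  Whoever copies the sheet, or the
    seed it was printed from, holds every code on it."""
    return [(c, hotp(seed, c)) for c in range(start, start + count)]


class OtpVerifier:
    """Server side.  Keeps the seed and the last counter accepted.  A small
    look-ahead window absorbs button presses that never reached the server,
    but a counter at or below the last accepted one is never accepted again,
    so a code captured by a keylogger or phisher cannot be replayed."""

    def __init__(self, seed: bytes, window: int = 5):
        self.seed = seed
        self.window = window
        self.last_counter = -1

    def check(self, candidate: str) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.seed, c), candidate):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    server = OtpVerifier(DEMO_SEED)
    for counter, code in paper_token_sheet(DEMO_SEED, 3):
        print(counter, code, "accepted" if server.check(code) else "rejected")
    # Anyone holding a copy of the seed (the slide's 2011 RSA scenario) runs
    # the same function and produces the next valid code:
    attacker_code = hotp(DEMO_SEED, 3)
    print("attacker's code accepted:", server.check(attacker_code))
```

The OTP is normally sent alongside the regular password (something you have plus something you know), so seed theft alone is not a login; but it removes the second factor entirely, which is why the remedy is re-seeding or replacing the tokens rather than rotating passwords.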

  16. Biometrics • Fingerprint scanners • Iris scanners • Great! • Fingerprint scanners • Can be spoofed  • Fingerprints can be lifted from glass surfaces • Costly ($$$) • Fingerprint readers have a cost

  17. Mobile phone based • Use two devices to authenticate • the computer (as usual) • The mobile phone • Flow chart: • User selects site on mobile phone • Mobile phone talks to the web browser on the computer • Mobile phone authenticates with the bank • The browser authenticates with the bank • The attacker • Needs both the passwords and the mobile phone

  18. Mobile phone based II • Security  • Although if there is malware both on the phone and the computer … • Deployability  • Usability  • Can be used for a subset of sites • E.g. banks

  19. What if the computer is compromised? • What if you use a public terminal? • Would you give it your password? • Could keyboard loggers steal it?  • Solution: • SSO + paper OTP + proxy • There is a proxy between the client and the server • The proxy has all passwords • The proxy gives the user a set of OTPs • The OTPs are in a piece of paper that the user has

  20. What if the computer is compromised? II • Flowchart • The user asks the proxy to authenticate her to a web server • The proxy asks for the OTP • The proxy authenticates the user to the web server • + it works • - deployment …. 

  21. Conclusion • No method is perfect • No method is clearly better than passwords • Along all three dimensions • Several methods complement/strengthen passwords • Passwords may be around for a few more years…
