Authentication for Humans

Rachna Dhamija
SIMS, UC Berkeley
rachna@sims.berkeley.edu
DIMACS Workshop on Usable
Privacy and Security Software
July 7, 2004
Talk Outline
• Machines Authenticating Users
– Déjà Vu User Study: Using Images for Authentication
• Users Authenticating Remote Servers
– Interfaces for website authentication
Password Usability and Security
• Simple and meaningful passwords
– Memorable, but easier to guess
• Complex passwords
– Strong, but hard to remember
• Advantages of passwords
– Cheap and easy to implement
– We develop muscle memory
Previous Solutions
• Stronger password hashing & storage
• Proactive password cracking
• Enforce system policies
• Better user education and training
– Significant non-compliance rate by users
We try to address the fundamental problem:
Recall is hard
Picture recognition is easier
• Humans have a vast memory for pictures
– 2560 photos for a few seconds: 90% recognition
[Standing, Conezio, Haber]
– 10,000 photos: 66% recognition after 2 days [Standing]
– 200 random photos: >90% after 1-3 months
[Weinshall/Kirkpatrick, CHI 2004]
• A fraction of a second is enough to remember
• Picture recognition is easier than verbal recognition
• Picture recognition is easier than picture recall
– Harder to recall semantics or to redraw a picture
– But picture recall is better than verbal recall
Déjà Vu Design Goals
• Base security on human strengths
– Recognition over recall
• Prevent weak passwords
• Prevent password sharing
• No biometrics or tokens
Authentication through Images
• Choose image portfolio
• Challenge set = portfolio + decoys
• Photos and Random Art
Random Art
Algorithm:
seed -> pseudo-random number generator -> random expression tree maps pixels to RGB -> random art
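The pipeline above, written out as an added example (not code from the talk or from the original Random Art implementation). The expression grammar, `MAX_DEPTH` and the function names are my assumptions; the point it shows is the one the slide makes: the seed is the only state needed, because the same seed always regenerates the same pseudo-random expression trees and therefore the same picture.

```python
import math
import random

# Hypothetical expression grammar (an assumption, not the grammar used by the
# talk's Random Art implementation). Every operator maps [-1, 1] inputs to a
# [-1, 1] output, so any tree built from it yields a value we can scale to 0..255.
#   expr := x | y | sin(pi*expr) | cos(pi*expr) | avg(expr, expr) | mul(expr, expr)
MAX_DEPTH = 6


def build_tree(rng, depth=0):
    """Grow a random expression tree from the seeded generator `rng`."""
    # Stop at the depth limit, or randomly once the tree has some structure.
    if depth >= MAX_DEPTH or (depth > 1 and rng.random() < 0.3):
        return rng.choice(["x", "y"])
    op = rng.choice(["sin", "cos", "avg", "mul"])
    if op in ("sin", "cos"):
        return (op, build_tree(rng, depth + 1))
    return (op, build_tree(rng, depth + 1), build_tree(rng, depth + 1))


def evaluate(node, x, y):
    """Evaluate the tree at normalised pixel coordinates x, y in [-1, 1]."""
    if node == "x":
        return x
    if node == "y":
        return y
    op = node[0]
    if op == "sin":
        return math.sin(math.pi * evaluate(node[1], x, y))
    if op == "cos":
        return math.cos(math.pi * evaluate(node[1], x, y))
    a = evaluate(node[1], x, y)
    b = evaluate(node[2], x, y)
    return (a + b) / 2 if op == "avg" else a * b


def to_byte(value):
    """Map a value in [-1, 1] onto a 0..255 colour channel."""
    return int(round((value + 1) * 127.5))


def render(seed, width=32, height=32):
    """Deterministically render the image for `seed` as rows of (r, g, b) tuples.

    The same seed always yields the same three trees and hence the same picture,
    so a server only needs to store seeds, never the images themselves.
    """
    rng = random.Random(seed)
    trees = [build_tree(rng) for _ in range(3)]  # one tree per colour channel
    rows = []
    for j in range(height):
        y = 2 * j / max(height - 1, 1) - 1
        row = []
        for i in range(width):
            x = 2 * i / max(width - 1, 1) - 1
            row.append(tuple(to_byte(evaluate(t, x, y)) for t in trees))
        rows.append(row)
    return rows


def to_ppm(rows):
    """Serialise rendered rows as a plain-text PPM (P3) image for viewing."""
    height, width = len(rows), len(rows[0])
    lines = ["P3", f"{width} {height}", "255"]
    for row in rows:
        lines.append(" ".join(f"{r} {g} {b}" for r, g, b in row))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Write one portfolio image; change the seed for a different picture.
    with open("random_art_1234.ppm", "w") as fh:
        fh.write(to_ppm(render(1234, 64, 64)))
```

Run it and open the `.ppm` in any image viewer; rendering the same seed twice gives byte-identical output, which is what lets a login screen rebuild a user's portfolio from stored seeds.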
Choose Image Portfolio
Portfolio Training
Challenge
Portfolio Creation Screen
Login Screen
Attacks
• Brute Force
– optimal portfolio and challenge-set sizes depend on the security required
– 5 image portfolio/25 challenge set = 53,130 combinations
• Measures against shoulder surfers:
– hide image selection
– distort images
• Measures against Intersection Attack:
– Always show same challenge set
– Multi-stage authentication
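An added simulation (not code from the talk) of the two points above: the brute-force guess space C(25, 5) = 53,130 for the talk's sizes, and why the "always show the same challenge set" measure matters. The pool, portfolio and challenge sizes (100, 5, 25) are from the experiment design; the function names and the seeded simulation are my own. The weak variant draws fresh decoys on every login, so an observer who saw several login screens can intersect them and be left with only the constant part, the portfolio; the fixed variant picks the decoys once at enrolment, so the intersection never shrinks below the full 25-image challenge.

```python
import random
from math import comb

# Parameters from the talk: portfolio chosen from 100 candidate images,
# login challenge of 25 images = the 5 portfolio images plus 20 decoys.
POOL_SIZE = 100
PORTFOLIO_SIZE = 5
CHALLENGE_SIZE = 25


def guess_space(challenge_size=CHALLENGE_SIZE, portfolio_size=PORTFOLIO_SIZE):
    """Guesses needed to exhaust one challenge: C(25, 5) = 53,130 for the talk's sizes."""
    return comb(challenge_size, portfolio_size)


def create_portfolio(rng, pool_size=POOL_SIZE, size=PORTFOLIO_SIZE):
    """Enrolment: the user's portfolio is `size` images drawn from the pool."""
    return frozenset(rng.sample(range(pool_size), size))


def fresh_decoys(rng, portfolio, pool_size=POOL_SIZE, size=CHALLENGE_SIZE):
    """Draw a new decoy set that does not overlap the portfolio."""
    candidates = [img for img in range(pool_size) if img not in portfolio]
    return frozenset(rng.sample(candidates, size - len(portfolio)))


def challenge(rng, portfolio, decoys):
    """Login screen: portfolio + decoys, displayed in a fresh random order."""
    images = list(portfolio | decoys)
    rng.shuffle(images)
    return images


def verify(portfolio, selection):
    """Login succeeds only if the user picks exactly the portfolio images."""
    return frozenset(selection) == portfolio


def observed_intersection(challenges):
    """What someone who saw several challenge screens can learn by intersecting them."""
    common = set(challenges[0])
    for shown in challenges[1:]:
        common &= set(shown)
    return common


def simulate(seed, logins=15, fixed_decoys=True):
    """Run `logins` logins; return the portfolio and the intersection an observer ends up with."""
    rng = random.Random(seed)
    portfolio = create_portfolio(rng)
    # Mitigation from the talk: pick the decoy set once at enrolment and reuse it.
    enrolment_decoys = fresh_decoys(rng, portfolio)
    seen = []
    for _ in range(logins):
        # Weak design (fixed_decoys=False): new decoys every login, so only the
        # portfolio stays constant from screen to screen.
        decoys = enrolment_decoys if fixed_decoys else fresh_decoys(rng, portfolio)
        shown = challenge(rng, portfolio, decoys)
        assert verify(portfolio, [img for img in shown if img in portfolio])
        seen.append(shown)
    return portfolio, observed_intersection(seen)


if __name__ == "__main__":
    print("brute-force guesses per challenge:", guess_space())
    for fixed in (False, True):
        portfolio, common = simulate(seed=1, fixed_decoys=fixed)
        print(f"fixed decoys={fixed}: observer narrows {CHALLENGE_SIZE} images to {len(common)}")
```

With fresh decoys the intersection collapses to the 5 portfolio images within a handful of observed logins; with a fixed challenge set it stays at 25, which is exactly the guess space `guess_space()` reports. The multi-stage variant from the slide is not modelled here.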
Experiment Design
• Target population = general computer users
– 20 participants (11 males + 9 females, expert/novice)

Initialization              Login
PIN (4 digits)              PIN
Password (6 char.)          Password
Art portfolio (5/100)       Art (5/25)
Photo portfolio (5/100)     Photo (5/25)

• Repeat login after one week
• Task order randomized
• Portfolio creation: same images but random order
• Portfolio login: random images and random order
Task Completion Time
[Chart: time in seconds (0 to 70) for PIN, Password, Art and Photo across Create, Login session 1 and Login session 2.]
Unlimited time & attempts
Does not include failed logins
Error Rate
[Chart: number of failed logins (0 to 8) for PIN, Password, Art and Photo in Session 1 and Session 2.]
Session 1: no unrecoverable errors made with portfolios
Session 2: significantly fewer failed logins with portfolios
(all users remembered 4/5 images on first attempt)
More Results
• It's easier than it looks
• Text vs. image portfolios
– Passwords/PINs faster to create & login
– Users reported that photos were easier than PINs
– More users forgot their user names than portfolios!
• Art vs. photos
– Photos easier to remember, but easier to guess
  • Gender, race, interests were a factor in choice
– People choose similar photos; art is individual
– Art descriptions vary, hard to describe
  • How hard are they to communicate? Spouse-proof?
Conclusions in this study
• Recognition-based authentication
– More reliable long term than passwords, PINs
– Easier, more pleasant to use
– Random Art portfolios are harder to predict than passwords or real images
• Applications
– Where text input is hard, limited observation
(e.g., ATM, PDA, pen-based devices)
– Infrequently used high availability passwords
Future Work
• Long term studies
– Frequency of use
– Multiple portfolios and changes
– Portfolio communication & prediction study
– Cued recall of text passwords
• Image Generation & Distortion
– Image generation and distortion techniques
– What is the space of images that are distinguishable and memorable?
• Strengthen against attack, improve login times, allow non-perfect probabilistic recognition
Talk Outline
• Machines Authenticating Users
– Déjà Vu User Study
• Users Authenticating Remote Servers
– Interfaces for website authentication
Challenge