Who Are You?! Adventures in Authentication

Even with years of research into new authentication technologies, passwords still dominate the authentication landscape. This is due primarily to a combination of security, deployability, and usability that has been difficult to match. While password alternatives exist, their lack of widespread adoption indicates that for the foreseeable future passwords are here to stay.

Our research goal is to strengthen, not replace, password-based authentication. We focus on two serious problems with password-based authentication. First, poor security practices at the web servers leads to stolen password files that are easily compromised using an offline attack. Second, passwords are too easily stolen via phishing attacks.

Both of these problems arise because for the vast majority of authentication flows, servers require users to provide their plaintext passwords. In the case of a legitimate server receiving this password, the user must blindly trust that the server correctly salts and hashes the password. Experience, though, has shown that many websites do not follow proper password storage. Moreover, there is a disconnect between perceived best practices for password storage and actual best practices.

Even if websites were to safely store users' passwords, users would still be at risk to phishing attacks. Phishers impersonate legitimate websites in order to trick users into sending their authentication credentials to the phishing website. The problem of phishing is only compounded by password reuse, allowing a single stolen password to potentially compromise many of the user's sites.

In this paper, we describe two methods for strengthening existing password-based authentication: strong password protocols and safe password entry.

In this position paper, we present a new mechanism for contextdependent user authentication. We propose an approach in which the type of authentication (single/two factor, two-step, etc.) and the choice of the authentication mechanisms (algorithms/protocols used) vary dynamically, depending on contextual information.

Over the last several decades, it has become increasingly important to secure data via end-to-end encryption. The Internet has evolved to provide security for connections, primarily using TLS (or SSL), but generally fails to provide true end-to-end encryption. While TLS and similar protocols encrypt data during transit, data at rest is often unprotected, residing in storage on a client or server machine in plaintext. Data in this state are susceptible to honest-but-curious service providers, hackers, physical theft, and coercive governments.

Generic public-key cryptography provides powerful mechanisms to enable end-to-end encryption, but providing good usability for these mechanisms is a challenging task for novice users|leading to the decades-long situation where "Johnny can't encrypt". The primary problems center on user-to-user authentication { authenticating users to each other by associating their identities with public keys. We have made signicant progress authenticating web sites to users (via X509 certicates and associated authorities) and authenticating users to web sites (with passwords). Each of these have their challenges, but have at least been widely deployed. Authenticating users to one another, however, has seen relatively little adoption. Usable mechanisms for personal key management, key distribution, and key authentication are still largely open issues.

There is strong support for single sign-on, using methods such as Facebook, Google, or Amazon for providing third-party sign-on to websites. While it is practical to the user, it carries a large risk: a compromise of the account credentials can lead to a severe impact on the websites the user authenticates to, and unwanted linkages between intentionally separated social roles, or personas. Moreover, we increasingly use mobile devices and theft of a device carrying credentials could have dire consequences, potentially based on different perceptions of risk. Our perceptions of risk we may assign to each world we authenticate to may be different and very individual, and that separation may be indeed necessary, albeit cumbersome.

The use of Emojis has been proposed for use in mobile authentication. Emojis are small icons, e.g., smileys or objects, that are often used in digital communication to express emotions. Our interest lies in better understanding the implications of Emoji-based passwords. Can they potentially enhance the user experience of knowledge-based authentication or is their use just a gimmick? In the following, we reflect on the implications of using Emojis to create a positive mobile authentication experience for users. We further present the results of a user study for which we developed a study artifact named EmojiAuth.

Given the fact that personal mobile devices provide access to and/or store a great deal of personal and sensitive data, including passwords, contacts, les, emails, etc., it is not surprising that unauthorized access to the device is one of the highest security risks for smartphone users. To protect such data and services from unauthorized access, some smartphone users lock their phones using PIN, password, biometrics and DAP (\draw a pattern"). Yet, others don't, risking the data and online services accessible through their devices, mainly because of the inconvenience of unlocking, lack of motivation and awareness. One way to improve user behaviour is to oer them more usable unlocking mechanisms, without sacrificing the security. It remains an open problem, however, how to optimize both security and usability for smartphone unlocking mechanisms. Thus, it is important for researchers to understand the interplay between security and usability of unlocking mechanisms in situ. To this end, we are preparing a longitudinal eld study, in the course of which our monitoring app installed on the participants' Android smartphones will collect detailed relevant data.

Android's graphical password scheme (sometimes referred to as the "password pattern") is perhaps the most widely used and most studied graphical password system to date. With its launch, Android's only authentication/unlock mechanism was the graphical password; however, other authentication systems are allowed today, such as PINs and text-based passwords. Despite the added authentication choices, the graphical password option remains a very popular choice among Android users.

The graphical password system requires users to select and recall a "pattern" drawn over a 3x3 grid of contact points, connecting between 4 and 9 contact points, without repetition. There are 392,112 possible password, which provide more choices than a 4-digit PIN (10,000); however, like all password systems, users do not choose uniformly from the set of available passwords. Recent studies have shown that the guessability strength of user-generated password patterns is on the order of a random 3-digit PIN and provides weaker security than one might expect.