Transcript slides
Use Your Illusion: Secure Authentication Usable Anywhere
Eiji Hayashi, Nicolas Christin, Rachna Dhamija, Adrian Perrig
Carnegie Mellon CyLab Japan

Key Concept: Distortion
[Figure: Distorted Picture, Original Picture]
You can recognize a baby now because you know the original picture

Use Your Illusion

Graphical Authentication
• Passfaces
• Pass Points
• DAS (Draw-A-Secret)
• Déjà vu

Passfaces
• Faces are used as a graphical portfolio
• Preference could be a limitation
Cited from “On User Choice in Graphical Password Schemes”, Darren Davis et al., 2004

Pass Points
• Use “a sequence of clicks” as a shared secret
• There are hot spots
Cited from “Authentication Using Graphical Passwords: Basic Results”, Susan Wiedenbeck et al., 2004

Most Straightforward Way
• Choose graphical portfolio from a set of pictures

Graphical Portfolio
• If a user can choose whatever graphical portfolio…
• If system assigns portfolio randomly…
[Diagram: Security, Fundamental Tradeoff, Memorability]

“Use Your Illusion”
1. Allow users to take/choose pictures by themselves
2. Distort the pictures
3. Assign the distorted pictures as graphical portfolio

“Use Your Illusion”
1. Allow users to take/choose pictures by themselves
2. Distort the pictures
3. Assign the distorted pictures as graphical token
[Diagram labels: Security, Memorability]

Requirements for Distortion
• One-way
• Discarding precise shapes and colors
• Preserving rough shapes and colors

Oil Painting Filter
• Choose RGB values which appear most frequently in a neighborhood
[Figure: histogram]

Oil Painting Filter

Distortion Level
• If high, difficult to guess but difficult to memorize
• If low, easy to memorize but easy to guess

Distortion Level
• Two parameters affect distortion level
– If too high, not usable
– If too low, not secure
[Diagram labels: Security, Memorability]

Low-Fidelity Test
[Figure sequence: pictures from least distorted to most distorted, with captions]
• It’s a dog!!
• Difficult to guess w/o knowing original picture
• Can’t recognize a dog
• Easy to recognize w/ knowing original picture
• Satisfies requirements

Prototype
• Implemented on Nokia’s cell-phone for usability test
• Also implemented on the web

Prototype Demo

Usability Test
• 45 participants for 1 week
• 54 participants for 4 weeks

1st Usability Test
• 45 participants were divided into 3 groups
– Self-selected, Non-distorted
– Self-selected, Distorted (Use Your Illusion)
– Imposed, Highly-distorted
[Figure: Self-selected, Non-distorted; Self-selected, Distorted; Imposed, Highly-distorted]

Procedure
Date                  Task
Before the 1st day    Take 3 pictures
The 1st day           Memorize portfolio, Practice, Authenticate
2 days after          Authenticate
1 week after          Authenticate, Fill out questionnaires

Success Rate
                               The 1st day   2 days after   1 week after
Self-selected, Non-distorted   100% (15)     100% (15)      100% (15)
Self-selected, Distorted       100% (15)     100% (15)      100% (15)
Imposed, Highly-distorted      93.3% (14)    73.3% (11)     73.3% (11)

Authentication Time (Mean)
[Figure: Imposed, Highly-distorted; Self-selected, Distorted; Self-selected, Non-distorted]

Process of Memorization
• Participants assign meanings to distorted pictures
• Assigning meanings helps memorization
[Figure labels: Mountain, Sea, Moai statue]

2nd Usability Test
• 54 participants were divided into 3 groups
– Self-selected, Non-distorted
– Self-selected, Distorted
– Imposed, Distorted
• Authenticate
– On the 1st day
– 2 days after
– 1 week after
– 4 weeks after
[Figure: Imposed, Distorted]

Success Rate
                               The 1st day   2 days after   1 week after   4 weeks after
Self-selected, Non-distorted   100% (18)     100% (18)      100% (18)      100% (18)
Self-selected, Distorted       100% (18)     100% (18)      100% (18)      100% (18)
Imposed, Distorted             100% (18)     89% (16)       94% (17)       89% (16)

Authentication Time (Mean)
[Figure: Self-selected, Distorted; Imposed, Distorted; Self-selected, Non-distorted]

Tolerance against Guessing Attack
• Original pictures are vulnerable
• Distorted pictures are more tolerant

Future Work
• Detailed usability test
• Long term test
• Find an optimal distortion
• Investigate a metric evaluating distortion level

Use Your Illusion
• Use distorted pictures as a portfolio
• As memorable as non-distorted pictures
• More memorable than imposed (highly-) distorted pictures
• Fits human memorization process
• More tolerant to guessing attack

Thank you for listening
Prototype is available on http://arima.okoze.net/illusion/
Please try it!
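
The "Oil Painting Filter" and "Requirements for Distortion" slides, sketched as an added example (not the authors' prototype code): each pixel is quantised and replaced by the most frequent colour in its neighbourhood, so different originals can collapse to the same distorted picture. The parameter names `radius` and `levels`, the helper names and the 6x6 sample picture are assumptions; the slides do not name the two distortion parameters.

```python
from collections import Counter

def oil_paint(img, radius=1, levels=4):
    """Oil-painting filter over rows of (r, g, b) tuples with 0-255 channels.

    radius (neighbourhood size) and levels (colour buckets per channel) are
    assumed names for the two distortion parameters.
    """
    h, w = len(img), len(img[0])
    step = 256 // levels
    # Quantise every channel to its bucket centre: precise colours are discarded.
    quant = [[tuple((c * levels // 256) * step + step // 2 for c in px)
              for px in row] for row in img]
    out = []
    for y in range(h):
        row = []
        for x in range(w):
            # Quantised colours in the (2*radius+1)^2 window, clipped at borders.
            window = [quant[j][i]
                      for j in range(max(0, y - radius), min(h, y + radius + 1))
                      for i in range(max(0, x - radius), min(w, x + radius + 1))]
            counts = Counter(window)
            top = max(counts.values())
            # Most frequent colour wins; ties go to the smallest tuple so the
            # result is deterministic.
            row.append(min(c for c, n in counts.items() if n == top))
        out.append(row)
    return out

def make_sample(speckle):
    """Constructed 6x6 picture: dark left half, bright right half."""
    img = [[(30 + x, 20, 10) if x < 3 else (200, 210 + y, 220)
            for x in range(6)] for y in range(6)]
    if speckle:
        img[2][1] = (250, 250, 250)  # one-pixel fine detail
    return img

def distinct_colours(img):
    return len({px for row in img for px in row})

if __name__ == "__main__":
    a, b = make_sample(True), make_sample(False)
    # Different originals, identical distorted picture: the detail is gone.
    print(a != b, oil_paint(a) == oil_paint(b))
    print(distinct_colours(b), "->", distinct_colours(oil_paint(b)))
```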