Archive for the 'Authentication' Category

1 + 1 = You: Measuring the comprehensibility of metaphors for configuring backup authentication

Thursday, July 16th, 2009

http://cups.cs.cmu.edu/soups/2009/proceedings/a9-schechter.pdf
Stuart Schechter and Robert Reeder
What to do when the user forgets their password?  A common method is to provide security questions.  Unfortunately, an initial analysis of the most commonly used security questions found that none were all that great, suffering from either poor memorability or poor security.  What about e-mail based recovery?  This doesn’t work [...]

Personal Choice and Challenge Questions: A Security and Usability Assessment

Thursday, July 16th, 2009

http://cups.cs.cmu.edu/soups/2009/proceedings/a8-just.pdf
Mike Just and David Aspinall
Challenge questions often serve as part of a password recovery mechanism, though they are sometimes included along with conventional authentication.  For a long time there was little research in this area, but some studies have emerged recently, generally concluding that challenge questions are neither very usable nor secure.
This study sought to [...]

Look into my Eyes! Can you guess my Password?

Thursday, July 16th, 2009

http://cups.cs.cmu.edu/soups/2009/proceedings/a7-deluca.pdf
Alexander De Luca, Martin Denzel and Heinrich Hussmann
Many password entry systems suffer from weakness against attacks where the attacker can view either the keyboard or screen.  The proposal is to use eye movements for password entry, building off the findings of EyePassword, Eye Gestures, and PassShapes.  The researchers implemented EyePassShapes, in which the user traces [...]

Invited Talk: Redirects to login pages are bad, or are they?

Thursday, July 16th, 2009

Speaker: Eric Sachs
Usability “experts” claim that websites should just ask a person for their login information instead.
Security “experts” claim that redirects promote phishing (and want to shoot the usability experts).
Turns out, sites prompting for a password is annoying!
Some % of users couldn’t immediately remember their password.  Another large group just found it annoying and indicated [...]

Universal Device Pairing using an Auxiliary Device

Thursday, July 24th, 2008

http://cups.cs.cmu.edu/soups/2008/proceedings/p56Saxena.pdf
This research explored how to bootstrap a secure communication channel between two wireless devices when they have no prior association and no trusted third party.  Examples are pairing a WLAN laptop to an access point, or a Bluetooth cellphone and headset.
The proposal is to use an Out-Of-Band channel between the devices created with human perceptible [...]

Use Your Illusion: Secure Authentication Usable Anywhere

Thursday, July 24th, 2008

http://cups.cs.cmu.edu/soups/2008/proceedings/p35Hayashi.pdf
This research proposes a graphic login system in which the presented images at login time are highly distorted versions of the images chosen at password creation time.  The user should be able to recognize the distorted version of the picture they originally chose.  That said, there is a trade-off in that as distortion increases the [...]

Usability of CAPTCHAs Or “usability issues in CAPTCHA design”

Thursday, July 24th, 2008

http://cups.cs.cmu.edu/soups/2008/proceedings/p44Yan.pdf
CAPTCHAs were originally invented at CMU.  The goal of a CAPTCHA is to allow humans through but block automated scripts.  They are now widely deployed as a method of preventing spam.
Text-based schemes typically require the user to complete a text recognition task.  Some sites offer a sound-based scheme, typically for accessibility reasons.  There have also [...]

Securing Passfaces for Description

Thursday, July 24th, 2008

http://cups.cs.cmu.edu/soups/2008/proceedings/p24Dunphy.pdf
Passfaces is a commercial graphical password system where the password is a sequence of face images.  This leverages the fact that humans are typically rather good at facial recognition.  Another motivation of Passfaces is supposedly that it is hard to write down your password to share, but are they?  Often a single-sentence description seems to [...]

Personal Knowledge Questions for Fallback Authentication

Thursday, July 24th, 2008

http://cups.cs.cmu.edu/soups/2008/proceedings/p13Rabkin.pdf
Security questions aren’t always bad…though they often are.  But, the bad news is, they are getting worse.  A secret security question asks for a secret fact.  A personal security question asks about something meaningful to the user, but that they are willing to share.  Unfortunately, if users are willing to share this information in one [...]

Improving Text Passwords Through Persuasion

Thursday, July 24th, 2008

http://cups.cs.cmu.edu/soups/2008/proceedings/p1Forget.pdf
The research explored a novel password selection strategy in which subjects would enter a password and have random characters shuffled in to add security to the password.  The researchers explored different methods of selecting and placing the characters.
The goal is not only to help users choose better passwords, but also to build off elements of [...]

Phishing and OpenID: Bookmarks to the Rescue?

Saturday, January 20th, 2007

OpenID, as currently used for single sign-on, facilitates phishing.
Using OpenID, you can establish an account at any identity provider you like, and then use it to log in to any OpenID-enabled website.  Unfortunately, the way it’s currently deployed, described, and demonstrated, OpenID makes users even more susceptible to phishing than they are without it.  [...]

An Idea: Upending the Password Strength Problem

Friday, July 14th, 2006

I had an idea yesterday evening inspired by Cynthia Kuo’s talk on phrase-based passwords.  Cynthia’s research started with a popular method for choosing memorable passwords and evaluated the strength of passwords created using that method.  And there was a questioner from the audience who noted that, whenever you popularize a particular formula for [...]