Stuart Schechter and Robert Reeder
What to do when the user forgets their password? A common method is to provide security questions. Unfortunately, an initial analysis of the most commonly used security questions found that none were all that great, suffering from either poor memorability or poor security. What about e-mail based recovery? This doesn’t work [...]
Archive for the 'Authentication' Category
Mike Just and David Aspinall
Challenge questions often serve as part of a password recovery mechanism, though they are sometimes included along with conventional authentication. For a long time there was little research in this area, but some studies have emerged recently, generally concluding that challenge questions are neither very usable nor secure.
This study sought to [...]
Alexander De Luca, Martin Denzel and Heinrich Hussmann
Many password entry systems are weak against attacks in which the attacker can view either the keyboard or the screen. The proposal is to use eye movements for password entry, building off the findings of EyePassword, Eye Gestures, and PassShapes. The researchers implemented EyePassShapes, in which the user traces [...]
Speaker: Eric Sachs
Usability “experts” claim that websites should just ask a person for their login information instead.
Security “experts” claim that redirects promote phishing (and want to shoot the usability experts).
Turns out, sites prompting for a password is annoying!
Some % of users couldn’t immediately remember their password. Another large group just found it annoying and indicated [...]
This research explored how to bootstrap a secure communication channel between two wireless devices when they have no prior association and no trusted third party. Examples are pairing a WLAN laptop to an access point, or a Bluetooth cellphone and headset.
The proposal is to use an Out-Of-Band channel between the devices created with human perceptible [...]
This research proposes a graphical login system in which the images presented at login time are highly distorted versions of the images chosen at password creation time. The user should be able to recognize the distorted version of the picture they originally chose. That said, there is a trade-off in that as distortion increases the [...]
CAPTCHAs were originally invented at CMU. The goal of a CAPTCHA is to allow humans through but block automated scripts. They are now widely deployed as a method of preventing spam.
Text-based schemes typically require the user to complete a text recognition task. Some sites offer a sound-based scheme, typically for accessibility reasons. There have also [...]
Passfaces is a commercial graphical password system in which the password is a sequence of face images. This leverages the fact that humans are typically rather good at facial recognition. Another supposed motivation for Passfaces is that such passwords are hard to write down and share, but are they? Often a single-sentence description seems to [...]
Security questions aren’t always bad…though they often are. But, the bad news is, they are getting worse. A secret security question asks for a secret fact. A personal security question asks about something meaningful to the user, but that they are willing to share. Unfortunately, if users are willing to share this information in one [...]
The research explored a novel password selection strategy in which subjects would enter a password and have random characters shuffled in to add security to the password. The researchers explored different methods of selecting and placing the characters.
The goal is not only to help users choose better passwords, but also to build off elements of [...]
OpenID, as currently used for single sign-on, facilitates phishing.
Using OpenID, you can establish an account at any identity provider you like, and then use it to log in to any OpenID-enabled website. Unfortunately, the way it’s currently deployed, described, and demonstrated, OpenID makes users even more susceptible to phishing than they are without it. [...]
I had an idea yesterday evening inspired by Cynthia Kuo’s talk on phrase-based passwords. Cynthia’s research started with a popular method for choosing memorable passwords and evaluated the strength of passwords created using that method. And there was a questioner from the audience who noted that, whenever you popularize a particular formula for [...]