http://cups.cs.cmu.edu/soups/2008/proceedings/p56Saxena.pdf
This research explored how to bootstrap a secure communication channel between two wireless devices when they have no prior association and no trusted third party. Examples are pairing a WLAN laptop to an access point, or a Bluetooth cellphone and headset.
The proposal is to use an Out-Of-Band channel between the devices created with human perceptible [...]
http://cups.cs.cmu.edu/soups/2008/proceedings/p35Hayashi.pdf
This research proposes a graphic login system in which the presented images at login time are highly distorted versions of the images chosen at password creation time. The user should be able to recognize the distorted version of the picture they originally chose. That said, there is a trade-off in that as distortion increases the [...]
http://cups.cs.cmu.edu/soups/2008/proceedings/p44Yan.pdf
CAPTCHAs were originally invented at CMU. The goal of a CAPTCHA is to allow humans through but block automated scripts. They are now widely deployed as a method of preventing spam.
Text-based schemes typically require the use to complete a text recognition tasks. Some sites offer a sound-based scheme, typically for accessibility reasons. There have also [...]
http://cups.cs.cmu.edu/soups/2008/proceedings/p24Dunphy.pdf
Passfaces is a commercial graphical password system where the password is a sequence of face images. This leverages the fact that humans are typically rather good at facial recognition. Another motivation of Passfaces is supposedly that it is hard to write down your password to share, but are they? Often a single-sentence description seems to [...]
http://cups.cs.cmu.edu/soups/2008/proceedings/p13Rabkin.pdf
Security questions aren’t always bad…though they often are. But, the bad news is, they are getting worse. A secret security question asks for a secret fact. A personal security question asks about something meaningful to the user, but that they are willing to share. Unfortunately, if users are willing to share this information in one [...]
http://cups.cs.cmu.edu/soups/2008/proceedings/p1Forget.pdf
The research explored a novel password selection strategy in which subjects would enter a password and have random characters shuffled in to add security to the password. The researchers explored different methods of selecting and placing the characters.
The goal is not only to help users choose better passwords, but also to build off elements of [...]
OpenID, as currently used for single sign-on, facilitates phishing.
Using OpenID, you can establish an account at any identity provider you like, and then use it to log in to any OpenID-enabled website. Unfortunately, the way it’s currently deployed, described, and demonstrated, OpenID makes users even more susceptible to phishing than they are without it. [...]
I had an idea yesterday evening inspired by Cynthia Kuo’s talk on phrase-based passwords. Cynthia’s research started with a popular method for choosing memorable passwords and evaluated the strength of passwords created using that method. And there was a questioner from the audience who noted that, whenever you popularize a particular formula for [...]
Read the paper here.
Phishing is a semantic attack: it exploits the gap between user’s intentions and the system’s operation (in particular when submitting data). The key factors are: what is the data and where will it go?
The Web Wallet is a browser sidebar that users open by pressing a secure attention key (F2). [...]
Read the paper here.
Many organizations tell users to create “mnemonic phrase-based passwords” — passwords made up by thinking of a memorable sentence or phrase, then compressing each word of the phrase to a character (such as its first letter, a number, or a punctuation character). Association with the phrase helps users remember their passwords, [...]
Read the paper here.
This study compared the real and perceived vulnerability of Passfaces (a graphical password system) to dictionary and non-dictionary passwords. There were four conditions: Passfaces with a mouse, Passfaces with the keyboard, a dictionary password, and a non-dictionary password.
The study confirmed that the concern about shoulder-surfing vulnerability of Passfaces with a mouse [...]
Read the paper here.
This study of password use surveyed about 50 Princeton undergraduates. The participants had, on average, about 3 passwords, they acquire more accounts over time, and they reuse their passwords more as they acquire more accounts. Participants most commonly rely on their memory to recall passwords, and not using software tools. [...]