1

Authentication and access Authentication and access control overviewcontrol overview

2

OutlineOutlineDefinitions

Authentication• Factors• Evaluation• Examples

Focus on password problems and alternatives

Access control

Case study: Convenient SecureID

Case study: Website mutual authentication

3

DefinitionsDefinitions Identification - a claim about identity

• Who or what I am (global or local)

Authentication - confirming that claims are true• I am who I say I am• I have a valid credential

Authorization - granting permission based on a valid claim• Now that I have been validated, I am allowed to access certain

resources or take certain actions

Access control system - a system that authenticates users and gives them access to resources based on their authorizations• Includes or relies upon an authentication mechanism• May include the ability to grant course or fine-grained

authorizations, revoke or delegate authorizations

4

Building blocks of Building blocks of authenticationauthenticationFactors

• Something you know (or recognize)• Something you have• Something you are

Two factors are better than one• Especially two factors from different categories

What are some examples of each of these factors?

What are some examples of two-factor authentication?

5

Authentication mechanismsAuthentication mechanismsText-based passwords

Graphical passwords

Hardware tokens

Public key crypto protocols

Biometrics

6

EvaluationEvaluation Accessibility

Memorability

Security

Cost

Environmental considerations

7

Typical password adviceTypical password advice

8

Typical password adviceTypical password advice Pick a hard to guess password

Don’t use it anywhere else

Change it often

Don’t write it down

So what do you do when every web site you visit asks for a password?

9

Bank = b3aYZ Amazon = aa66x!Phonebill = p$2$ta1

10

11

Problems with PasswordsProblems with Passwords Selection

• Difficult to think of a good password• Passwords people think of first are easy to guess

Memorability• Easy to forget passwords that aren’t frequently used• Difficult to remember “secure” passwords with a mix of upper &

lower case letters, numbers, and special characters

Reuse• Too many passwords to remember• A previously used password is memorable

Sharing• Often unintentional through reuse• Systems aren’t designed to support the way people work together

and share information

12

Four

Mnemonic PasswordsMnemonic Passwords

First letter of each word (with punctuation)

fsasya,oFSubstitute numbers for words or similar-looking letters

4sa7ya,oFSubstitute symbols for words or similar-looking letters

F

4sasya,oF

Four

4sa7ya,oF

4s&7ya,oF

score s andaand seven sseven yearsy ago a ,, our o Fathers F

Source: Cynthia Kuo, SOUPS 2006

13

The Promise?The Promise?Phrases help users incorporate different

character classes in passwords• Easier to think of character-for-word

substitutions

Virtually infinite number of phrases

Dictionaries do not contain mnemonics

Source: Cynthia Kuo, SOUPS 2006

14

The Problem?The Problem?“Goodness” of mnemonic passwords

unknown• Yan et al. compared regular, mnemonic, and

randomly generated passwords Used standard (non-mnemonic) dictionary Effectively evaluated whether mnemonic passwords

contained dictionary words

Source: Cynthia Kuo, SOUPS 2006

15

Source: Cynthia Kuo, SOUPS 2006

Mnemonic password evaluationMnemonic password evaluation Mnemonic passwords are not a panacea for

password creation

No comprehensive dictionary today

May become more vulnerable in future • Many people start to use them• Attackers incentivized to build dictionaries

Publicly available phrases should be avoided!

C. Kuo, S. Romanosky, and L. Cranor. Human Selection of Mnemonic Phrase-Based Passwords. In Proceedings of the 2006 Symposium On Usable Privacy and Security, 12-14 July 2006, Pittsburgh, PA.

16

Password keeper softwarePassword keeper softwareRun on PC or handheld

Only remember one password

17

Single sign-onSingle sign-onLogin once to get access to all your

passwords

18

BiometricsBiometricsBiometricsBiometrics

19

Graphical passwordsGraphical passwordsGraphical passwordsGraphical passwords

20

““Forgotten password” Forgotten password” mechanismmechanism Email password or magic URL to address on file

Challenge questions

Why not make this the normal way to access infrequently used sites?

21

Types of access controlTypes of access controlDiscretionary access control

•Distributed, dynamic, users set access rules for resources they own and can delegate access to others

Role-based access control•Centralized admin assigns users to roles and

sets access rules based on roles

And many others that vary discretionary/mandatory, centralized/distributed, granularity, grouping

22

Access control usability Access control usability problemsproblems

Admins, large organizations understanding large access control policies• Someone in marketing changed a policy and now we

can’t figure out why people in sales no longer have access to a document

• Who has access to this document anyway?

End users creating and understanding policies• Examples: File system permissions, Grey, Perspective,

privacy rules• Home users want to share some files with some other

users, but don’t want to share everything

23

Convenient SecureIDConvenient SecureID

QuickTime™ and aTIFF (Uncompressed) decompressor

are needed to see this picture.

Sources:

http://worsethanfailure.com/Articles/Security_by_Oblivity.aspx http://fob.webhop.net/

QuickTime™ and aTIFF (LZW) decompressor

are needed to see this picture.

What problems do these approaches solve?

What problems do they create?

24

Browser-based mutual Browser-based mutual authenticationauthentication Chris Drake’s “Magic Bullet” proposal

http://lists.w3.org/Archives/Public/public-usable-authentication/2007Mar/0004.html

1. User gets ID, password (or alternative), image, hotspot at enrollment

2. Before user is allowed to login they are asked to confirm URL and SSL cert and click buttons

3. Then login box appears and user enters username and password (or alternative)

4. Server displays set of images, including user’s image (or if user entered incorrect password, random set of images appear)

5. User finds their image and clicks on hotspot Image manipulation can help prevent replay

attacks

What problems does this solve?

What problems doesn’t it solve?

What kind of testing is needed

QuickTime™ and aTIFF (Uncompressed) decompressor

are needed to see this picture.

QuickTime™ and aTIFF (Uncompressed) decompressor

are needed to see this picture.