Page 1
Bootstrapping Mobile PINs Using Passwords
Markus Jakobsson, Debin Liu
Information Risk Management, PayPal
Page 2
A Bit about Authentication
Short battery life
Slow Web connection
Lack of coverage
Poor voice quality
Small screen size
Difficulty customizing settings
Difficulty authenticating
Page 3
Commercial Four-Letter Word
“Friction”
Page 4
A Bit About Human Memory
Not so amazing
Page 5
Common PIN
Your spouse’s birthday
Page 6
Love/Hate
PINs
Page 7
What will users see
Page 8
Example User Mapping
“Blu2thRules” → “2582”
Page 9
Opportunistic Derivation
Access; Truncate; Map; Store
Page 10
Special Characters
~1.5%
Can be reduced
Page 11
Special Phones
Need numeric pad
Page 12
Strong password, weak PIN
“1234Brew$g”, “1begHELP”
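The derivation the deck sketches (Access; Truncate; Map; Store) together with the weak-PIN cases on this slide, as an added example that is not the authors' code. It assumes the standard phone-keypad letter mapping (consistent with the deck's “Blu2thRules” → “2582”), a four-digit PIN, and that a special character in the truncated prefix makes the PIN non-derivable; the common-PIN blocklist is constructed for illustration.

```python
# Added example (not from the slides): password-to-PIN derivation and a weak-PIN check.
from typing import Optional

# Phone keypad layout (ITU E.161); the deck's "Blu2" -> "2582" example is consistent with it.
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}

PIN_LENGTH = 4  # assumption: four-digit PIN, as in the deck's examples

def password_to_pin(password: str) -> Optional[str]:
    """Truncate the password to PIN_LENGTH characters and map each to a keypad digit.

    Digits pass through unchanged; letters map case-insensitively. A character with
    no keypad digit (the deck's "special characters" case) makes the PIN non-derivable,
    so None is returned and the user would be asked to pick a PIN manually
    (assumption: the slides only say that this case "can be reduced").
    """
    if len(password) < PIN_LENGTH:
        return None
    digits = []
    for ch in password[:PIN_LENGTH]:
        if ch in "0123456789":
            digits.append(ch)
        elif ch.lower() in LETTER_TO_DIGIT:
            digits.append(LETTER_TO_DIGIT[ch.lower()])
        else:
            return None
    return "".join(digits)

# Constructed blocklist for illustration; a deployment would use measured PIN frequencies.
COMMON_PINS = {"0000", "1111", "1234", "2580", "1212", "7777", "4321"}

def is_weak_pin(pin: str) -> bool:
    """Flag a derived PIN that is a common choice, one repeated digit, or a digit run."""
    if pin in COMMON_PINS or len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})  # ascending or descending run such as 1234 / 4321

if __name__ == "__main__":
    # "1234Brew$g" and "1begHELP" are strong passwords whose prefixes both derive "1234".
    for pwd in ("Blu2thRules", "1234Brew$g", "1begHELP", "ab$d"):
        pin = password_to_pin(pwd)
        print(pwd, "->", pin, "(weak)" if pin and is_weak_pin(pin) else "")
```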
Page 13
Password change?
Dual Universes
Page 14
Measuring Security
Raided Dropboxes
Page 15
Entropy of Derived PINs
Information entropies (bits), by data source (size):

| Data source (size) | pwd4 entropy | PIN entropy | Information loss by mapping |
|---|---|---|---|
| FSP (8359) | 12 | 10.9 | 1.1 |
| SNP (2873) | 10.5 | 10 | 0.5 |
| Malware (16192) | 9.7 | 9.2 | 0.5 |
Page 16
Special Characters
Percentage of passwords, by data source (size):

| Data source (size) | Using upper case letters | Using special characters |
|---|---|---|
| FSP (8359) | 32.16% | 1.44% |
| SNP (2873) | 11.14% | 1.95% |
| Malware (16192) | 26.96% | 6.16% |
Page 17
Imagine PIN Theft
Page 18
Experiment
What is Joe’s PIN?
Joe uses a PIN to access his PayPal account from his phone. But he does not want to have to remember another number, and he does not want to reuse his banking PIN. So he uses PayPal’s new “password to PIN” feature so that he only has to remember his password. Joe’s password is “Blu2thrules”. Look at the screen-shot below and let us know what PIN he should enter.
Page 19
Usability of Derived PINs: 25-subject qualitative study
Successful and fast: 64%
Successful but slow: 24%
Failed: 12%
Page 20
Usability of Derived PINs: 100-subject quantitative study
Successful: 68%
Likely successful: 22%
Failed: 10%
Page 21
Other things I pitch
Address web/app spoofing: www.SpoofKiller.com
Mobile-friendly passwords: www.fastword.me
Mobile malware detection: www.fatskunk.com
Etc: www.markus-jakobsson.com