Upload File

privacy concerns of implicit edward felten secondary...

  • Home
  • Documents
  • Privacy concerns of implicit Edward Felten secondary ...cups.cs.cmu.edu/soups/2014/workshops/slides/privacy_bonneau_10.pdfPasswords +... User agent information 191.255.255.255 Mozilla/5.0
14
Privacy concerns of implicit secondary factors for web authentication Stuart Schechter Microsoft Research Joseph Bonneau Edward Felten Prateek Mittal Arvind Narayanan Princeton University WAY Workshop 2014

Upload: others

Post on 04-Mar-2020

3 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Privacy concerns of implicit Edward Felten secondary ...cups.cs.cmu.edu/soups/2014/workshops/slides/privacy_bonneau_10.pdfPasswords +... User agent information 191.255.255.255 Mozilla/5.0

Privacy concerns of implicit secondary factors for web

authentication

Stuart SchechterMicrosoft Research

Joseph BonneauEdward FeltenPrateek Mittal

Arvind NarayananPrinceton University

WAY Workshop 2014

Page 2: Privacy concerns of implicit Edward Felten secondary ...cups.cs.cmu.edu/soups/2014/workshops/slides/privacy_bonneau_10.pdfPasswords +... User agent information 191.255.255.255 Mozilla/5.0

Passwords +...

Behavioral/soft biometrics

Page 3: Privacy concerns of implicit Edward Felten secondary ...cups.cs.cmu.edu/soups/2014/workshops/slides/privacy_bonneau_10.pdfPasswords +... User agent information 191.255.255.255 Mozilla/5.0

Passwords +...

User agent information

191.255.255.255

Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405

Set-Cookie: id=0x987fe1; Expires=Wed, 09 Jun 2021 10:18:14 GMT

var x = window.screen.availWidth;var y = window.screen.availHeight;

Page 4: Privacy concerns of implicit Edward Felten secondary ...cups.cs.cmu.edu/soups/2014/workshops/slides/privacy_bonneau_10.pdfPasswords +... User agent information 191.255.255.255 Mozilla/5.0

Passwords +...

Usage patterns

Page 5: Privacy concerns of implicit Edward Felten secondary ...cups.cs.cmu.edu/soups/2014/workshops/slides/privacy_bonneau_10.pdfPasswords +... User agent information 191.255.255.255 Mozilla/5.0

Three privacy(ish) effects

I. Data permanenceII. Inherent sensitivity

III. Legitimate secondary uses

Page 6: Privacy concerns of implicit Edward Felten secondary ...cups.cs.cmu.edu/soups/2014/workshops/slides/privacy_bonneau_10.pdfPasswords +... User agent information 191.255.255.255 Mozilla/5.0

Data permanence

Page 7: Privacy concerns of implicit Edward Felten secondary ...cups.cs.cmu.edu/soups/2014/workshops/slides/privacy_bonneau_10.pdfPasswords +... User agent information 191.255.255.255 Mozilla/5.0

Inherent sensitivity

Page 8: Privacy concerns of implicit Edward Felten secondary ...cups.cs.cmu.edu/soups/2014/workshops/slides/privacy_bonneau_10.pdfPasswords +... User agent information 191.255.255.255 Mozilla/5.0

Legitimate uses

Page 9: Privacy concerns of implicit Edward Felten secondary ...cups.cs.cmu.edu/soups/2014/workshops/slides/privacy_bonneau_10.pdfPasswords +... User agent information 191.255.255.255 Mozilla/5.0

Research challenges

Page 10: Privacy concerns of implicit Edward Felten secondary ...cups.cs.cmu.edu/soups/2014/workshops/slides/privacy_bonneau_10.pdfPasswords +... User agent information 191.255.255.255 Mozilla/5.0

Signal extraction

➔ How fast can a game learn your typing/swiping/clicking style?

➔ Do we need more permissions?

Page 11: Privacy concerns of implicit Edward Felten secondary ...cups.cs.cmu.edu/soups/2014/workshops/slides/privacy_bonneau_10.pdfPasswords +... User agent information 191.255.255.255 Mozilla/5.0

Privacy-preserving authentication

➔ Privacy-preserving machine learning exists already

➔ Can we adapt it for authentication?

➔ Data minimization?

Page 12: Privacy concerns of implicit Edward Felten secondary ...cups.cs.cmu.edu/soups/2014/workshops/slides/privacy_bonneau_10.pdfPasswords +... User agent information 191.255.255.255 Mozilla/5.0

Returns to centralization

➔ Data already collected➔ Data collected frequently➔ Third party logins are a signal, too

➔ Are small services doomed?

Page 13: Privacy concerns of implicit Edward Felten secondary ...cups.cs.cmu.edu/soups/2014/workshops/slides/privacy_bonneau_10.pdfPasswords +... User agent information 191.255.255.255 Mozilla/5.0

Thank you!

[email protected]@[email protected]@princeton.edu

Page 14: Privacy concerns of implicit Edward Felten secondary ...cups.cs.cmu.edu/soups/2014/workshops/slides/privacy_bonneau_10.pdfPasswords +... User agent information 191.255.255.255 Mozilla/5.0

Benoit felten

07 - Felten Presentation - CRA

Soups Soups can be the first course. Soups can be a sweet last course. Soups can be an entrée

Benoît Felten Senior Analyst

Towards Understanding ATM Security – A Field Study of Real ...cups.cs.cmu.edu/soups/2010/proceedings/a16_deluca.pdfTowards Understanding ATM Security – A Field Study of Real World

Improving Security Decisions with Polymorphic and Audited ...cups.cs.cmu.edu/soups/2007/proceedings/p76_brustoloni.pdfpolicy condenses advice from several sources [3,4]. According

Retrospective Privacy Managing Longitudinal Privacy …cups.cs.cmu.edu/soups/2013/proceedings/a4_Ayalon.pdf · study can guide the development of proactive and retroactive privacy

Revealing Hidden Context: Improving Mental Models of Personal …cups.cs.cmu.edu/soups/2009/proceedings/a1-raja.pdf · 2009-05-29 · A mental model has been de ned as the model of

Johnny 2: A User Test of Key Continuity Management …cups.cs.cmu.edu/soups/2005/2005proceedings/p13-garfinkel.pdf · Johnny 2: A User Test of Key Continuity Management with S/MIME

Panel--Usability of Security Administration vs. Usability …cups.cs.cmu.edu/soups/2005/2005slides/secure-admin-panel.pdf · Usability of Security Administration vs. Usability of

On the Challenges in Usable Security Lab Studies: …cups.cs.cmu.edu/soups/2011/proceedings/a3_Sotirakopoulos.pdf · On the Challenges in Usable Security Lab Studies: Lessons Learned

Correct horse battery staple: Exploring the usability of ...cups.cs.cmu.edu/soups/2012/proceedings/a7_Shay.pdf · Correct horse battery staple: Exploring the usability of system-assigned

Two Heads are Better Than One: Security and Usability of Device Associations in …cups.cs.cmu.edu/soups/2010/proceedings/a5_kainda.pdf · 2010. 6. 12. · Two Heads are Better Than

The Challenges of Using an Intrusion Detection …cups.cs.cmu.edu/soups/2008/proceedings/p107Werlinger.pdfIDS, with a particular focus on the initial stages of de-ployment (i.e., decision

Quality Management Systems: ISO 9001 BY MATTHEW FELTEN

Indirect Content Privacy Surveys: Measuring Privacy ...cups.cs.cmu.edu/soups/2011/proceedings/a15_Braunstein.pdf · directly asking about a privacy issue may result in an emo-tional

Benoit Felten - The Universal Connectivity Revolution

“I have nothing to hide; thus nothing to fear”: Defining a Framework for Examining ...cups.cs.cmu.edu/soups/2014/workshops/privacy/s4p3.pdf · 2014-06-19 · Framework for Examining

An Empirical Study of Natural Language Parsing of Privacy ...cups.cs.cmu.edu/soups/2006/proceedings/p8_brodie.pdf · development of schemas, such as XACML with a privacy profile and

LUXEMBOURG, 9th July 2015 - FELTEN & ASSOCIES

Feasibility of Structural Network Clustering for Group- Based Privacy …cups.cs.cmu.edu › soups › 2010 › proceedings › a9_jones.pdf · 2010-06-08 · i.e. interactions between

Felten testimony final - Senate Judiciary Committee

Goldilocks and the Two Mobile Devices: Or Nothing Access ...cups.cs.cmu.edu/soups/2012/proceedings/a2_Hayashi.pdf · Goldilocks and the Two Mobile Devices: Going Beyond All-Or-Nothing

Are privacy concerns a turn-off? Engagement and privacy in ...cups.cs.cmu.edu/soups/2012/proceedings/a10_Staddon.pdfbetween reported concerns and broad engagement metrics, as our goal

A Game Storyboard Design for Avoiding Phishing …cups.cs.cmu.edu/soups/2014/posters/soups2014_posters...A Game Storyboard Design for Avoiding Phishing Attacks Nalin A.G. Arachchilage

Home is Safer than the Cloud! Privacy Concerns for ...cups.cs.cmu.edu/soups/2011/proceedings/a13_Sachdeva.pdf · bility questions were raised when 150,000 Gmail ... tices and concerns

Power Strips, Prophylactics, and Privacy, Oh My!cups.cs.cmu.edu/soups/2006/proceedings/p133_gideon.pdf · 2006. 5. 27. · Jupiter Research calculated that by 2006, $24.5 billion

Username and Click on Passpet icon Passpet: Convenient ...cups.cs.cmu.edu/soups/2006/proceedings/p32_yee.pdf · and choosing many passwords is inconvenient. We would like the user

Risk%Percep+on%and%the%Acceptance% …cups.cs.cmu.edu/soups/2013/risk/RiskWS-Harbach-slides.pdf · 2013. 7. 25. · Risk%Percep+on%and%the%Acceptance% of%New%Security%Technology%

San Francisco, California OBI FELTEN

Smartening the Crowds: Computational Techniques for ...cups.cs.cmu.edu/soups/2011/proceedings/a8_Liu.pdf1 Smartening the Crowds: Computational Techniques for Improving Human Verification

Pejlinger af grundvandsstanden i felten

FLORENS FELTEN, WALTER GAUSS, RUDOLFINE SMETANA …

Privacy: Is There An App for That? - CyLab Usable Privacy ...cups.cs.cmu.edu/soups/2011/proceedings/a12_King.pdf · 2 attention to the respondents who are most knowledgeable about

What Makes Users Refuse Web Single Sign-On? An Empirical …cups.cs.cmu.edu/soups/2011/proceedings/a4_Sun.pdf · 2011. 6. 24. · the burden of managing this increasing number of