secure web authentication with mobile phones min wu, simson garfinkel, robert miller mit computer...

Secure Web Authentication With Mobile Phones

Min Wu, Simson Garfinkel, Robert Miller

MIT Computer Science and Artificial Intelligence Lab

Problem to Be Solved

• People increasingly reply on public computers to do business over the Internet

• But passwords can be captured by the computer and later reused by a hostile party– 2002: key logger at 14 NYC Kinko’s captured 450

usernames and passwords – 2003: key logger on more than 100 campus

computers in Boston College– 2003: £6,300 stolen from a bank account after it

was accessed at a public terminal

Our Approach

User

Internet Kiosk(possible hostile)

Security Proxy(trusted)

Remote Service

PASSWORD

Our Approach

User


Mobile Phone(trusted)


Secure Cookie Jar

Remote Service

PASSWORD

Authentication Protocol

User




“I am Alice”


User




Your current authentication session is “FAITH”

Session “FAITH” is waiting for approval


User




Approve session “FAITH”

“FAITH”


User




Remote Service

UsernamePassword

Authentication Protocol (Dealing with Fraud)

User




Lock my account until further notice

“FAITH”

Session “PSYCH” is waiting for approval

Two Mobile Phone Interfaces for Authentication

Check and Approve Choose and Approve

menu

Session: FAITH

1 [Approve it]2 [Cancel it]3 [Lock Account]

Submit Cancel

menu

Choose the same session name as shown in the browser1 [None of them]2 [COURTESY]3 [INHERITS]4 [FAITH]5 [OBJECT]

Submit Cancel

User Study

• How does our approach compare, in terms of security and usability, to other existing mobile phone authentication solutions?– One-time password sent to mobile phone

(RSA Mobile, Fujitsu)

Four Login Techniques

• One-time password approach – Type Random Code: “1234-5678”– Type Random Phrase: “swears trainee”

• Proxy-side spelling checker (Ispell)

• Our approach– Check and Approve– Choose and Approve

Method

• Controlled experiment in the lab– Logged in to Amazon.com using an

account set up by us with a personal computer and a mobile phone provided by us

– 6 logins in a block for each technique, for a total of 24 logins, with the order of the four login techniques randomized

Simulated Attacks

• Will a user blindly approve sessions without looking at the session name?

• Users were told that they were going to be spoofed by our simulated attacks

Unknown Attack

“PSYCH” is waiting for approval

Duplicated Attack

“PSYCH” “FAITH”

Blocking Attack

“PSYCH” is waiting for approval

? ? ?

Ease of Use

(Very hard to use) 1

2

3

4

(Very easy to use) 5

Ease

of

Use 3.55 3.55

4.45

4.20

Type RandomCode

Type RandomPhrase

Check and Approve

Choose and Approve

Login Techniques

Single factor ANOVA with P = 0.01

Error Rates

• Login by Check and Approve was easily spoofed– Duplicated attack: 4 successful out of 11

attacks

– Blocking attack: 2 out of 9

– Unknown attack: 1 out of 33

Error Rates

• Login by Check and Approve was easily spoofed– Duplicated attack: 4 successful out of 11

attacks• “There must be a bug in the proxy since the session

name displayed in the computer does not match the one in the mobile phone.”

– Blocking attack: 2 out of 9• “The network connection must be really slow since the

session name has not been displayed.”

– Unknown attack: 1 out of 33

Error Rates

• Choose and Approve has zero error rate

Future Work

• Field study

• Not only password but also any confidential information should avoid touching the hostile host

Conclusion

• By asking the user to choose and approve a correct session name from her mobile phone, we provide a mobile phone authentication solution that is both secure and easy to use

• Flexible solution to web authentication– Good backup to password login

secure web authentication with mobile phones min wu, simson garfinkel, robert miller mit computer...

Documents

approval slide

approach slide

fujitsu slide

alice slide

session faith faith

error rate slide

hostile host slide

public terminal slide