Chapter 7: Case Study Flashcards
What are the problems with passwords?
Security problems: phishing, social engineering, spyware
Poor usability: memorize, type, complex policies
Why are passwords still dominant if they have so many problems?
- Laziness
- Failure of research on convincingly better alternatives
Are biometrics an alternative?
- Who you are provides you the key
- But low accuracy and new attacks (using the fingerprint of a sleeping person)
What are the alternatives to passwords?
Something you…
Are: Easy to use but lower security (fingerprint, face)
Know: Password / Questions
Have: low usability but higher security (USB key, Smart Card)
Improvements to passwords: Federated AuthN / Single Sign-On
+ Better usability for the user
+ Complexity and cost reduction (economies of scale) for service provider and identity provider
Users authenticate only once and gain access to many services
But: we still need to manage multiple passwords/credentials
Improvements to passwords: Password Managers
A software app that aids users in creating, storing & organizing passwords
Components:
- local database
- browser plugins
- cloud server storage
- master key
What are the functions of a password manager?
- Generate secure passwords
- Password strength meter
- Password storage
- Automatic fill-in
What is the best alternative to passwords?
- It depends on the context
Scenario 1:
Location: Home
Application: Low risk
Beacons: Familiar device
-> all authentication mechanisms are ok
Scenario 2:
Location: Public place
Application: Sensitive
-> use a combination of secure mechanisms
What is the definition of adaptive authentication?
- An intelligent system selects the best mechanism dynamically, depending on the context
Does adaptive authentication complement PM / Federated AuthN or is it an alternative?
- It complements the federation standards
1st mile: use adaptive AuthN
2nd mile: Federation Standards
Explain the adaptive authentication concept PICO
Goal: No passwords
Proposal: HW token (Pico)
- Addresses all types of PIN/password
- Scales to thousands of passwords
- Allows continuous authentication
How is PICO designed?
- 2 buttons (pairing and login)
- display / camera (implemented via smartphone)
- Database with all user credentials
What are the states of PICO?
- Imprintable
- Unlocked
- Locked
Explain the concept of progressive authentication
Scope: User to apps
Authenticators: Multifactor (face, voice, proximity, placement, PIN)
Context: Battery
Explain the CASA concept
- Context-Aware Scalable Authentication
- Choose authentication mechanism {PIN, Password} based on contextual factors: Location {Home, Work, Other}
-> Users spend most of their time at home/work (safe places)
-> 60% of logins occur in safe places