Chapter 7: Case Study Flashcards
What are the problems with passwords?
Security problems: phishing, social engineering, spyware
Poor usability: memorize, type, complex policies
Why are passwords still dominant if they have so many problems?
- laziness
- Failure of research on convincingly better alternatives
Are biometrics an alternative?
- Who you are provides you the key
- But low accuracy and new attacks (using the fingerprint of a sleeping person)
What are the alternatives to passwords?
Something you…
Are: Easy to use but lower security (fingerprint, face)
Know: Password / Questions
Have: low usability but higher security (USB key, Smart Card)
Improvements to passwords: federated AuthN / Single Sign-On
+ better usability for user
+ Complexity and cost reduction (Economies of scale) for Service provider and identity provider
Users authenticate only once and gain access to many services
But: we still need to manage multiple passwords/credentials
Improvements to passwords: Password Managers
A software app that aids users in creating, storing & organizing passwords
Components:
- local database
- browser plugins
- cloud server storage
- master key
What are the functions of a password manager?
- Generate secure passwords
- Password strength meter
- Password storage
- Automatic fill-in
What is the best alternative to passwords?
- It depends on the context
Scenario 1:
Location: Home
Application: low risk
Beacons: familiar device
-> all authentication mechanisms are ok
Scenario 2:
Location: Public place
Application: Sensitive
-> use a combination of secure mechanisms
What is the definition of adaptive authentication?
- intelligent system selects best mechanism dynamically, depending on the context
Does adaptive authentication complement PM / Federated AuthN or is it an alternative?
- It complements the federation standards
1st mile: use adaptive authN
2nd mile: federation standards
Explain the adaptive authentication concept PICO
Goal: No passwords
Proposal: HW token (Pico)
- addresses all types of PIN/password
- scales to thousands of passwords
- allows continuous authentication
How is PICO designed?
- 2 buttons (pairing and login)
- display / camera (implemented via smartphone)
- Database with all user credentials
What are the states of PICO?
- Imprintable
- Unlocked
- Locked
Explain the concept of progressive authentication
Scope: User to apps
Authenticators: Multifactor (face, voice, proximity, placement, PIN)
Context: Battery
Explain the CASA concept
- Context-Aware Scalable Authentication
- Choose authentication mechanism {PIN, Password} based on contextual factors: Location {Home, Work, Other}
-> Users spend most of their time at home/work (safe places)
-> 60% of logins occur in safe places
Explain the CYOA (Choose your own authentication) concept
Scope: User to web app
Authenticators: password, persuasive cued passwords, object pass tiles, persuasive cued clickpoints
Context: Security & usability
Explain the CORMORANT concept
Scope: User to device
Authenticators: face, gait
Context: proximity to other user devices
Explain the commercial Product Google Smartlock
- Unlock Smartphone in presence of other user devices (smart watch)
- Passwords are remembered for websites and apps
- Laptop is unlocked in presence of the user's unlocked smartphone
What are the common challenges with adaptive authentication?
Key problem: ad-hoc designs
- Hard to extend / re-configure
- Difficult to reproduce, to compare
- Once deployed, they become static and costly for companies to change
How to design more comprehensive, versatile & flexible Adaptive Authentication systems?
- Follow Adaptive Systems modelling principles (autonomous driving)
- Generic reference architecture & implementation
How to make adaptive authentication more flexible?
Develop a flexible and easy-to-reconfigure system for authenticators, contexts, and the selection algorithms that select the authenticators
- Use standard protocol for the sensors and effectors
- Use Standard Interface for authenticators and context
Which research questions are still open in the area of adaptive authentication?
- incorporate new authenticators
- Integrate with applications
- incorporate context and selection algorithms in the planner (reports usability & security)