User Perceptions of Security and Usability of Mobile-based SPA and 2FA - PowerPoint PPT Presentation


  1. Devriş İşler, imec-COSIC, KU Leuven, Leuven, Belgium; Alptekin Küpçü, Aykut Coşkun, Koç University, Istanbul, Turkey. User Perceptions of Security and Usability of Mobile-based SPA and 2FA. 9/26/19

  2. ▪ Introduction
     ▪ Two Factor Authentication
     ▪ Single Password Authentication (SPA)
     ▪ Mobile-based SPA
     ▪ User Study Design
     ▪ Results
     ▪ Remarks
     ▪ Conclusion

  3. Registration: Alice sends (Alice, password) to bank.com, which adds <Alice, Hash(password)> to its database.
     Authentication: Alice sends (Alice, password); bank.com checks the database and accepts or rejects depending on whether the hashes match.

  4. Traditional insecure approach:
     • Insecure against offline dictionary, phishing, man-in-the-middle, and honeypot attacks
     • Remembering all passwords is cumbersome for the user
     • Reuse of the same password (Florencio et al. [5]) increases the damage of an attack

  5. Registration: Alice sends (Alice, password, Tel) to bank.com, which adds <Alice, Hash(password), Tel> to its database.
     Authentication: Alice sends (Alice, password); bank.com checks the database to see whether the hashes match, then sends an OTP code to the mobile device (e.g. via SMS); Alice forwards the OTP code to bank.com, which checks whether the OTP codes match and accepts or rejects.

  6. Attacks on 2FA?

  7. • Acar et al. [1], and also Jarecki et al. [2], Bicakci et al. [3], and İşler and Küpçü [4]
     • Proposed a secure and usable approach
     • A user remembers only one single password and username for all her accounts
     • Secure against phishing, man-in-the-middle, and honeypot attacks
     • When the login server and the storage provider (e.g. mobile device) collude (or both are corrupted by an attacker), they can perform an offline dictionary attack

  8. Registration (Alice, her (trusted) mobile device, and bank.com):
     • Input: (Alice, password, Tel)
     • Generate a key K (e.g. MAC key)
     • ctext ← Encrypt(Hash(password), K)
     • ctext is sent to the mobile device (via QR code)
     • (Alice, K) is sent to bank.com
     • Alice forgets everything except her single password

  9. Authentication (Alice holds (Alice, password); the (trusted) mobile device holds ctext; bank.com holds (tel, K)):
     • Alice sends her username (Alice) to bank.com
     • bank.com sends a challenge chal to the mobile device (e.g. via SMS)
     • Alice types her password on the mobile device
     • Mobile device: K ← Decrypt(Hash(password), ctext); resp ← GenerateResp(K, chal)
     • resp is returned to bank.com (via Alice)
     • bank.com checks resp ≡? GenerateResp(K, chal) and accepts or rejects
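The registration and authentication steps of slides 8 and 9, worked through as an added Python example; this is not the authors' implementation. The slides do not fix the hash, the cipher or the response function, so this example assumes SHA-256 for Hash, an XOR one-time pad for Encrypt/Decrypt (chosen so that ctext on its own gives no way to test a password guess), HMAC-SHA256 for GenerateResp since K is described as a MAC key, and plain dictionaries for the phone's and the bank's storage.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # bytes; K and Hash(password) share this length so they can be XORed

def password_hash(password: str) -> bytes:
    # Stand-in for Hash(password) in the slides (assumption: SHA-256).
    return hashlib.sha256(password.encode("utf-8")).digest()

def encrypt(pad: bytes, k: bytes) -> bytes:
    # Encrypt(Hash(password), K) as an XOR one-time pad (assumption).
    # With K uniformly random, ctext is independent of the password, so a
    # stolen phone alone gives nothing to test password guesses against.
    assert len(pad) == len(k) == KEY_LEN
    return bytes(a ^ b for a, b in zip(pad, k))

decrypt = encrypt  # XOR is its own inverse: Decrypt(Hash(password), ctext) -> K

def generate_resp(k: bytes, chal: bytes) -> bytes:
    # GenerateResp(K, chal): K is "e.g. a MAC key" on slide 8, so use HMAC.
    return hmac.new(k, chal, hashlib.sha256).digest()

def register(username: str, password: str, tel: str):
    """Slide 8: generate K, send ctext to the phone (via QR code) and
    (username, K) to bank.com; the user keeps only her single password."""
    k = secrets.token_bytes(KEY_LEN)                  # Generate a key K
    ctext = encrypt(password_hash(password), k)       # ctext <- Encrypt(Hash(password), K)
    mobile_store = {"ctext": ctext}                   # kept on the trusted mobile device
    bank_store = {username: {"tel": tel, "K": k}}     # kept at bank.com as (tel, K)
    return mobile_store, bank_store

def authenticate(username: str, typed_password: str, mobile_store: dict, bank_store: dict) -> bool:
    """Slide 9: bank.com sends chal to the phone (e.g. via SMS); the phone
    recovers K from the password typed on it and answers with resp."""
    record = bank_store.get(username)
    if record is None:
        return False
    chal = secrets.token_bytes(16)                    # Challenge chal
    # On the mobile device; the password itself never goes to bank.com.
    k_on_phone = decrypt(password_hash(typed_password), mobile_store["ctext"])
    resp = generate_resp(k_on_phone, chal)            # resp <- GenerateResp(K, chal)
    # At bank.com: resp =? GenerateResp(K, chal), using its own copy of K.
    return hmac.compare_digest(resp, generate_resp(record["K"], chal))
```

A wrong password decrypts ctext to a different K, so the phone's resp fails the bank's check without bank.com ever seeing the password.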

  10. 2FA vs. Mobile-based SPA, compared on:
     • Security against offline dictionary attacks
     • Security against Phishing & Man-in-the-middle attacks
     • Provable security
     • Single password usage

  11. • Testing Environment:
       • User studies were conducted in Koç University's Media and Virtual Arts Lab.
       • Pre-installed (no installation step for participants)
       • Participants tried both Mobile-based SPA and 2FA (random order)
       • Created 3 banking-like websites (e.g. Bank A)
       • NEXMO SMS service for Mobile-based SPA
       • Google Authenticator for 2FA
     • Participants:
       • There were 25 participants
       • 14 female, 11 male
       • They had diverse educational backgrounds

  12. • Measures:
       • Demographic questionnaire: sex, age interval, education level, and experience with online/mobile banking.
       • Post-questionnaire: 4-point Likert scale (strongly disagree, disagree, agree, strongly agree).
       • Numerical evaluation
         ◦ Paired t-test: assesses whether the means of two groups are statistically different from each other.
       • Comments:
         ◦ discussion with the participants about each system they tested, their feelings and concerns

  14. • The majority of participants (more than 50% per question) agreed (or strongly agreed) that mobile-based SPA:
       • is easy to use,
       • is useful,
       • is trustworthy,
       • is not intimidating to use,
     and that they have a positive attitude towards, and an intention of, using this system

  15. • Anxiety: Mobile-based SPA was less threatening than two-factor authentication (t(24) = 2.77 and p = 0.01).
       • 96%: not scared to lose a lot of information by hitting the wrong key in mobile-based SPA. “There was nothing to worry, since I did not give any important information to the websites.”
     • Attitude towards using technology: Mobile-based SPA performed statistically significantly better compared to 2FA (t(24) = 2.71 and p = 0.01). “I found two things she wanted at the same time, which are usability (easing her job by remembering one password) and more security (via employing a personal device and challenge).”

  16. • Perceived security: The users trusted mobile-based SPA more than they trust 2FA (t(24) = 3.25 and p = 0.003).
       • 80%: typing the password on the mobile device made the user feel more secure. “Seeing all works (computations) carried out on the mobile device made me feel more secure, and I felt as though I had the control of my password security”

  17. • There was no significant difference between mobile-based SPA and 2FA regarding:
       • Effort expectancy (t(24) = 1.10 and p = 0.28),
       • Behavioral intention to use the system (t(24) = 0.00 and p = 1.00),
       • Performance expectancy (t(24) = 1.04 and p = 0.30).

  18. Success and failure rate: the percentage distribution of password attempts to login

                              Success percent at trial number
                              1        2        3        Failure (%)
     2FA                      82       5        4        9
     Mobile-based SPA         100      0        0        0

     • 2FA had no failure due to the authentication code but had failures due to the password.
     • Mobile-based SPA had 20% failure due to the authentication code but had no failure due to the password.

  19. • Password Creation and Recall: 85% of the users struggle while coming up with a strong password as well as recalling them.
       • Hierarchy: different password for different type of accounts
       • Recall:
         ◦ Paper: note passwords on a paper
         ◦ Creating hint: hint for recalling a password
     • Password Reset:
       • Traditional authentication & 2FA:
         ◦ logging in to a backup e-mail = another password,
         ◦ memorizing extra information (such as security questions)
       • Mobile-based SPA: re-compute the registration ☹
       • How can a secure single password reset be carried out efficiently?

  20. • Widespread: 52%: would use the mobile-based SPA and trust it if it is commonly used and advertised by a "trusted" authority such as Facebook. “I feel secure while I am using WhatsApp, since WhatsApp is employed for secure messaging. They use something like encryption.”
     • Complexity of the Solution: More complex, more secure?
       • 90%: mobile-based SPA provided better security for online banking
       • Secure in the online banking scenario because it was “complex” enough.
       • Unproductive for email-type daily purposes due to its complexity.

  21. • We implemented the mobile-based single password authentication method of Acar et al. [1] and conducted its usability analysis for the first time.
     • Our study constitutes an important step in understanding the usability of SPA systems regarding their future deployment.
     • We compared it against 2FA in a fake online banking scenario.
     • There is potentially a trade-off between usability and perceived security which is worth exploring.
     • To obtain more generalizable results:
       • taking place in natural settings instead of a lab environment,
       • examining other dimensions of user experience of SPA systems beyond usability.

  22. • We acknowledge the support of:
       • TÜBİTAK (The Scientific and Technological Research Council of Turkey) under Project number 115E766,
       • The Royal Society of UK Newton Advanced Fellowship NA140464,
       • ERC Advanced Grant ERC-2015-AdG-IMPaCT,
       • The FWO under an Odysseus project GOH9718N.
     • We thank:
       • Arjen Kılıç and İlker Kadir Öztürk for their efforts on implementation.
