
Whither Challenge Question Authentication? 12 May 2009 Mike Just - PowerPoint PPT Presentation



  1. University of Cambridge Security Seminar Series
     Whither Challenge Question Authentication?
     12 May 2009, Mike Just, University of Edinburgh

  2. Outline
     - What are Challenge Questions?
     - Challenge Question Research
     - Our Research
       - Collecting data
       - Analyzing data
     - What Does it all Mean?
     - Further Information
     12 May 2009 'Whither Challenge Question Authentication? 2

  3. What are Challenge Questions? (1 of 3)
     - What are 'Challenge Questions?'
       - Type of 'authentication credential'
       - Users register Question & Answer
       - To authenticate later, user is posed Question and asked to provide Answer
     - Authentication credentials (table on the slide):
       - 'Something You Know'
         - 'Something You Memorize': Passwords, PINs, Images
         - 'Something You Already Know': Challenge questions, Images
       - 'Something You Have': Access card, Smartcard, Mobile
       - 'Something You Are': Fingerprints, Iris/retinal scan, Facial scan

  4. What are Challenge Questions? (2 of 3)
     - Common Examples
       - 'What is my Mother's Maiden Name?'
       - 'What was the name of my first pet?'
       - 'What was the name of my primary school?'
     - How do Challenge Questions support authentication?
       - The answers to the questions should be known only to the users that registered the questions, similar to how passwords should be uniquely known

  5. What are Challenge Questions? (3 of 3)
     - How and why do we use Challenge Questions?
       - Almost exclusively as secondary/fallback authentication in case of a lost primary credential
       - Sometimes used to complement the primary credential
       - Often driven by the desire to avoid costly help-desk calls
     - In some cases, 're-registration' is possible, but not always
       - Too expensive or takes too much time
       - Not all sites have a registration phase (that includes user identification with shared secrets)
     - So, some form of secondary authentication is desirable
       - Challenge Questions are today's ubiquitous choice

  6. Challenge Question Research (1 of 3)
     - What is studied w.r.t. Challenge Questions?
       1. Security (Attacker's Point-of-View)
          - How difficult is it to determine the answers to the questions?
          - Demonstration of security often involves quantitative analysis
       2. Usability (User's Point-of-View)
          - How easy is it to choose questions?
          - How easy is it to remember the answers?
          - Demonstration of usability often involves qualitative research
     - (Figure: Security Research vs. Human Factors Research)

  7. Challenge Question Research (2 of 3)
     - What has been studied w.r.t. Challenge Questions?
       - Early '90s usability studies referred to 'word pairs,' and 'associative' or 'cognitive passwords'
         - Focused on facts, opinions or interests. Studies [Haga et al.] suggested facts were easier to recall, but more easily guessable by friends or family
       - Early '00 analysis focused on tolerating users forgetting or mis-typing answers with secret sharing [Ellison et al., Frykholm et al.]
       - Recent work [Rabkin, Jakobsson et al.] has focused directly on the insecurity of administratively-chosen challenge questions, and on specific questions ('Mother's Maiden Name')
       - Jakobsson et al. have published a novel solution based upon user preferences (binary), though more study is needed

  8. Challenge Question Research (3 of 3)
     - More recently ...
     - Single user authentication
       - Just, Aspinall, "Challenging Challenge Questions," Trust 2009, April 2009
       - Schechter, Bernheim Brush, Egelman, "It's no secret: Measuring the security and reliability of authentication via 'secret' questions," IEEE Security and Privacy 2009, May 2009
       - Just, Aspinall, "Personal Choice and Challenge Questions: A Security and Usability Assessment," SOUPS 2009, July 2009
     - Group authentication
       - Toomim, Zhang, Fogarty, Landay, "Access Control by Testing for Shared Knowledge," CHI 2008, April 2008
       - Bonneau, "Alice and Bob in Love: Cryptographic Communication Using Natural Entropy," Security Protocols 2009, April 2009

  9. Our Research (1 of 2)
     - Problem: 'Systematic analysis of the security and usability of challenge questions is lacking'
     - Method: Investigate security and usability of user-chosen challenge questions
     - Goals: To answer the following:
       - Do users choose secure questions?
       - Do users choose memorable answers?
       - Can we lead realistic yet ethical authentication experiments?

  10. Our Research (2 of 2)
      - Led three experiments with classes at the University of Edinburgh
        - Human Computer Interaction (HCI), Computer Security, and Biology classes
        - 170 participants submitted 500 questions
      - Devised methods for measuring security and usability of the questions (and answers)
      - Novel approach for collecting data

  11. Collecting Data (1 of 3)
      - Ethically challenging, but users readily submit
      - Issues regarding participant behaviour
        - Equate credentials with other private information?
        - Contribute real information?
        - Degree of freedom with user-chosen questions
      - Opportunities for improved Collector behaviour
        - Challenge to ourselves: Don't collect!
        - Avoid having to maintain information
        - Consistent message: Keep credentials to yourself!

  12. Collecting Data (2 of 3)
      - (Diagram of the experiment flow) Participant, Stage 1: Questions and Answers, feeding the Security Analysis; Stage 2: Questions are re-posed and the Answers are compared, "Answers MATCH?", feeding the Usability Analysis
      - Version 1: Pen-and-Paper Only
      - Version 2: Online & Pen-and-Paper

  13. Collecting Data (3 of 3)
      - Participants' use of 'real' Questions and Answers
        - We asked if participants would use the same Questions and Answers in real applications (e.g. Banking)
        - Of the respondents (92%) indicating that they would likely re-use their questions, 61% indicated some influence from not submitting their answers
      - Participants and personal privacy
        - We asked participants if they would be concerned if their friends or family members knew their Questions and Answers
        - More than two-thirds of the questions raised 'no concern' at all for participants, with < 10% meriting strong concern

  14. Security Analysis (1 of 7)
      - Existing security analysis of Challenge Questions is limited, and ad hoc
        - There are no clear guidelines for choosing 'good' questions and answers
      - We wanted a more systematic approach that would either
        - Provide some guidance for secure design, or
        - Recommend abandonment of the concept

  15. Security Analysis (2 of 7)
      - (Figure: attack methods ordered by increasing information for the attacker)
        - Blind Guess: answer alphabet and likely distribution of answers
        - Focused Guess: questions, distributions of answer sets
        - Observation / Answer Guess: user account, published common data, social networks, friends, family, ...

  16. Security Analysis - Blind Guess (3 of 7)
      - Brute force attack
      - Security Levels based on equivalence to passwords
        - Scale: Low | 2^34 (6-char alphabetic password) | Medium | 2^48 (8-char alphanumeric password) | High
        - Answer entropy: 2.3 bits per character (first 8 chars), then 1.5 bits per character
      - Results (by question)
        - Average answer length: 7.5 characters
        - 174 Low, 4 Medium, 2 High
      - Results (by user)
        - Q1: 59 Low, 1 Medium, 0 High
        - Q1, Q2: 38 Low, 13 Medium, 9 High
        - Q1, Q2, Q3: 5 Low, 19 Medium, 36 High

  17. Security Analysis - Blind Guess (4 of 7)
      - Blind Guess (cont'd)
        - Unlike passwords, the alphabet for answers is just 26 lowercase letters (plus 10 digits in some cases)
        - Use of a single question seems to provide insufficient protection against the simplest attack
        - But, multiple questions seem to help
        - Online attacks considered (targeted and random). Offline attacks would require more security (2^80)

  18. Security Analysis - Focused Guess (5 of 7)
      - Attacker knows the Challenge Questions
      - Security Levels same as for Blind Guess
      - Answer types and space:
          Q Type        %     Space
          Proper Name   50%   10^4 - 10^5
          Place         20%   10^2 - 10^5
          Name          18%   10^3 - 10^7
          Number         3%   10^1 - 10^4
          Time/Date      3%   10^2 - 10^5
          Ambiguous      6%   10^8 - 10^15
      - Results (by question)
        - 167 Low, 0 Medium, 13 High
      - Results (by user)
        - Q1: 58 Low, 0 Medium, 2 High
        - Q1, Q2: 46 Low, 11 Medium, 3 High
        - Q1, Q2, Q3: 5 Low, 28 Medium, 27 High
      - Much room for refinement of 'Space'
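As an added worked example (not code from the slides or the authors), the following Python encodes the two attacker models of slides 16 to 18: the per-character entropy estimate for the Blind Guess and the per-type answer spaces for the Focused Guess, mapped onto the same Low/Medium/High levels. The thresholds, per-character bits and answer-space table are the slides'; taking the lower bound of each space, treating the level boundaries as exclusive, and adding the bits of independent questions are my assumptions.

```python
import math
# Security levels from the slides, by equivalence to passwords: Low below
# 2^34 (6-char alphabetic), Medium below 2^48 (8-char alphanumeric), High
# otherwise. Treating each bound as exclusive is my assumption.
LOW_BITS, HIGH_BITS = 34, 48

# Blind Guess: the slides' per-character entropy estimate for answers,
# 2.3 bits/char for the first 8 characters, 1.5 bits/char after that.
def blind_guess_bits(answer_len: int) -> float:
    first = min(answer_len, 8)
    rest = max(answer_len - 8, 0)
    return 2.3 * first + 1.5 * rest

# Focused Guess: answer spaces (lower, upper) by answer type, from the
# slide's table. The type percentages do not affect a question's level.
ANSWER_SPACE = {
    "proper name": (1e4, 1e5),
    "place": (1e2, 1e5),
    "name": (1e3, 1e7),
    "number": (1e1, 1e4),
    "time/date": (1e2, 1e5),
    "ambiguous": (1e8, 1e15),
}

def focused_guess_bits(answer_type: str) -> float:
    # Defender's (conservative) estimate: assume the attacker who knows the
    # question faces the smallest plausible space, i.e. the lower bound.
    # Taking the lower bound is my choice, not the slides'.
    low, _high = ANSWER_SPACE[answer_type]
    return math.log2(low)

def level(bits: float) -> str:
    if bits < LOW_BITS:
        return "Low"
    if bits < HIGH_BITS:
        return "Medium"
    return "High"

def combined_level(bits_per_question) -> str:
    # Assumes independent questions: guess spaces multiply, so bits add.
    return level(sum(bits_per_question))

def assess_user(registered) -> dict:
    # registered: list of (answer_len, answer_type) for one user's questions.
    # Returns the level the whole set reaches under each attack model.
    return {
        "blind": combined_level(blind_guess_bits(n) for n, _t in registered),
        "focused": combined_level(focused_guess_bits(t) for _n, t in registered),
    }
```

Three constructed 8-character answers (a proper name, a place and a name) reach High against a blind guesser but only Low against an attacker who knows the questions, which is the gap between slides 16 and 18.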
