Déjà Vu: A User Study Using Images for Authentication

Rachna Dhamija, Adrian Perrig
SIMS / CS, University of California Berkeley

Presenter: 張淯閎



Outline

  • Introduction

  • Password-Based Authentication

  • Déjà Vu

  • System Architecture

  • Sample Applications

  • User Study

  • Conclusion


Introduction

  • User authentication is a central component of currently deployed security infrastructure. Three classes of schemes:

    • Knowledge-based (something you know, e.g. a password)

    • Token-based (something you have)

    • Biometrics (something you are)

  • Humans have a vast memory for pictures.

  • Déjà Vu builds on this with recognition-based, rather than recall-based, authentication.

Shortcomings of Password-Based Authentication

  • Passwords rely on precise recall of the secret.

  • Security problems

    • 15% of users picked passwords of three characters or fewer.

    • 85% of passwords could be broken with a dictionary attack.

    • Users often reuse similar passwords for different purposes.

  • Current solutions

    • Aim to identify weak passwords at the time they are chosen.

    • Establish rules that guide users in choosing passwords.

Déjà Vu

  • Three requirements

    • Must not rely on precise recall.

    • Must prevent users from choosing weak passwords.

    • Must make the secret difficult to write down or share with others.

  • System Architecture

    • Based on the observation that people have an excellent memory for images.

    • Three phases:

      • Portfolio Creation Phase

      • Training Phase

      • Authentication Phase

Portfolio Creation Phase

  • The user selects a portfolio of images; the system can be based on photographs or on Random Art.

  • With Random Art, images need not be stored pixel by pixel: each image is regenerated from a short seed.

Training and Authentication Phase

  • Training phase

    • Improves the memorability of the portfolio images.

    • Must take place in a secure environment, since anyone who observes the training session learns the portfolio.

  • Authentication phase

    • The server only needs to store the seeds of the portfolio images.

    • The user is authenticated if she correctly identifies all portfolio images in the challenge set (portfolio images mixed with decoy images).

    • The portfolio can be split among multiple servers to increase security.

Attacks and Countermeasures

  • Brute-force attack

    • Challenge set consisting of n images.

    • Portfolio consisting of m images.

    • Probability that a random guess selects exactly the m portfolio images out of the n: 1 / C(n, m), where C(n, m) is the binomial coefficient.

  • Educated guess attack

    • Random Art makes the portfolio hard to predict.

    • Photographs are hand-selected to ensure that no weak (easily guessable) images are used.

Attacks and Countermeasures

  • Observer attack

    • The positions of the portfolio images within the challenge set are randomized.

    • The way the user indicates her selection is hidden from observers.

    • The portfolio images can be slightly changed in each authentication.

  • Intersection attack: an attacker who observes several challenge sets for the same user intersects them; images present in every set are likely portfolio images. Countermeasures:

    • Present the same challenge set (the same decoy images) to a user on every login, so decoys cannot be eliminated by intersection.

    • Split the authentication into multiple stages.

    • Tighten the bound on unsuccessful logins before the account is blocked.
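The following is an added example, not code from the paper or the slides: a small Python model of Déjà Vu challenge construction that shows the brute-force guess probability 1 / C(n, m) and runs the intersection attack against a server that draws fresh decoys on every login versus one that reuses a fixed decoy set. The parameters n = 25, m = 5, the image pool of 200 identifiers, and all function names are constructed for this example.

```python
import math
import random

# Parameters in the slides' notation: n challenge images, m portfolio images.
# The values (n = 25, m = 5) and the pool size are constructed for this example.
N_CHALLENGE = 25
M_PORTFOLIO = 5
IMAGE_POOL = 200


def brute_force_guess_probability(n, m):
    """Probability that one random guess picks exactly the m portfolio images out of n."""
    return 1 / math.comb(n, m)


def make_challenge(portfolio, pool, n, rng, fixed_decoys=None):
    """Build one challenge set: the portfolio plus n - m decoys, in shuffled order.

    fixed_decoys: when given, the same decoys are reused on every login
    (the countermeasure against the intersection attack); otherwise fresh
    decoys are drawn from the pool each time.
    """
    if fixed_decoys is None:
        candidates = [img for img in pool if img not in portfolio]
        decoys = rng.sample(candidates, n - len(portfolio))
    else:
        decoys = list(fixed_decoys)
    challenge = sorted(portfolio) + decoys
    rng.shuffle(challenge)  # randomized positions: slot numbers tell an observer nothing
    return challenge


def authenticate(selection, portfolio):
    """The user passes only if her selection is exactly the portfolio."""
    return set(selection) == set(portfolio)


def intersection_attack(observed_challenges):
    """Intersect every challenge set seen for one user.

    Portfolio images appear in every set; a decoy survives only if it was
    drawn every single time, so the intersection converges on the portfolio.
    """
    candidates = set(observed_challenges[0])
    for challenge in observed_challenges[1:]:
        candidates &= set(challenge)
    return candidates


def simulate(observations, reuse_decoys, seed=1):
    """Run `observations` logins for one user; return (portfolio, attacker's candidate set)."""
    rng = random.Random(seed)
    pool = list(range(IMAGE_POOL))
    portfolio = set(rng.sample(pool, M_PORTFOLIO))
    fixed = None
    if reuse_decoys:
        others = [img for img in pool if img not in portfolio]
        fixed = rng.sample(others, N_CHALLENGE - M_PORTFOLIO)
    challenges = [
        make_challenge(portfolio, pool, N_CHALLENGE, rng, fixed)
        for _ in range(observations)
    ]
    return portfolio, intersection_attack(challenges)


if __name__ == "__main__":
    print("single-guess success probability:",
          brute_force_guess_probability(N_CHALLENGE, M_PORTFOLIO))
    for reuse in (False, True):
        portfolio, candidates = simulate(10, reuse_decoys=reuse)
        print(f"reuse_decoys={reuse}: {len(candidates)} candidates remain "
              f"(portfolio has {len(portfolio)})")
```

With fresh decoys, ten observed logins are enough for the intersection to shrink to exactly the five portfolio images; with a fixed decoy set the attacker is stuck at all 25 images, which is why the slides recommend reusing the same challenge set.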

Sample Applications

  • Customer authentication at an ATM

    • Avoids users writing their PIN on the ATM card.

    • Portfolio selection and training can be done in a secure environment at the bank.

    • A one-time PIN is used to bootstrap the system.

  • Web authentication

    • Users often use the same username and password for different purposes.

    • Users often forget their passwords.

    • Déjà Vu is well suited here: users are less likely to forget a portfolio than a password, so fewer password-recovery procedures are needed.

User Study

  • The study measured task completion time and error rate.

Conclusion

  • The authentication task is more reliable, easier, and fun to use.

  • Prevents users from choosing weak passwords or writing passwords down.

  • Has potential applications, especially where text input is hard, such as on PDAs or ATMs.

  • The authentication scheme takes advantage of innate human abilities.

Random Art

  • A proposed hash visualization algorithm.

  • The basic idea is to use a binary string s as the seed for a random number generator.

  • Random Art is an algorithm that, given a bit-string as input, generates a function F: [-1,1]^2 -> [-1,1]^3, which defines an image.

  • F maps each pixel (x, y) to an RGB value (r, g, b), a triple of intensities for the red, green and blue channels, respectively.
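The following is an added example, not the authors' Random Art implementation: a Python sketch of the idea above, and of why the server in the authentication phase only needs to keep a seed. A bit-string seeds a PRNG (hashed with SHA-256 first; that choice is an assumption), the PRNG drives the construction of three random expression trees over x and y, each closed over [-1,1], and the trees form F: [-1,1]^2 -> [-1,1]^3, which is rendered to a binary PPM image. The operator set (sin, cos, product, average, mix) is a small illustrative grammar, not the original Random Art grammar, and all names are constructed for this example.

```python
import hashlib
import math
import random


def build_expr(rng, depth):
    """Recursively build a random expression tree over the variables x and y.

    Every node maps values in [-1, 1] to [-1, 1], so the whole tree stays in range.
    The operator set is an illustrative assumption, not the original Random Art grammar.
    """
    if depth <= 0 or rng.random() < 0.15:
        return rng.choice(["x", "y"])
    op = rng.choice(["sin", "cos", "mul", "avg", "mix"])
    if op in ("sin", "cos"):
        # random frequency on the argument; sin/cos keep the output in [-1, 1]
        return (op, rng.uniform(1.0, 6.0), build_expr(rng, depth - 1))
    if op in ("mul", "avg"):
        return (op, build_expr(rng, depth - 1), build_expr(rng, depth - 1))
    return ("mix", build_expr(rng, depth - 1),
            build_expr(rng, depth - 1), build_expr(rng, depth - 1))


def evaluate(node, x, y):
    """Evaluate an expression tree at the point (x, y)."""
    if node == "x":
        return x
    if node == "y":
        return y
    op = node[0]
    if op == "sin":
        return math.sin(node[1] * evaluate(node[2], x, y))
    if op == "cos":
        return math.cos(node[1] * evaluate(node[2], x, y))
    if op == "mul":
        return evaluate(node[1], x, y) * evaluate(node[2], x, y)
    if op == "avg":
        return (evaluate(node[1], x, y) + evaluate(node[2], x, y)) / 2
    # mix: the first child yields a weight w in [0, 1] that blends the other two
    w = (evaluate(node[1], x, y) + 1) / 2
    return w * evaluate(node[2], x, y) + (1 - w) * evaluate(node[3], x, y)


def make_image_function(seed_bits, depth=5):
    """Derive F: [-1,1]^2 -> [-1,1]^3 from a bit-string: one tree per colour channel.

    The same seed always yields the same F, so a server can store the seed
    instead of the pixels and regenerate the image for each challenge.
    """
    rng = random.Random(int.from_bytes(hashlib.sha256(seed_bits).digest(), "big"))
    trees = [build_expr(rng, depth) for _ in range(3)]

    def F(x, y):
        return tuple(evaluate(t, x, y) for t in trees)

    return F


def render_ppm(seed_bits, width=64, height=64):
    """Render the image defined by the seed as a binary PPM (P6) byte string."""
    F = make_image_function(seed_bits)
    header = f"P6 {width} {height} 255\n".encode()
    pixels = bytearray()
    for j in range(height):
        y = 2 * j / (height - 1) - 1          # map row to [-1, 1]
        for i in range(width):
            x = 2 * i / (width - 1) - 1       # map column to [-1, 1]
            for v in F(x, y):
                # [-1, 1] -> [0, 255], clamped against floating-point drift
                pixels.append(max(0, min(255, int(round((v + 1) / 2 * 255)))))
    return header + bytes(pixels)


if __name__ == "__main__":
    # Constructed seed; in Déjà Vu this would be the stored portfolio seed.
    with open("random_art.ppm", "wb") as f:
        f.write(render_ppm(b"constructed-seed-0001"))
```

Rendering the same seed twice gives byte-identical images, while a different seed gives a different picture; that determinism is exactly what lets the authentication server keep only seeds for the portfolio and the decoys.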