Secure Web Authentication With Mobile Phones

Min Wu, Simson Garfinkel, Robert Miller

MIT Computer Science and Artificial Intelligence Lab

Problem to Be Solved
  • People increasingly rely on public computers to do business over the Internet
  • But passwords can be captured by the computer and later reused by a hostile party
    • 2002: key logger at 14 NYC Kinko’s captured 450 usernames and passwords
    • 2003: key logger on more than 100 campus computers in Boston College
    • 2003: £6,300 stolen from a bank account after it was accessed at a public terminal
Authentication Protocol

“I am Alice”

Authentication Protocol

Your current authentication session is “FAITH”

Session “FAITH” is waiting for approval

Authentication Protocol

“FAITH”

Approve session “FAITH”

Authentication Protocol

Username

Password

Authentication Protocol (Dealing with Fraud)

“FAITH”

Lock my account until further notice

Session “PSYCH” is waiting for approval

User Study
  • How does our approach compare, in terms of security and usability, to other existing mobile phone authentication solutions?
    • One-time password sent to mobile phone (RSA Mobile, Fujitsu)
Four Login Techniques
  • One-time password approach
    • Type Random Code: “1234-5678”
    • Type Random Phrase: “swears trainee”
      • Proxy-side spelling checker (Ispell)
  • Our approach
    • Check and Approve
    • Choose and Approve
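The session-name protocol from the preceding slides and the two approval styles, as an added Python sketch that is not the authors' code: a hypothetical AuthServer issues a session name when the public computer sends only "I am Alice", builds the phone prompt either as the waiting name alone (Check and Approve) or mixed with decoys (Choose and Approve), approves only an exact match, and honours the "lock my account" action. The word list, the `decoys` parameter and all method names are assumptions made here.

```python
import secrets

# Constructed word list standing in for the dictionary the server draws session names from
WORDS = ["FAITH", "PSYCH", "CRANE", "OLIVE", "TANGO", "BRICK", "MAPLE", "QUILT"]


class AuthServer:
    """Hypothetical server/proxy side of the session-name protocol (not the authors' code)."""

    def __init__(self, rng=None):
        self.rng = rng or secrets.SystemRandom()
        self.sessions = {}  # session id -> {"user", "name", "approved"}
        self.locked = set()

    def pending(self, user):
        return [s["name"] for s in self.sessions.values() if s["user"] == user and not s["approved"]]

    def start_session(self, user):
        # The computer sends only "I am <user>"; the server answers with a fresh
        # session name the computer displays. No password is typed on that host.
        if user in self.locked:
            raise PermissionError("account locked until further notice")
        name = self.rng.choice([w for w in WORDS if w not in self.pending(user)])
        sid = f"s{len(self.sessions) + 1}"
        self.sessions[sid] = {"user": user, "name": name, "approved": False}
        return sid, name

    def phone_prompt(self, user, decoys=0):
        # Check and Approve (decoys=0): the phone lists only the waiting session(s).
        # Choose and Approve (decoys>0): waiting names are mixed with unused decoys,
        # so the user must actively pick the name shown on the computer.
        names = self.pending(user)
        names += self.rng.sample([w for w in WORDS if w not in names], decoys)
        self.rng.shuffle(names)
        return names

    def approve(self, user, name):
        # Only a waiting session with exactly the chosen name is approved;
        # a decoy or unknown name approves nothing.
        for sid, s in self.sessions.items():
            if s["user"] == user and s["name"] == name and not s["approved"]:
                s["approved"] = True
                return sid
        return None

    def lock(self, user):
        # "Lock my account until further notice": drop every session, refuse new ones.
        self.locked.add(user)
        self.sessions = {k: s for k, s in self.sessions.items() if s["user"] != user}

    def is_logged_in(self, sid):
        return self.sessions.get(sid, {}).get("approved", False)
```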
Method
  • Controlled experiment in the lab
    • Logged in to Amazon.com with an account we set up, using a personal computer and a mobile phone we provided
    • 6 logins in a block for each technique, for a total of 24 logins, with the order of the four login techniques randomized
Simulated Attacks
  • Will a user blindly approve sessions without looking at the session name?
  • Users were told that they were going to be spoofed by our simulated attacks
Unknown Attack

“PSYCH” is waiting for approval

Duplicated Attack

“FAITH”

“PSYCH”

Blocking Attack

“PSYCH” is waiting for approval

? ? ?

Ease of Use

Single factor ANOVA with P = 0.01

Error Rates
  • Login by Check and Approve was easily spoofed
    • Duplicated attack: 4 successful out of 11 attacks
    • Blocking attack: 2 out of 9
    • Unknown attack: 1 out of 33
Error Rates
  • Login by Check and Approve was easily spoofed
    • Duplicated attack: 4 successful out of 11 attacks
      • “There must be a bug in the proxy since the session name displayed in the computer does not match the one in the mobile phone.”
    • Blocking attack: 2 out of 9
      • “The network connection must be really slow since the session name has not been displayed.”
    • Unknown attack: 1 out of 33
Error Rates
  • Choose and Approve has zero error rate
Future Work
  • Field study
  • Not only the password but any confidential information should be kept away from the hostile host
Conclusion
  • By asking the user to choose and approve a correct session name from her mobile phone, we provide a mobile phone authentication solution that is both secure and easy to use
  • Flexible solution to web authentication
    • Good backup to password login