secure web authentication with mobile phones l.
Skip this Video
Loading SlideShow in 5 Seconds..
Secure Web Authentication With Mobile Phones PowerPoint Presentation
Download Presentation
Secure Web Authentication With Mobile Phones

Loading in 2 Seconds...

  share
play fullscreen
1 / 23
Download Presentation

Secure Web Authentication With Mobile Phones - PowerPoint PPT Presentation

joyce
167 Views
Download Presentation

Secure Web Authentication With Mobile Phones

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Secure Web Authentication With Mobile Phones Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial Intelligence Lab

  2. Problem to Be Solved • People increasingly reply on public computers to do business over the Internet • But passwords can be captured by the computer and later reused by a hostile party • 2002: key logger at 14 NYC Kinko’s captured 450 usernames and passwords • 2003: key logger on more than 100 campus computers in Boston College • 2003: £6,300 stolen from a bank account after it was accessed at a public terminal

  3. Our Approach

  4. Our Approach

  5. Authentication Protocol “I am Alice”

  6. Authentication Protocol Your current authentication session is “FAITH” Session “FAITH” is waiting for approval

  7. Authentication Protocol “FAITH” Approve session “FAITH”

  8. Authentication Protocol Username Password

  9. Authentication Protocol (Dealing with Fraud) “FAITH” Lock my account until further notice Session “PSYCH” is waiting for approval

  10. Check and Approve Choose and Approve Two Mobile Phone Interfaces for Authentication

  11. User Study • How does our approach compare, in terms of security and usability, to other existing mobile phone authentication solutions? • One-time password sent to mobile phone (RSA Mobile, Fujitsu)

  12. Four Login Techniques • One-time password approach • Type Random Code: “1234-5678” • Type Random Phrase: “swears trainee” • Proxy-side spelling checker (Ispell) • Our approach • Check and Approve • Choose and Approve

  13. Method • Controlled experiment in the lab • Logged in to Amazon.com using an account set up by us with a personal computer and a mobile phone provided by us • 6 logins in a block for each technique, for a total of 24 logins, with the order of the four login techniques randomized

  14. Simulated Attacks • Will a user blindly approve sessions without looking at the session name? • Users were told that they were going to be spoofed by our simulated attacks

  15. Unknown Attack “PSYCH” is waiting for approval

  16. Duplicated Attack “FAITH” “PSYCH”

  17. Blocking Attack “PSYCH” is waiting for approval ? ? ?

  18. Ease of Use Single factor ANOVA with P = 0.01

  19. Error Rates • Login by Check and Approve was easily spoofed • Duplicated attack: 4 successful out of 11 attacks • Blocking attack: 2 out of 9 • Unknown attack: 1 out of 33

  20. Error Rates • Login by Check and Approve was easily spoofed • Duplicated attack: 4 successful out of 11 attacks • “There must be a bug in the proxy since the session name displayed in the computer does not match the one in the mobile phone.” • Blocking attack: 2 out of 9 • “The network connection must be really slow since the session name has not been displayed.” • Unknown attack: 1 out of 33

  21. Error Rates • Choose and Approve has zero error rate

  22. Future Work • Field study • Not only password but also any confidential information should avoid touching the hostile host

  23. Conclusion • By asking the user to choose and approve a correct session name from her mobile phone, we provide a mobile phone authentication solution that is both secure and easy to use • Flexible solution to web authentication • Good backup to password login