$30 off During Our Annual Pro Sale. View Details »

Putting Your Passwords On Self Destruct Mode: Beating Password Fatigue

Putting Your Passwords On Self Destruct Mode: Beating Password Fatigue

In this talk, we present SAMBA, our approach to ephemeral passwords to ameliorate password fatigue. Our proposed system combines our Synthetic Aperture Multimodal Biometrics Authentication (SAMBA) method with a lightweight scheme and architecture for ephemeral passwords release and consumption.

Huascar Sanchez

June 22, 2016
Tweet

More Decks by Huascar Sanchez

Other Decks in Research

Transcript

  1. PUTTING YOUR PASSWORDS ON SELF DESTRUCT MODE Huascar Sanchez huascar.sanchez@sri.com

    BEATING PASSWORD FATIGUE June 22 - 23, 2016 SRI International John Murray john.murray@sri.com SRI International Daniel Sanchez daniel.sanchez@sri.com SRI International SOUPS’16
  2. Copyright 2016 SRI International Problem: We are simply storing more

    passwords than we really need or are capable of dealing with. (Proposed) Solution: A method that enables users to get passwords that are worthy of temporary using, but not quite worthy of preserving. 2 Beating Password Fatigue
  3. Title - CONFYYY - MM DD, YYYY Good luck, Mr.

    Hunt This message will self destruct in 5 seconds Self destruction sequence initiated 3 Shifting Towards Ephemerality This message will self destruct in 5 seconds Good Luck, Mr. Hunt Self destruction sequence initiated Copyright 2016 SRI International
  4. Title - CONFYYY - MM DD, YYYY Good luck, Mr.

    Hunt This message will self destruct in 5 seconds Self destruction sequence initiated 4 Shifting Towards Password Ephemerality This password will self destruct in 5 seconds Good Luck, Mr. Hunt Self destruction sequence initiated Copyright 2016 SRI International
  5. Title - CONFYYY - MM DD, YYYY 5 Achieving Password

    Ephemerality Copyright 2016 SRI International
  6. 3.1 Scenario: Releasing Ephemeral Passwords Peter is a material scientist

    at a manufacturing company. He wants to pay his DIRECTV bill by sending money directly from his online Wells Fargo bank account. He opens his browser and then score (probability). We u user’s identity. Once all the actions are performed system to release passwords his reg Figure 1. Proposed Scheme for SAMBA (Synthetic Aperture Multimodal Biometric Au Voice Type Motion Request password 1 Do SAMBA 2 Geo-location Gait Verify identity 2.2 ... Other Heartbeat Website Handshake 3 Fusion 2.1 Copyright 2016 SRI International 6 A Lightweight Scheme 3.1 Scenario: Releasing Ephemeral Passwords Peter is a material scientist at a manufacturing company. He wants to pay his DIRECTV bill by sending money directly from his online Wells Fargo bank account. He opens his browser and then score (probability). We u user’s identity. Once all the actions are performed system to release passwords his reg Figure 1. Proposed Scheme for SAMBA (Synthetic Aperture Multimodal Biometric Au Voice Type Motion Request password 1 Do SAMBA 2 Geo-location Gait Verify identity 2.2 ... Other Heartbeat Website Handshake 3 Fusion 2.1 ok ? ok Ephemeral Password Release and Consumption SAMBA method Dispenser SAMBA SAMBA SAMBA Devices SAMBA SAMBA method Dispenser
  7. MTU - ICPC’16 - 05 16, 2016 7 A Lightweight

    Architecture Mobile phone Wearable platform/OS Wearable Device SAMBA (periphery) Wearable Sensor Service Sensor Data User Activity 3rd Apps Message API Libraries Data API Mobile Sensor Service Sensor Data User Activity (Primary) SAMBA Registration SAMBA Handshake Pwd Release Mobile platform/OS Websites Copyright 2016 SRI International
  8. Title - CONFYYY - MM DD, YYYY Or Synthetic Aperture

    Multimodal Biometrics Authentication method Borrows, by analogy, the “synthetic aperture” technique used in radio/optical astronomy. Fuses small and overlapping biometric samples to efficiently verify a user’s identity This method is as accurate as the union of its inputs Converts fused matching scores into confidence scores (probability) 8 The SAMBA Method Copyright 2016 SRI International
  9. Title - CONFYYY - MM DD, YYYY Releasing ephemeral passwords

    is difficult: The biggest issue is adoption Consequently, we provide a wrapper mechanism that works with existing authentication infrastructures • Based on self-service password reset • Naive approach (additional work is needed) Rationale: It avoids a complete overhaul of Websites’ cryptography systems to support our solution. 9 Ephemeral Password Dispenser Copyright 2016 SRI International
  10. MTU - ICPC’16 - 05 16, 2016 10 Design principles

    behind Our Solution Copyright 2016 SRI International
  11. • Fusion of multiple modalities of Biometrics. • “Synthetic aperture”

    needs many biometric samples with overlapping properties in order to be successful. • Efficient match & non-match identity determination. • Small & overlapping biometric samples can be fused quickly • Support future innovation of biometrics. • Smooth inclusion of new types of biometric data. SCC - SRI - 09 18, 2015 11 Design Principles (Babbie, 2015) Copyright 2016 SRI International
  12. MTU - ICPC’16 - 05 16, 2016 12 What this

    means for Users Right to control their passwords lifetime Less password fatigue (no password management) Safeguard in place to protect information Simpler User Experience (3 steps) REQUEST Give me a Password Checking if this is you PROOF PASSWORD Ou45x11!per.iSfG4EeW 00: 00: 05 Copyright 2016 SRI International
  13. MTU - ICPC’16 - 05 16, 2016 Build proof of

    concept of SAMBA System. Design a better handshake between SAMBA and target Websites Perform control experiments to evaluate SAMBA’s new user experience Performance evaluation of SAMBA method 13 Looking ahead Copyright 2016 SRI International
  14. MTU - ICPC’16 - 05 16, 2016 Examined the concept

    of ephemeral content and discuss how it relates to password management and password fatigue. Presented SAMBA, our proposal to ephemeral passwords to combat password fatigue. Combines our SAMBA method with a lightweight scheme and architecture for ephemeral password release & consumption. 14 Summarizing Copyright 2016 SRI International
  15. MTU - ICPC’16 - 05 16, 2016 15 Questions: huascar.sanchez@sri.com

    Copyright 2016 SRI International
  16. Title - CONFYYY - MM DD, YYYY 16