

Putting Your Passwords On Self Destruct Mode: Beating Password Fatigue

In this talk, we present SAMBA, our approach to ephemeral passwords that aims to ameliorate password fatigue. Our proposed system combines our Synthetic Aperture Multimodal Biometrics Authentication (SAMBA) method with a lightweight scheme and architecture for ephemeral password release and consumption.

Huascar Sanchez

June 22, 2016


Transcript

  1. PUTTING YOUR PASSWORDS ON SELF DESTRUCT MODE: BEATING PASSWORD FATIGUE
    Huascar Sanchez, John Murray, Daniel Sanchez (SRI International)
    SOUPS’16, June 22 - 23, 2016
  2. Beating Password Fatigue (Copyright 2016 SRI International)
    Problem: We are simply storing more passwords than we really need or are capable of dealing with.
    (Proposed) Solution: A method that enables users to get passwords that are worth temporary use, but not quite worth preserving.
  3. Shifting Towards Ephemerality
    “Good luck, Mr. Hunt. This message will self destruct in 5 seconds. Self destruction sequence initiated.”
  4. Shifting Towards Password Ephemerality
    “Good luck, Mr. Hunt. This password will self destruct in 5 seconds. Self destruction sequence initiated.”
  5. Achieving Password Ephemerality
  6. A Lightweight Scheme
    3.1 Scenario: Releasing Ephemeral Passwords. Peter is a material scientist at a manufacturing company. He wants to pay his DIRECTV bill by sending money directly from his online Wells Fargo bank account. He opens his browser and then …
    [Figure 1. Proposed Scheme for SAMBA (Synthetic Aperture Multimodal Biometric Authentication): 1 Request password; 2 Do SAMBA, with 2.1 Fusion of Voice, Type, Motion, Geo-location, Gait, Heartbeat, Other, and 2.2 Verify identity; 3 Website Handshake. Components: SAMBA Devices, SAMBA method, Dispenser; Ephemeral Password Release and Consumption.]
  7. A Lightweight Architecture
    [Architecture diagram. Mobile phone (Mobile platform/OS): Mobile Sensor Service (Sensor Data, User Activity), (Primary) SAMBA (SAMBA Registration, SAMBA Handshake, Pwd Release), 3rd Apps, Message API, Libraries, Data API. Wearable Device (Wearable platform/OS): Wearable Sensor Service (Sensor Data, User Activity), SAMBA (periphery). Websites.]
  8. The SAMBA Method, or Synthetic Aperture Multimodal Biometrics Authentication
    • Borrows, by analogy, the “synthetic aperture” technique used in radio/optical astronomy.
    • Fuses small and overlapping biometric samples to efficiently verify a user’s identity.
    • This method is as accurate as the union of its inputs.
    • Converts fused matching scores into confidence scores (probability).
  9. Ephemeral Password Dispenser
    Releasing ephemeral passwords is difficult: the biggest issue is adoption. Consequently, we provide a wrapper mechanism that works with existing authentication infrastructures:
    • Based on self-service password reset
    • Naive approach (additional work is needed)
    Rationale: it avoids a complete overhaul of Websites’ cryptography systems to support our solution.
  10. Design Principles behind Our Solution
  11. Design Principles (Babbie, 2015)
    • Fusion of multiple modalities of Biometrics.
      • “Synthetic aperture” needs many biometric samples with overlapping properties in order to be successful.
    • Efficient match & non-match identity determination.
      • Small & overlapping biometric samples can be fused quickly.
    • Support future innovation of biometrics.
      • Smooth inclusion of new types of biometric data.
  12. What this means for Users
    • Right to control their passwords’ lifetime
    • Less password fatigue (no password management)
    • Safeguard in place to protect information
    • Simpler User Experience (3 steps): REQUEST (“Give me a Password”) → PROOF (“Checking if this is you”) → PASSWORD (“Ou45x11!per.iSfG4EeW”, 00:00:05)
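The three-step flow on slide 12, the dispenser on slide 9 and the score fusion on slide 8 can be sketched end to end. The following Python is an added illustration, not code from the deck or from SRI's SAMBA system: the weighted-mean fusion rule, the modality weights, the 0.8 release threshold, the 5-second lifetime and the names `fuse_scores`, `Dispenser`, `request` and `consume` are all assumptions of this example. It shows what "self destruct" has to mean for a dispensed password in practice: released only above a confidence threshold, accepted by the website handshake once, rejected on replay, and dead once its countdown ends.

```python
import secrets
import string
import time
from dataclasses import dataclass

# Constructed per-modality weights. The deck lists these modalities but gives
# no fusion rule, so the weighted mean below is an assumption of this example.
MODALITY_WEIGHTS = {
    "voice": 0.30, "typing": 0.20, "motion": 0.15,
    "geolocation": 0.10, "gait": 0.15, "heartbeat": 0.10,
}
DEFAULT_WEIGHT = 0.10  # unseen modalities join with a modest weight ("smooth inclusion")
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!.?"


def fuse_scores(scores):
    """Fuse per-modality match scores (each in [0, 1]) into one confidence in [0, 1].

    Assumed rule: weighted mean over the modalities actually sampled, so a small
    set of overlapping samples still yields a usable confidence; no samples -> 0.
    """
    weighted = 0.0
    total_weight = 0.0
    for modality, score in scores.items():
        if not 0.0 <= score <= 1.0:
            raise ValueError(f"score for {modality!r} must lie in [0, 1]")
        weight = MODALITY_WEIGHTS.get(modality, DEFAULT_WEIGHT)
        weighted += weight * score
        total_weight += weight
    return weighted / total_weight if total_weight else 0.0


def generate_password(length=20):
    """Draw a password from a CSPRNG; the deck's sample password is 20 characters."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


@dataclass
class IssuedPassword:
    value: str
    expires_at: float


class Dispenser:
    """Ephemeral password dispenser: REQUEST -> PROOF -> PASSWORD.

    Passwords are single-use and expire after `ttl_seconds`. The clock is
    injectable so the self-destruct can be exercised without sleeping.
    """

    def __init__(self, threshold=0.8, ttl_seconds=5.0, clock=time.monotonic):
        self.threshold = threshold
        self.ttl_seconds = ttl_seconds
        self.clock = clock
        self._issued = {}  # site -> IssuedPassword

    def request(self, site, scores):
        """PROOF step: fuse the biometric scores and release only above threshold."""
        confidence = fuse_scores(scores)
        if confidence < self.threshold:
            return None
        issued = IssuedPassword(generate_password(), self.clock() + self.ttl_seconds)
        self._issued[site] = issued  # a fresh request replaces any earlier password
        return issued.value

    def consume(self, site, presented):
        """Website handshake: accept the password once, and only before it expires."""
        issued = self._issued.get(site)
        if issued is None:
            return False  # never issued, or already used up
        if self.clock() >= issued.expires_at:
            del self._issued[site]  # self-destruct: countdown reached zero
            return False
        if not secrets.compare_digest(issued.value, presented):
            return False  # wrong value; the password stays valid until its TTL
        del self._issued[site]  # consumed: a replay of the same value now fails
        return True


if __name__ == "__main__":
    dispenser = Dispenser()
    pwd = dispenser.request("bank.example", {"voice": 0.92, "typing": 0.88, "gait": 0.95})
    print("released:", pwd)
    print("first use accepted:", dispenser.consume("bank.example", pwd))
    print("replay accepted:", dispenser.consume("bank.example", pwd))
```

The handshake side is deliberately the dispenser's own record here; in the deck's architecture the password would instead be pushed to the website through the self-service reset wrapper, and the website would be the party enforcing single use and expiry.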
  13. Looking ahead
    • Build proof of concept of SAMBA System.
    • Design a better handshake between SAMBA and target Websites.
    • Perform control experiments to evaluate SAMBA’s new user experience.
    • Performance evaluation of SAMBA method.
  14. Summarizing
    • Examined the concept of ephemeral content and discussed how it relates to password management and password fatigue.
    • Presented SAMBA, our proposal for ephemeral passwords to combat password fatigue.
    • Combines our SAMBA method with a lightweight scheme and architecture for ephemeral password release & consumption.